Closed dlom closed 2 weeks ago
@dlom: This pull request references CCO-572 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.
Attention: Patch coverage is 16.66667% with 5 lines in your changes missing coverage. Please review.
Project coverage is 47.27%. Comparing base (2c25ae6) to head (1637536). Report is 4 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
pkg/gcp/actuator/actuator.go | 16.66% | 3 Missing and 2 partials :warning: |
/hold
/retest
/lgtm
/retest
@dlom I had a test on this PR. After creating the root credentials secret (workaround for OCPBUGS-37952), it worked and the test case OCP-75429 was updated. One thing to mention is that CredentialsProvisionFailure is set to True for the CredentialsRequest with audience etc. From the logs, it is a side effect of creating the credentials secret, not a real issue.
```
jianpingshu@jshu-mac ~ % oc -n openshift-cloud-credential-operator get -o json credentialsrequests | jq -r '.items[] | select(tostring | contains("InfrastructureMismatch") | not) | .metadata.name as $n | .status.conditions // [{type: "NoConditions"}] | .[] | .type + "=" + .status + " " + $n + " " + .reason + ": " + .message' | sort
CredentialsProvisionFailure=False cloud-credential-operator-gcp-ro-creds CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-cloud-network-config-controller-gcp CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-gcp-ccm CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-gcp-pd-csi-driver-operator CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-image-registry-gcs CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-ingress-gcp CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=False openshift-machine-api-gcp CredentialsProvisionSuccess: successfully granted credentials request
CredentialsProvisionFailure=True test-creds CredentialsProvisionFailure: failed to grant creds: error determining whether a credentials update is needed
```

logs:

```
time="2024-08-12T00:59:53Z" level=debug msg="target secret exists" actuator=gcp cr=openshift-cloud-credential-operator/test-creds
time="2024-08-12T00:59:53Z" level=error msg="cloud cred secret not yet annotated" actuator=gcp cr=openshift-cloud-credential-operator/test-creds secret=kube-system/gcp-credentials
time="2024-08-12T00:59:53Z" level=debug msg="error retrieving cloud credentials secret" error="cannot proceed without cloud cred secret annotation"
time="2024-08-12T00:59:53Z" level=error msg="error determining whether a credentials update is needed" actuator=gcp cr=openshift-cloud-credential-operator/test-creds error="cannot proceed without cloud cred secret annotation"
```
@jianping-shu have you tried creating read-only credentials as a workaround as well?
@dlom I think the gcp read-only credential already exists after gcp wif cluster installs. But from cco logs, it still reported below. I'll double check this.
```
time="2024-08-11T03:46:11Z" level=warning msg="read-only creds not found, using root creds client" actuator=gcp cr=openshift-cloud-credential-operator/openshift-cloud-network-config-controller-gcp secret=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
```
@dlom Checked on the cluster. There's read-only creds but still log "read-only creds not found". Here is full log for one syncing.

```
jianpingshu@jshu-mac ~ % oc get secret cloud-credential-operator-gcp-ro-creds -n openshift-cloud-credential-operator
NAME                                     TYPE     DATA   AGE
cloud-credential-operator-gcp-ro-creds   Opaque   1      6h35m
```

```
time="2024-08-15T00:35:55Z" level=info msg="syncing credentials request" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2024-08-15T00:35:55Z" level=debug msg="found secret namespace" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=openshift-image-registry/installer-cloud-credentials
time="2024-08-15T00:35:55Z" level=debug msg="timed token access cluster detected: true, so not trying to provision with root secret" controller=credreq cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=openshift-image-registry/installer-cloud-credentials
time="2024-08-15T00:35:55Z" level=debug msg="target secret does not exist" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2024-08-15T00:35:55Z" level=debug msg="running sync" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2024-08-15T00:35:55Z" level=debug msg="Loading infrastructure name: jshu815-bbz9t" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs
time="2024-08-15T00:35:55Z" level=debug msg="loading GCP read-only credentials from secret" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2024-08-15T00:35:55Z" level=warning msg="read-only creds not found, using root creds client" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=openshift-cloud-credential-operator/cloud-credential-operator-gcp-ro-creds
time="2024-08-15T00:35:55Z" level=debug msg="loading GCP credentials from secret" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs secret=kube-system/gcp-credentials
time="2024-08-15T00:35:55Z" level=error msg="error creating GCP client" error="Secret \"gcp-credentials\" not found"
time="2024-08-15T00:35:55Z" level=error msg="error determining whether a credentials update is needed" actuator=gcp cr=openshift-cloud-credential-operator/openshift-image-registry-gcs error="unable to check whether credentialsRequest needs update"
```
@jianping-shu I have pushed another change to this branch that should fix the error. Please give it a try
/retest
/retest
/retest
/retest
@dlom I tested with cluster-bot build based on the new commit and it works fine now. Test case OCP-75429 - Test the STS OLM functionality of GCP has been updated. I also did simple regression test on mint/passthrough mode and no issue. But how about OCPBUGS-37952? Are you going to fix the bug by this PR for 4.18/4.17 and do manual back-porting for pre-4.17 releases?
/retest
@jianping-shu I plan to address OCPBUGS-37952 with a separate PR and backport it as necessary. I believe this PR (once tests pass) should merge ASAP.
/unhold
/assign @jstuever
/retest
/retest
/override ci/prow/okd-scos-images
@dlom: Overrode contexts on behalf of dlom: ci/prow/okd-scos-images
@dlom: all tests passed!
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: 2uasimojo, dlom, jstuever
/hold
@dlom: This pull request references Jira Issue OCPBUGS-38951, which is invalid:
Comment `/jira refresh` to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
/jira refresh
@dlom: This pull request references Jira Issue OCPBUGS-38951, which is valid. The bug has been moved to the POST state.
Requesting review from QA contact: /cc @jianping-shu
/label acknowledge-critical-fixes-only
/jira backport release-4.17
@dlom: The following backport issues have been created:
Queuing cherrypicks to the requested branches to be created after this PR merges: /cherrypick release-4.17
@openshift-ci-robot: once the present PR merges, I will cherry-pick it on top of release-4.17 in a new PR and assign it to you.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/unhold
@dlom: Jira Issue OCPBUGS-38951: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-38951 has been moved to the MODIFIED state.
@openshift-ci-robot: new pull request created: #751
[ART PR BUILD NOTIFIER]
Distgit: ose-cloud-credential-operator This PR has been included in build ose-cloud-credential-operator-container-v4.18.0-202408270610.p0.gea71719.assembly.stream.el9. All builds following this will include this PR.
/assign @jstuever