OCPBUGS-16684: Set cr.status.provisioned=false on syncErr path

[bentito]

I think this cures the bug as long as I tracked from the correct part of the code that was setting cr.status.provisioned to true despite a failure to actually provision the Secret.

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-16684, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @fxierh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

I think this cures the bug as long as I tracked from the correct part of the code that was setting cr.status.provisioned to true despite a failure to actually provision the Secret.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

@fxierh I think I could have fixed it with this change, but I'm not totally sure. If you can run this PR, set conditions again, and we'll see if it is fixed. If it's not fixed, I'll see how I can debug on this PR, perhaps with the STS workflow with clusterbot.

[codecov]

Codecov Report

Merging #583 (eb6ef9b) into master (b4d1c3d) will increase coverage by 0.23%.
Report is 19 commits behind head on master.
The diff coverage is 0.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #583      +/-   ##
==========================================
+ Coverage   48.15%   48.38%   +0.23%     
==========================================
  Files          94       94              
  Lines       11543    11641      +98     
==========================================
+ Hits         5558     5633      +75     
- Misses       5377     5398      +21     
- Partials      608      610       +2     

Files Changed	Coverage Δ
pkg/aws/actuator/actuator.go	63.90% <0.00%> (-0.16%)	⬇️
...redentialsrequest/credentialsrequest_controller.go	53.25% <0.00%> (+4.32%)	⬆️

... and 5 files with indirect coverage changes

[fxierh]

When CR.spec.providerSpec.stsIAMRoleARN is unset, syncErr is still nil

cloud-credential-operator/pkg/aws/actuator/actuator.go

Lines 342 to 345 in 859de53

	if awsSTSIAMRoleARN == "" {
	logger.Debug("CredentialsRequest has no awsSTSIAMRoleARN, no reason to sync")
	return nil
	}

So we fall into the else branch below where we call

cloud-credential-operator/pkg/operator/credentialsrequest/credentialsrequest_controller.go

Line 724 in 859de53

updateErr := r.UpdateProvisionedStatus(cr, true)

In other words CR.status.provisioned is still set to true when CR.spec.providerSpec.stsIAMRoleARN is unset and there is no Secret provisioned.

[fxierh]

The comment above aligns with what I observed today in a test (on this PR).

[bentito]

Thanks! I think my next commit fixes it then.

[fxierh]

For debugging IMO you can try to install an STS cluster, scale down CVO & CCO and then run the controllers locally with the latest commit.

[fxierh]

Btw just wanted to check if you're planning to address the comment I left under https://issues.redhat.com/browse/OCPBUGS-16684 in this PR (or I can open another card for it if you want them to be separated) ?

[bentito]

For debugging IMO you can try to install an STS cluster, scale down CVO & CCO and then run the controllers locally with the latest commit.

Yeah, that's basically what's happening with clusterbot, but with automation, but it's way slow for a quick test to see if I got something wrong or right.

[bentito]

Btw just wanted to check if you're planning to address the comment I left under https://issues.redhat.com/browse/OCPBUGS-16684 in this PR (or I can open another card for it if you want them to be separated) ?

If you could make a new card about the lastSyncGeneration problems that would be good. Thanks.

[fxierh]

I haven't tested your latest commit in action yet but it appears to me that:
if the stsIAMRoleARN field is unset, this awsSTSIAMRoleARN string would be empty and err would be nil. So returning err would be equivalent to returning nil.

[bentito]

Yep, new commit, didn't think that through very well. Thanks!

[fxierh]

@bentito With the current implementation the .status field of CRs without .stsIAMRoleARN (e.g. the ones extracted via oc adm release extract $IMG --cloud=aws --credentials-requests) looks like the following:

status:
  conditions:
  - lastProbeTime: "2023-07-28T16:08:52Z"
    lastTransitionTime: "2023-07-28T16:08:52Z"
    message: 'failed to grant creds: an empty roleARN was found so no Secret was created'
    reason: CredentialsProvisionFailure
    status: "True"
    type: CredentialsProvisionFailure
  lastSyncGeneration: 0
  lastSyncTimestamp: "2023-07-28T16:16:09Z"
  provisioned: false

Just wanted to make sure this is expected behavior.

[fxierh]

On the other hand, the aforementioned failing condition (CredentialsProvisionFailure) is not reflected at the CO level (i.e. we won't see "%d of %d credentials requests are failing to sync" when calling oc get co cloud-credential -o yaml:

cloud-credential-operator/pkg/operator/credentialsrequest/status.go

Lines 107 to 108 in 859de53

	if operatorIsDisabled {
	return conditions

This makes me wonder if we should display Secret provision failures on CO/cloud-credential in STS mode just like in mint.
cc. @abutcher

[fxierh]

If you could make a new card about the lastSyncGeneration problems that would be good. Thanks.

Done.

[bentito]

/test e2e-aws-ovn

[bentito]

Just wanted to make sure this is expected behavior.
@fxierh Yes, I think this is as desired...
And if so, @abutcher , I think this can get an LGTM?

[abutcher]

I'll make a card for the CO level status.
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abutcher, bentito

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abutcher]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 4031723 and 2 for PR HEAD eb6ef9b in total

[bentito]

@abutcher ci/prow/e2e-azure-manual-oidc is showing up as a required test here and it definitely shouldn't be here on an AWS related PR I'd think. Or at least not as a required...

[abutcher]

Related to a recent change we made to the tests which should have made e2e-azure-manual-oidc required for changes which impact specific pathing but are instead making the test required.

/override ci/prow/e2e-azure-manual-oidc

[openshift-ci]

@abutcher: Overrode contexts on behalf of abutcher: ci/prow/e2e-azure-manual-oidc

In response to this:

Related to a recent change we made to the tests which should have made e2e-azure-manual-oidc required for changes which impact specific pathing but are instead making the test required.

/override ci/prow/e2e-azure-manual-oidc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bentito]

/test e2e-hypershift

[bentito]

/test e2e-hypershift

[bentito]

/test e2e-hypershift

[bentito]

/test e2e-hypershift

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@bentito: Jira Issue OCPBUGS-16684: All pull requests linked via external trackers have merged:

• openshift/cloud-credential-operator#583

Jira Issue OCPBUGS-16684 has been moved to the MODIFIED state.

In response to this:

I think this cures the bug as long as I tracked from the correct part of the code that was setting cr.status.provisioned to true despite a failure to actually provision the Secret.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.