OCPBUGS-20478: Explicitly set the vsphere secret credential data on sync.

[jstuever]

The behavior recently changed to patching the credential secrets as opposed to updating them. As a result, sometimes when a credential is changed it can continue to have pieces of the old credential.

This change overrides the entire vphere credential data to be explicitly set to the new credential. This will remove all old credential data when syncing the new credential.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-20478, which is invalid:

• expected the bug to target the "4.15.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

The behavior previously changed to patching the credential secrets as opposed to updating them. As a result, sometimes when a credential is changed it can continue to have pieces of the old credential.

This change overrides the entire credential data to be explicitly set to the new credential. This will remove all old credential data when syncing the new credential.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-20478, which is invalid:

• expected the bug to target the "4.15.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jstuever]

/jira refresh

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-20478, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.15.0) matches configured target version for branch (4.15.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianping-shu

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jstuever]

/test

[openshift-ci]

@jstuever: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test coverage
• /test e2e-aws-ovn
• /test e2e-azure-manual-oidc
• /test e2e-hypershift
• /test e2e-upgrade
• /test images
• /test security
• /test unit
• /test verify
• /test verify-deps

The following commands are available to trigger optional jobs:

• /test e2e-aws-manual-oidc
• /test e2e-azure
• /test e2e-azure-upgrade
• /test e2e-gcp
• /test e2e-gcp-manual-oidc
• /test e2e-openstack
• /test e2e-openstack-parallel

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-cloud-credential-operator-master-coverage
• pull-ci-openshift-cloud-credential-operator-master-e2e-aws-ovn
• pull-ci-openshift-cloud-credential-operator-master-e2e-hypershift
• pull-ci-openshift-cloud-credential-operator-master-e2e-upgrade
• pull-ci-openshift-cloud-credential-operator-master-images
• pull-ci-openshift-cloud-credential-operator-master-security
• pull-ci-openshift-cloud-credential-operator-master-unit
• pull-ci-openshift-cloud-credential-operator-master-verify
• pull-ci-openshift-cloud-credential-operator-master-verify-deps

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jstuever]

/test e2e-azure
/test e2e-gcp
/test e2e-openstack

[codecov]

Codecov Report

Merging #628 (3d13848) into master (5a6da9c) will decrease coverage by 0.01%.
Report is 2 commits behind head on master.
The diff coverage is 100.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #628      +/-   ##
==========================================
- Coverage   47.90%   47.89%   -0.01%     
==========================================
  Files          96       96              
  Lines       11680    11679       -1     
==========================================
- Hits         5595     5594       -1     
  Misses       5465     5465              
  Partials      620      620              

Files	Coverage Δ
pkg/vsphere/actuator/actuator.go	53.60% <100.00%> (-0.24%)	⬇️

[jstuever]

/retest

[gamli75]

@jstuever can you add unit test to this code to simulate the problem in assisted installer? thanks

[adriengentil]

I built my own OCP release with this PR in it, and I ran an install on vsphere, the issue looks to be fixed:

$ omg get secret/vmware-vsphere-cloud-credentials -n openshift-cluster-csi-drivers -o yaml
apiVersion: v1
data:
  v8c-2-vcenter.ocp2.dev.cluster.com.password: MTIgYnl0ZXMgbG9uZw==
  v8c-2-vcenter.ocp2.dev.cluster.com.username: MjQgYnl0ZXMgbG9uZw==
kind: Secret
metadata:
  annotations:
    cloudcredential.openshift.io/credentials-request: openshift-cloud-credential-operator/openshift-vmware-vsphere-csi-driver-operator
  creationTimestamp: '2023-11-16T12:21:37Z'
  labels:
    cloudcredential.openshift.io/credentials-request: 'true'

[gamli75]

@jstuever can you merge it, please?

[jstuever]

/retest

[jstuever]

/label acknowledge-critical-fixes-only

[jstuever]

/assign @dlom

[jstuever]

/cherry-pick release-4.14

[openshift-cherrypick-robot]

@jstuever: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@jstuever: This pull request references Jira Issue OCPBUGS-20478, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.15.0) matches configured target version for branch (4.15.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianping-shu

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

The behavior recently changed to patching the credential secrets as opposed to updating them. As a result, sometimes when a credential is changed it can continue to have pieces of the old credential.

This change overrides the entire vphere credential data to be explicitly set to the new credential. This will remove all old credential data when syncing the new credential.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[dlom]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlom, jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dlom,jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9507066 and 2 for PR HEAD 3d13848 in total

[gamli75]

/test e2e-hypershift

[openshift-ci]

@jstuever: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jstuever: Jira Issue OCPBUGS-20478: All pull requests linked via external trackers have merged:

• openshift/cloud-credential-operator#628

Jira Issue OCPBUGS-20478 has been moved to the MODIFIED state.

In response to this:

The behavior recently changed to patching the credential secrets as opposed to updating them. As a result, sometimes when a credential is changed it can continue to have pieces of the old credential.

This change overrides the entire vphere credential data to be explicitly set to the new credential. This will remove all old credential data when syncing the new credential.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@jstuever: new pull request created: #629

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cloud-credential-operator-container-v4.15.0-202311191150.p0.g3c72c02.assembly.stream for distgit ose-cloud-credential-operator.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.15.0-0.nightly-2023-11-19-145055