
[OSDOCS-4353]: Adds GCP workload ID upgrade procedure #51752

Merged

Conversation

jeana-redhat
Contributor

@jeana-redhat jeana-redhat commented Oct 17, 2022

Version(s):
4.11+

Issue:
OSDOCS-4353

Link to docs preview:

QE review:

  • QE has approved this change.

Additional information:
N/A

@jeana-redhat jeana-redhat added this to the Continuous Release milestone Oct 17, 2022
@openshift-ci openshift-ci bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 17, 2022
@ocpdocs-previewbot

ocpdocs-previewbot commented Oct 17, 2022

🤖 Updated build preview is available at:
https://51752--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/2088

@jeana-redhat
Contributor Author

@abutcher PTAL when you have time

Member

@abutcher abutcher left a comment


Changes look good to me 👍

@jeana-redhat
Contributor Author

@jianping-shu PTAL 🙏

@jianping-shu

@abutcher @jeana-redhat
I tested w/ case OCP-55031; create-all has some issues.
I tested 2 scenarios:
Scenario 1: run ccoctl gcp create-all with a new and empty output-dir in the upgrade steps. The RSA key pair was regenerated and tls/bound-service-account-signing-key.key is different from the one from installation.
The upgrade hung for a long time:
jianpingshu@jshu-mac 4.11.7-manifests % oc get clusterversion -w
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.10.34 True True 3h21m Working towards 4.11.7: 637 of 803 done (79% complete), waiting on image-registry

There was the following error for co image-registry:
image-registry 4.10.34 True True False 170m Progressing: Unable to apply resources: unable to sync storage configuration: Get "https://storage.googleapis.com/storage/v1/b/jshu-gcp6-bsn42-image-registry-us-central1-yanxcjvqmhhnvwxwysj?alt=json&prettyPrint=false&projection=full": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/jshu-gcp6-openshift-i-pt6g9@openshift-qe.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_grant","error_description":"Unable to verify the ID Token signature."}...

Scenario 2: run ccoctl gcp create-all with the same output-dir in the install/upgrade steps. The RSA key pair was reused and tls/bound-service-account-signing-key.key is regenerated but the same.
The upgrade was successful in 1 hour:
jianpingshu@jshu-mac 4.11.7-manifests2 % oc get clusterversion -w
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.11.7 True False 6m1s Cluster version is 4.11.7

I guess tls/bound-service-account-signing-key.key is used in the resources created by ccoctl, so if it is regenerated then it will not match the one in the cluster.
I think the ccoctl output-dir from installation might be long gone by upgrade time, so create-service-accounts makes more sense. WDYT?
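
The failure in scenario 1 comes down to a private key in the ccoctl output-dir that no longer matches what the identity provider publishes. As an added example (not code from this PR, from ccoctl, or from OpenShift), the following stand-alone Python checks, before any upgrade manifests are applied, whether the RSA key in tls/bound-service-account-signing-key.key is among the keys in the provider's keys.json. It reads the key with a minimal standard-library DER walk instead of a crypto library; the file names, the assumption that the key is PEM in PKCS#1 or PKCS#8 layout, and the kid value are mine, and the toy key and JWKS it falls back on are constructed, not real key material.

```python
"""Check whether a local ccoctl signing key is published in a cluster's JWKS.

Added example, not part of this PR or of ccoctl. Assumptions (labelled):
  * the private key is the PEM file ccoctl writes as
    tls/bound-service-account-signing-key.key (RSA, PKCS#1 or PKCS#8 layout);
  * the JWKS is the keys.json document the OIDC provider serves.
Standard library only: the ASN.1 walk below reads just the two RSA private
key layouts; it is not a general DER parser.
"""
import base64
import json
import sys


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value: bytes):
    """Yield (tag, value) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value


def rsa_modulus_from_pem(pem: str) -> int:
    """Extract the RSA modulus n from a PKCS#1 or PKCS#8 RSA private key PEM."""
    body = "".join(line for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    tag, outer, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    elems = list(_children(outer))
    # PKCS#8: SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
    if len(elems) >= 3 and elems[1][0] == 0x30 and elems[2][0] == 0x04:
        _, inner, _ = _read_tlv(elems[2][1], 0)
        elems = list(_children(inner))
    # PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }
    if len(elems) < 3 or elems[1][0] != 0x02:
        raise ValueError("unsupported private key layout")
    return int.from_bytes(elems[1][1], "big")  # a leading 0x00 pad byte is harmless


def jwks_moduli(jwks_text: str) -> dict:
    """Map kid -> modulus n for every RSA key in a JWKS (keys.json) document."""
    out = {}
    for jwk in json.loads(jwks_text).get("keys", []):
        if jwk.get("kty") != "RSA":
            continue
        n_b64 = jwk["n"] + "=" * (-len(jwk["n"]) % 4)  # restore base64url padding
        out[jwk.get("kid")] = int.from_bytes(base64.urlsafe_b64decode(n_b64), "big")
    return out


def signing_key_published(pem: str, jwks_text: str):
    """Return the kid under which the PEM key's public half is published, else None."""
    n = rsa_modulus_from_pem(pem)
    for kid, published in jwks_moduli(jwks_text).items():
        if published == n:
            return kid
    return None


# --- constructed toy inputs so the check runs offline (not a usable RSA key) ---
def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return b"\x02" + bytes([len(raw)]) + raw


def toy_private_key_pem(n: int, e: int = 65537, d: int = 0x1234) -> str:
    """PKCS#1-shaped PEM carrying the given toy modulus (structure only)."""
    body = b"".join(_der_int(v) for v in (0, n, e, d))
    der = b"\x30" + bytes([len(body)]) + body  # short-form length suffices here
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"


def toy_jwks(n: int, kid: str = "install-key") -> str:
    """Standard JWKS document publishing the toy modulus under a constructed kid."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    n_b64 = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return json.dumps({"keys": [{"kty": "RSA", "kid": kid, "use": "sig",
                                  "alg": "RS256", "e": "AQAB", "n": n_b64}]})


TOY_N = 0xC0FFEE0D15EA5E  # constructed toy modulus

if __name__ == "__main__":
    # Usage: python check_key.py tls/bound-service-account-signing-key.key keys.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as key_file, open(sys.argv[2]) as jwks_file:
            kid = signing_key_published(key_file.read(), jwks_file.read())
    else:  # no files given: demonstrate on the toy key
        kid = signing_key_published(toy_private_key_pem(TOY_N), toy_jwks(TOY_N))
    print("published as kid" if kid else "NOT published: do not apply these manifests", kid or "")
```

A None result is exactly the scenario 1 state: the output-dir holds a freshly generated key whose public half the cluster's existing tokens were never signed against, so applying the manifests from that directory would produce the "Unable to verify the ID Token signature" error quoted above. Running the check with the install-time output-dir (or after create-service-accounts, which leaves the key alone) should return the published kid.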

@jianping-shu

jianping-shu commented Oct 18, 2022

@jeana-redhat Here are some comments not related to this PR. Maybe we can create another ticket for tracking them if they are valid and need some effort.

  1. $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE)
    In my run, it needs "-a ~/.pull-secret"
    But it may depend on my environment, may be not a real issue
  2. Feature gate in 4.11 vs. feature set in 4.12; this is a general issue
  3. Comparing w/ aws sts procedure, gcp procedure doesn't list the role/permission needed for running ccoctl
  4. In Example output of "ccoctl aws create-identity-provider",
    "where 02-openid-configuration is a discovery document and 03-keys.json is a JSON web key set file."
    But neither 02-openid-configuration nor 03-keys.json exists in the output. Should be openid-configuration and keys.json?

@abutcher
Member

I think the ccoctl output-dir from installation might be long gone by upgrade time, so create-service-accounts makes more sense. WDYT?

Yes, I hadn't considered the output-dir not being around which seems very likely. create-service-accounts makes more sense 👍.

@jianping-shu

Thanks for confirmation! Let's change to create-service-accounts and the procedure will be fine.

@jeana-redhat
Contributor Author

jeana-redhat commented Oct 18, 2022

Thanks for the review! Leaving some comments below:

@jeana-redhat Here are some comments not related to this PR. Maybe we can create another ticket for tracking them if they are valid and need some effort.

1. $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE)
   In my run, it needs "-a ~/.pull-secret"
   But it may depend on my environment, may be not a real issue

I actually did this a bit more granularly in a different ccoctl PR I have in flight; I will add that detail here in case users have the same issue.

2. Feature gate in 4.11 vs. feature set in 4.12; this is a general issue

Yes, I have a card to make this change in 4.12: OSDOCS-4159

3. Comparing w/ aws sts procedure, gcp procedure doesn't list the role/permission needed for running ccoctl

I opened AWS and GCP docs cards at the same time, but the GCP update is waiting on CCO-197.

4. In Example output of "ccoctl aws create-identity-provider",
   "where 02-openid-configuration is a discovery document and 03-keys.json is a JSON web key set file."
   But neither 02-openid-configuration nor 03-keys.json exists in the output. Should be openid-configuration and keys.json?

Good catch! I will fix that while I am in here rather than adding to my to-do list for later 🙂

@jeana-redhat jeana-redhat force-pushed the OSDOCS-4353-GCP-WIF-upgrade branch 3 times, most recently from a5afffc to bac7d04 Compare October 18, 2022 14:57
Member

@abutcher abutcher left a comment


Updates look good to me.

@jianping-shu

Looks good to me, LGTM

@jeana-redhat jeana-redhat added the peer-review-needed Signifies that the peer review team needs to review this PR label Oct 19, 2022
@sheriff-rh
Contributor

/label peer-review-in-progress

@openshift-ci openshift-ci bot added the peer-review-in-progress Signifies that the peer review team is reviewing this PR label Oct 19, 2022
@sheriff-rh
Contributor

/remove-label peer-review-needed

@openshift-ci openshift-ci bot removed the peer-review-needed Signifies that the peer review team needs to review this PR label Oct 19, 2022
Contributor

@sheriff-rh sheriff-rh left a comment


This is really excellent work, Jeana. I've definitely learned a thing or two by reviewing this. Nice work with the ifdefs! 🚀

@sheriff-rh
Contributor

/remove-label peer-review-in-progress
/label peer-review-done

@openshift-ci openshift-ci bot added peer-review-done Signifies that the peer review team has reviewed this PR and removed peer-review-in-progress Signifies that the peer review team is reviewing this PR labels Oct 19, 2022
@jeana-redhat
Contributor Author

Force pushed to force rebuild before merging, no change.

@jeana-redhat jeana-redhat merged commit 217f41f into openshift:main Oct 19, 2022
@jeana-redhat
Contributor Author

/cherrypick enterprise-4.12

@jeana-redhat
Contributor Author

/cherrypick enterprise-4.11

@openshift-cherrypick-robot

@jeana-redhat: new pull request created: #51878

In response to this:

/cherrypick enterprise-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot

@jeana-redhat: new pull request created: #51879

In response to this:

/cherrypick enterprise-4.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels
branch/enterprise-4.11 branch/enterprise-4.12 peer-review-done Signifies that the peer review team has reviewed this PR size/L Denotes a PR that changes 100-499 lines, ignoring generated files.