Revert "Temporary cred request filter workaround"

[patrickdillon]

Follow up to revert temporary workaround from #76228

This reverts commit 068c4d1.

https://redhat.atlassian.net/browse/OCPBUGS-77845
may be resolved with openshift/oc#2241

[patrickdillon]

/pj-rehearse pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-azure

[openshift-ci-robot]

@patrickdillon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@patrickdillon: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-machine-api-operator-main-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-5.0-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.23-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.22-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.21-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.20-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.19-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.18-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.17-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.16-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.15-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-machine-api-operator-release-4.14-e2e-azure-manual-oidc	openshift/machine-api-operator	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-main-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-5.0-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.23-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.22-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.21-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.20-e2e-aws	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-main-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-5.0-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.23-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.22-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.21-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-release-4.20-e2e-azure	openshift/secrets-store-csi-driver	presubmit	Registry content changed
pull-ci-openshift-secrets-store-csi-driver-main-e2e-gcp	openshift/secrets-store-csi-driver	presubmit	Registry content changed

A total of 1245 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[patrickdillon]

definition of insanity:

/pj-rehearse pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-azure

[openshift-ci-robot]

@patrickdillon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[patrickdillon]

/hold

waiting on confirmation this works

[patrickdillon]

/pj-rehearse pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-azure

[openshift-ci-robot]

@patrickdillon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[patrickdillon]

/pj-rehearse
/hold cancel

azure test failed but looks unrelated. it got past the point where this was failing before

[openshift-ci-robot]

@patrickdillon: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jstuever]

/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-aws-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

[openshift-ci-robot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jstuever]

/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

I don't expect different results.

[openshift-ci-robot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci-robot]

@jstuever, pj-rehearse: unable to determine affected jobs ERROR:

could not load configuration from candidate revision of release repo: failed to load ci-operator configuration from release repo: failed to load ci-operator config (error unmarshaling JSON: json: cannot unmarshal object into Go struct field ReleaseBuildConfiguration.images of type []api.ProjectDirectoryImageBuildStepConfiguration)

If the problem persists, please contact Test Platform.

[jstuever]

/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

[openshift-ci-robot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jstuever]

It looks like the rehearsals might not be getting a version of oc that contains the fix in the oidc-creds-provision step.

[jstuever]

/pj-rehearse pull-ci-openshift-cluster-api-provider-azure-main-e2e-azure-manual-oidc

[openshift-ci-robot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jstuever]

/lgtm
I would like to see the azure job stop failing before we merge this. I've ran a rehearsal on the cluster-api-provider-azure component with the intention of reaching out to the relevant team to resolve the issue there. However, we should not be seeing it fail here because that component is still techpreview, and we should not be seeing the credentialRequest being extracted by oc.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever, patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/ipi/conf/aws/oidc-creds-provision/OWNERS [jstuever,patrickdillon]
• ci-operator/step-registry/ipi/conf/azure/oidc-creds-provision/OWNERS [jstuever,patrickdillon]
• ci-operator/step-registry/ipi/conf/gcp/oidc-creds-provision/OWNERS [jstuever,patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[patrickdillon]

I would like to see the azure job stop failing before we merge this. I've ran a rehearsal on the cluster-api-provider-azure component with the intention of reaching out to the relevant team to resolve the issue there. However, we should not be seeing it fail here because that component is still techpreview, and we should not be seeing the credentialRequest being extracted by oc.

Right. The azure failure is weird and seems unrelated to this PR (more like a permission thing) but I was mistaken about what I said before, and the failing step is pre install. So let's see what we can figure out.

/hold

[patrickdillon]

@jstuever hm, yeah it does look related it looks like 1) a capi credential request is still there 2) it contains a bad permission which causes things to blow up

2026/04/01 17:43:58 Saved credentials configuration to: /tmp/manifests/openshift-cloud-controller-manager-azure-cloud-credentials-credentials.yaml
2026/04/01 17:43:59 Created user-assigned managed identity /subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/resourcegroups/ci-op-tdd1cmw2-1a82e-oidc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ci-op-tdd1cmw2-1a82e-openshift-cluster-api-capz-manager-bootstrap-credentials
2026/04/01 17:44:00 error ensuring custom role: PUT https://management.azure.com/subscriptions/d38f1e38-4bed-438e-b227-833f997adf6a/providers/Microsoft.Authorization/roleDefinitions/f7cd69af-d967-4441-a92c-8ddf2f2e3e92
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE: InvalidActionOrNotAction
--------------------------------------------------------------------------------
{
  "error": {
    "code": "InvalidActionOrNotAction",
    "message": "'Microsoft.Resourcehealth/healthevent/action' does not match any of the actions supported by the providers."
  }
}
--------------------------------------------------------------------------------

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/76835/rehearse-76835-pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc/2039393343099637760/artifacts/e2e-azure-manual-oidc/ipi-conf-azure-oidc-creds-provision/build-log.txt

That's a quick take. Let me try to confirm.

[patrickdillon]

@jstuever The oc used in these steps could be old

[petr-muller]

/uncc

[jstuever]

/pj-rehearse ci/rehearse/openshift/cloud-credential-operator/master/e2e-azure-manual-oidc ci/rehearse/openshift/cloud-credential-operator/master/e2e-gcp-manual-oidc

[openshift-merge-bot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

@jstuever: job(s): ci/rehearse/openshift/cloud-credential-operator/master/e2e-azure-manual-oidc, ci/rehearse/openshift/cloud-credential-operator/master/e2e-gcp-manual-oidc either don't exist or were not found to be affected, and cannot be rehearsed

[jstuever]

/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

[openshift-merge-bot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[jstuever]

/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

[openshift-merge-bot]

@jstuever: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@patrickdillon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/secrets-store-csi-driver-operator/main/operator-e2e-azure	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-azure
ci/rehearse/openshift/cluster-network-operator/release-4.23/e2e-azure-ovn-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cluster-network-operator-release-4.23-e2e-azure-ovn-manual-oidc
ci/rehearse/openshift/cluster-network-operator/release-4.22/e2e-azure-ovn-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cluster-network-operator-release-4.22-e2e-azure-ovn-manual-oidc
ci/rehearse/openshift/cluster-network-operator/master/e2e-azure-ovn-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cluster-network-operator-master-e2e-azure-ovn-manual-oidc
ci/rehearse/openshift/cluster-network-operator/release-5.0/e2e-azure-ovn-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cluster-network-operator-release-5.0-e2e-azure-ovn-manual-oidc
ci/rehearse/openshift/cluster-api-provider-azure/main/e2e-azure-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cluster-api-provider-azure-main-e2e-azure-manual-oidc
ci/rehearse/openshift/cloud-credential-operator/master/e2e-azure-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-azure-manual-oidc
ci/rehearse/openshift/cloud-credential-operator/master/e2e-gcp-manual-oidc	94b52b9	link	unknown	/pj-rehearse pull-ci-openshift-cloud-credential-operator-master-e2e-gcp-manual-oidc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jstuever]

@patrickdillon The steps that extract the credentialRequests needs to be updated before we can merge this. It is not using the --included flag, so all of the oc work to resolve this is not being picked up by the steps.

release/ci-operator/step-registry/ipi/conf/azure/oidc-creds-provision/ipi-conf-azure-oidc-creds-provision-commands.sh

Line 110 in 94f1bbd

oc adm release extract --registry-config pull-secret --credentials-requests --cloud=azure --to="/tmp/credrequests" ${ADDITIONAL_OC_EXTRACT_ARGS} "${TESTING_RELEASE_IMAGE}"

There are several more.

https://github.com/search?q=repo%3Aopenshift%2Frelease+--credentials-requests+--cloud&type=code