Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-4.12] OCPBUGS-15467: Add missing AWS permission for ListTagsForResources #954

Merged
merged 1 commit into from
Aug 8, 2023
Merged

[release-4.12] OCPBUGS-15467: Add missing AWS permission for ListTagsForResources #954

merged 1 commit into from
Aug 8, 2023

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Jun 27, 2023

This is a manual cherry-pick of #868. pkg/manifests/bindata.go had a conflict and had to be regenerated for the backport.

The defined CredentialsRequest is missing a required permission for the AWS "Provider.lookupZoneIDWithoutResourceTagging" method.

@montaguethomas @Miciah
OCPBUGS-4827 Add missing AWS permission for ListTagsForResources
49791ea 
The defined CredentialsRequest is missing a required permission for the AWS "Provider.lookupZoneIDWithoutResourceTagging" method.
@Miciah Miciah changed the title [release-4.12] OCPBUGS-15467 Add missing AWS permission for ListTagsForResources [release-4.12] OCPBUGS-15467: Add missing AWS permission for ListTagsForResources Jun 27, 2023
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jun 27, 2023
@openshift-ci openshift-ci bot requested review from frobware and gcs278 June 27, 2023 15:28
@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Jira Issue OCPBUGS-15467, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.z) matches configured target version for branch (4.12.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-4827 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
  • dependent Jira Issue OCPBUGS-4827 targets the "4.13.0" version, which is one of the valid target versions: 4.13.0, 4.13.z
  • bug has dependents

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is a manual cherry-pick of #868. pkg/manifests/bindata.go had a conflict and had to be regenerated for the backport.

The defined CredentialsRequest is missing a required permission for the AWS "Provider.lookupZoneIDWithoutResourceTagging" method.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 27, 2023
@openshift-ci openshift-ci bot requested a review from lihongan June 27, 2023 15:28
@candita
Copy link
Contributor

candita commented Jun 28, 2023

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 28, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 28, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 28, 2023
@melvinjoseph86
Copy link

/retest-required

@melvinjoseph86
Copy link

Verified using cluster bot
melvinjoseph@mjoseph-mac Downloads % oc -n openshift-cloud-credential-operator get CredentialsRequest openshift-ingress -oyaml
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
annotations:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
creationTimestamp: "2023-07-02T07:28:12Z"
finalizers:

  • cloudcredential.openshift.io/deprovision
    generation: 1
    labels:
    controller-tools.k8s.io: "1.0"
    name: openshift-ingress
    namespace: openshift-cloud-credential-operator
    ownerReferences:
  • apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 4392c2c8-dee9-4c0b-8d4c-125ab23be005
    resourceVersion: "1995"
    uid: f38eb63b-eb82-495e-8831-f893644dff00
    spec:
    providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    • action:
      • elasticloadbalancing:DescribeLoadBalancers
      • route53:ListHostedZones
      • route53:ListTagsForResources <-------------------------
      • route53:ChangeResourceRecordSets
      • tag:GetResources
        effect: Allow
        resource: '*'
        secretRef:
        name: cloud-credentials
        namespace: openshift-ingress-operator
        serviceAccountNames:
  • ingress-operator
    status:
    conditions:
  • lastProbeTime: "2023-07-02T07:28:40Z"
    lastTransitionTime: "2023-07-02T07:28:40Z"
    message: successfully granted credentials request
    reason: CredentialsProvisionSuccess
    status: "False"
    type: CredentialsProvisionFailure
    lastSyncCloudCredsSecretResourceVersion: "1894"
    lastSyncGeneration: 1
    lastSyncTimestamp: "2023-07-02T07:28:40Z"
    providerStatus:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderStatus
    policy: ci-ln-lwbrwsb-76ef8--openshift-ingress-7wnw2-policy
    user: ci-ln-lwbrwsb-76ef8--openshift-ingress-7wnw2
    provisioned: true
    melvinjoseph@mjoseph-mac Downloads % oc get co
    oc NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
    authentication 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 7m15s
    baremetal 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    cloud-controller-manager 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 28m
    cloud-credential 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 29m
    cluster-autoscaler 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    config-operator 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    console 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 11m
    control-plane-machine-set 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 24m
    csi-snapshot-controller 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    dns 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    etcd 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 24m
    image-registry 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 20m
    ingress 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 16m
    insights 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 17m
    kube-apiserver 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 23m
    kube-controller-manager 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 23m
    kube-scheduler 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 23m
    kube-storage-version-migrator 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    machine-api 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 21m
    machine-approver 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    machine-config 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 24m
    marketplace 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    monitoring 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 13m
    network 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 28m
    node-tuning 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    openshift-apiserver 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 8m13s
    openshift-controller-manager 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    openshift-samples 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 20m
    operator-lifecycle-manager 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    operator-lifecycle-manager-catalog 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    operator-lifecycle-manager-packageserver 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 21m
    service-ca 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 26m
    storage 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 25m
    melvinjoseph@mjoseph-mac Downloads % oc get co/ingress
    NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
    ingress 4.12.0-0.ci.test-2023-07-02-071721-ci-ln-lwbrwsb-latest True False False 16m
    melvinjoseph@mjoseph-mac Downloads % oc get po -n openshift-ingress
    NAME READY STATUS RESTARTS AGE
    router-default-59ccd55cf8-grqfp 1/1 Running 0 26m
    router-default-59ccd55cf8-s52jc 1/1 Running 0 26m
    melvinjoseph@mjoseph-mac Downloads % oc get po -n openshift-ingress-operator
    NAME READY STATUS RESTARTS AGE
    ingress-operator-99749874b-n8mmz 2/2 Running 3 (19m ago) 30m

@Miciah
Copy link
Contributor Author

Miciah commented Jul 20, 2023

This backport is low-risk as it only adds a required permission and has been pre-merge verified.
/label backport-risk-assessed

e2e-aws-operator failed because TestAWSELBConnectionIdleTimeout and TestRouterCompressionOperation failed. These test failures are known issues that should be fixed by #959 and #963, respectively.

e2e-gcp-ovn-serial failed because [sig-instrumentation] Prometheus [apigroup:image.openshift.io] when installed on the cluster shouldn't report any alerts in firing state apart from Watchdog and AlertmanagerReceiversNotConfigured failed.

{  "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.project.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.quota.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.route.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.security.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.template.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      },
      {
        "metric": {
          "__name__": "ALERTS",
          "alertname": "KubeAggregatedAPIErrors",
          "alertstate": "firing",
          "name": "v1.user.openshift.io",
          "namespace": "default",
          "prometheus": "openshift-monitoring/k8s",
          "severity": "warning"
        },
        "value": [
          1688285125.514,
          "1"
        ]
      }
    ]
occurred
Ginkgo exit error 1: exit with code 1}

Also, [sig-instrumentation][Late] Alerts shouldn't report any unexpected alerts in firing or pending state failed.

{  fail [github.com/onsi/ginkgo/v2@v2.1.5-0.20220909190140-b488ab12695a/internal/suite.go:612]: Jul  2 09:30:51.894: Unexpected alerts fired or pending after the test run:  alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.apps.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.authorization.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.build.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.image.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.oauth.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.project.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.quota.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.route.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.security.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.template.openshift.io", namespace="default", severity="warning"} alert KubeAggregatedAPIErrors fired for 180 seconds with labels: {name="v1.user.openshift.io", namespace="default", severity="warning"} Ginkgo exit error 1: exit with code 1}

Let's see whether the same issue happens again.
/test e2e-gcp-ovn-serial

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jul 20, 2023
@melvinjoseph86
Copy link

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jul 21, 2023
@melvinjoseph86
Copy link

/retest-required

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 37c11f6 and 2 for PR HEAD 49791ea in total

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 7a507e4 and 1 for PR HEAD 49791ea in total

@melvinjoseph86
Copy link

/retest-required

@melvinjoseph86
Copy link

/test e2e-aws-operator

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD e56a18d and 0 for PR HEAD 49791ea in total

@openshift-ci-robot
Copy link
Contributor

/hold

Revision 49791ea was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 3, 2023
@Miciah
Copy link
Contributor Author

Miciah commented Aug 7, 2023

/hold cancel
/test all
since #963 and #964 have merged.

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 7, 2023
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 8b44d0b and 2 for PR HEAD 49791ea in total

@melvinjoseph86
Copy link

/retest-required

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Aug 8, 2023

@Miciah: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-single-node 49791ea link false /test e2e-aws-ovn-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit d5fe3f4 into openshift:release-4.12 Aug 8, 2023
9 of 10 checks passed
@openshift-ci-robot
Copy link
Contributor

@Miciah: Jira Issue OCPBUGS-15467: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-15467 has been moved to the MODIFIED state.

In response to this:

This is a manual cherry-pick of #868. pkg/manifests/bindata.go had a conflict and had to be regenerated for the backport.

The defined CredentialsRequest is missing a required permission for the AWS "Provider.lookupZoneIDWithoutResourceTagging" method.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot
Copy link
Contributor

Fix included in accepted release 4.12.0-0.nightly-2023-08-08-111329

@wking wking mentioned this pull request Aug 10, 2023
Merged
wking added a commit to wking/openshift-release that referenced this pull request Aug 13, 2023
@wking
ci-operator/config/openshift/release: Run credentials-request-freeze …
d2d6640 
…every 48h

Rolling back changes from 26ebda9 (Bulk frequency reduce of 4.12
periodics to limit costs of CI platform, 2023-07-07, openshift#40924) and
similar.  These jobs are very cheap, because they do not launch a
cluster (they just compare release image content), and running them
more frequently gives plenty of post-merge time before a release gets
cut to discuss what to do about changes like [1] adding
route53:ListTagsForResources as an ingress permission in 4.12.

[1]: openshift/cluster-ingress-operator#954
openshift-merge-robot pushed a commit to openshift/release that referenced this pull request Aug 15, 2023
@wking
ci-operator/config/openshift/release: Run credentials-request-freeze …
37b5334 
…every 48h (#42215)

Rolling back changes from 26ebda9 (Bulk frequency reduce of 4.12
periodics to limit costs of CI platform, 2023-07-07, #40924) and
similar.  These jobs are very cheap, because they do not launch a
cluster (they just compare release image content), and running them
more frequently gives plenty of post-merge time before a release gets
cut to discuss what to do about changes like [1] adding
route53:ListTagsForResources as an ingress permission in 4.12.

[1]: openshift/cluster-ingress-operator#954
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frobware frobware Awaiting requested review from frobware

@gcs278 gcs278 Awaiting requested review from gcs278

@lihongan lihongan Awaiting requested review from lihongan

Assignees

@candita candita

@lihongan lihongan

@melvinjoseph86 melvinjoseph86

@ShudiLi ShudiLi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@Miciah @openshift-ci-robot @candita @melvinjoseph86 @openshift-merge-robot @lihongan @ShudiLi @montaguethomas