OCPBUGS-55777: Add missing Role, RoleBinding #860

stephenfin · 2025-05-21T11:52:29Z

As noted by QE, we missed this in #850. Add it now.

openshift-ci-robot · 2025-05-21T11:52:41Z

@stephenfin: This pull request references Jira Issue OCPBUGS-55777, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.20.0) matches configured target version for branch (4.20.0)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianping-shu

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

As noted by QE, we missed this in #850. Add it now.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

mandre

/lgtm

This new role allows to read the cloud-provider-config configmap in the openshift-config namespace.

jstuever · 2025-05-21T23:15:13Z

/test e2e-openstack

jstuever · 2025-05-21T23:15:39Z

/assign @jianping-shu
for pre-merge testing

jianping-shu · 2025-05-22T07:16:44Z

@stephenfin The pre-merge testing failed, still the same.
(1) CCO has the following logs, looks like CCO was listing the configmap instead of get?
I0522 05:00:57.039480 1 reflector.go:349] Listing and watching *v1.ConfigMap from sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108
W0522 05:00:57.044098 1 reflector.go:569] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope
E0522 05:00:57.044142 1 reflector.go:166] "Unhandled Error" err="sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:108: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-cloud-credential-operator:cloud-credential-operator" cannot list resource "configmaps" in API group "" at the cluster scope" logger="UnhandledError"

(2)And the output of the following command is exactly the same to the one in previous test.
oc get clusterroles.rbac.authorization.k8s.io cloud-credential-operator-role -o yaml

(3)Add ca-bundle.pem in configmap openshift-config/cloud-provider-config, the root credential secret kept no change.

jianping-shu · 2025-05-27T03:51:50Z

Tested again but still the same error.
The rbac output for below command was still not changed.
oc get clusterroles.rbac.authorization.k8s.io cloud-credential-operator-role -o yaml

Reflect their respective namespaces. Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

…config CM Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

Unlike the other clients, this one does not use caching (which requires the operator have cluster-wide access to config maps). This is the same thing done for AWS. Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

codecov · 2025-05-29T11:02:46Z

Codecov Report

Attention: Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 47.14%. Comparing base (6a880b4) to head (a87b3b4).
Report is 6 commits behind head on master.

Files with missing lines	Patch %	Lines
...g/operator/secretannotator/openstack/reconciler.go	66.66%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #860      +/-   ##
==========================================
+ Coverage   46.97%   47.14%   +0.16%     
==========================================
  Files          97       97              
  Lines       11907    12011     +104     
==========================================
+ Hits         5593     5662      +69     
- Misses       5696     5727      +31     
- Partials      618      622       +4

Files with missing lines	Coverage Δ
...g/operator/secretannotator/openstack/reconciler.go	`53.62% <66.66%> (-0.06%)`	⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jianping-shu · 2025-05-30T07:03:48Z

Tested w/ OCP-82011
In summary:
(1)When ca-bundle.pem is added/modified in configmap cloud-provider-config -n openshift-config, it will be synced to the root credential secret(kube-system/openstack-credentials) then the component credential secrets. But it won't be synced immediately, instead it will be synced in next cco reconcile.
(2)When ca-bundle.pem is removed, the cacert part in the root credential secret and the component credential secrets won't removed after next cco reconcile.
Pls. check if the above behaviors are ok

stephenfin · 2025-05-30T10:54:08Z

Pls. check if the above behaviors are ok

That sounds correct, yes 👍

manifests/01-config-managed-role.yaml

pkg/operator/secretannotator/openstack/reconciler.go

jstuever · 2025-06-04T19:21:31Z

/retest

jstuever · 2025-06-04T19:22:14Z

/test e2e-openshift

openshift-ci · 2025-06-04T19:22:24Z

@jstuever: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test coverage

/test e2e-aws-ovn

/test e2e-azure-manual-oidc

/test e2e-hypershift

/test e2e-upgrade

/test images

/test security

/test unit

/test verify

/test verify-deps

The following commands are available to trigger optional jobs:

/test e2e-aws-manual-oidc

/test e2e-aws-qe

/test e2e-azure

/test e2e-azure-upgrade

/test e2e-gcp

/test e2e-gcp-manual-oidc

/test e2e-openstack

/test e2e-openstack-parallel

/test okd-scos-e2e-aws-ovn

/test okd-scos-images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cloud-credential-operator-master-coverage

pull-ci-openshift-cloud-credential-operator-master-e2e-aws-ovn

pull-ci-openshift-cloud-credential-operator-master-e2e-aws-qe

pull-ci-openshift-cloud-credential-operator-master-e2e-hypershift

pull-ci-openshift-cloud-credential-operator-master-e2e-upgrade

pull-ci-openshift-cloud-credential-operator-master-images

pull-ci-openshift-cloud-credential-operator-master-okd-scos-e2e-aws-ovn

pull-ci-openshift-cloud-credential-operator-master-security

pull-ci-openshift-cloud-credential-operator-master-unit

pull-ci-openshift-cloud-credential-operator-master-verify

pull-ci-openshift-cloud-credential-operator-master-verify-deps

Details

In response to this:

/test e2e-openshift

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jstuever · 2025-06-04T19:22:45Z

/test e2e-openstack

jstuever · 2025-06-04T19:23:59Z

/hold
for e2e-hypershift and e2e-openstack

jstuever · 2025-06-04T19:24:14Z

/lgtm
/approve

openshift-ci · 2025-06-04T19:24:58Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever, mandre, stephenfin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

stephenfin · 2025-06-04T22:57:02Z

/test e2e-openstack

Just a slow node causing : [bz-openshift-apiserver] clusteroperator/openshift-apiserver should not change condition/Available to fail, but it would be good to have a clean run.

jianping-shu · 2025-06-05T06:06:15Z

/retest

stephenfin · 2025-06-05T13:21:19Z

/unhold

stephenfin · 2025-06-05T13:22:15Z

CI is green. No further need for the hold. Thanks for the reviews/help, @jstuever @jianping-shu

openshift-ci-robot · 2025-06-05T17:06:29Z

/retest-required

Remaining retests: 0 against base HEAD f95f61d and 2 for PR HEAD a87b3b4 in total

openshift-ci · 2025-06-05T20:20:59Z

@stephenfin: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2025-06-05T20:26:08Z

@stephenfin: Jira Issue OCPBUGS-55777: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-55777 has been moved to the MODIFIED state.

Details

In response to this:

As noted by QE, we missed this in #850. Add it now.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-06-06T00:12:57Z

[ART PR BUILD NOTIFIER]

Distgit: ose-cloud-credential-operator
This PR has been included in build ose-cloud-credential-operator-container-v4.20.0-202506052341.p0.g92e68ab.assembly.stream.el9.
All builds following this will include this PR.

OCPBUGS-55777: Add missing Role, RoleBinding

openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels May 21, 2025

openshift-ci bot requested review from 2uasimojo, dlom and jianping-shu May 21, 2025 11:52

stephenfin mentioned this pull request May 21, 2025

[release-4.19] OCPBUGS-55798: Sync OpenStack CA Bundles from legacy location #856

Closed

mandre reviewed May 21, 2025

View reviewed changes

openshift-ci bot assigned mandre May 21, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 21, 2025

openshift-ci bot assigned jianping-shu May 21, 2025

stephenfin force-pushed the OCPBUGS-55777 branch from 0032660 to 71c537d Compare May 26, 2025 11:48

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label May 26, 2025

stephenfin added 2 commits May 28, 2025 14:27

manifests: Rename existing Role, RoleBinding manifests

a4fd1ec

Reflect their respective namespaces. Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

manifests: Add Role, RoleBinding for openshift-config/cloud-provider-…

a625272

…config CM Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

stephenfin force-pushed the OCPBUGS-55777 branch 2 times, most recently from 2fbc82b to bcaa77e Compare May 28, 2025 14:33

openstack: Use a "live client" for fetching config map

a87b3b4

Unlike the other clients, this one does not use caching (which requires the operator have cluster-wide access to config maps). This is the same thing done for AWS. Signed-off-by: Stephen Finucane <stephenfin@redhat.com>

stephenfin force-pushed the OCPBUGS-55777 branch from bcaa77e to a87b3b4 Compare May 29, 2025 09:43

stephenfin mentioned this pull request May 30, 2025

[release-4.19] OCPBUGS-55798: Sync OpenStack CA Bundles from legacy location #866

Merged

jstuever reviewed Jun 4, 2025

View reviewed changes

manifests/01-config-managed-role.yaml Show resolved Hide resolved

pkg/operator/secretannotator/openstack/reconciler.go Show resolved Hide resolved

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 4, 2025

openshift-ci bot assigned jstuever Jun 4, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 4, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2025

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 5, 2025

openshift-merge-bot bot merged commit 92e68ab into openshift:master Jun 5, 2025
13 checks passed

openshift-merge-bot bot deleted the OCPBUGS-55777 branch June 5, 2025 20:26

ming1013 pushed a commit to ming1013/cloud-credential-operator that referenced this pull request Dec 15, 2025

Merge pull request openshift#860 from shiftstack/OCPBUGS-55777

5a1dd03

OCPBUGS-55777: Add missing Role, RoleBinding

OCPBUGS-55777: Add missing Role, RoleBinding #860

OCPBUGS-55777: Add missing Role, RoleBinding #860

Uh oh!

Conversation

stephenfin commented May 21, 2025

Uh oh!

openshift-ci-robot commented May 21, 2025

Uh oh!

mandre left a comment

Choose a reason for hiding this comment

Uh oh!

jstuever commented May 21, 2025

Uh oh!

jstuever commented May 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jianping-shu commented May 22, 2025

Uh oh!

jianping-shu commented May 27, 2025

Uh oh!

codecov bot commented May 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

jianping-shu commented May 30, 2025

Uh oh!

stephenfin commented May 30, 2025

Uh oh!

Uh oh!

Uh oh!

jstuever commented Jun 4, 2025

Uh oh!

jstuever commented Jun 4, 2025

Uh oh!

openshift-ci bot commented Jun 4, 2025

Uh oh!

jstuever commented Jun 4, 2025

Uh oh!

jstuever commented Jun 4, 2025

Uh oh!

jstuever commented Jun 4, 2025

Uh oh!

openshift-ci bot commented Jun 4, 2025

Uh oh!

stephenfin commented Jun 4, 2025

Uh oh!

jianping-shu commented Jun 5, 2025

Uh oh!

stephenfin commented Jun 5, 2025

Uh oh!

stephenfin commented Jun 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Jun 5, 2025

Uh oh!

openshift-ci bot commented Jun 5, 2025

Uh oh!

Uh oh!

openshift-ci-robot commented Jun 5, 2025

Uh oh!

openshift-bot commented Jun 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

jstuever commented May 21, 2025 •

edited

Loading

codecov bot commented May 29, 2025 •

edited

Loading

stephenfin commented Jun 5, 2025 •

edited

Loading