CORS-3931: [azure] add more permission when installing cluster in existing vnet #61374

jinyunma · 2025-02-07T04:24:49Z

Panic error is thrown from getNextAvailableIP when installing in shared VPC with minimal permissions, see failed job: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9422/pull-ci-openshift-installer-main-e2e-azure-ovn-shared-vpc/1885421707863265280 (slack thread)

Add additional permission "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read" to fix the issue

Read install-config and assign proper permission list based on various config, remove env ENABLE_MIN_PERMISSION_FOR_MARKETPLACE and ENABLE_MIN_PERMISSION_FOR_DES.
Extract custom role creation from step "azure-provision-service-principal-minimal-permission" as a separated step "azure-provision-custom-role", to cover case "install cluster with managed identity assigned minimal permissions" which only needs to custom role.
And introduce new chain "azure-provision-service-principal-minimal-permission" to include both steps.
Extract role assignment from step azure-provision-disk-encryption-set, azure-provision-vnet,ipi-conf-azure-resourcegroup as separated steps, only run role assignment steps in dedicated jobs instead of using ENV to control it.

jinyunma · 2025-02-07T04:30:26Z

/pj-rehearse pull-ci-openshift-installer-main-e2e-azure-ovn-shared-vpc

openshift-ci-robot · 2025-02-07T04:30:29Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jinyunma · 2025-02-07T06:52:08Z

Installation on shared vpc succeeded in job

/pj-rehearse ack

cc @jianlinliu @gpei to review

openshift-ci-robot · 2025-02-07T06:52:11Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jianlinliu · 2025-02-07T06:55:46Z

...rincipal/minimal-permission/azure-provision-service-principal-minimal-permission-commands.sh


+# optional permissions when installing cluster in existing vnet
+required_permissions="""
+\"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read\",


The permission is needed by recent PR change, but not for all the previous OCP versions, right?

should be related with bug https://issues.redhat.com//browse/OCPBUGS-37442, which has been backported to 4.17. So this permission is required on 4.17+ CAPI install.
Will file doc bug to request to add the permission on 4.17+.

Shall we place the needed permission into the if block on line 281?

Error happens when creating manifests, this should impact both IPI and UPI.
But I can update to only apply permission on 4.17+.

@jinyunma one more question, does it only affect the installation for existing vnet? If so, do we need a separate env var to control it, so we can skip this permission for IPI install without existing vnet?

Good suggestion.
As discussed offline, will read install-config and assign proper permissions based on various config.

jianlinliu · 2025-02-07T08:07:38Z

/lgtm

jinyunma · 2025-02-07T08:11:38Z

/pj-rehearse ack

openshift-ci-robot · 2025-02-07T08:11:42Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

jinyunma · 2025-02-07T08:13:11Z

/hold

jinyunma · 2025-02-07T11:44:15Z

/pj-rehearse pull-ci-openshift-installer-main-azure-ovn-marketplace-images periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-des-mini-perm-fips-amd-f28-destructive periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-upi-mini-perm-amd-f28-destructive periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-ipi-marketplace-mini-perm-f7

openshift-ci-robot · 2025-02-07T11:44:17Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

...taller-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml

jinyunma · 2025-02-07T15:04:26Z

/pj-rehearse pull-ci-openshift-installer-main-e2e-azure-ovn-shared-vpc periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-des-mini-perm-fips-amd-f28-destructive periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-upi-mini-perm-amd-f28-destructive periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-oidc-mini-perm-arm-f7

patrickdillon · 2025-02-24T17:47:11Z

/approve

patrickdillon · 2025-02-24T17:51:39Z

/approve

jianlinliu · 2025-02-25T01:48:47Z

cc @liangxia to approve

jianlinliu · 2025-02-25T01:49:42Z

/lgtm

jinyunma · 2025-02-25T01:55:12Z

/pj-rehearse ack

openshift-ci-robot · 2025-02-25T01:55:14Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

liangxia · 2025-02-25T02:04:49Z

ci-operator/config/openshift-priv/installer/openshift-priv-installer-main.yaml

-    - ref: azure-provision-service-principal-minimal-permission
    - ref: ipi-conf
    - ref: ipi-conf-azure-default
+    - chain: azure-provision-service-principal-minimal-permission


Do we really want to change openshift-priv ones ?

Are those openshift-priv jobs automatically synced up by some way? I searched them when updating this chain.
I'm not sure when this job will be triggered. Once triggered, the change is needed here.

Yeah, we updated the openshift-priv ones on purpose because of mini-perm change.

AFAIK, those openshift-priv are used by ART team. Generally we don't touch them as there are auto sync mechanism.
If you are sure this is exactly needed, I can approve it. Just let me know.

got it, the change is required regardless in which way to update them.
Thanks for approving this.

@liangxia I removed the change in openshift-priv job config, PTAL.

seems that the change must be done manually in this PR for openshift-priv jobs, otherwise job pull-ci-openshift-release-master-ci-operator-config failed, because some envs are removed on purpose in this PR.

So I changed back for openshift-priv jobs.

liangxia · 2025-02-25T05:36:20Z

/approve

openshift-ci · 2025-02-25T05:39:28Z

@jinyunma: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-ipi-marketplace-mini-perm-f7	`70960ab`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-azure-ipi-marketplace-mini-perm-f7`
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-oidc-mini-perm-amd-f28-destructive	`f6eaab0`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-oidc-mini-perm-amd-f28-destructive`
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-des-mini-perm-arm-f14	`eff43be`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-des-mini-perm-arm-f14`
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-private-spec-net-type-spec-perm-arm-f7	`deb286f`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.18-multi-nightly-azure-ipi-private-spec-net-type-spec-perm-arm-f7`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2025-02-25T05:42:50Z

[REHEARSALNOTIFIER]
@jinyunma: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-external-dns-operator-main-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-main-e2e-azure-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-4.15-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.2-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.2-e2e-azure-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.0-e2e-azure-ovn-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.0-e2e-azure-ovn-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-0.1-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.1-e2e-azure-ovn-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-1.1-e2e-azure-ovn-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-4.17-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-4.17-e2e-azure-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-4.16-e2e-azure-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-external-dns-operator-release-4.16-e2e-azure-infoblox-operator	openshift/external-dns-operator	presubmit	Registry content changed
pull-ci-openshift-qe-ocp-qe-perfscale-ci-main-azure-4.15-nightly-x86-data-path-9nodes	openshift-qe/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-qe-ocp-qe-perfscale-ci-main-azure-4.16-nightly-x86-data-path-9nodes	openshift-qe/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-qe-ocp-qe-perfscale-ci-main-azure-4.19-nightly-x86-data-path-9nodes	openshift-qe/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-qe-ocp-qe-perfscale-ci-main-azure-4.16-nightly-arm-control-plane-3nodes-arm	openshift-qe/ocp-qe-perfscale-ci	presubmit	Registry content changed
pull-ci-openshift-sandboxed-containers-operator-release-1.8-sandboxed-containers-operator-e2e	openshift/sandboxed-containers-operator	presubmit	Registry content changed
pull-ci-openshift-sandboxed-containers-operator-devel-sandboxed-containers-operator-e2e	openshift/sandboxed-containers-operator	presubmit	Registry content changed
pull-ci-openshift-cluster-api-master-e2e-azure-capi-techpreview	openshift/cluster-api	presubmit	Registry content changed
pull-ci-openshift-cluster-api-release-4.20-e2e-azure-capi-techpreview	openshift/cluster-api	presubmit	Registry content changed
pull-ci-openshift-cluster-api-release-4.19-e2e-azure-capi-techpreview	openshift/cluster-api	presubmit	Registry content changed
pull-ci-openshift-cluster-api-release-4.18-e2e-azure-capi-techpreview	openshift/cluster-api	presubmit	Registry content changed
pull-ci-openshift-cluster-config-operator-master-e2e-azure	openshift/cluster-config-operator	presubmit	Registry content changed

A total of 2467 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

gpei · 2025-02-25T05:49:03Z

/lgtm

openshift-ci · 2025-02-25T05:49:31Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gpei, jianlinliu, jinyunma, liangxia, patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~ci-operator/config/openshift/installer/OWNERS~~ [liangxia,patrickdillon]
~~ci-operator/config/openshift/openshift-tests-private/OWNERS~~ [liangxia]
~~ci-operator/config/openshift/verification-tests/OWNERS~~ [gpei,jianlinliu,liangxia]
~~ci-operator/step-registry/azure/OWNERS~~ [jianlinliu,jinyunma,liangxia,patrickdillon]
~~ci-operator/step-registry/cucushift/installer/rehearse/azure/OWNERS~~ [gpei,jianlinliu,jinyunma,liangxia]
~~ci-operator/step-registry/ipi/azure/OWNERS~~ [jianlinliu,liangxia,patrickdillon]
~~ci-operator/step-registry/ipi/conf/azure/resourcegroup/OWNERS~~ [jianlinliu,liangxia,patrickdillon]
~~ci-operator/step-registry/openshift/e2e/azure/OWNERS~~ [liangxia,patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jinyunma · 2025-02-25T05:58:09Z

/pj-rehearse ack

openshift-ci-robot · 2025-02-25T05:58:12Z

@jinyunma: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

…shift#61374)

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 7, 2025

openshift-ci bot requested review from dgoodwin and sosiouxme February 7, 2025 04:25

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 7, 2025

jianlinliu reviewed Feb 7, 2025

View reviewed changes

jinyunma force-pushed the az-byo-vpc-permission branch from 11e52b0 to 69a16bb Compare February 7, 2025 08:05

openshift-ci bot assigned jianlinliu Feb 7, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 7, 2025

openshift-ci-robot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 7, 2025

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 7, 2025

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 7, 2025

jinyunma force-pushed the az-byo-vpc-permission branch from 69a16bb to d85e505 Compare February 7, 2025 11:13

openshift-ci bot removed lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 7, 2025

openshift-ci-robot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 7, 2025

jinyunma force-pushed the az-byo-vpc-permission branch from d85e505 to 70960ab Compare February 7, 2025 11:24

jianlinliu reviewed Feb 7, 2025

View reviewed changes

...taller-rehearse-azure-ipi-cco-manual-workload-identity-managed-identity-provision-chain.yaml Outdated Show resolved Hide resolved

jinyunma force-pushed the az-byo-vpc-permission branch 2 times, most recently from b32ff88 to 34d925a Compare February 7, 2025 14:58

patrickdillon mentioned this pull request Feb 24, 2025

OCPBUGS-50534: Fix error messages in available IP code openshift/installer#9503

Merged

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2025

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 25, 2025

liangxia reviewed Feb 25, 2025

View reviewed changes

jinyunma force-pushed the az-byo-vpc-permission branch from ae630e2 to 4ac0a99 Compare February 25, 2025 05:21

openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2025

jinyunma force-pushed the az-byo-vpc-permission branch from 4ac0a99 to c98d27d Compare February 25, 2025 05:23

openshift-ci-robot removed the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 25, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 25, 2025

[azure] add permission when installing cluster in existing vnet

e0ba71a

jinyunma force-pushed the az-byo-vpc-permission branch from c98d27d to e0ba71a Compare February 25, 2025 05:38

openshift-ci bot assigned gpei Feb 25, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2025

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 25, 2025

openshift-merge-bot bot merged commit 10c94a5 into openshift:master Feb 25, 2025
15 checks passed

jinyunma deleted the az-byo-vpc-permission branch February 25, 2025 06:02

phani2898 pushed a commit to phani2898/release that referenced this pull request Feb 26, 2025

[azure] add permission when installing cluster in existing vnet (open…

ee89417

…shift#61374)

CORS-3931: [azure] add more permission when installing cluster in existing vnet #61374

CORS-3931: [azure] add more permission when installing cluster in existing vnet #61374

Uh oh!

Conversation

jinyunma commented Feb 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

openshift-ci-robot commented Feb 7, 2025

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

openshift-ci-robot commented Feb 7, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jianlinliu commented Feb 7, 2025

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

openshift-ci-robot commented Feb 7, 2025

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

openshift-ci-robot commented Feb 7, 2025

Uh oh!

Uh oh!

jinyunma commented Feb 7, 2025

Uh oh!

patrickdillon commented Feb 24, 2025

Uh oh!

patrickdillon commented Feb 24, 2025

Uh oh!

jianlinliu commented Feb 25, 2025

Uh oh!

jianlinliu commented Feb 25, 2025

Uh oh!

jinyunma commented Feb 25, 2025

Uh oh!

openshift-ci-robot commented Feb 25, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

liangxia commented Feb 25, 2025

Uh oh!

openshift-ci bot commented Feb 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Feb 25, 2025

Uh oh!

gpei commented Feb 25, 2025

Uh oh!

openshift-ci bot commented Feb 25, 2025

Uh oh!

jinyunma commented Feb 25, 2025

jinyunma commented Feb 7, 2025 •

edited

Loading

openshift-ci bot commented Feb 25, 2025 •

edited

Loading