OCPBUGS-97705: fix(azure): skip KMS validation for private Key Vaults on ARO HCP#8965
Conversation
CPO cannot reach private Key Vault endpoints — KAS pods access them through the private router (HAProxy TCP passthrough via hostAlias). Short-circuit ValidAzureKMSConfig to True for ARO HCP clusters with KeyVaultAccess=Private, deferring validation to runtime. Signed-off-by: Vimal Solanki <vsolanki@redhat.com>
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
Skipping CI for Draft Pull Request. |
|
@vsolanki12: This pull request references Jira Issue OCPBUGS-97705, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
📝 WalkthroughWalkthroughThe 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vsolanki12 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@vsolanki12: This pull request references Jira Issue OCPBUGS-97705, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8965 +/- ##
==========================================
+ Coverage 43.53% 43.55% +0.02%
==========================================
Files 771 771
Lines 95753 95811 +58
==========================================
+ Hits 41683 41732 +49
- Misses 51172 51179 +7
- Partials 2898 2900 +2
... and 2 files with indirect coverage changes
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
@vsolanki12: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
I have all the information needed. Here is the analysis: Test Failure Analysis CompleteJob Information
Test Failure AnalysisErrorSummaryThis failure is not caused by the PR's code changes. The Konflux pipeline task Root CauseThe root cause is a transient Quay.io registry outage (HTTP 503) that occurred during the Specifically, the Konflux pipeline runner attempted to pull the image Key facts confirming this is infrastructure flakiness, not a code issue:
Recommendations
Evidence
|
Summary
ValidAzureKMSConfigHTTPS validation for ARO HCP clusters withKeyVaultAccess: PrivateValidAzureKMSConfig: Truewith message deferring validation to runtime, matching the existing self-managed Azure patternBug
OCPBUGS-97705
validateAzureKMSConfig()loads managed identity credentials and then attempts direct HTTPS validation against the Key Vault URL. For private Key Vaults, this fails with403 ForbiddenByConnectionbecause CPO has no network path to the private endpoint.Verification
Tested on a live ARO HCP cluster on AKS (OCP
5.0.0-ec.3) with custom CPO image containing the fix:Test plan
TestValidateAzureKMSConfig_PrivateKeyVaultadded and passingmake testpassesmake verifypassesSummary by CodeRabbit