OSD-26415: Allow pull-secret to be updated w/o transferring ownership.
This PR attempts to allow a user to update a cluster's pull secret w/o transferring ownership for both classic and HCP clusters.
- ~~This adds a new CLI arg '--pull-secret-only' (bool) which is mutually exclusive with '--new-owner'.~~
- This adds a new command 'osdctl cluster update-pullsecret'. This cmd is a wrapper re-using the transfer-owner's pullsecret update functions and general flow.
- When 'updating the pull secret only' is used the utility will now exit after the pull secret is updated with the account's OCM accessToken values.
- The pull secret only op prompts user to choose to send an internal service log before the operation begins, and prompts to send a customer service log after the operation completes.
- This adds additional programmatic checks/comparisons of the resulting on cluster pull-secret auths for the end user to review.
- The new programmatic checks/comparisons may negate the need for printing to the terminal for visual comparison. Previously this util printed the secret data to the terminal; this PR changes this to instead warn + prompt the user to choose whether or not to print the raw data for the optional visual inspection.
- Additional information and formatting of errors.
Example usage:
```
osdctl cluster update-pullsecret -h
Update cluster pullsecret with current OCM accessToken data(to be done by Region Lead)

Usage:
  osdctl cluster update-pullsecret [flags]

Examples:
  # Update Pull Secret's OCM access token data
  osdctl cluster update-pullsecret --cluster-id 1kfmyclusteristhebesteverp8m --reason "Update PullSecret per pd or jira-id"
```
@nephomaniac: This pull request references OSD-26415 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.
In response to this:
This PR attempts to allow a user to update a cluster's pull secret w/o transferring ownership for both classic and HCP clusters.
- This adds a new CLI arg '--pull-secret-only' (bool) which is mutually exclusive with '--new-owner'.
- When '--pull-secret-only' is used the utility will now exit after the pull secret is updated with the account's OCM accessToken values.
- The pull secret only op prompts user to choose to send an internal service log before the operation begins, and prompts to send a customer service log after the operation completes.
- This adds additional programmatic checks/comparisons of the resulting on cluster pull-secret auths for the end user to review, in addition to the previous printed raw data and added indented/pretty printed data for visual comparison and user confirmation(s).
- Additional information and formatting of errors
Example usage:
osdctl -S cluster transfer-owner -C 2ho9npdt3oeq3t604ria3lq3vcABC123 --reason "testing [OSD-26415](https://issues.redhat.com//browse/OSD-26415)" --pull-secret-only
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
@nephomaniac would you mind posting the output of the command running to the PR, just as an added validation?
Example 'pull-secret rotation w/o ownership transfer' ... (note stack trace is addressed in PR #704)
(⎈|api-maclarkstatest-4...:default)➜ osdctl/ git:(OSD-26415) ./osdctl -S cluster transfer-owner -C 2hpl2shfhj34boahjiqr8j85i9ilr6k7 --reason "testing OSD-26415" --pull-secret-only
Old username:'maclark.openshift'
Given cluster is HCP, start to proceed the HCP owner transfer
Gathering all required information for the cluster transfer...
Using old account values. OwnerAccount:'maclark.openshift'
old orgID:'1HELaFOf2YHWwwvt3XMbT5Mja7M', new orgID:'1HELaFOf2YHWwwvt3XMbT5Mja7M'
Internal SL Being Sent
INFO[0006] The following clusters match the given parameters:
Name ID State Version Cloud Provider Region
maclarkstatest 2hpl2shfhj34boahjiqr8j85i9ilr6k7 ready 4.18.5 aws us-west-2
INFO[0007] The following template will be sent:
{
"severity":"Info",
"service_name":"SREManualAction",
"summary":"INTERNAL ONLY, DO NOT SHARE WITH CUSTOMER",
"description":"Pull-secret update initiated. UserName:'1455657', OwnerID:'maclark.openshift'",
"internal_only":true,
"event_stream_id":"",
"doc_references":null
}
Continue? (y/N): y
INFO[0013] Success: 1, Failed: 0
INFO[0013] Successful clusters:
ID Status
055a7a55-d0cc-4348-b2d5-74ef5bbab593 Message has been successfully sent to 055a7a55-d0cc-4348-b2d5-74ef5bbab593
INFO[0013] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0013] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
INFO[0015] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0015] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
Pull Secret data(Indented)...
{
"auths": {
"cloud.openshift.com": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"quay.io": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "**REDACTED",
"email": "[email protected]"
}
}
}
Please review Pull Secret data to be used for update(after formatting):
{"auths":{"cloud.openshift.com":{"auth":"**REDACTED","email":"[email protected]"},"quay.io":{"auth":"**REDACTED","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED","email":"[email protected]"}}}
Do you want to continue? (yes/no): yes
updateManifestwork begin...
get() Manifestwork...
update() Manifestwork...
Manifest work updated.
Sleeping 60 seconds here to allow secret to be synced on guest cluster
Create cluster kubecli...
INFO[0083] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0083] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
[controller-runtime] log.SetLogger(...) was never called; logs will not be displayed.
Detected at:
> goroutine 1 [running]:
> runtime/debug.Stack()
> /opt/homebrew/Cellar/go/1.23.2/libexec/src/runtime/debug/stack.go:26 +0x64
> sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:60 +0xf4
> sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).WithName(0x1400065b800, {0x104e8394a, 0x14})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/deleg.go:147 +0x34
> github.com/go-logr/logr.Logger.WithName({{0x106c1a208, 0x1400065b800}, 0x0}, {0x104e8394a?, 0x14000186d00?})
> /Users/maclark/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:345 +0x40
> sigs.k8s.io/controller-runtime/pkg/client.newClient(0x0?, {0x0, 0x0, {0x0, 0x0}, 0x0, 0x0})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:118 +0xac
> sigs.k8s.io/controller-runtime/pkg/client.New(0x14000e861b0?, {0x0, 0x0, {0x0, 0x0}, 0x0, 0x0})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:98 +0x44
> github.com/openshift/osdctl/cmd/common.GetKubeConfigAndClient({0x14000e9af60, 0x20}, {0x1400100aa00, 0x2, 0x2})
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/common/helpers.go:56 +0x188
> github.com/openshift/osdctl/cmd/cluster.(*transferOwnerOptions).run(0x1400016fb00)
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/cluster/transferowner.go:897 +0x287c
> github.com/openshift/osdctl/cmd/cluster.newCmdTransferOwner.func2(0x14000048908?, {0x14000e9de00?, 0x4?, 0x104e36931?})
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/cluster/transferowner.go:84 +0x20
> github.com/spf13/cobra.(*Command).execute(0x14000048908, {0x14000e9dda0, 0x6, 0x6})
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1019 +0x814
> github.com/spf13/cobra.(*Command).ExecuteC(0x14000856308)
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x350
> github.com/spf13/cobra.(*Command).Execute(0x106b98298?)
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071 +0x1c
> main.main()
> /Users/maclark/sandbox/osdctl_new/osdctl/main.go:23 +0xd0
Cluster kubecli created
Comparing pull-secret to expected auth sections...
Auth 'cloud.openshift.com' - tokens match
Auth 'cloud.openshift.com' - emails match
Auth 'quay.io' - tokens match
Auth 'quay.io' - emails match
Auth 'registry.connect.redhat.com' - tokens match
Auth 'registry.connect.redhat.com' - emails match
Auth 'registry.redhat.io' - tokens match
Auth 'registry.redhat.io' - emails match
Comparison shows subset of Auths from OCM AuthToken have matching tokens + emails in cluster pull-secret. PASS
Actual Cluster Pull Secret:
{"auths":{"950916221866.dkr.ecr.us-east-1.amazonaws.com":{"auth":"**REDACTED==","email":""},"cloud.openshift.com":{"auth":"**REDACTED==","email":"[email protected]"},"quay.io":{"auth":"**REDACTED==","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED==","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED==","email":"[email protected]"}}}
Expected Auths from OCM AccessToken expected to be present in Pull Secret (note this can be a subset):
{"auths":{"cloud.openshift.com":{"auth":"**REDACTED==","email":"[email protected]"},"quay.io":{"auth":"**REDACTED==","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED==","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED==","email":"[email protected]"}}}
Does the actual pull secret match your expectation? (yes/no): yes
Pull secret verification (by user) successful.
Notify the customer the pull-secret update is completed. Sending service log.
INFO[0094] The following clusters match the given parameters:
Name ID State Version Cloud Provider Region
maclarkstatest 2hpl2shfhj34boahjiqr8j85i9ilr6k7 ready 4.18.5 aws us-west-2
WARN[0094] A service log has been submitted in last hour
Description: Pull-secret update initiated. UserName:'1455657', OwnerID:'maclark.openshift'
Continue? (y/N): y
INFO[0096] The following template will be sent:
{
"severity":"Info",
"service_name":"SREManualAction",
"summary":"Cluster pull secret updated",
"description":"The pull secret associated with account '2g9OLHPkwDDcXvq2mt7kjfIQ0gf' has been rotated by Red Hat SRE in order to ensure that your cluster has successful connectivity to the Red Hat Registry and OpenShift Cluster Manager. Should you wish, you may download the updated copy of your pull secret from https://console.redhat.com/openshift/downloads#tool-pull-secret#. This is an informational notice and no further action is required by you.",
"internal_only":false,
"event_stream_id":"",
"doc_references":null
}
Continue? (y/N): y
INFO[0097] Success: 1, Failed: 0
INFO[0097] Successful clusters:
ID Status
055a7a55-d0cc-4348-b2d5-74ef5bbab593 Message has been successfully sent to 055a7a55-d0cc-4348-b2d5-74ef5bbab593
Pull secret update complete, exiting successfully
Example output from ownership transfer.
Note: I do not have perms to complete this, but this example shows that the error is now presented to the user.
Note: stack trace is addressed in PR https://github.com/openshift/osdctl/pull/704
(⎈|api-maclarkstatest-4...:default)➜ osdctl/ git:(OSD-26415) ✗ ./osdctl -S cluster transfer-owner -C 2hpl2shfhj34boahjiqr8j85i9ilr6k7 --reason "testing OSD-26415" --new-owner 2g9OLHPkwDDcXvq2mt7kjfIQ0gf
Given cluster is HCP, start to proceed the HCP owner transfer
Gathering all required information for the cluster transfer...
old orgID:'1HELaFOf2YHWwwvt3XMbT5Mja7M', new orgID:'1HELaFOf2YHWwwvt3XMbT5Mja7M'
Notify the customer before ownership transfer commences. Sending service log.
INFO[0007] The following clusters match the given parameters:
Name ID State Version Cloud Provider Region
maclarkstatest 2hpl2shfhj34boahjiqr8j85i9ilr6k7 ready 4.18.5 aws us-west-2
WARN[0007] A service log has been submitted in last hour
Description: The pull secret associated with account '2g9OLHPkwDDcXvq2mt7kjfIQ0gf' has been rotated by Red Hat SRE in order to ensure that your cluster has successful connectivity to the Red Hat Registry and OpenShift Cluster Manager. Should you wish, you may download the updated copy of your pull secret from https://console.redhat.com/openshift/downloads#tool-pull-secret#. This is an informational notice and no further action is required by you.
WARN[0007] A service log has been submitted in last hour
Description: Pull-secret update initiated. UserName:'1455657', OwnerID:'maclark.openshift'
Continue? (y/N): y
INFO[0010] The following template will be sent:
{
"severity":"Info",
"service_name":"SREManualAction",
"summary":"Cluster Ownership Transfer Initiated",
"description":"Your requested cluster ownership transfer has been initiated. We expect the cluster to be available during this time.",
"internal_only":false,
"event_stream_id":"",
"doc_references":null
}
Continue? (y/N): y
INFO[0011] Success: 1, Failed: 0
INFO[0011] Successful clusters:
ID Status
055a7a55-d0cc-4348-b2d5-74ef5bbab593 Message has been successfully sent to 055a7a55-d0cc-4348-b2d5-74ef5bbab593
Internal SL Being Sent
INFO[0012] The following clusters match the given parameters:
Name ID State Version Cloud Provider Region
maclarkstatest 2hpl2shfhj34boahjiqr8j85i9ilr6k7 ready 4.18.5 aws us-west-2
WARN[0013] A service log has been submitted in last hour
Description: Your requested cluster ownership transfer has been initiated. We expect the cluster to be available during this time.
WARN[0013] A service log has been submitted in last hour
Description: The pull secret associated with account '2g9OLHPkwDDcXvq2mt7kjfIQ0gf' has been rotated by Red Hat SRE in order to ensure that your cluster has successful connectivity to the Red Hat Registry and OpenShift Cluster Manager. Should you wish, you may download the updated copy of your pull secret from https://console.redhat.com/openshift/downloads#tool-pull-secret#. This is an informational notice and no further action is required by you.
WARN[0013] A service log has been submitted in last hour
Description: Pull-secret update initiated. UserName:'1455657', OwnerID:'maclark.openshift'
Continue? (y/N): y
INFO[0014] The following template will be sent:
{
"severity":"Info",
"service_name":"SREManualAction",
"summary":"INTERNAL ONLY, DO NOT SHARE WITH CUSTOMER",
"description":"From user 'maclark.openshift' in Red Hat account 1455657 => user 'maclark.openshift' in Red Hat account 1455657.",
"internal_only":true,
"event_stream_id":"",
"doc_references":null
}
Continue? (y/N): y
INFO[0015] Success: 1, Failed: 0
INFO[0015] Successful clusters:
ID Status
055a7a55-d0cc-4348-b2d5-74ef5bbab593 Message has been successfully sent to 055a7a55-d0cc-4348-b2d5-74ef5bbab593
INFO[0016] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0016] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
INFO[0018] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0018] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
Pull Secret data(Indented)...
{
"auths": {
"cloud.openshift.com": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"quay.io": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "**REDACTED",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "**REDACTED",
"email": "[email protected]"
}
}
}
Please review Pull Secret data to be used for update(after formatting):
{"auths":{"cloud.openshift.com":{"auth":"**REDACTED","email":"[email protected]"},"quay.io":{"auth":"**REDACTED","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED","email":"[email protected]"}}}
Do you want to continue? (yes/no): yes
updateManifestwork begin...
get() Manifestwork...
update() Manifestwork...
Manifest work updated.
Sleeping 60 seconds here to allow secret to be synced on guest cluster
Create cluster kubecli...
INFO[0085] Backplane URL retrieved via OCM environment: https://api.stage.backplane.openshift.com
INFO[0085] No PagerDuty API Key configuration available. This will result in failure of `ocm-backplane login --pd <incident-id>` command.
[controller-runtime] log.SetLogger(...) was never called; logs will not be displayed.
Detected at:
> goroutine 1 [running]:
> runtime/debug.Stack()
> /opt/homebrew/Cellar/go/1.23.2/libexec/src/runtime/debug/stack.go:26 +0x64
> sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/log.go:60 +0xf4
> sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).WithName(0x1400065b640, {0x106d3794a, 0x14})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/log/deleg.go:147 +0x34
> github.com/go-logr/logr.Logger.WithName({{0x108ace208, 0x1400065b640}, 0x0}, {0x106d3794a?, 0x14001202900?})
> /Users/maclark/go/pkg/mod/github.com/go-logr/[email protected]/logr.go:345 +0x40
> sigs.k8s.io/controller-runtime/pkg/client.newClient(0x0?, {0x0, 0x0, {0x0, 0x0}, 0x0, 0x0})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:118 +0xac
> sigs.k8s.io/controller-runtime/pkg/client.New(0x14000b9a240?, {0x0, 0x0, {0x0, 0x0}, 0x0, 0x0})
> /Users/maclark/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/client.go:98 +0x44
> github.com/openshift/osdctl/cmd/common.GetKubeConfigAndClient({0x14000e5c100, 0x20}, {0x14000a60900, 0x2, 0x2})
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/common/helpers.go:56 +0x188
> github.com/openshift/osdctl/cmd/cluster.(*transferOwnerOptions).run(0x140005babd0)
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/cluster/transferowner.go:897 +0x287c
> github.com/openshift/osdctl/cmd/cluster.newCmdTransferOwner.func2(0x14000d8c008?, {0x140005255e0?, 0x4?, 0x106cea931?})
> /Users/maclark/sandbox/osdctl_new/osdctl/cmd/cluster/transferowner.go:84 +0x20
> github.com/spf13/cobra.(*Command).execute(0x14000d8c008, {0x14000525500, 0x7, 0x7})
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1019 +0x814
> github.com/spf13/cobra.(*Command).ExecuteC(0x14000325b08)
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x350
> github.com/spf13/cobra.(*Command).Execute(0x108a4c298?)
> /Users/maclark/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071 +0x1c
> main.main()
> /Users/maclark/sandbox/osdctl_new/osdctl/main.go:23 +0xd0
Cluster kubecli created
Comparing pull-secret to expected auth sections...
Auth 'cloud.openshift.com' - tokens match
Auth 'cloud.openshift.com' - emails match
Auth 'quay.io' - tokens match
Auth 'quay.io' - emails match
Auth 'registry.connect.redhat.com' - tokens match
Auth 'registry.connect.redhat.com' - emails match
Auth 'registry.redhat.io' - tokens match
Auth 'registry.redhat.io' - emails match
Comparison shows subset of Auths from OCM AuthToken have matching tokens + emails in cluster pull-secret. PASS
Actual Cluster Pull Secret:
{"auths":{"950916221866.dkr.ecr.us-east-1.amazonaws.com":{"auth":"**REDACTED==","email":""},"cloud.openshift.com":{"auth":"**REDACTED==","email":"[email protected]"},"quay.io":{"auth":"**REDACTED==","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED==","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED==","email":"[email protected]"}}}
Expected Auths from OCM AccessToken expected to be present in Pull Secret (note this can be a subset):
{"auths":{"cloud.openshift.com":{"auth":"**REDACTED==","email":"[email protected]"},"quay.io":{"auth":"**REDACTED==","email":"[email protected]"},"registry.connect.redhat.com":{"auth":"**REDACTED==","email":"[email protected]"},"registry.redhat.io":{"auth":"**REDACTED==","email":"[email protected]"}}}
Does the actual pull secret match your expectation? (yes/no): yes
Pull secret verification (by user) successful.
Transfer cluster: '055a7a55-d0cc-4348-b2d5-74ef5bbab593' (maclarkstatest)
from user '2g9OLHPkwDDcXvq2mt7kjfIQ0gf' to '2g9OLHPkwDDcXvq2mt7kjfIQ0gf'
Continue? (y/N): y
Error, Patch Request Response: '{"code":"ACCT-MGMT-4","href":"/api/accounts_mgmt/v1/errors/4","id":"4","kind":"Error","operation_id":"1e9e85d3-8fdf-423c-928b-a456892891d3","reason":"Permission Denied"}'
error: Subscription request to patch creator failed with status: 403, err: '{"code":"ACCT-MGMT-4","href":"/api/accounts_mgmt/v1/errors/4","id":"4","kind":"Error","operation_id":"1e9e85d3-8fdf-423c-928b-a456892891d3","reason":"Permission Denied"}'
/label tide/merge-method-squash
Hello @nephomaniac Any update on this PR?
/test verify-docs
@nephomaniac: This pull request references OSD-26415 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.
In response to this:
This PR attempts to allow a user to update a cluster's pull secret w/o transferring ownership for both classic and HCP clusters.
- ~~This adds a new CLI arg '--pull-secret-only' (bool) which is mutually exclusive with '--new-owner'.~~
- This adds a new command 'osdctl cluster update-pullsecret'. This cmd is a wrapper re-using the transfer-owner's pullsecret update functions and general flow.
- When 'updating the pull secret only' is used the utility will now exit after the pull secret is updated with the account's OCM accessToken values.
- The pull secret only op prompts user to choose to send an internal service log before the operation begins, and prompts to send a customer service log after the operation completes.
- This adds additional programmatic checks/comparisons of the resulting on cluster pull-secret auths for the end user to review.
- The new programmatic checks/comparisons may negate the need for printing to the terminal for visual comparison. Previously this util printed the secret data to the terminal; this PR changes this to instead warn + prompt the user to choose whether or not to print the raw data for the optional visual inspection.
- Updates to existing 'Dry-run' when transferring-owner: Do not update pull-secret, roll pods, and pass 'dryrun' flag to service logs.
- Additional information and formatting of errors.
Example usage:
```
osdctl cluster update-pullsecret -h
Update cluster pullsecret with current OCM accessToken data(to be done by Region Lead)

Usage:
  osdctl cluster update-pullsecret [flags]

Examples:
  # Update Pull Secret's OCM access token data
  osdctl cluster update-pullsecret --cluster-id 1kfmyclusteristhebesteverp8m --reason "Update PullSecret per pd or jira-id"
```
After merging in the recent transfer-ownership changes, and rebasing I believe this is ready for review. Would like to have both the pull-secret update and transfer of ownership tested by an RL on a production test cluster if possible? This last round of commit(s) includes:
- dryrun now skips updating the PullSecret, rolling pods, and passes the dryrun flag to the servicelog posts.
- minor code fixes, and additional information/err handling
- sensitive info (pullsecret data) is no longer printed to the screen, user is prompted to display now.
- PullSecret Data is programmatically compared to the subset of auths contained in the AccessToken now, user can review the results in addition to the now optional visual comparison of the data.
- telemetry and ocm pods are rolled per PullSecret update not just transfer of ownership.
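The subset comparison described in this PR, as an added Go example that is not osdctl's own code: every auth derived from the OCM access token must be present in the cluster pull secret with the same token and email, registries that exist only on the cluster are allowed, and the report carries match results only, never token values. The type and function names and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// registryAuth is one entry under "auths" in a dockerconfigjson pull secret.
type registryAuth struct {
	Auth  string `json:"auth"`
	Email string `json:"email"`
}

type pullSecret struct {
	Auths map[string]registryAuth `json:"auths"`
}

// AuthResult is the outcome for one registry. It holds booleans only, so it
// can be logged or printed without exposing token material.
type AuthResult struct {
	Registry   string
	Present    bool
	TokenMatch bool
	EmailMatch bool
}

// OK reports whether the registry passed every check.
func (r AuthResult) OK() bool { return r.Present && r.TokenMatch && r.EmailMatch }

// CompareAuthSubset verifies that every auth in expectedJSON is present in
// actualJSON with an identical token and email. Registries that exist only
// in actualJSON are ignored, because the cluster secret may hold more auths
// than the access token provides.
func CompareAuthSubset(expectedJSON, actualJSON []byte) ([]AuthResult, bool, error) {
	var expected, actual pullSecret
	if err := json.Unmarshal(expectedJSON, &expected); err != nil {
		return nil, false, fmt.Errorf("parsing expected auths: %w", err)
	}
	if err := json.Unmarshal(actualJSON, &actual); err != nil {
		return nil, false, fmt.Errorf("parsing cluster pull secret: %w", err)
	}
	if len(expected.Auths) == 0 {
		// An empty expectation would pass vacuously; treat it as an error.
		return nil, false, errors.New("expected auths are empty, nothing to verify")
	}
	names := make([]string, 0, len(expected.Auths))
	for name := range expected.Auths {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic report order

	results := make([]AuthResult, 0, len(names))
	pass := true
	for _, name := range names {
		want := expected.Auths[name]
		got, found := actual.Auths[name]
		r := AuthResult{Registry: name, Present: found}
		if found {
			// An empty expected token never counts as a match.
			r.TokenMatch = want.Auth != "" && want.Auth == got.Auth
			r.EmailMatch = want.Email == got.Email
		}
		pass = pass && r.OK()
		results = append(results, r)
	}
	return results, pass, nil
}

// Constructed sample data: placeholder tokens, not real credentials.
const sampleExpected = `{"auths":{
  "cloud.openshift.com":{"auth":"PLACEHOLDER-A","email":"sre@example.com"},
  "quay.io":{"auth":"PLACEHOLDER-B","email":"sre@example.com"}}}`

const sampleActual = `{"auths":{
  "registry.example.internal":{"auth":"PLACEHOLDER-X","email":""},
  "cloud.openshift.com":{"auth":"PLACEHOLDER-A","email":"sre@example.com"},
  "quay.io":{"auth":"PLACEHOLDER-B","email":"sre@example.com"}}}`

func main() {
	results, pass, err := CompareAuthSubset([]byte(sampleExpected), []byte(sampleActual))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range results {
		fmt.Printf("Auth '%s' present=%t tokenMatch=%t emailMatch=%t\n",
			r.Registry, r.Present, r.TokenMatch, r.EmailMatch)
	}
	fmt.Println("PASS:", pass)
}
```

A missing registry, a stale token or an empty expectation all produce a failing result, so a secret that has not yet synced to the cluster is reported rather than passed.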
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: nephomaniac. Once this PR has been reviewed and has the lgtm label, please assign zmird-r for approval. For more information see the Code Review Process.
/retest
@nephomaniac: This pull request references OSD-26415 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.
In response to this:
This PR attempts to allow a user to update a cluster's pull secret w/o transferring ownership for both classic and HCP clusters.
- This adds a new command 'osdctl cluster update-pullsecret'. This cmd is a wrapper re-using the transfer-owner's pullsecret update functions and general flow, leveraging the hidden '--pull-secret-only' (bool) flag.
- When 'updating the pull secret only' is used the utility will now exit after the pull secret is updated with the account's OCM accessToken values.
- The pull secret only op prompts user to choose to send an internal service log before the operation begins, and prompts to send a customer service log after the operation completes.
- This adds additional programmatic checks/comparisons of the resulting on cluster pull-secret auths for the end user to review. (transfer-owner and update-pullsecret)
- The new programmatic checks/comparisons may negate the need for printing to the terminal for visual comparison. Previously this util printed the secret data to the terminal; this PR changes this to instead warn + prompt the user to choose whether or not to print the raw data for the optional visual inspection. (transfer-owner and update-pullsecret)
- Updates to existing 'Dry-run' when transferring-owner: Do not update pull-secret, roll pods, and pass 'dryrun' flag to service logs. (transfer-owner and update-pullsecret)
- Additional information and formatting of errors. (transfer-owner and update-pullsecret)
Example usage:
```
osdctl cluster update-pullsecret -h
Update cluster pullsecret with current OCM accessToken data(to be done by Region Lead)

Usage:
  osdctl cluster update-pullsecret [flags]

Examples:
  # Update Pull Secret's OCM access token data
  osdctl cluster update-pullsecret --cluster-id 1kfmyclusteristhebesteverp8m --reason "Update PullSecret per pd or jira-id"
```
/retest
@nephomaniac: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/format | 63ba5a1195ce8ce6d856f1913e6aa11ca9e713b2 | link | true | /test format |
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Closing this older PR per PR794. Newer PR794 does not depend on backplane cli changes to support multiple OCM contexts for hive, allowing non-prod testing.