DescriptionVladislav Walek
2018-06-15 07:20:28 UTC
Description of problem:
On a 3.9.30 cluster, when restarting the "atomic-openshift-master-controllers" service, all secrets are overwritten. This is a big issue, since this makes the cluster practically not usable. in attachment what we see, first "oc get secret", than restart the services, again "oc get secret", you can see the value changed. In the logs of the controller I see this:
Jun 14 18:17:11 master-1 atomic-openshift-master-controllers[72597]: I0614 18:17:11.439085 72597 start_master.go:652] Starting "openshift.io/serviceaccount-pull-secrets"
Jun 14 18:17:11 master-1 atomic-openshift-master-controllers[72597]: I0614 18:17:11.455637 72597 start_master.go:662] Started "openshift.io/serviceaccount-pull-secrets"
all secrets containing docker credentials for private docker repo's where changed. instead of the url to the private docker repo, they now contained the IP for the integrated registry. This means no images couldn't be pulled from the registries anymore.
and with the loglevel set to 6, and 1 secret modified to its correct value again, you see the secret gets overwritten.
Jun 14 18:37:20 master-1 atomic-openshift-master-controllers[79076]: I0614 18:37:18.237210 79076 round_trippers.go:436] PUT https://master-1:8443/api/v1/namespaces/<namespace>/secrets/registrysecret-k8s 200 OK in 22 milliseconds
Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.9.30
Additional info:
will attach all the logs
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:2213