Bug 1672011

Summary: "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation
Product: OpenShift Container Platform
Reporter: Daein Park <dapark>
Component: Networking
Assignee: Dan Mace <dmace>
Networking sub component: router
QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA
Docs Contact:
Severity: unspecified
Priority: medium
CC: aos-bugs, dmace, nbhatt, nhashimo, rkant
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The playbooks and manual configuration steps for redeploying router certificates replace the router certificates secret with the service serving certificate secret, so the router wildcard certificate secret is overwritten or missed. Consequence: This causes certificate errors because incorrect certificates are redeployed. Fix: Modify the playbooks and the manual redeployment steps so that they do not overwrite the router certificates secret with the service serving certificate secret. Result: The router certificates are redeployed according to the configured subdomain or custom certificates.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-11 05:38:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daein Park 2019-02-03 04:45:30 UTC
Description of problem:

When running "redeploy-router-certificates.yml", the "serving-cert-secret-name" annotation is changed to the wrong Secret, "router-certs".
The "router-certs" secret stores the wildcard certificate signed by the "openshift-signer" CA, not the "openshift-service-serving-signer" CA.

It will be confusing and problematic in the future.

The evidence for this issue is as follows.

* tls.crt of "router-certs" Secret
  ~~~
          Issuer: CN=openshift-signer@9999999999
          ...
          Subject: CN=*.apps.example.com
  ~~~

* tls.crt of "router-metrics-tls" Secret
  ~~~
          Issuer: CN=openshift-service-serving-signer@1231231234
          ...
          Subject: CN=router.default.svc
  ~~~

* Before running "redeploy-router-certificates.yml"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~

* After running "redeploy-router-certificates.yml", "router-metrics-tls" has been changed to "router-certs"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-certs
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~


Version-Release number of the following components:
rpm -q openshift-ansible

  openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch

rpm -q ansible

  ansible-2.6.11-1.el7ae.noarch

ansible --version

  ansible 2.6.11
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/site-packages/ansible
    executable location = /usr/bin/ansible
    python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

You can reproduce this whenever you run the "playbooks/openshift-hosted/redeploy-router-certificates.yml" playbook.

Steps to Reproduce:
1.
2.
3.

Actual results:

The service serving certificate secret name has been changed to "router-certs", which is the wrong secret name.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-certs"

Expected results:

The service serving certificate secret name should keep the same name after redeploying router certificates, as follows.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls"

Additional info:

I've reported this against v3.11 here, but it can also occur in other versions, such as v3.7 ~ v3.10.
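The two pieces of evidence in the report (the service annotation and the issuer of each secret's tls.crt) can be turned into a post-redeploy check. The following Python script is an added example, not part of the bug report or of openshift-ansible: it parses the Annotations block of `oc describe svc` output, reads the issuer CN from `openssl x509 -text` output for the secret the annotation points at, and reports the service as misconfigured when that secret is not signed by the service-serving signer or when the signer disagrees with the serving-cert-signed-by annotation. The sample inputs are constructed from the values shown above; the password and the signer serial suffixes are dummies, as in the report, and the function names are this example's own.

```python
import re

ANNOT_SECRET = "service.alpha.openshift.io/serving-cert-secret-name"
ANNOT_SIGNER = "service.alpha.openshift.io/serving-cert-signed-by"
SERVING_SIGNER_PREFIX = "openshift-service-serving-signer"

# Constructed sample: `oc describe svc router -n default` before the playbook ran.
DESCRIBE_BEFORE = """\
Name:              router
Namespace:         default
Labels:            router=router
Annotations:       prometheus.openshift.io/password=abcabcabcd
                   prometheus.openshift.io/username=admin
                   service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                   service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
Selector:          router=router
Type:              ClusterIP
"""

# Constructed sample: the same service after the playbook rewrote the annotation.
DESCRIBE_AFTER = DESCRIBE_BEFORE.replace(
    "serving-cert-secret-name=router-metrics-tls",
    "serving-cert-secret-name=router-certs")

# Constructed sample: `openssl x509 -noout -text` excerpts for tls.crt of each secret,
# with the issuer/subject values from the report.
SECRET_CERT_INFO = {
    "router-certs": (
        "        Issuer: CN=openshift-signer@9999999999\n"
        "        Subject: CN=*.apps.example.com\n"),
    "router-metrics-tls": (
        "        Issuer: CN=openshift-service-serving-signer@1231231234\n"
        "        Subject: CN=router.default.svc\n"),
}


def parse_describe_annotations(describe_output):
    """Parse the Annotations: block of `oc describe` text into a dict.
    The first key=value pair sits on the 'Annotations:' line itself, continuation
    pairs are indented, and the block ends at the next unindented field."""
    annotations = {}
    in_block = False
    for line in describe_output.splitlines():
        if line.startswith("Annotations:"):
            in_block = True
            pair = line[len("Annotations:"):].strip()
        elif in_block and line[:1].isspace():
            pair = line.strip()
        else:
            in_block = False
            continue
        if "=" in pair:
            key, value = pair.split("=", 1)
            annotations[key] = value
    return annotations


def issuer_cn(x509_text):
    """Return the issuer CN from `openssl x509 -text` output, or None if absent."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", x509_text, re.MULTILINE)
    if not issuer:
        return None
    cn = re.search(r"CN\s*=\s*([^,/]+)", issuer.group(1))
    return cn.group(1).strip() if cn else None


def check_serving_cert(describe_output, secret_certs):
    """Return (ok, reason). ok is True only when the annotated secret exists, its
    tls.crt is issued by the service-serving signer, and that issuer matches the
    serving-cert-signed-by annotation; any other state is the misconfiguration
    this bug produces (or worse, a missing secret)."""
    ann = parse_describe_annotations(describe_output)
    secret = ann.get(ANNOT_SECRET)
    if not secret:
        return False, "service has no %s annotation" % ANNOT_SECRET
    if secret not in secret_certs:
        return False, "annotated secret %r not found" % secret
    cn = issuer_cn(secret_certs[secret])
    if cn is None:
        return False, "could not parse the issuer of tls.crt in %r" % secret
    if not cn.startswith(SERVING_SIGNER_PREFIX):
        return False, "secret %r is issued by %r, not by the service-serving signer" % (secret, cn)
    signed_by = ann.get(ANNOT_SIGNER)
    if signed_by and signed_by != cn:
        return False, "signed-by annotation %r does not match issuer %r" % (signed_by, cn)
    return True, "secret %r is a service-serving certificate issued by %r" % (secret, cn)


if __name__ == "__main__":
    for label, text in (("before", DESCRIBE_BEFORE), ("after", DESCRIBE_AFTER)):
        ok, reason = check_serving_cert(text, SECRET_CERT_INFO)
        print("%s: %s - %s" % (label, "OK" if ok else "MISCONFIGURED", reason))
```

On a live cluster the two inputs would come from `oc describe svc router -n default` and from decoding `tls.crt` of each candidate secret with `openssl x509 -noout -text`; the check deliberately compares the issuer of the referenced secret rather than trusting the secret's name, since the name is exactly what the playbook rewrote.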

Comment 8 Hongan Li 2019-03-21 05:49:02 UTC
Verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch and the issue has been fixed.

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636

Comment 12 Red Hat Bugzilla 2023-09-15 01:28:08 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days