Bug 1707573

Summary: Installer configures KAS with legacy CA
Product: OpenShift Container Platform
Reporter: Scott Dodson <sdodson>
Component: Installer
Assignee: Sam Batschelet <sbatsche>
Installer sub component: openshift-installer
QA Contact: ge liu <geliu>
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: urgent
CC: eparis, sponnaga, vrutkovs, wking, wsun
Version: 4.1.0
Keywords: BetaBlocker
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-05-10 11:49:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Scott Dodson 2019-05-07 19:37:05 UTC
During testing of the master replacement DR scenario it was discovered that KAS was reliant on the deprecated EtcdCA. This is problematic because signing assets for that CA were not installed into the cluster, meaning that it became impossible to sign additional certificates in the future with the same CA.

We need to break the ties to EtcdCA.

See https://github.com/openshift/installer/pull/1720

Comment 2 ge liu 2019-05-08 02:46:10 UTC
Checked the latest payload (4.1.0-0.nightly-2019-05-08-012425); until now, the PR has not been in it. Changed status to MODIFIED, and I will continue to watch it.

Comment 3 W. Trevor King 2019-05-08 21:21:32 UTC
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-195152 | grep installer
  installer                                     https://github.com/openshift/installer                                     c91435c84a7ac35404b6062a45ae48b82b1f76ab
  installer-artifacts                           https://github.com/openshift/installer                                     6e5093d4e4d0e2069957a54db95c69b9eaa2b3a2
$ git log --first-parent --format='%ad %h %d %s' --date=iso -5 origin/master | cat
2019-05-08 22:52:53 +0200 3b6832c2a  (HEAD -> master, origin/release-4.2, origin/release-4.1, origin/master, origin/HEAD) Merge pull request #1727 from abhinavdahiya/infra_api_changes_public
2019-05-08 19:56:40 +0200 c91435c84  Merge pull request #1730 from abhinavdahiya/upi_image_fix
2019-05-08 05:06:26 +0200 23aac5288  Merge pull request #1718 from abhinavdahiya/infra_api_changes
2019-05-08 01:27:39 +0200 d506a01c8  Merge pull request #1720 from hexfusion/remove_etcd_ca
2019-05-07 19:56:54 +0200 6e5093d4e  Merge pull request #1711 from mandre/openstack-resolver

So the associated installer has the fix, but installer-artifacts (which is what gets extracted, I think) does not. The disconnect may be another symptom of bug 1707928, and will hopefully be addressed by the current builds going on as part of that.

Comment 4 W. Trevor King 2019-05-08 22:55:48 UTC
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-220123 | grep installer
  installer                                     https://github.com/openshift/installer                                     3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc
  installer-artifacts                           https://github.com/openshift/installer                                     3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc

Moving back to ON_QA.

Comment 5 ge liu 2019-05-09 07:11:05 UTC
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1707928

Comment 6 ge liu 2019-05-10 07:53:07 UTC
Verified with Beta 5 Final Build (4.1.0-rc.1):
installed an OCP cluster on AWS, and when the bootstrap node was initialized, logged in on it and checked the tls dir.
etcd-ca has been deprecated, and etcd-signer is present:
$ pwd
/opt/openshift/tls
[core@ip-10-0-12-112 tls]$ ls *etcd*
etcd-ca-bundle.crt  etcd-client.key            etcd-metric-signer-client.crt  etcd-metric-signer.crt  etcd-signer.crt
etcd-client.crt     etcd-metric-ca-bundle.crt  etcd-metric-signer-client.key  etcd-metric-signer.key  etcd-signer.key
[core@ip-10-0-12-112 tls]$ 

Check the bootstrap logs:
# journalctl -b -f -u bootkube.service

May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-ca-bundle-configmap.yaml" configmaps.v1./etcd-ca-bundle -n openshift-config
May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-client-secret.yaml" secrets.v1./etcd-client -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-client-secret.yaml" secrets.v1./etcd-metric-client -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-serving-ca-configmap.yaml" configmaps.v1./etcd-metric-serving-ca -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-signer-secret.yaml" secrets.v1./etcd-metric-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-namespace.yaml" namespaces.v1./openshift-etcd -n
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-service.yaml" services.v1./etcd -n openshift-etcd
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-serving-ca-configmap.yaml" configmaps.v1./etcd-serving-ca -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-signer-secret.yaml" secrets.v1./etcd-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "kube-apiserver-serving-ca-configmap.yaml" configmaps.v1./initial-kube-apiserver-server-ca -n openshift-config
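The check this comment performs by eye (does every signer CA in the tls dir have its private key on disk, and was that signer installed as a secret in openshift-config so the cluster can keep issuing certificates under it) as an added, offline example; it is not part of the bug report or the installer, and the directory listing and log lines are copied from the comment above as constructed test data.

```python
import re

# Constructed sample input: the tls listing and a subset of the bootkube
# lines from the verification comment, embedded so this runs offline.
TLS_LISTING = """
etcd-ca-bundle.crt  etcd-client.key  etcd-metric-signer-client.crt  etcd-metric-signer.crt  etcd-signer.crt
etcd-client.crt  etcd-metric-ca-bundle.crt  etcd-metric-signer-client.key  etcd-metric-signer.key  etcd-signer.key
"""

BOOTKUBE_LOG = """
May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-ca-bundle-configmap.yaml" configmaps.v1./etcd-ca-bundle -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-signer-secret.yaml" secrets.v1./etcd-metric-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-namespace.yaml" namespaces.v1./openshift-etcd -n
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-signer-secret.yaml" secrets.v1./etcd-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "kube-apiserver-serving-ca-configmap.yaml" configmaps.v1./initial-kube-apiserver-server-ca -n openshift-config
"""

# Matches bootkube's 'Created "<file>" <kind>.v1./<name> -n <namespace>' lines;
# the namespace is optional because cluster-scoped objects print a bare "-n".
CREATED_RE = re.compile(
    r'Created "(?P<file>[^"]+)" (?P<kind>\w+)\.v1\./(?P<name>\S+)(?: -n (?P<ns>\S+))?')


def parse_created(log):
    """Return {(kind, name): namespace} for every object bootkube reports as created."""
    created = {}
    for line in log.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created[(m['kind'], m['name'])] = m['ns'] or ''
    return created


def signer_status(listing, log):
    """For each *-signer.crt in the tls dir, record whether its private key is on
    disk and whether the signer was installed as a secret in openshift-config."""
    files = set(listing.split())
    created = parse_created(log)
    report = {}
    for f in sorted(files):
        if f.endswith('-signer.crt'):
            name = f[:-len('.crt')]
            report[name] = {
                'key_on_disk': name + '.key' in files,
                'secret_installed': created.get(('secrets', name)) == 'openshift-config',
            }
    return report


def missing_signing_assets(listing, log):
    """Signer CAs whose key or cluster secret is absent: the condition this bug
    describes, a CA the cluster can no longer sign new certificates with."""
    return sorted(n for n, s in signer_status(listing, log).items() if not all(s.values()))
```

On the sample data both etcd-signer and etcd-metric-signer have a key on disk and a secret in openshift-config, so `missing_signing_assets` returns an empty list; dropping either the key file or the secret line flags the signer.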