|Summary:||creating the unsupported configmap for cert rotation should taint a cluster|
|Product:||OpenShift Container Platform||Reporter:||David Eads <deads>|
|Component:||kube-apiserver||Assignee:||Maciej Szulik <maszulik>|
|Status:||CLOSED ERRATA||QA Contact:||zhou ying <yinzhou>|
|Version:||4.1.0||CC:||aos-bugs, jokerman, mfojtik, mmccomas, xxia|
|Fixed In Version:||Doc Type:||Bug Fix|
Cause: Creating unsupported configmap for cert rotation shortens cert rotation.
Consequence: This is unsupported and not user-facing functionality that was discovered by one of our users.
Fix: Prevent upgrades by setting Upgradeable to False on kubeapiserver-operator when that unsupported config map is present.
Result: When an administrator creates the unsupported config map the cluster will not be upgradable.
|Last Closed:||2019-10-16 06:32:19 UTC||Type:||Bug|
Description David Eads 2019-06-20 15:47:24 UTC
This setting is unsupported. Upgradeable should immediately go to false and we probably want to set degraded as well. The cluster kept working in this case, but we don't want people confused about what it does to a cluster.
Comment 1 Stefan Schimanski 2019-06-24 12:39:02 UTC
With https://github.com/openshift/cluster-kube-apiserver-operator/pull/505 every cluster will be degraded and not upgradable.
Comment 2 Michal Fojtik 2019-08-12 08:07:15 UTC
The code is already there, creating the configmap in linked PR indeed set the cluster upgradeable to false. Moving to QA to verify.
Comment 3 Xingxing Xia 2019-08-15 05:24:15 UTC
(In reply to Michal Fojtik from comment #2)
> The code is already there, creating the configmap in linked PR indeed set
> the cluster upgradeable to false. Moving to QA to verify.

Checked latest 4.1.0-0.nightly-2019-08-14-043700 env, per the Doc Text's Fix part; the co/kube-apiserver does not change Upgradeable (status is True) before and after creating the below:

oc create -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: unsupported-cert-rotation-config
  namespace: openshift-config
data:
  base: 1m
EOF

Could you please give some hint if the above verification is wrong?
Comment 4 Xingxing Xia 2019-08-15 05:55:20 UTC
Sorry, made a mistake; this bug target release is 4.2; should use 4.2 env to test later
Comment 5 Xingxing Xia 2019-08-15 07:04:48 UTC
Verified in latest 4.2.0-0.nightly-2019-08-15-033605 env. After creating unsupported-cert-rotation-config, co/kube-apiserver yaml shows Upgradeable is False:

- lastTransitionTime: "2019-08-15T06:59:53Z"
  message: 'CertRotationTimeUpgradeable: configmap["openshift-config"]/unsupported-cert-rotation-config .data["base"]=="1m"'
  reason: CertRotationTimeUpgradeableCertRotationBaseOverridden
  status: "False"
  type: Upgradeable
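An added example, not part of the bug report or the operator's code: a Python check over the JSON printed by `oc get clusteroperator kube-apiserver -o json` that flags the Upgradeable=False condition shown in comment 5. The sample document is constructed, and matching on the `CertRotationBaseOverridden` substring of the reason, like treating a missing Upgradeable condition as not blocking, is an assumption.

```python
import json

# Constructed sample shaped like `oc get clusteroperator kube-apiserver -o json`;
# the Upgradeable condition carries the values quoted in comment 5.
SAMPLE_CO = json.dumps({
    "kind": "ClusterOperator",
    "metadata": {"name": "kube-apiserver"},
    "status": {"conditions": [
        {"type": "Available", "status": "True", "reason": "AsExpected"},
        {"type": "Upgradeable", "status": "False",
         "lastTransitionTime": "2019-08-15T06:59:53Z",
         "reason": "CertRotationTimeUpgradeableCertRotationBaseOverridden",
         "message": 'CertRotationTimeUpgradeable: configmap["openshift-config"]'
                    '/unsupported-cert-rotation-config .data["base"]=="1m"'},
    ]},
})

# Assumption: this substring of the reason identifies the cert rotation override.
OVERRIDE_MARKER = "CertRotationBaseOverridden"


def upgrade_blockers(co_json):
    """Return the Upgradeable conditions whose status is "False"."""
    co = json.loads(co_json)
    conditions = (co.get("status") or {}).get("conditions") or []
    return [c for c in conditions
            if c.get("type") == "Upgradeable" and c.get("status") == "False"]


def audit(co_json):
    """Return (verdict, message); verdict is 'ok', 'cert-rotation-override'
    or 'blocked-other'. A missing Upgradeable condition counts as 'ok'."""
    blockers = upgrade_blockers(co_json)
    if not blockers:
        return "ok", None
    for cond in blockers:
        if OVERRIDE_MARKER in cond.get("reason", ""):
            return "cert-rotation-override", cond.get("message", "")
    return "blocked-other", blockers[0].get("message", "")


if __name__ == "__main__":
    verdict, detail = audit(SAMPLE_CO)
    print(verdict, "-", detail)
```
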
Comment 6 errata-xmlrpc 2019-10-16 06:32:19 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922