Summary: | creating the unsupported configmap for cert rotation should taint a cluster | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | David Eads <deads> |
Component: | kube-apiserver | Assignee: | Maciej Szulik <maszulik> |
Status: | CLOSED ERRATA | QA Contact: | zhou ying <yinzhou> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 4.1.0 | CC: | aos-bugs, jokerman, mfojtik, mmccomas, xxia |
Target Milestone: | --- | ||
Target Release: | 4.2.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
Creating unsupported configmap for cert rotation shortens cert rotation.
Consequence:
This is unsupported and not user-facing functionality that was discovered by one of our users.
Fix:
Prevent upgrades by setting Upgradeable to False on kubeapiserver-operator when that unsupported config map is present.
Result:
When an administrator creates the unsupported config map the cluster will not be upgradable.
|
Last Closed: | 2019-10-16 06:32:19 UTC | Type: | Bug |
Description
David Eads
2019-06-20 15:47:24 UTC
With https://github.com/openshift/cluster-kube-apiserver-operator/pull/505 every cluster will be degraded and not upgradable.

The code is already there, creating the configmap in linked PR indeed set the cluster upgradeable to false. Moving to QA to verify.

(In reply to Michal Fojtik from comment #2)
> The code is already there, creating the configmap in linked PR indeed set
> the cluster upgradeable to false. Moving to QA to verify.

Checked latest 4.1.0-0.nightly-2019-08-14-043700 env, per the Doc Text's Fix part, the co/kube-apiserver does not change Upgradeable (status is True) before and after creating below:

    oc create -f - << EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: unsupported-cert-rotation-config
      namespace: openshift-config
    data:
      base: 1m
    EOF

Could you please give some hint if above verification is wrong.

Sorry, made a mistake; this bug target release is 4.2; should use 4.2 env to test later

Verified in latest 4.2.0-0.nightly-2019-08-15-033605 env. After creating unsupported-cert-rotation-config, co/kube-apiserver yaml shows Upgradeable is False:

    - lastTransitionTime: "2019-08-15T06:59:53Z"
      message: 'CertRotationTimeUpgradeable: configmap["openshift-config"]/unsupported-cert-rotation-config .data["base"]=="1m"'
      reason: CertRotationTimeUpgradeableCertRotationBaseOverridden
      status: "False"
      type: Upgradeable

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
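The verification in the comments above can be turned into a repeatable audit. The following is an added example, not part of the bug report or the operator's code: it reads ClusterOperator JSON (as printed by `oc get clusteroperator kube-apiserver -o json`, or a list from `oc get co -o json`) and reports every operator whose Upgradeable condition is not True. The function name, the constructed sample, and the "CertRotation" substring match on the reason are assumptions.

```python
import json

# Constructed sample: shaped like `oc get clusteroperator kube-apiserver -o json`,
# with the Upgradeable condition copied from the verification comment above.
SAMPLE = json.dumps({
    "kind": "ClusterOperator",
    "metadata": {"name": "kube-apiserver"},
    "status": {"conditions": [
        {"type": "Available", "status": "True"},
        {"type": "Upgradeable", "status": "False",
         "lastTransitionTime": "2019-08-15T06:59:53Z",
         "reason": "CertRotationTimeUpgradeableCertRotationBaseOverridden",
         "message": "CertRotationTimeUpgradeable: configmap[\"openshift-config\"]"
                    "/unsupported-cert-rotation-config .data[\"base\"]==\"1m\""},
    ]},
})


def upgrade_blockers(doc):
    """Return one finding per operator whose Upgradeable condition is not True.

    Accepts a single ClusterOperator or a List of them (`oc get co -o json`).
    """
    obj = json.loads(doc)
    operators = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    findings = []
    for op in operators:
        name = op.get("metadata", {}).get("name", "<unnamed>")
        for cond in op.get("status", {}).get("conditions", []):
            # Only Upgradeable conditions that are False or Unknown are findings.
            if cond.get("type") != "Upgradeable" or cond.get("status") == "True":
                continue
            reason = cond.get("reason", "")
            findings.append({
                "operator": name,
                "status": cond.get("status"),
                "reason": reason,
                # Assumption: a reason containing "CertRotation" marks this override.
                "cert_rotation_override": "CertRotation" in reason,
                "since": cond.get("lastTransitionTime"),
                "message": cond.get("message", ""),
            })
    return findings


if __name__ == "__main__":
    for f in upgrade_blockers(SAMPLE):
        print(f"{f['operator']}: Upgradeable={f['status']} ({f['reason']}) {f['message']}")
```
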