Bug 1722550

Summary: creating the unsupported configmap for cert rotation should taint a cluster
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: kube-apiserver
Assignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA
QA Contact: zhou ying <yinzhou>
Severity: high
Priority: high
Version: 4.1.0
CC: aos-bugs, jokerman, mfojtik, mmccomas, xxia
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Creating the unsupported configmap for cert rotation shortens cert rotation.
Consequence: This is unsupported and not user-facing functionality that was discovered by one of our users.
Fix: Prevent upgrades by setting Upgradeable to False on kubeapiserver-operator when that unsupported config map is present.
Result: When an administrator creates the unsupported config map, the cluster will not be upgradable.
Last Closed: 2019-10-16 06:32:19 UTC
Type: Bug

Description David Eads 2019-06-20 15:47:24 UTC
This setting is unsupported.  Upgradeable should immediately go to false and we probably want to set degraded as well.

The cluster kept working in this case, but we don't want people confused about what it does to a cluster.

Comment 1 Stefan Schimanski 2019-06-24 12:39:02 UTC
With https://github.com/openshift/cluster-kube-apiserver-operator/pull/505 every cluster will be degraded and not upgradable.

Comment 2 Michal Fojtik 2019-08-12 08:07:15 UTC
The code is already there; creating the configmap in the linked PR indeed sets the cluster upgradeable to false. Moving to QA to verify.

Comment 3 Xingxing Xia 2019-08-15 05:24:15 UTC
(In reply to Michal Fojtik from comment #2)
> The code is already there; creating the configmap in the linked PR indeed sets
> the cluster upgradeable to false. Moving to QA to verify.

Checked the latest 4.1.0-0.nightly-2019-08-14-043700 env; per the Doc Text's Fix part, the co/kube-apiserver does not change Upgradeable (status is True) before and after creating the below:
oc create -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: unsupported-cert-rotation-config
  namespace: openshift-config
data:
  base: 1m
EOF

Could you please give a hint if the above verification is wrong?

Comment 4 Xingxing Xia 2019-08-15 05:55:20 UTC
Sorry, I made a mistake; this bug's target release is 4.2, so I should use a 4.2 env to test later.

Comment 5 Xingxing Xia 2019-08-15 07:04:48 UTC
Verified in latest 4.2.0-0.nightly-2019-08-15-033605 env. After creating unsupported-cert-rotation-config, co/kube-apiserver yaml shows Upgradeable is False:
    - lastTransitionTime: "2019-08-15T06:59:53Z"
      message: 'CertRotationTimeUpgradeable: configmap["openshift-config"]/unsupported-cert-rotation-config
        .data["base"]=="1m"'
      reason: CertRotationTimeUpgradeableCertRotationBaseOverridden
      status: "False"
      type: Upgradeable
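
Added example, not part of the bug thread and not the operator's own code: a small audit helper that reads ClusterOperator JSON (as `oc get clusteroperator kube-apiserver -o json` would print it) and reports whether upgrades are blocked by the cert rotation override. The function name, the sample document and the assumption that the message keeps the layout quoted in comment 5 are this example's own.

```python
import json
import re

# Constructed sample shaped like `oc get clusteroperator kube-apiserver -o json`;
# the Upgradeable condition copies the values quoted in comment 5.
SAMPLE = json.dumps({
    "kind": "ClusterOperator",
    "metadata": {"name": "kube-apiserver"},
    "status": {"conditions": [
        {"type": "Available", "status": "True"},
        {"type": "Upgradeable", "status": "False",
         "lastTransitionTime": "2019-08-15T06:59:53Z",
         "reason": "CertRotationTimeUpgradeableCertRotationBaseOverridden",
         "message": 'CertRotationTimeUpgradeable: configmap["openshift-config"]'
                    '/unsupported-cert-rotation-config .data["base"]=="1m"'},
    ]},
})

# Matches the message layout shown in comment 5 (assumed stable for this check).
OVERRIDE_RE = re.compile(
    r'configmap\["(?P<namespace>[^"]+)"\]/(?P<name>\S+)\s*'
    r'\.data\["(?P<key>[^"]+)"\]=="(?P<value>[^"]*)"')


def find_cert_rotation_override(clusteroperator_json):
    """Return details of the override blocking upgrades, or None if absent."""
    obj = json.loads(clusteroperator_json)
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") != "Upgradeable" or cond.get("status") != "False":
            continue
        if "CertRotationBaseOverridden" not in cond.get("reason", ""):
            continue  # upgrades are blocked for some other reason
        finding = {"operator": obj["metadata"]["name"],
                   "since": cond.get("lastTransitionTime"),
                   "reason": cond["reason"]}
        m = OVERRIDE_RE.search(cond.get("message", ""))
        if m:  # keep the finding even if the message layout differs
            finding.update(m.groupdict())
        return finding
    return None


if __name__ == "__main__":
    print(find_cert_rotation_override(SAMPLE))
```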

Comment 6 errata-xmlrpc 2019-10-16 06:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922