Bug 1767964

Summary: oc cert deny says "approved" on the confirmation message
Product: OpenShift Container Platform Reporter: Stephen Cuppett <scuppett>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.2.0CC: aos-bugs, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-23 11:10:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Cuppett 2019-11-01 18:22:54 UTC 
Description of problem:

Running a oc cert deny yields a ‘appoved’ msg on the command line (this doesn’t make sense) but shows denied on the cert listing


[root@ocp4-001 191101-cnv]# bash 191101-useful03-cert-deep-inspection |grep 006

csr-2l88b |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-7zcxk |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-cqg8d |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-fcr79 |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-gkknt |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-hc7pg |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-l9nqb |        Subject: O=system:nodes, CN=system:node:ocp4-006
 

[root@ocp4-001 191101-cnv]# oc adm certificate  deny csr-2l88b

certificatesigningrequest.certificates.k8s.io/csr-2l88b approved


Version-Release number of selected component (if applicable):

4.2.0 GA

How reproducible:

Always


Steps to Reproduce:
1. Run oc deny for an outstanding CSR
2. See the "approved" message from above.

Actual results:

It indicates it is approved

Expected results:

It should say denied


Additional info:

N/A
Comment 2 Maciej Szulik 2019-11-05 11:17:13 UTC 
Should be solved when https://github.com/openshift/oc/pull/144 merges
Comment 4 zhou ying 2019-11-08 06:54:09 UTC 
confirmed with latest oc client, the issue has fixed:
[root@dhcp-140-138 ~]# oc version
Client Version: v4.3.0
Server Version: 4.3.0-0.nightly-2019-11-07-172437
Kubernetes Version: v1.16.2


[root@dhcp-140-138 ~]#  oc adm certificate  deny csr-test-fed8d184
certificatesigningrequest.certificates.k8s.io/csr-test-fed8d184 denied
[root@dhcp-140-138 ~]# oc get csr csr-test-fed8d184
NAME                AGE   REQUESTOR      CONDITION
csr-test-fed8d184   59s   system:admin   Denied
[root@dhcp-140-138 ~]# oc describe csr csr-test-fed8d184
Name:               csr-test-fed8d184
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Fri, 08 Nov 2019 14:51:27 +0800
Requesting User:    system:admin
Status:             Denied
Subject:
  Common Name:    system:node:qe-jhou-ckg5s-worker-68rcv
  Serial Number:  
  Organization:   system:nodes
Subject Alternative Names:
         DNS Names:     qe-jhou-ckg5s-worker-68rcv
         IP Addresses:  192.168.0.23
Events:  <none>
Comment 6 errata-xmlrpc 2020-01-23 11:10:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062