Bug 1772067

Summary: Breaking change in the service annotation service.alpha.openshift.io/serving-cert-secret-name feature
Product: OpenShift Container Platform
Reporter: David Kornel <dkornel>
Component: apiserver-auth
Assignee: Maru Newby <mnewby>
Status: CLOSED ERRATA
QA Contact: scheng
Severity: urgent
Priority: unspecified
Version: 4.3.0
CC: aos-bugs, eparis, jokerman, mfojtik, mifiedle, mnewby, nagrawal, sanchezl, scuppett
Target Milestone: ---
Keywords: TestBlocker
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-01-23 11:12:28 UTC
Type: Bug
Regression: ---

Description David Kornel 2019-11-13 14:52:06 UTC
Description of problem:

We have test errors because of a breaking change in the service annotation
service.alpha.openshift.io/serving-cert-secret-name feature. 

An issue was opened in our github repo to track this error https://github.com/EnMasseProject/enmasse/issues/3457

We see a behavioural change between 4.2 and 4.3 which is breaking for our
existing application.
On 4.2, the generated secret's tls.crt entry contained both the
server's cert and the cert of its signer. On 4.3, generated
secret's tls.crt entry contains the server's cert.

This is breaking for us as we rely on this trust source to config SSL clients.

With 4.2

$ oc get secrets standard-authservice-cert -o template='{{index .data "tls.crt"}}' | base64 -d
----BEGIN CERTIFICATE----
...
----END CERTIFICATE----
----BEGIN CERTIFICATE----
...
----END CERTIFICATE----

With 4.3:

$ oc get secrets standard-authservice-cert -o template='{{index .data "tls.crt"}}' | base64 -d
----BEGIN CERTIFICATE----
...
----END CERTIFICATE----


Comment 1 Mike Fiedler 2019-11-13 16:03:45 UTC
Please reroute if openshift-api is the incorrect component

Comment 2 Luis Sanchez 2019-11-13 16:24:25 UTC
As per https://docs.okd.io/latest/dev_guide/secrets.html#service-serving-certificate-secrets, the needed CA certs are found in /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.

Comment 3 Maru Newby 2019-11-14 00:08:30 UTC
Proposal to ensure the current behavior is retained for the alpha annotation: https://github.com/openshift/enhancements/pull/109
Implementation: https://github.com/openshift/service-ca-operator/pull/83

Comment 8 errata-xmlrpc 2020-01-23 11:12:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062