Bug 1785498
| Summary: | `regenerate-certificates` command blocked by error `illegal base64 data at input byte 3` | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | zhou ying <yinzhou> | ||||
| Component: | kube-apiserver | Assignee: | Lukasz Szaszkiewicz <lszaszki> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 4.3.0 | CC: | aos-bugs, lszaszki, mfojtik | ||||
| Target Milestone: | --- | ||||||
| Target Release: | 4.4.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | No Doc Update | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1789655 1802161 (view as bug list) | Environment: | |||||
| Last Closed: | 2020-05-04 11:20:55 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1789655, 1802161 | ||||||
| Attachments: |
|
||||||
|
Description
zhou ying
2019-12-20 03:15:11 UTC
[root@control-plane-0 ~]# oc adm must-gather [must-gather ] OUT the server is currently unable to handle the request (get imagestreams.image.openshift.io must-gather) [must-gather ] OUT [must-gather ] OUT Using must-gather plugin-in image: quay.io/openshift/origin-must-gather:latest [must-gather ] OUT namespace/openshift-must-gather-56qwg created [must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-6qml5 created [must-gather ] OUT clusterrolebinding.rbac.authorization.k8s.io/must-gather-6qml5 deleted [must-gather ] OUT namespace/openshift-must-gather-56qwg deleted Error from server (Forbidden): pods "must-gather-" is forbidden: error looking up service account openshift-must-gather-56qwg/default: serviceaccount "default" not found Created attachment 1646739 [details]
inspect result
the root cause of the issue was that the recovery API didn't know how to decrypt the encrypted content from the DB. please validate the fix on an encrypted cluster. The 4.4 certs disaster recovery bug 1771410 is verified with successful auto recovery, that process covers this bug's issue. Thus moving to VERIFIED directly. (In reply to Lukasz Szaszkiewicz from comment #3) > please validate the fix on an encrypted cluster. Ah, didn't notice this. Will try on Etcd Encrypted cluster later. Installed 4.4.0-0.nightly-2020-03-18-102708 ipi on aws env, enabled etcd encryption. Then broke the cluster per google document of bug 1771410, waited for certs expired, then re-start masters, clusters can come back well, control plane certs can recover automatically, oc get po/co/no and other oc basic operations (new-project, new-app, rsh etc) have no problem, kas 4 containers logs no abnormality. In short, the bug issue is not seen now. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581 |