Bug 1811061
| Summary: | KCM and KS do not live reload client certificates | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Tomáš Nožička <tnozicka> |
| Component: | kube-controller-manager | Assignee: | Tomáš Nožička <tnozicka> |
| Status: | CLOSED ERRATA | QA Contact: | zhou ying <yinzhou> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.4 | CC: | aos-bugs, maszulik, mfojtik |
| Target Milestone: | --- | | |
| Target Release: | 4.5.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1811062 | Environment: | |
| Last Closed: | 2020-07-13 17:18:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1810008, 1811062 | | |

Description
Tomáš Nožička
2020-03-06 14:23:14 UTC
Checked with payload: 4.5.0-0.nightly-2020-03-09-212428, set certificate rotation to 15mins; when the cert is updated, the kube-controller-manager pod does not roll out, but the kube-scheduler pod does.

```
[root@dhcp-140-138 roottest]# oc get po -n openshift-kube-controller-manager
NAME                                                                 READY   STATUS      RESTARTS   AGE
installer-12-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          45m
installer-13-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          36m
installer-13-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          40m
installer-13-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          41m
kube-controller-manager-ip-10-0-143-172.us-east-2.compute.internal   4/4     Running     2          36m
kube-controller-manager-ip-10-0-158-147.us-east-2.compute.internal   4/4     Running     0          38m
kube-controller-manager-ip-10-0-167-79.us-east-2.compute.internal    4/4     Running     0          41m
[root@dhcp-140-138 roottest]# oc get po -n openshift-kube-scheduler
NAME                                                                  READY   STATUS      RESTARTS   AGE
installer-120-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          43m
installer-120-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          37m
installer-120-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          41m
installer-121-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          32m
installer-121-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          35m
installer-121-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          33m
installer-122-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          27m
installer-122-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          25m
installer-122-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          28m
installer-123-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          19m
installer-123-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          17m
installer-123-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          20m
installer-124-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          11m
installer-124-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          10m
installer-124-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          13m
installer-125-ip-10-0-143-172.us-east-2.compute.internal              0/1     Completed   0          4m36s
installer-125-ip-10-0-158-147.us-east-2.compute.internal              0/1     Completed   0          2m27s
installer-125-ip-10-0-167-79.us-east-2.compute.internal               0/1     Completed   0          5m44s
openshift-kube-scheduler-ip-10-0-143-172.us-east-2.compute.internal   1/1     Running     0          4m31s
openshift-kube-scheduler-ip-10-0-158-147.us-east-2.compute.internal   1/1     Running     0          2m22s
openshift-kube-scheduler-ip-10-0-167-79.us-east-2.compute.internal    1/1     Running     0          5m40s
```

Confirmed with payload: 4.5.0-0.nightly-2020-03-15-152626, the issue has been fixed: when the cert is updated, the kube-controller-manager and kube-scheduler do not roll out.

```
[root@dhcp-140-138 ~]# openssl s_client -connect api.yinzhou-0316.qe.devcluster.openshift.com:6443 |openssl x509 -noout -dates
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify return:1
depth=0 CN = api.yinzhou-0316.qe.devcluster.openshift.com
verify return:1
notBefore=Mar 17 04:52:46 2020 GMT
notAfter=Mar 17 05:07:47 2020 GMT
^C
[root@dhcp-140-138 ~]# openssl s_client -connect api.yinzhou-0316.qe.devcluster.openshift.com:6443 |openssl x509 -noout -dates
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify return:1
depth=0 CN = api.yinzhou-0316.qe.devcluster.openshift.com
verify return:1
notBefore=Mar 17 05:00:21 2020 GMT
notAfter=Mar 17 05:15:22 2020 GMT
^C
[root@dhcp-140-138 ~]# oc get po -n openshift-kube-controller-manager
NAME                                                                 READY   STATUS    RESTARTS   AGE
kube-controller-manager-ip-10-0-128-13.us-east-2.compute.internal    4/4     Running   7          51m
kube-controller-manager-ip-10-0-151-31.us-east-2.compute.internal    4/4     Running   5          50m
kube-controller-manager-ip-10-0-160-206.us-east-2.compute.internal   4/4     Running   4          49m
[root@dhcp-140-138 ~]# oc get po -n openshift-kube-scheduler
NAME                                                                  READY   STATUS    RESTARTS   AGE
openshift-kube-scheduler-ip-10-0-128-13.us-east-2.compute.internal    2/2     Running   3          47m
openshift-kube-scheduler-ip-10-0-151-31.us-east-2.compute.internal    2/2     Running   2          48m
openshift-kube-scheduler-ip-10-0-160-206.us-east-2.compute.internal   2/2     Running   2          46m
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
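
The comparison the second verification comment makes by eye (certificate dates moved forward, pod ages did not reset) can be scripted. This is an added example, not part of the bug report or of OpenShift; the function names and the observation time `OBSERVED_AT` are assumptions, and the certificate dates and pod rows are copied from the output above.

```python
import re
from datetime import datetime, timedelta, timezone

FMT = "%b %d %H:%M:%S %Y GMT"            # date format printed by `openssl x509 -dates`
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from openssl output."""
    found = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", text, re.M))
    return tuple(datetime.strptime(found[k].strip(), FMT).replace(tzinfo=timezone.utc)
                 for k in ("notBefore", "notAfter"))

def parse_age(age):
    """Convert an `oc get po` AGE value such as 51m or 4m31s to a timedelta."""
    return timedelta(seconds=sum(int(n) * UNITS[u]
                                 for n, u in re.findall(r"(\d+)([dhms])", age)))

def check(first, second, oc_output, observed_at):
    """Return (rotated, names of Running pods created at or after the rotation)."""
    nb1, _ = parse_dates(first)
    nb2, _ = parse_dates(second)
    rolled = []
    for line in oc_output.strip().splitlines()[1:]:        # skip the header row
        name, _ready, status, _restarts, age = line.split()
        if status == "Running" and observed_at - parse_age(age) >= nb2:
            rolled.append(name)
    return nb2 > nb1, sorted(rolled)

# Values copied from the verification comment above.
FIRST = "notBefore=Mar 17 04:52:46 2020 GMT\nnotAfter=Mar 17 05:07:47 2020 GMT\n"
SECOND = "notBefore=Mar 17 05:00:21 2020 GMT\nnotAfter=Mar 17 05:15:22 2020 GMT\n"
PODS = """NAME READY STATUS RESTARTS AGE
kube-controller-manager-ip-10-0-128-13.us-east-2.compute.internal 4/4 Running 7 51m
kube-controller-manager-ip-10-0-151-31.us-east-2.compute.internal 4/4 Running 5 50m
kube-controller-manager-ip-10-0-160-206.us-east-2.compute.internal 4/4 Running 4 49m
"""
# Constructed assumption: the page does not say when `oc get po` was run.
OBSERVED_AT = datetime(2020, 3, 17, 5, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    rotated, rolled = check(FIRST, SECOND, PODS, OBSERVED_AT)
    nb, na = parse_dates(SECOND)
    print("rotated:", rotated, "| validity:", na - nb, "| rolled out:", rolled or "none")
```

AGE is rounded by `oc`, so a pod created within a minute of the rotation can land on either side of the comparison.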