Bug 1820610

Summary: csr-signer isn't refreshed in recovery flow
Product: OpenShift Container Platform Reporter: Tomáš Nožička <tnozicka>
Component: kube-controller-managerAssignee: Tomáš Nožička <tnozicka>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: high Docs Contact:
Priority: high    
Version: 4.4CC: aos-bugs, maszulik, mfojtik
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1820613 (view as bug list) Environment:
Last Closed: 2020-08-04 18:04:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1820613    

Description Tomáš Nožička 2020-04-03 12:59:23 UTC 
Description of problem:
KCM recovery side car isn't refreshing csr-signer and csr-signer-signer


Version-Release number of selected component (if applicable):
4.4.0-0.nightly-2020-04-01-141451

How reproducible:
always


Steps to Reproduce:
1. stop cluster for 25h
2.
3.

Actual results:
    auth.openshift.io/certificate-issuer: kubelet-signer
    auth.openshift.io/certificate-not-after: "2020-04-02T18:34:29Z"
    auth.openshift.io/certificate-not-before: "2020-04-01T18:48:01Z"


Expected results:
    auth.openshift.io/certificate-issuer: openshift-kube-controller-manager-operator_csr-signer-signer@1585915545

Additional info:
Comment 1 Tomáš Nožička 2020-04-03 13:07:16 UTC 
QA note: this is purely related to auto recovery flow, not the manual steps
Comment 4 zhou ying 2020-04-09 08:47:40 UTC 
Confirmed with payload: 4.5.0-0.nightly-2020-04-07-234835, the issue has fixed:

[root@dhcp-140-138 ~]#   oc get secrets csr-signer -o json -n openshift-kube-controller-manager-operator
{
    "apiVersion": "v1",
    "data": {
        "tls.crt": ...
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "auth.openshift.io/certificate-issuer": "openshift-kube-controller-manager-operator_csr-signer-signer@1586420549",
            "auth.openshift.io/certificate-not-after": "2020-05-09T08:22:30Z",
            "auth.openshift.io/certificate-not-before": "2020-04-09T08:22:29Z"
        },




[root@dhcp-140-138 ~]#   oc get secrets csr-signer -o json -n openshift-kube-controller-manager-operator
{
    "apiVersion": "v1",
    "data": {
        "tls.crt": ....
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "auth.openshift.io/certificate-issuer": "openshift-kube-controller-manager-operator_csr-signer-signer@1586420549",
            "auth.openshift.io/certificate-not-after": "2020-05-09T08:22:30Z",
            "auth.openshift.io/certificate-not-before": "2020-04-09T08:22:29Z"
        },
Comment 6 errata-xmlrpc 2020-08-04 18:04:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409