Bug 1825987
Summary: | KCM doesn't get new client certs on recovery flow | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Tomáš Nožička <tnozicka> |
Component: | kube-controller-manager | Assignee: | Tomáš Nožička <tnozicka> |
Status: | CLOSED ERRATA | QA Contact: | zhou ying <yinzhou> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 4.4 | CC: | aos-bugs, maszulik, mfojtik, scuppett, sdodson, vareti, yinzhou |
Target Milestone: | --- | | |
Target Release: | 4.4.z | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1825983 | Environment: | |
Last Closed: | 2020-05-18 13:35:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1825983 | | |
Bug Blocks: | | | |

Description
Tomáš Nožička
2020-04-20 16:04:15 UTC
This along with https://bugzilla.redhat.com/show_bug.cgi?id=1817997 is required for the automatic cert-rotation to fully work.

Given that there are the following items left:

- https://github.com/openshift/cluster-kube-controller-manager-operator/pull/401 - Sync new client cert-key on recovery for 4.4
- https://github.com/kubernetes/kubernetes/pull/90360 - Fix client-ca dynamic reload in apiserver

With the latter we need to land it upstream first and backport to the current origin master and only then back to 4.4. With all of the above tasks we'll continue to land this ASAP, but that won't make the 4.4.0 cut. We still have the manual steps described in https://docs.openshift.com/container-platform/4.3/backup_and_restore/disaster_recovery/scenario-3-expired-certs.html#dr-recovering-expired-certs working; we have a fallback solution in place for 4.4.0.

```
[root@dhcp-140-138 scripts]# ./check_secrets_experts-30.sh
2020-05-08T06:07:41Z  2020-06-07T06:07:42Z  openshift-config-managed  kube-controller-manager-client-cert-key
2020-05-08T06:07:41Z  2020-06-07T06:07:42Z  openshift-kube-controller-manager  kube-controller-manager-client-cert-key

[root@dhcp-140-138 ~]# oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-05-08-004736   True        False         30h     Cluster version is 4.4.0-0.nightly-2020-05-08-004736
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2133