Bug 1840856
| Summary: | openshift-apiserver doesn't live reload extension-apiserver-authentication trust | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Tomáš Nožička <tnozicka> |
| Component: | openshift-apiserver | Assignee: | Lukasz Szaszkiewicz <lszaszki> |
| Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.5 | CC: | aos-bugs, mfojtik |
| Target Milestone: | --- | | |
| Target Release: | 4.5.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1840857 | Environment: | |
| Last Closed: | 2020-07-13 17:42:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1840857 | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

openshift-apiserver doesn't live reload extension-apiserver-authentication trust

```
openssl verify -CAfile <( oc -n kube-system get cm extension-apiserver-authentication --template='{{index .data "requestheader-client-ca-file"}}' ) <( oc get secret -n openshift-kube-apiserver aggregator-client --template='{{index .data "tls.crt"}}' | base64 -d )
/proc/self/fd/12: OK
```

but kube-apiserver still can't connect to discovery

```
oc get apiservices v1.apps.openshift.io -o yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1.apps.openshift.io
status:
  conditions:
  - lastTransitionTime: "2020-05-26T15:08:10Z"
    message: 'failing or missing response from https://10.130.0.18:8443/apis/apps.openshift.io/v1: bad status from https://10.130.0.18:8443/apis/apps.openshift.io/v1: 401'
    reason: FailedDiscoveryCheck
    status: "False"
    type: Available
```

Hit on recovery flow when the trust is rotated.
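
The failure mode in this report, as an added Go example that is not part of the bug report and is not OpenShift code: a server that reads its client CA once at startup keeps rejecting a client certificate issued by the rotated CA, while a server that swaps the trust in on rotation accepts it. All names, the in-memory Ed25519 certificates and the `atomic.Value` holder are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync/atomic"
	"time"
)

// newCert issues a constructed certificate; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts reports whether client chains to ca for client authentication.
func accepts(ca, client *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// rotationOutcome rotates the CA and returns what each server style decides.
func rotationOutcome() (staticOK, liveOK bool) {
	oldCA, _ := newCert("constructed-old-ca", nil, nil)
	newCA, newKey := newCert("constructed-new-ca", nil, nil)
	client, _ := newCert("constructed-aggregator-client", newCA, newKey)
	var live atomic.Value // reloading server: a watcher swaps the trust in
	live.Store(oldCA)     // both servers start out trusting the old CA
	live.Store(newCA)     // rotation observed; only the live holder changes
	return accepts(oldCA, client), accepts(live.Load().(*x509.Certificate), client)
}

func main() {
	s, l := rotationOutcome()
	println("static trust accepts rotated client:", s, "live trust accepts rotated client:", l)
}
```

The static result corresponds to the 401 in the `FailedDiscoveryCheck` condition above even though the `openssl verify` check against the current configmap passes.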