Bug 1840857

Summary: openshift-apiserver doesn't live reload extension-apiserver-authentication trust
Product: OpenShift Container Platform Reporter: Tomáš Nožička <tnozicka>
Component: openshift-apiserverAssignee: Lukasz Szaszkiewicz <lszaszki>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: high    
Version: 4.4CC: aos-bugs, lszaszki, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1840856 Environment:
Last Closed: 2020-06-17 22:26:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1840856    
Bug Blocks:    

Description Tomáš Nožička 2020-05-27 17:42:42 UTC 
+++ This bug was initially created as a clone of Bug #1840856 +++

openshift-apiserver doesn't live reload extension-apiserver-authentication trust 

openssl verify -CAfile <( oc -n kube-system get cm extension-apiserver-authentication --template='{{index .data "requestheader-client-ca-file"}}' ) <( oc get secret -n openshift-kube-apiserver aggregator-client --template='{{index .data "tls.crt"}}' | base64 -d )
/proc/self/fd/12: OK

but kube-apiserver still can't connect to discovery

oc get apiservices v1.apps.openshift.io -o yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1.apps.openshift.io
status:
  conditions:
  - lastTransitionTime: "2020-05-26T15:08:10Z"
    message: 'failing or missing response from https://10.130.0.18:8443/apis/apps.openshift.io/v1:
      bad status from https://10.130.0.18:8443/apis/apps.openshift.io/v1: 401'
    reason: FailedDiscoveryCheck
    status: "False"
    type: Available

Hit on recovery flow when the trust is rotated.
Comment 6 errata-xmlrpc 2020-06-17 22:26:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2445