Bug 1843949
| Summary: | stop adding service-ca to token secret in 4.5 | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Gabe Montero <gmontero> | |
| Component: | Samples | Assignee: | Gabe Montero <gmontero> | |
| Status: | CLOSED ERRATA | QA Contact: | XiuJuan Wang <xiuwang> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.6 | CC: | aos-bugs, deads, mfojtik, mnewby, sttts, tflannag, xxia | |
| Target Milestone: | --- | |||
| Target Release: | 4.6.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | | Doc Type: | Removed functionality | |
| Doc Text: | The service-serving CA is no longer available in pods at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. This file has been deprecated since 4.1. Pods that currently consume the service-serving CA bundle from /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt must migrate to obtaining the CA bundle from a configMap annotated with service.beta.openshift.io/inject-cabundle=true. The change removes the OCP templates identified as using this removed functionality. | | | |
| Story Points: | --- | | | |
| Clone Of: | 1813894 | |||
| : | 1843953 (view as bug list) | Environment: | ||
| Last Closed: | 2020-10-27 16:04:47 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1843953 | |||
|
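The migration described in the Doc Text, as an added example that is not part of the original bug report or of the templates it changed: a configMap carrying the inject-cabundle annotation, and a pod that mounts the injected service-ca.crt key instead of reading it from the service account directory. The object names, image, mount path and environment variable are assumptions.

```yaml
# Added example; object names, image, mount path and env var are hypothetical.
apiVersion: v1
kind: ConfigMap
metadata:
  name: example-service-ca
  annotations:
    # The service CA operator writes the bundle into data["service-ca.crt"].
    # Keep this configMap dedicated to the bundle: the operator owns its data.
    service.beta.openshift.io/inject-cabundle: "true"
---
apiVersion: v1
kind: Pod
metadata:
  name: example-client
spec:
  containers:
  - name: client
    image: registry.example.com/example/client:latest   # placeholder image
    env:
    # Old location, no longer populated:
    #   /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    - name: SERVICE_CA_BUNDLE          # hypothetical variable read by the app
      value: /etc/service-ca/service-ca.crt
    volumeMounts:
    - name: service-ca
      mountPath: /etc/service-ca       # assumed mount path
      readOnly: true
  volumes:
  - name: service-ca
    configMap:
      name: example-service-ca
      items:
      - key: service-ca.crt            # key injected by the operator
        path: service-ca.crt
```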
Description
Gabe Montero
2020-06-04 13:38:59 UTC
For verification, simply instantiate one of the SSO templates Maru changed and confirm service-ca is not in the token secret. Visit the changed files from the PR associated with this bz for that list.
Instantiate one of the SSO templates:
$ oc new-project test
$ oc new-app sso73-ocp4-x509-https
$ for i in `oc get secret | awk '{print $1}'`; do oc get secret $i -o json | jq '.data["service-ca.crt"]' -r ; done
Error from server (NotFound): secrets "NAME" not found
null
null
null
null
null
null
null
null
null
null
null
$oc get secret
NAME TYPE DATA AGE
builder-dockercfg-s9cjw kubernetes.io/dockercfg 1 21m
builder-token-6px6k kubernetes.io/service-account-token 3 21m
builder-token-dj9pc kubernetes.io/service-account-token 3 21m
default-dockercfg-gsbpq kubernetes.io/dockercfg 1 21m
default-token-g7r9b kubernetes.io/service-account-token 3 21m
default-token-tf4hs kubernetes.io/service-account-token 3 21m
deployer-dockercfg-4xghh kubernetes.io/dockercfg 1 21m
deployer-token-cz94g kubernetes.io/service-account-token 3 21m
deployer-token-nq245 kubernetes.io/service-account-token 3 21m
sso-x509-https-secret kubernetes.io/tls 2 21m
sso-x509-jgroups-secret kubernetes.io/tls 2 21m
[wxj@dhcp-140-124 kubeconfig]$ oc get cm
NAME DATA AGE
sso-service-ca 1 21m
[wxj@dhcp-140-124 kubeconfig]$ oc get cm -o yaml
apiVersion: v1
items:
- apiVersion: v1
data:
service-ca.crt: |
kind: ConfigMap
metadata:
annotations:
description: ConfigMap providing service ca bundle.
openshift.io/generated-by: OpenShiftNewApp
service.beta.openshift.io/inject-cabundle: "true"
creationTimestamp: "2020-06-10T09:01:47Z"
labels:
app: sso73-ocp4-x509-https
app.kubernetes.io/component: sso73-ocp4-x509-https
app.kubernetes.io/instance: sso73-ocp4-x509-https
application: sso
rhsso: 7.3.8.GA
template: sso73-ocp4-x509-https
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:description: {}
f:openshift.io/generated-by: {}
f:service.beta.openshift.io/inject-cabundle: {}
f:labels:
.: {}
f:app: {}
f:app.kubernetes.io/component: {}
f:app.kubernetes.io/instance: {}
f:application: {}
f:rhsso: {}
f:template: {}
manager: oc
operation: Update
time: "2020-06-10T09:01:47Z"
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:service-ca.crt: {}
manager: service-ca-operator
operation: Update
time: "2020-06-10T09:01:47Z"
name: sso-service-ca
namespace: bug
resourceVersion: "143484"
selfLink: /api/v1/namespaces/bug/configmaps/sso-service-ca
uid: 866cefb4-ef33-4774-8c4b-aba0aaddadd6
kind: List
metadata:
resourceVersion: ""
selfLink: ""
oc get pods
NAME READY STATUS RESTARTS AGE
sso-1-deploy 0/1 Completed 0 23m
sso-1-rw6zg 1/1 Running 0 23m
[wxj@dhcp-140-124 kubeconfig]$ oc rsh sso-1-rw6zg
sh-4.2$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt namespace token
Mark this bug verified in 4.6.0-0.nightly-2020-06-09-234748
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:4196