Bug 1843953

Summary: stop adding service-ca to token secret in 4.5
Product: OpenShift Container Platform
Reporter: Gabe Montero <gmontero>
Component: Samples
Assignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: high
Version: 4.5
CC: adam.kaplan, aos-bugs, bmcelvee, deads, mfojtik, mnewby, pweil, sttts, tflannag, xiuwang, xxia
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Removed functionality
Doc Text:
The service-serving CA is no longer available in pods at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. This file has been deprecated since 4.1. Pods that currently consume the service-serving CA bundle from /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt must migrate to obtaining the CA bundle from a configMap annotated with service.beta.openshift.io/inject-cabundle=true. The change removes the OCP templates identified as using this removed functionality.
Clone Of: 1843949
Last Closed: 2020-07-13 17:43:18 UTC
Bug Depends On: 1843949

Description Gabe Montero 2020-06-04 13:42:30 UTC
+++ This bug was initially created as a clone of Bug #1843949 +++

+++ This bug was initially created as a clone of Bug #1813894 +++

with the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6

1. find the initial deprecation notice in docs
2. have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. write a controller in the operator that removes the service-ca from all secrets.
3. create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`.  The name is abusive and clear.  People who set it should be very aware and not call us.
4. if the value is set, set the env var and mark the cluster upgradeable==false

In 4.6, we can remove the code entirely because no one can be relying on it.

--- Additional comment from Maru Newby on 2020-03-24 02:30:59 UTC ---

Corrected commit targeted for removal: https://github.com/openshift/kubernetes/commit/46562f3b5e34287b6ef79b92e54d9bee78ab735d

--- Additional comment from Maru Newby on 2020-03-24 06:00:15 UTC ---

Initial deprecation notice: https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes

--- Additional comment from Stefan Schimanski on 2020-05-06 11:03:47 UTC ---

--- Additional comment from Maru Newby on 2020-05-07 22:46:46 UTC ---

PR to remove the code has been posted, and its merge should be deferred until 4.6:

--- Additional comment from Maru Newby on 2020-05-20 14:14:02 UTC ---

Still waiting on the updates to the following operators:

- openshift/cluster-kube-controller-manager-operator (submitted but blocked by persistent and unrelated test flake)
- openshift/cluster-samples-operator (coordinating with maintainers of jboss-container-images to get required upstream changes merged)

--- Additional comment from Maru Newby on 2020-05-29 21:22:06 UTC ---

The cluster-samples-operator fix is still in-progress, but testing the change is now possible.

The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in the pod filesystem:

--- Additional comment from Maru Newby on 2020-06-02 14:50:55 UTC ---

The openshift/library PR has merged:

Tomorrow (June 3rd), once a nightly job has made the necessary updates to the branch, cluster-samples-operator will be able to vendor the change. This vendoring change will need to merge to master and then backported to 4.5.

Comment 1 Gabe Montero 2020-06-04 14:44:39 UTC
Maru - do you and your team view getting these SSO templates updated as a 4.5.0 blocker?

Comment 3 Gabe Montero 2020-06-04 15:30:19 UTC
Brandy - I forget, is there some tagging or labelling of bugs we should do to note they should be release noted?

Comment 6 Gabe Montero 2020-06-04 21:42:04 UTC
For verification, simply instantiate one of the SSO templates Maru changed and confirm service-ca is not in the token secret.

Visit the changed files from the PR associated with this bz for that list.

Comment 7 Gabe Montero 2020-06-04 21:42:50 UTC
With the PR merged, we don't need to release note.

Comment 8 XiuJuan Wang 2020-06-10 09:51:10 UTC
Instantiate one of the SSO templates:
$ oc new-app sso74-ocp4-x509-postgresql-persistent
$ for i in `oc get secret | awk '{print $1}'`; do oc get secret $i -o json | jq '.data["service-ca.crt"]' -r; done
Error from server (NotFound): secrets "NAME" not found
$ oc get cm
NAME             DATA   AGE
sso-service-ca   1      3m30s
$ oc get pods
NAME                      READY   STATUS      RESTARTS   AGE
sso-1-9nnvx               1/1     Running     1          4m26s
sso-1-deploy              0/1     Completed   0          4m30s
sso-postgresql-1-4mmb2    1/1     Running     0          4m27s
sso-postgresql-1-deploy   0/1     Completed   0          4m30s

$ oc rsh sso-1-9nnvx
sh-4.4$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt	namespace  token

Verified this issue in 4.5.0-rc.1
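One way to script the migration check from the Doc Text (token secrets that still carry service-ca.crt, ConfigMaps opted in via the inject-cabundle annotation, pods that mount none of them) together with the verification in Comment 8. This is an added example, not code from this bug report, the SSO templates or the samples operator; the resource names and sample objects are constructed.

```python
"""Offline audit for the 4.5 service-ca.crt removal. Added example, not code from this bug
report or the samples operator; the sample objects below are constructed, not real cluster
output. Feed it the dicts parsed from `oc get secrets/configmaps/pods -o json`."""
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
INJECT_ANNOTATION = "service.beta.openshift.io/inject-cabundle"
CA_KEY = "service-ca.crt"

def token_secrets_with_service_ca(secret_list):
    """Names of service-account token secrets that still carry the removed key."""
    return [s["metadata"]["name"] for s in secret_list.get("items", [])
            if s.get("type") == SA_TOKEN_TYPE and CA_KEY in (s.get("data") or {})]

def injected_ca_configmaps(cm_list):
    """ConfigMaps annotated for injection, split into (injected, still pending)."""
    injected, pending = [], []
    for cm in cm_list.get("items", []):
        annotations = cm["metadata"].get("annotations") or {}
        if annotations.get(INJECT_ANNOTATION) != "true":
            continue  # not opted in; the service-ca operator never touches it
        bucket = injected if CA_KEY in (cm.get("data") or {}) else pending
        bucket.append(cm["metadata"]["name"])
    return injected, pending

def pods_without_ca_configmap(pod_list, injected_cms):
    """Pods mounting none of the injected ConfigMaps: on 4.5 they see no service CA at all."""
    stale = []
    for pod in pod_list.get("items", []):
        volumes = pod["spec"].get("volumes") or []
        mounted = {v["configMap"]["name"] for v in volumes if "configMap" in v}
        if not mounted & set(injected_cms):
            stale.append(pod["metadata"]["name"])
    return stale

# Constructed samples: a pre-4.5 token secret, an injected and a not-yet-injected ConfigMap,
# one migrated pod and one pod that still expects the old file in the token secret.
SECRETS = {"items": [
    {"metadata": {"name": "sso-token-abc12"}, "type": SA_TOKEN_TYPE,
     "data": {"ca.crt": "...", "namespace": "...", "token": "...", CA_KEY: "..."}},
    {"metadata": {"name": "sso-x509-https"}, "type": "Opaque", "data": {"tls.key": "..."}}]}
CONFIGMAPS = {"items": [
    {"metadata": {"name": "sso-service-ca", "annotations": {INJECT_ANNOTATION: "true"}},
     "data": {CA_KEY: "-----BEGIN CERTIFICATE-----..."}},
    {"metadata": {"name": "app-ca", "annotations": {INJECT_ANNOTATION: "true"}}}]}
PODS = {"items": [
    {"metadata": {"name": "sso-1-9nnvx"},
     "spec": {"volumes": [{"name": "ca", "configMap": {"name": "sso-service-ca"}}]}},
    {"metadata": {"name": "legacy-client-1-zzzzz"}, "spec": {"volumes": []}}]}
```

A ConfigMap that shows up as pending has the annotation but has not been populated yet, so a pod mounting it would read an empty bundle; wait for the operator before rolling the workload.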

Comment 10 errata-xmlrpc 2020-07-13 17:43:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.