Bug 1860789

Summary: [oc compatibility] - Cannot approve csr using oc 4.5 client on 4.6 server
Product: OpenShift Container Platform Reporter: RamaKasturi <knarra>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: RamaKasturi <knarra>
Severity: high Docs Contact:
Priority: high    
Version: 4.5CC: akostadi, aos-bugs, fbrychta, jokerman, maszulik, mfojtik, rvanderp, sdodson, tnozicka, tsze, walters, wjiang, wking, yanyang
Target Milestone: ---Keywords: Regression
Target Release: 4.5.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: A new API version for CSR was introduced in OCP 4.6. Consequence: As a consequence older versions were not able to approve or deny certificates during upgrade. Fix: Tolerate different versions of CSRs in older versions of oc. Result: It is possible to deny or approve certificates with oc 4.5 against OCP server 4.6.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-19 14:54:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1874056    
Bug Blocks:    

Description RamaKasturi 2020-07-27 07:05:52 UTC 
Description of problem:
When trying to approve a csr on 4.6 cluster using oc4.5 client it fails with error "error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"


Version-Release number of selected component (if applicable):
[ramakasturinarra@dhcp35-60 ~]$ oc version
Client Version: 4.5.0-202007240519.p0-b66f2d3
Server Version: 4.6.0-0.nightly-2020-07-25-091217
Kubernetes Version: v4.6.0-202007250017.p0-dirty


How reproducible:
Always

Steps to Reproduce:
1. Use oc 4.5 client 4.5.0-202007240519.p0-b66f2d3 to approve a csr on 4.6 server
2. oc adm certificate approve <csr-name>

Actual results:
Approving certificate fails with "error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"

Expected results:

Approval of certificates should work with out any issues.

Additional info:
Same works fine with "openshift-clients-4.6.0-202007241012.p0.git.3670.b87fe27.el7.x86_64"
[ramakasturinarra@dhcp35-60 ~]$ oc adm certificate approve csr-r4cdq
certificatesigningrequest.certificates.k8s.io/csr-r4cdq approved
Comment 1 RamaKasturi 2020-07-27 07:28:18 UTC 
I run oc get node cmd in 4.5 server, then in .kube/cache/discovery/, it has certificates.k8s.io/v1beta1.
But for 4.6 server, has both certificates.k8s.io/v1beta1 and certificates.k8s.io/v1. oc 4.5 should work for this change, i.e. is a bug
Comment 2 Tomáš Nožička 2020-07-28 14:01:20 UTC 
yeah, we need to backport kubernetes fixes that went into 1.18 branch - we are planing a small rebase
Comment 4 Maciej Szulik 2020-08-10 15:16:15 UTC 
Now that I'm back, I'll be handling these.
Comment 5 Maciej Szulik 2020-08-11 10:23:35 UTC 
*** Bug 1861828 has been marked as a duplicate of this bug. ***
Comment 6 Maciej Szulik 2020-08-11 10:23:45 UTC 
*** Bug 1862352 has been marked as a duplicate of this bug. ***
Comment 7 Maciej Szulik 2020-08-21 14:10:22 UTC 
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
Comment 8 Aleksandar Kostadinov 2020-08-24 22:56:55 UTC 
If not fixed it needs to go to release notes as users expect oc version x.y to be compatible with cluster version x.y+1
Comment 9 Maciej Szulik 2020-08-25 10:34:19 UTC 
(In reply to Aleksandar Kostadinov from comment #8)
> If not fixed it needs to go to release notes as users expect oc version x.y
> to be compatible with cluster version x.y+1

It is planned to be fixed in 4.5
Comment 10 Aleksandar Kostadinov 2020-08-25 21:29:47 UTC 
Sounds good, thank you.

This is also failing in the same way with as early as 4.2.35 (that I had available to test with). Are earlier versions going to be fixed?
Comment 11 Maciej Szulik 2020-08-26 09:57:38 UTC 
(In reply to Aleksandar Kostadinov from comment #10)
> Sounds good, thank you.
> 
> This is also failing in the same way with as early as 4.2.35 (that I had
> available to test with). Are earlier versions going to be fixed?

Nope, we guarantee +/- 1 version compatibility, so only 4.5 will be fixed. Also earlier versions are either EOL or in maintenance.
Comment 12 Maciej Szulik 2020-09-03 15:02:47 UTC 
This will be fixed in https://github.com/openshift/oc/pull/551
Comment 13 Maciej Szulik 2020-09-11 11:18:49 UTC 
PR is waiting in the queue.
Comment 14 rvanderp 2020-09-15 16:34:44 UTC 
*** Bug 1879177 has been marked as a duplicate of this bug. ***
Comment 15 Maciej Szulik 2020-10-01 08:26:01 UTC 
The PRs are in the queue already.
Comment 20 errata-xmlrpc 2020-10-19 14:54:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4228