Bug 1887441
| Field | Value |
|---|---|
| Summary | ingress misconfiguration may break authentication but ingress operator keeps reporting "degraded: False" |
| Product | OpenShift Container Platform |
| Reporter | Standa Laznicka <slaznick> |
| Component | Networking |
| Assignee | Stephen Greene <sgreene> |
| Networking sub component | router |
| QA Contact | Arvind Iyengar <aiyengar> |
| Status | CLOSED ERRATA |
| Docs Contact | |
| Severity | medium |
| Priority | medium |
| CC | aiyengar, aos-bugs, hongli, mfisher, sgreene |
| Version | 4.6 |
| Target Milestone | --- |
| Target Release | 4.7.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-02-24 15:24:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |

Doc Text:

Cause: Set an Ingress Controller's Spec.DefaultCertificate field to reference a secret that does not exist.

Consequence: The operator-generated default certificate for that ingress controller is deleted.

Fix: The ingress operator now verifies that the secret named by an Ingress Controller's Spec.DefaultCertificate exists, if that field is specified, before deleting the operator-generated default certificate.

Result: The operator-generated default certificate for a given ingress controller is no longer forcibly deleted when the Ingress Controller's Spec.DefaultCertificate is updated to point to a secret that does not exist.
Description
Standa Laznicka
2020-10-12 13:36:55 UTC
Adding upcoming sprint.

I looked through the ingress controller status code and have a better idea of what a fix for this looks like. Adding upcoming sprint.

Note that as is, the ingress controller would go degraded after a period of 60 minutes in this scenario.
https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/ingress/status.go#L440-L442

Creating a PR to address the main problem of the router-certs secret being deleted when the user-specified Spec.DefaultCertificate in the default ingress controller does not exist.

Tested in "4.7.0-0.ci.test-2020-12-23-033722-ci-ln-2lsq5dt" release. With this payload, in reference to C#4, it is now noted that the default certificate continues to remain available when the router is incorrectly configured with the wrong unavailable certificate secret:

------
$ oc get clusterversion
NAME      VERSION                                           AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.ci.test-2020-12-23-033722-ci-ln-2lsq5dt   True        False         49m     Cluster version is 4.7.0-0.ci.test-2020-12-23-033722-ci-ln-2lsq5dt

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-7ts8x        kubernetes.io/dockercfg               1      56m
builder-token-7z7rx            kubernetes.io/service-account-token   4      56m
builder-token-mvz2h            kubernetes.io/service-account-token   4      56m
default-dockercfg-t7kvj        kubernetes.io/dockercfg               1      56m
default-token-mddzf            kubernetes.io/service-account-token   4      56m
default-token-w67cs            kubernetes.io/service-account-token   4      56m
deployer-dockercfg-b4sjn       kubernetes.io/dockercfg               1      56m
deployer-token-4zpcc           kubernetes.io/service-account-token   4      56m
deployer-token-5hs8g           kubernetes.io/service-account-token   4      56m
router-certs-default           kubernetes.io/tls                     2      56m
router-dockercfg-nbvck         kubernetes.io/dockercfg               1      56m
router-metrics-certs-default   kubernetes.io/tls                     2      55m
router-stats-default           Opaque                                2      56m
router-token-dfh72             kubernetes.io/service-account-token   4      56m
router-token-svglw             kubernetes.io/service-account-token   4      56m

$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      56m

After adding incorrect cert secret:
~~
  defaultCertificate:
    name: router-certs-test
~~

$ oc -n openshift-ingress-operator edit ingresscontroller default
ingresscontroller.operator.openshift.io/default edited

$ oc -n openshift-ingress get pods -o wide
NAME                              READY   STATUS              RESTARTS   AGE   IP            NODE                                       NOMINATED NODE   READINESS GATES
router-default-649b9cb8cb-cbgns   0/1     ContainerCreating   0          11s   <none>        ci-ln-2lsq5dt-f76d1-7gb45-worker-c-9vxjg   <none>           <none>
router-default-649b9cb8cb-m57j9   0/1     ContainerCreating   0          11s   <none>        ci-ln-2lsq5dt-f76d1-7gb45-worker-d-l76tl   <none>           <none>
router-default-76b758ff8b-fg6v4   1/1     Terminating         0          57m   10.128.2.10   ci-ln-2lsq5dt-f76d1-7gb45-worker-d-l76tl   <none>           <none>
router-default-76b758ff8b-n7dzc   1/1     Running             0          57m   10.131.0.20   ci-ln-2lsq5dt-f76d1-7gb45-worker-c-9vxjg   <none>           <none>

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-7ts8x        kubernetes.io/dockercfg               1      57m
builder-token-7z7rx            kubernetes.io/service-account-token   4      57m
builder-token-mvz2h            kubernetes.io/service-account-token   4      57m
default-dockercfg-t7kvj        kubernetes.io/dockercfg               1      57m
default-token-mddzf            kubernetes.io/service-account-token   4      57m
default-token-w67cs            kubernetes.io/service-account-token   4      57m
deployer-dockercfg-b4sjn       kubernetes.io/dockercfg               1      57m
deployer-token-4zpcc           kubernetes.io/service-account-token   4      57m
deployer-token-5hs8g           kubernetes.io/service-account-token   4      57m
router-certs-default           kubernetes.io/tls                     2      57m
router-dockercfg-nbvck         kubernetes.io/dockercfg               1      57m
router-metrics-certs-default   kubernetes.io/tls                     2      57m
router-stats-default           Opaque                                2      57m
router-token-dfh72             kubernetes.io/service-account-token   4      57m
router-token-svglw             kubernetes.io/service-account-token   4      57m

$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      57m
------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
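As an added illustration of the check described in the Doc Text and verified in the comments above (this is not the cluster-ingress-operator's own code): a model of the reconcile decision for the operator-generated default certificate, with a constructed in-memory secret store standing in for the openshift-ingress namespace and a flag that switches between the pre-fix and fixed behaviour. The names Reconcile, SecretStore and OperatorCertName are assumptions, not the operator's identifiers.

```go
package main

import "fmt"

// LocalObjectReference mirrors the shape of Spec.DefaultCertificate.
type LocalObjectReference struct{ Name string }

// IngressControllerSpec keeps only the field this bug concerns.
type IngressControllerSpec struct{ DefaultCertificate *LocalObjectReference }

// SecretStore is a constructed stand-in for the Kubernetes API: secret names
// present in the openshift-ingress namespace map to true.
type SecretStore map[string]bool

// OperatorCertName is the operator-generated default certificate secret for an
// ingress controller, e.g. router-certs-default for the "default" controller.
func OperatorCertName(icName string) string { return "router-certs-" + icName }

// Reconcile decides whether the operator-generated certificate for icName may be
// removed. verifyReference=false reproduces the pre-fix behaviour; true models
// the fix: the user-named secret must exist before the operator cert is deleted.
// It returns a status string and an error when the referenced secret is missing,
// so a caller could surface the misconfiguration in the controller's status.
func Reconcile(icName string, spec IngressControllerSpec, secrets SecretStore, verifyReference bool) (string, error) {
	opCert := OperatorCertName(icName)
	ref := spec.DefaultCertificate
	if ref == nil || ref.Name == "" || ref.Name == opCert {
		// No user certificate: the operator-generated secret stays the serving cert.
		return "operator certificate in use", nil
	}
	if verifyReference && !secrets[ref.Name] {
		// Fixed path: refuse to delete the only working certificate.
		return "user certificate missing; operator certificate retained",
			fmt.Errorf("defaultCertificate secret %q not found in openshift-ingress", ref.Name)
	}
	// Either the user secret exists, or (pre-fix) nobody checked before deleting.
	delete(secrets, opCert)
	return "operator certificate deleted", nil
}

func main() {
	// Constructed scenario from the verification comment: router-certs-test does not exist.
	spec := IngressControllerSpec{DefaultCertificate: &LocalObjectReference{Name: "router-certs-test"}}
	for _, fixed := range []bool{false, true} {
		secrets := SecretStore{"router-certs-default": true}
		status, err := Reconcile("default", spec, secrets, fixed)
		fmt.Printf("fixed=%v: %s (router-certs-default present: %v, err: %v)\n",
			fixed, status, secrets["router-certs-default"], err)
	}
}
```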