Bug 1901869

Summary: The master-cert couldn't be regenerated
Product: OpenShift Container Platform
Reporter: Anping Li <anli>
Component: Logging
Assignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: high
Docs Contact: Rolfe Dlugy-Hegwer <rdlugyhe>
Priority: urgent
Version: 4.6.z
CC: aos-bugs, ikarpukh, jcantril, rdlugyhe
Target Milestone: ---
Keywords: Regression
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: logging-core
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, if you deleted the secret, it was not recreated. Even though the certificates were on a disk local to the operator, they weren't rewritten because they hadn't changed. That is, certificates were only written if they changed. The current release fixes this issue. It rewrites the secret if the certificate changes or is not found. Now, if you delete the master-certs, they are replaced. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1901869[*BZ#1901869*])
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-24 11:22:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description: Logging must gather; Flags: none

Description Anping Li 2020-11-26 10:06:47 UTC
Description of Problem:
After deleting the secret master-cert, the secret couldn't be recreated.

Version-Release number of selected component (if applicable):
CSV: clusterlogging.4.6.0-202011260456.p0
cluster-logging-operator: v4.6.0-202011260456.p0; Last commit ID: 332dec5d433570f7e315b1629159c81abfe936d4

How Reproducible:
Always

Steps to Reproduce:
1. Deploy cluster-logging
2. oc delete secret master-cert
3. Wait for a while, and check the secret


Actual Result:
master-cert wasn't recreated.

Expected Result:
A new master-cert was generated.

Comment 1 Anping Li 2020-11-26 10:09:30 UTC
Created attachment 1733692
Logging must gather

Comment 2 Jeff Cantrill 2020-11-30 16:23:16 UTC
The workaround is to delete the CLO pod, as I believe the issue is that certs are cached in the pod's temp directory. There is logic to not write the certs back if they have not changed. This means if they exist on disk and have not changed or were never written, then they never will be written.
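
The write condition described in Comment 2 and in the Doc Text, as an added Go example that is not the cluster-logging-operator's code. `Cluster`, `Operator` and every function name are hypothetical, and in-memory maps stand in for the API server and the pod's temp directory.

```go
package main

import "bytes"
import "fmt"

// Cluster is a constructed in-memory stand-in for the API server's secrets.
// Operator is the operator pod's local cert cache (its temp directory).
type Cluster map[string][]byte
type Operator map[string][]byte

// generate returns the cert for name and whether the local copy changed.
func (o Operator) generate(name string) ([]byte, bool) {
	want := []byte("constructed-cert-for-" + name) // placeholder bytes
	if bytes.Equal(o[name], want) {
		return want, false
	}
	o[name] = want
	return want, true
}

// ReconcileBuggy writes the secret only when the local copy changed.
func (o Operator) ReconcileBuggy(c Cluster, name string) {
	if cert, changed := o.generate(name); changed {
		c[name] = cert
	}
}

// ReconcileFixed also writes when the secret is not found in the cluster.
func (o Operator) ReconcileFixed(c Cluster, name string) {
	cert, changed := o.generate(name)
	if _, found := c[name]; changed || !found {
		c[name] = cert
	}
}

// SurvivesDelete reconciles, deletes the secret, reconciles again, and reports whether it exists.
func SurvivesDelete(reconcile func(Operator, Cluster, string)) bool {
	op, c := Operator{}, Cluster{}
	reconcile(op, c, "master-cert")
	delete(c, "master-cert") // stands in for `oc delete secret master-cert`
	reconcile(op, c, "master-cert")
	_, ok := c["master-cert"]
	return ok
}

func main() {
	fmt.Println("buggy recreates:", SurvivesDelete(Operator.ReconcileBuggy))
	fmt.Println("fixed recreates:", SurvivesDelete(Operator.ReconcileFixed))
}
```

In this model, restarting the pod corresponds to starting from an empty `Operator{}`, which makes `generate` report a change again and so restores the secret even with the buggy condition.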

Comment 4 Anping Li 2020-12-08 03:49:09 UTC
Verified on clusterlogging.4.7.0-202012072045.p0

Comment 12 errata-xmlrpc 2021-02-24 11:22:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Errata Advisory for Openshift Logging 5.0.0), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0652