Bug 1912922
Summary: | Explicitly specifying the operator generated default certificate for an ingress controller breaks the ingress controller | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Stephen Greene <sgreene> |
Component: | Networking | Assignee: | Stephen Greene <sgreene> |
Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | ||
Priority: | medium | CC: | aiyengar, amcdermo, aos-bugs, hongli |
Version: | 4.7 | ||
Target Milestone: | --- | ||
Target Release: | 4.7.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: |
Cause:
Setting an ingress controller's spec.DefaultCertificate.Name field to be the name of the operator-generated default certificate (i.e. `router-certs-default`).
Consequence:
The ingress-operator deletes the operator-generated default certificate.
Fix:
Have the ingress operator only delete the generated default certificate if spec.DefaultCertificate.Name != the name of the default generated certificate.
Result:
Redundantly specifying the name of the ingress controller's operator-generated default certificate does not break the ingress controller.
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-02-24 15:50:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Stephen Greene
2021-01-05 15:43:30 UTC
Verified in "4.7.0-0.nightly-2021-01-09-144822" release payload containing the merge. With this release, it is observed that the default router certificates secret continues to persist and remain available after including it explicitly in the ingress controller under the "spec.DefaultCertificate.Name" section.

----
$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      32m

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-01-09-144822   True        False         24m     Cluster version is 4.7.0-0.nightly-2021-01-09-144822

$ oc -n openshift-ingress-operator edit ingresscontroller default
ingresscontroller.operator.openshift.io/default edited

spec:
  defaultCertificate:
    name: router-certs-default

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-vvrzn        kubernetes.io/dockercfg               1      52m
builder-token-flkd4            kubernetes.io/service-account-token   4      52m
builder-token-j48xp            kubernetes.io/service-account-token   4      52m
default-dockercfg-shmmn        kubernetes.io/dockercfg               1      52m
default-token-cd9l7            kubernetes.io/service-account-token   4      52m
default-token-wvdvn            kubernetes.io/service-account-token   4      52m
deployer-dockercfg-rlbnm       kubernetes.io/dockercfg               1      52m
deployer-token-ddvdf           kubernetes.io/service-account-token   4      52m
deployer-token-rxjkd           kubernetes.io/service-account-token   4      52m
router-certs-default           kubernetes.io/tls                     2      52m
router-dockercfg-vckg6         kubernetes.io/dockercfg               1      52m
router-metrics-certs-default   kubernetes.io/tls                     2      51m
router-stats-default           Opaque                                2      52m
router-token-4qgvt             kubernetes.io/service-account-token   4      52m
router-token-hqccr             kubernetes.io/service-account-token   4      52m

$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      54m
----

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
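
The cause and fix given in the Doc Text, as an added Go example that is not the ingress operator's own code: a simplified model of one reconcile pass, run with and without the fix. The `router-certs-<name>` naming rule, the in-memory secret map and the function names are assumptions made for illustration.

```go
package main

import "fmt"

// generatedCertName follows the page's router-certs-default pattern for the
// "default" ingress controller; the "router-certs-<name>" form is an assumption.
func generatedCertName(icName string) string { return "router-certs-" + icName }

// reconcile models one pass of the default-certificate logic over an in-memory
// secret store (hypothetical stand-in for the openshift-ingress namespace).
// specCertName is spec.defaultCertificate.name, or "" when unset.
// It returns the secret the router will use and whether that secret exists.
func reconcile(secrets map[string]bool, icName, specCertName string, fixed bool) (string, bool) {
	gen := generatedCertName(icName)
	custom := specCertName != ""
	if fixed {
		// Fix from the bug report: naming the generated secret itself
		// does not count as supplying a custom certificate.
		custom = custom && specCertName != gen
	}
	mounted := gen
	if custom {
		delete(secrets, gen) // generated certificate treated as no longer needed
		mounted = specCertName
	} else {
		secrets[gen] = true // ensure the generated certificate exists
	}
	return mounted, secrets[mounted]
}

func main() {
	for _, fixed := range []bool{false, true} {
		// Constructed state: only the operator-generated secret is present.
		secrets := map[string]bool{"router-certs-default": true}
		name, ok := reconcile(secrets, "default", "router-certs-default", fixed)
		fmt.Printf("fixed=%v secret=%s exists=%v\n", fixed, name, ok)
	}
}
```

Without the fix, the referenced secret is the one that gets deleted, so the router is left pointing at a certificate that no longer exists; with the fix, the secret persists as in the verification output above.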