Bug 1912922

Summary: Explicitly specifying the operator generated default certificate for an ingress controller breaks the ingress controller
Product: OpenShift Container Platform Reporter: Stephen Greene <sgreene>
Component: NetworkingAssignee: Stephen Greene <sgreene>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aiyengar, amcdermo, aos-bugs, hongli
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Setting an ingress controller's spec.DefaultCertificate.Name field to the name of the operator-generated default certificate (i.e. `router-certs-default`).
Consequence: The ingress operator deletes the operator-generated default certificate.
Fix: Have the ingress operator delete the generated default certificate only if spec.DefaultCertificate.Name != the name of the generated default certificate.
Result: Redundantly specifying the name of the ingress controller's operator-generated default certificate does not break the ingress controller.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:50:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Greene 2021-01-05 15:43:30 UTC
Description of problem:

Setting an ingress controller's spec.DefaultCertificate.Name field to be the name of the operator generated default certificate (i.e. `router-certs-default`) causes the ingress operator to delete the router-certs-default certificate. See https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/certificate/default_cert.go#L31-L34.

Although unlikely, the operator should handle the case where an ingress controller's spec.DefaultCertificate.Name redundantly specifies the already in use default certificate.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. oc edit ingresscontroller default -n openshift-ingress-operator
2. set spec.DefaultCertificate.Name to `router-certs-default`
3. Check ingress operator logs

Actual results:

router-certs-default secret is deleted

Expected results:
no secrets are deleted, and the ingress controller continues to function with or without the DefaultCertificate field redundantly set.

Additional info:
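
The failure mode above comes down to one reconcile decision: whether the operator still "wants" its generated default-certificate secret once spec.DefaultCertificate is set. The following Go program is an added, simplified model of that decision, not the cluster-ingress-operator's own code: the type names, the `wantGeneratedCert*` functions, the map-backed secret store and the `router-certs-<controller name>` naming are assumptions made for illustration. It places the pre-fix rule (any explicit DefaultCertificate means the generated secret is unwanted and gets deleted) beside the fixed rule (delete only when the referenced name differs from the generated secret's name), and runs both against the redundant `router-certs-default` reference from the reproduction steps.

```go
package main

import "fmt"

// defaultCertificate mirrors the shape of spec.defaultCertificate: a secret reference by name.
type defaultCertificate struct {
	Name string
}

// ingressController is a hypothetical, cut-down stand-in for the operator's IngressController type.
type ingressController struct {
	Name               string
	DefaultCertificate *defaultCertificate // nil when spec.defaultCertificate is unset
}

// generatedCertSecretName models the operator-generated secret name for a controller.
// For the "default" controller this yields router-certs-default, the name from the bug report.
func generatedCertSecretName(ic ingressController) string {
	return "router-certs-" + ic.Name
}

// wantGeneratedCertBuggy models the pre-fix rule described in the bug: the moment the
// user sets spec.defaultCertificate, the generated secret is considered unwanted, even
// when the user named the generated secret itself.
func wantGeneratedCertBuggy(ic ingressController) bool {
	return ic.DefaultCertificate == nil
}

// wantGeneratedCertFixed models the fix from the Doc Text: the generated secret is only
// unwanted when spec.defaultCertificate.name points at a *different* secret.
func wantGeneratedCertFixed(ic ingressController) bool {
	if ic.DefaultCertificate == nil {
		return true
	}
	return ic.DefaultCertificate.Name == generatedCertSecretName(ic)
}

// reconcileGeneratedCert applies the create/delete decision to a map-backed secret store
// (a constructed stand-in for the openshift-ingress namespace) and reports whether the
// generated secret exists afterwards.
func reconcileGeneratedCert(ic ingressController, secrets map[string]bool, want func(ingressController) bool) bool {
	name := generatedCertSecretName(ic)
	switch {
	case want(ic) && !secrets[name]:
		secrets[name] = true // operator creates its self-signed default cert
	case !want(ic) && secrets[name]:
		delete(secrets, name) // operator removes a cert it believes is no longer in use
	}
	return secrets[name]
}

// secretSurvives starts from a cluster where router-certs-default already exists (AGE 32m in
// the verification output), sets spec.defaultCertificate.name to certName (empty = unset),
// reconciles once with the given rule and returns whether the generated secret is still there.
func secretSurvives(certName string, want func(ingressController) bool) bool {
	ic := ingressController{Name: "default"}
	if certName != "" {
		ic.DefaultCertificate = &defaultCertificate{Name: certName}
	}
	secrets := map[string]bool{generatedCertSecretName(ic): true}
	return reconcileGeneratedCert(ic, secrets, want)
}

func main() {
	for _, name := range []string{"", "router-certs-default", "my-custom-cert"} {
		fmt.Printf("defaultCertificate.name=%q  buggy keeps secret: %-5v  fixed keeps secret: %v\n",
			name, secretSurvives(name, wantGeneratedCertBuggy), secretSurvives(name, wantGeneratedCertFixed))
	}
}
```

With the fixed rule the redundant reference is a no-op, as Comment 2 later verifies on the nightly build; a reference to a genuinely custom secret still retires the generated one in both versions, so the fix narrows the deletion rather than disabling it.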

Comment 2 Arvind iyengar 2021-01-11 09:50:41 UTC
Verified in "4.7.0-0.nightly-2021-01-09-144822" release payload containing the merge. With this release, it is observed that the default router certificates secret continues to persist and remain available after including it explicitly in the ingress controller under the "spec.DefaultCertificate.Name" section.
----
$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      32m

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-01-09-144822   True        False         24m     Cluster version is 4.7.0-0.nightly-2021-01-09-144822

$ oc -n openshift-ingress-operator edit ingresscontroller default          
ingresscontroller.operator.openshift.io/default edited
spec:
  defaultCertificate:
    name: router-certs-default

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-vvrzn        kubernetes.io/dockercfg               1      52m
builder-token-flkd4            kubernetes.io/service-account-token   4      52m
builder-token-j48xp            kubernetes.io/service-account-token   4      52m
default-dockercfg-shmmn        kubernetes.io/dockercfg               1      52m
default-token-cd9l7            kubernetes.io/service-account-token   4      52m
default-token-wvdvn            kubernetes.io/service-account-token   4      52m
deployer-dockercfg-rlbnm       kubernetes.io/dockercfg               1      52m
deployer-token-ddvdf           kubernetes.io/service-account-token   4      52m
deployer-token-rxjkd           kubernetes.io/service-account-token   4      52m
router-certs-default           kubernetes.io/tls                     2      52m
router-dockercfg-vckg6         kubernetes.io/dockercfg               1      52m
router-metrics-certs-default   kubernetes.io/tls                     2      51m
router-stats-default           Opaque                                2      52m
router-token-4qgvt             kubernetes.io/service-account-token   4      52m
router-token-hqccr             kubernetes.io/service-account-token   4      52m

$ oc -n openshift-ingress get secret router-certs-default 
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      54m
----

Comment 5 errata-xmlrpc 2021-02-24 15:50:09 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633