Bug 1947165

Summary: multus daemonset doesn't participate in token / ca rotation correctly
Product: OpenShift Container Platform
Reporter: Douglas Smith <dosmith>
Component: Networking
Assignee: Douglas Smith <dosmith>
Networking sub component: multus
QA Contact: Weibin Liang <weliang>
Status: CLOSED WORKSFORME
Severity: high    
Priority: high    
Version: 4.8   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2021-10-13 13:54:28 UTC
Type: Bug

Description Douglas Smith 2021-04-07 19:51:14 UTC
Description of problem: The Multus CNI entrypoint script does not account for the possibility of the kube ca rotating, since the entrypoint generates a kubeconfig only once -- the kube ca could be rotated and if you wait long enough, could cause a serious cluster failure upon rotation.

How reproducible: (when kube ca rotates)


Additional info: 

* The regenerated (and generated) kubeconfig should be an atomic swap of the file.
* A must-gather improvement could be nice to look at the contents of the multus.d directory (note: this should omit the actual secret)
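
The regenerate-and-swap behaviour asked for above, as an added sketch that is not the Multus entrypoint or the project's own code. The function names, the kubeconfig user/context names and the temp-file prefix are assumptions; the service account directory, API URL and destination path are supplied by the caller.

```bash
# Added example, not the Multus entrypoint. All paths are passed in by the caller.

# render_kubeconfig SA_DIR API_URL: print a kubeconfig built from the current
# service account CA bundle and token (SA_DIR holds ca.crt and token).
render_kubeconfig() {
  local sa_dir="$1" api_url="$2" ca token
  ca=$(base64 < "$sa_dir/ca.crt" | tr -d '\n') || return 1
  token=$(cat "$sa_dir/token") || return 1
  [ -n "$ca" ] && [ -n "$token" ] || return 1
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: ${api_url}
    certificate-authority-data: ${ca}
users:
- name: cni
  user:
    token: ${token}
contexts:
- name: cni-context
  context:
    cluster: local
    user: cni
current-context: cni-context
EOF
}

# refresh_kubeconfig SA_DIR API_URL DEST
# Returns 0 if DEST was replaced, 1 if already current, 2 on error (DEST untouched).
refresh_kubeconfig() {
  local sa_dir="$1" api_url="$2" dest="$3" tmp
  # Temp file in the same directory as DEST so the final mv is a rename(2).
  tmp=$(mktemp "$(dirname "$dest")/.kubeconfig.XXXXXX") || return 2
  chmod 600 "$tmp"  # file embeds the bearer token
  if ! render_kubeconfig "$sa_dir" "$api_url" > "$tmp"; then
    rm -f "$tmp"; return 2
  fi
  if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
    rm -f "$tmp"; return 1
  fi
  mv -f "$tmp" "$dest"  # readers see the old or the new file, never a partial one
}
```

Calling `refresh_kubeconfig` periodically instead of once at startup lets a rotated CA or token reach the on-disk kubeconfig; a failed render leaves the previous file in place.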

Comment 1 Douglas Smith 2021-10-13 13:54:28 UTC
Have a workaround in place. Will work in an ideal fashion when we upgrade to a thick plugin methodology.