Bug 1981498
| Summary: | enhance service-ca injection | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | David Eads <deads> |
| Component: | service-ca | Assignee: | David Eads <deads> |
| Status: | CLOSED ERRATA | QA Contact: | liyao |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.9 | CC: | aos-bugs, mfojtik, sidsharm, surbania, xxia |
| Target Milestone: | --- | ||
| Target Release: | 4.9.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-18 17:38:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1981633 | ||
|
Description
David Eads
2021-07-12 17:10:25 UTC
For better and preciser reference for QE to check the code in case needed, could you attach all involved repos' PRs to this bug? Thx Researched the code changes of all the 4.9/4.8/4.7 repos' PRs that are attached & updated in https://github.com/openshift/service-ca-operator/pull/167 comment and figured out the test thoughts. QA Contact is verifying. Tested, no issue. Colleague liyao will help comment with the verification steps later soon. Moving to VERIFIED first to unblock backport PRs if any. Tested in 4.9.0-0.nightly-2021-07-14-002315 fresh env:
1.
$ oc get kubecontrollermanager cluster -o yaml | grep -i secure
useMoreSecureServiceCA: true
# This means secure mode is used by default.
$ oc new-project testproj
$ oc get cm openshift-service-ca.crt -o yaml
# annotation service.beta.openshift.io/inject-cabundle: "true" is seen, and only one cert in service-ca.crt field, this is secure as expected
2.
$ oc edit kubecontrollermanager cluster
Change useMoreSecureServiceCA to false in order to test service.alpha.openshift.io/inject-vulnerable-legacy-cabundle later.
This change will make KCM pods restart, watch and wait for the restart to finish.
Then check `oc get cm openshift-service-ca.crt -o yaml` again, annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle is seen, and multiple certs in service-ca.crt field.
$ oc extract cm/openshift-service-ca.crt
$ openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -text | grep Issuer
Issuer: CN=openshift-service-serving-signer@1626244482
Issuer: OU=openshift, CN=kube-apiserver-lb-signer
Issuer: OU=openshift, CN=kube-apiserver-localhost-signer
Issuer: OU=openshift, CN=kube-apiserver-service-network-signer
Issuer: CN=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1626244483
# Can see the multiple certs' issuer info, this means annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle injects less secure content as expected.
3. Create other configmap
$ oc create cm testconfigmap --from-literal=key=value
$ oc annotate cm testconfigmap service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true
Check `oc get cm testconfigmap -o yaml`, no service-ca.crt field is seen, this means service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true only takes effect for configmap named "openshift-service-ca.crt".
* Will test 4.7->4.8 upgrade scenario when 4.8 clone bug is ON_QA. *
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759 |