Bug 1981498

Summary: enhance service-ca injection
Product: OpenShift Container Platform Reporter: David Eads <deads>
Component: service-caAssignee: David Eads <deads>
Status: CLOSED ERRATA QA Contact: liyao
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.9CC: aos-bugs, mfojtik, sidsharm, surbania, xxia
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:38:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1981633    

Description David Eads 2021-07-12 17:10:25 UTC

Comment 4 Xingxing Xia 2021-07-13 14:00:14 UTC
For better and preciser reference for QE to check the code in case needed, could you attach all involved repos' PRs to this bug? Thx

Comment 5 Xingxing Xia 2021-07-14 09:52:13 UTC
Researched the code changes of all the 4.9/4.8/4.7 repos' PRs that are attached & updated in https://github.com/openshift/service-ca-operator/pull/167 comment and figured out the test thoughts. QA Contact is verifying.

Comment 6 Xingxing Xia 2021-07-14 11:14:55 UTC
Tested, no issue. Colleague liyao will help comment with the verification steps later soon. Moving to VERIFIED first to unblock backport PRs if any.

Comment 7 liyao 2021-07-14 12:35:59 UTC
Tested in 4.9.0-0.nightly-2021-07-14-002315 fresh env:
$ oc get kubecontrollermanager cluster -o yaml | grep -i secure
  useMoreSecureServiceCA: true
# This means secure mode is used by default.
$ oc new-project testproj
$ oc get cm openshift-service-ca.crt -o yaml 
# annotation service.beta.openshift.io/inject-cabundle: "true" is seen, and only one cert in service-ca.crt field, this is secure as expected

$ oc edit kubecontrollermanager cluster
Change useMoreSecureServiceCA to false in order to test service.alpha.openshift.io/inject-vulnerable-legacy-cabundle later.
This change will make KCM pods restart, watch and wait for the restart to finish.
Then check `oc get cm openshift-service-ca.crt -o yaml` again, annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle is seen, and multiple certs in service-ca.crt field.
$ oc extract cm/openshift-service-ca.crt
$ openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -text | grep Issuer 
        Issuer: CN=openshift-service-serving-signer@1626244482
        Issuer: OU=openshift, CN=kube-apiserver-lb-signer
        Issuer: OU=openshift, CN=kube-apiserver-localhost-signer
        Issuer: OU=openshift, CN=kube-apiserver-service-network-signer
        Issuer: CN=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1626244483
# Can see the multiple certs' issuer info, this means annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle injects less secure content as expected.

3. Create other configmap
$ oc create cm testconfigmap --from-literal=key=value
$ oc annotate cm testconfigmap service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true
Check `oc get cm testconfigmap -o yaml`, no service-ca.crt field is seen, this means service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true only takes effect for configmap named "openshift-service-ca.crt".

* Will test 4.7->4.8 upgrade scenario when 4.8 clone bug is ON_QA. *

Comment 11 errata-xmlrpc 2021-10-18 17:38:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.