Bug 2026363

Summary: kubemacpool is rotating kubernetes-nmstate certificates
Product: Container Native Virtualization (CNV)
Component: Networking
Version: 4.10.0
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Quique Llorente <ellorent>
Assignee: Quique Llorente <ellorent>
QA Contact: Adi Zavalkovsky <azavalko>
CC: awax, azavalko, cnv-qe-bugs, phoracek
Target Release: 4.10.0
Hardware: x86_64
OS: Linux
Fixed In Version: kubernetes-nmstate-handler v4.10.0-21
Last Closed: 2022-03-16 15:57:01 UTC
Type: Bug

Description Quique Llorente 2021-11-24 13:16:56 UTC
Description of problem:
When CNV 4.10 is deployed it takes some time for kubemacpool and nmstate-webhook to settle due to secrets rotation, looking at the looks like the kubemacpool-cert-manager and nmstate-cert-manager are additionally rotating the other secrets so they enter a loop and take some time to settle.


Version-Release number of selected component (if applicable):
It affects kubernetes-nmstate and kubemacpool


How reproducible: Always


Steps to Reproduce:
1. Install kubemacpool and kubernetes-nmstate with NetworkAddonsConfig

Actual results:


Expected results:
kubemacpool-cert-manager should rotate only kubemacpool certs and nmstate-cert-manager should rotate only kubernetes-nmstate certs.


Additional info:

Comment 1 Quique Llorente 2021-12-01 11:13:55 UTC
PR reconciling only secrets from the admission webhook configuration https://github.com/qinqon/kube-admission-webhook/pull/60

Comment 2 Adi Zavalkovsky 2022-01-17 14:58:46 UTC
Verified. CNV Version - 4.10. OCP version - 4.10.

Deleting the nmstate secret triggers only said secret's redeployment, not kubemacpool's.

[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc delete secret -n openshift-cnv nmstate-webhook
secret "nmstate-webhook" deleted
[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc get secrets -n openshift-cnv 
NAME                                                           TYPE                                  DATA   AGE
kubemacpool-mutator-ca                                         Opaque                                2      92m
kubemacpool-service                                            kubernetes.io/tls                     2      92m
nmstate-ca                                                     Opaque                                2      92m
nmstate-handler-dockercfg-r6gnb                                kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr                                    kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f                                    kubernetes.io/service-account-token   4      93m
nmstate-webhook                                                kubernetes.io/tls                     2      1s

And the other way around - 

[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc delete secret -n openshift-cnv kubemacpool-service
secret "kubemacpool-service" deleted
[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc get secrets -n openshift-cnv 
NAME                                                           TYPE                                  DATA   AGE
kubemacpool-mutator-ca                                         Opaque                                2      93m
kubemacpool-service                                            kubernetes.io/tls                     2      2s
nmstate-ca                                                     Opaque                                2      93m
nmstate-handler-dockercfg-r6gnb                                kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr                                    kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f                                    kubernetes.io/service-account-token   4      93m
nmstate-webhook                                                kubernetes.io/tls                     2      37s
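
The verification above, scripted as an added example (not part of the bug report or of either project's code): it parses `oc get secrets` output and checks that the deleted secret is the only one recreated within a time window. The function names `fresh_secrets`, `rotation_is_scoped` and `sample_listing` are hypothetical; the sample rows are the second listing from Comment 2 with column spacing condensed.

```shell
# fresh_secrets MAX_AGE_SECONDS
# Reads an `oc get secrets` table on stdin and prints the names of secrets
# whose AGE is at most MAX_AGE_SECONDS, one per line.
fresh_secrets() {
    awk -v max="$1" '
    # Convert an age such as "37s", "92m", "3h5m" or "2d4h" to seconds.
    function age_seconds(age,    total, n, unit) {
        total = 0
        while (match(age, /^[0-9]+[smhdy]/)) {
            n = substr(age, 1, RLENGTH - 1) + 0
            unit = substr(age, RLENGTH, 1)
            if (unit == "s") total += n
            else if (unit == "m") total += n * 60
            else if (unit == "h") total += n * 3600
            else if (unit == "d") total += n * 86400
            else total += n * 31536000
            age = substr(age, RLENGTH + 1)
        }
        return (age == "") ? total : -1   # -1: field was not a parsable age
    }
    NF >= 4 {
        s = age_seconds($NF)
        if (s >= 0 && s <= max) print $1
    }'
}

# rotation_is_scoped DELETED_SECRET MAX_AGE_SECONDS
# Succeeds only when the deleted secret is the single secret recreated inside
# the window, i.e. no other cert manager rotated anything alongside it.
rotation_is_scoped() {
    [ "$(fresh_secrets "$2")" = "$1" ]
}

# Second listing from Comment 2 (taken after deleting kubemacpool-service).
sample_listing() {
    cat <<'EOF'
NAME                              TYPE                                  DATA   AGE
kubemacpool-mutator-ca            Opaque                                2      93m
kubemacpool-service               kubernetes.io/tls                     2      2s
nmstate-ca                        Opaque                                2      93m
nmstate-handler-dockercfg-r6gnb   kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr       kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f       kubernetes.io/service-account-token   4      93m
nmstate-webhook                   kubernetes.io/tls                     2      37s
EOF
}
```

On a live cluster the same check is `oc get secrets -n openshift-cnv | rotation_is_scoped nmstate-webhook 10`. Keep the window shorter than the time since any earlier deletion, otherwise a secret recreated by a previous step (the 37s `nmstate-webhook` in this listing) is counted as well.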

Comment 7 errata-xmlrpc 2022-03-16 15:57:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0947