Bug 2030574

Summary: console service uses older "service.alpha.openshift.io" for the service serving certificates.
Product: OpenShift Container Platform
Reporter: Arvind iyengar <aiyengar>
Component: Management Console
Assignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA
QA Contact: Xiyun Zhao <xiyuzhao>
Severity: low
Priority: unspecified
Version: 4.10
CC: aos-bugs, yapei
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-03-10 16:32:55 UTC
Type: Bug

Description Arvind iyengar 2021-12-09 08:01:23 UTC
Description of problem:
The console service IP appears to use an older "service.alpha.openshift.io" annotation for the service serving certificate configuration whereas all the default created REEN routes presently use the newer "service.beta.openshift.io" annotation which is the current recommended method.
----
oc get clusterversion                     
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-06-201335   True        False         163m    Cluster version is 4.10.0-0.nightly-2021-12-06-201335

oc -n openshift-console get service/console -o yaml       
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: console-serving-cert  <---
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608 
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
  creationTimestamp: "2021-12-09T04:46:34Z"
  labels:
    app: console
  name: console
  namespace: openshift-console
  resourceVersion: "23015"
  uid: 02aa32c1-ab4a-4e2f-a7ff-272d5cb58c02


oc -n openshift-monitoring get svc prometheus-k8s -o yaml        
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
    service.beta.openshift.io/serving-cert-secret-name: prometheus-k8s-tls <----
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
  creationTimestamp: "2021-12-09T04:48:41Z"


oc -n openshift-monitoring get svc thanos-querier -o yaml        
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
    service.beta.openshift.io/serving-cert-secret-name: thanos-querier-tls <----
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608

----

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-12-06-201335

How reproducible:
* Frequently

Steps to Reproduce:
1. Deploy an OCP environment and check the console service-ip configuration.


Expected results:
Though this does not appear to impact the operation, the service-serving-certificate config related to console component should ideally use the current "beta" annotation. 

Additional info:
The "beta" annotation has been available since v4.1.

Doc reference:
https://docs.openshift.com/container-platform/4.9/security/certificates/service-serving-certificate.html
https://docs.openshift.com/container-platform/4.1/authentication/certificates/service-serving-certificate.html

Comment 4 Xiyun Zhao 2022-01-13 11:00:57 UTC
This bug has been verified on payload 4.10.0-0.nightly-2022-01-11-065245

Verification Step:
1. Log in to the CLI.
2. Use the commands below to check the annotation for the service serving certificate configuration. Verify that the console resources are updated to 'service.beta.openshift.io/serving-cert-secret-name: console-serving-cert', especially service/console. Also verify that the changes do not impact the correct resources, like prometheus-k8s or thanos-querier.
  $ oc get clusterversion                     
  $ oc -n openshift-console get service/console -o yaml       
  $ oc -n openshift-monitoring get svc prometheus-k8s -o yaml        
  $ oc -n openshift-monitoring get svc thanos-querier -o yaml

Result:
2. The console resources are updated; check the output below for more details.
  $ oc get clusterversion 
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.10.0-0.nightly-2022-01-11-065245   True        False         10h     Cluster version is 4.10.0-0.nightly-2022-01-11-065245
                    
  $ oc -n openshift-console get service/console -o yaml 
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: console-serving-cert                          <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473      
  
  $ oc -n openshift-monitoring get svc prometheus-k8s -o yaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: prometheus-k8s-tls                            <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        
  $ oc -n openshift-monitoring get svc thanos-querier -o yaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: thanos-querier-tls                            <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
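
The per-service check above can be run across a whole cluster. The following is an added example, not part of the original bug report or of the console operator's code: it classifies Services by which serving-cert-secret-name annotation they carry, using a constructed sample shaped like the output of `oc get services --all-namespaces -o json`. The `example-ns/example-plain` service and the function names are hypothetical.

```python
import json

ALPHA_REQ = "service.alpha.openshift.io/serving-cert-secret-name"  # older form
BETA_REQ = "service.beta.openshift.io/serving-cert-secret-name"    # current form
SIGNER = "openshift-service-serving-signer@1639024608"  # value shown in the report

def _svc(ns, name, annotations=None):
    """Build a minimal Service object for the constructed sample."""
    meta = {"namespace": ns, "name": name}
    if annotations is not None:
        meta["annotations"] = annotations
    return {"kind": "Service", "metadata": meta}

# Constructed sample mirroring the "before" state quoted in the description.
SAMPLE = json.dumps({"kind": "List", "items": [
    _svc("openshift-console", "console", {
        ALPHA_REQ: "console-serving-cert",
        "service.alpha.openshift.io/serving-cert-signed-by": SIGNER,
        "service.beta.openshift.io/serving-cert-signed-by": SIGNER}),
    _svc("openshift-monitoring", "prometheus-k8s", {
        "service.alpha.openshift.io/serving-cert-signed-by": SIGNER,
        BETA_REQ: "prometheus-k8s-tls",
        "service.beta.openshift.io/serving-cert-signed-by": SIGNER}),
    _svc("example-ns", "example-plain"),  # hypothetical service, no annotations
]})

def audit_services(service_list_json):
    """Classify every Service that requests a serving certificate."""
    findings = []
    for item in json.loads(service_list_json).get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}  # annotations may be absent or null
        alpha, beta = ann.get(ALPHA_REQ), ann.get(BETA_REQ)
        if alpha is None and beta is None:
            continue  # the alpha signed-by key appears on fixed services too; ignore it
        findings.append({
            "service": f'{meta.get("namespace")}/{meta.get("name")}',
            "secret": beta or alpha,
            "status": "alpha" if alpha is not None else "beta",
        })
    return findings

def legacy_services(service_list_json):
    """Names of Services still carrying the alpha secret-name annotation."""
    return [f["service"] for f in audit_services(service_list_json)
            if f["status"] == "alpha"]

if __name__ == "__main__":
    for f in audit_services(SAMPLE):
        print(f'{f["status"]:5} {f["service"]} -> {f["secret"]}')
```
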

Comment 7 errata-xmlrpc 2022-03-10 16:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056