Bug 2070562

Summary: Base64 data value for java keystore secret changing automatically, when we edit it from the console and saving it without doing any changes
Product: OpenShift Container Platform Reporter: Mayur Deore <mdeore>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Xiyun Zhao <xiyuzhao>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.9CC: aos-bugs, jhadvig, yapei
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 19:48:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mayur Deore 2022-03-31 12:46:20 UTC 
Description of problem:
Secret created for java Keystore changing its base64 value inside secret when we edit that secret from the console and saving it again without doing any changes   

Version-Release number of selected component (if applicable):
RHCOP 4.9.23


Steps to Reproduce:
1. Create a dummy Java keystore for the test
~~~
$ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
~~~
2. Create a secret on the test project using a java key-store file 
~~~
$ oc create secret generic test1 --from-file=data1=./original.jks
~~~
2. Check the secret, and take a backup.
~~~
$ oc get secret test1 -o yaml > secret1.yaml
~~~
3. Open RHOCP console, Go Workload-->Secret-->Select project-->Click on test1 secret-->Action-->Edit secret-->Save it without changing anything
4. Check the secret again, and compare it with the original one. 
~~~
$ oc get secret test1 -o yaml > secret2.yaml
~~~
Actual results:
- The value for key data1 is changing.

Expected results:
- The value for key data1 should remain the same.

Additional info:
- Find similar results when we create secrets directly from the console.
Comment 3 Xiyun Zhao 2022-08-01 08:34:14 UTC 
This issue has been verified on payload 4.12.0-0.nightly-2022-07-31-235028, the issue can be reproduced on 4.10.25 and 4.11.0-0.nightly-2022-07-29-173905

Verification Step: (follow the description)
1. Create a dummy Java keystore for the test
   $ keytool -genkey -v -keystore original.jks -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
2. Create a secret on the test project using a java key-store file 
   $ oc create secret generic test1 --from-file=data1=./original.jks
3. Check the secret, and take a backup.
   $ oc get secret test1 -o yaml > secret1.yaml
4. Open OCP console, Go to Workload-->Secret-->Select project-->Click on test1 secret-->Action-->Edit secret-->Save it without changing anything
   Or Go to the Scrects page -> Click the Kebab button of the test1 secret -> choose "Edit secret" -> Save without change anything
5. Check the secret again, and compare it with the original one. 
   $ oc get secret test1 -o yaml > secret2.yaml
6. $diff secret1.yaml secret2.yaml
7. Re-create the secrets through UI, repeat steps 3-6 again

Result:
5. The value for key data1 are the same, the data will not change automatically anymore
Comment 7 errata-xmlrpc 2023-01-17 19:48:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399