Bug 2117524

Summary: openshift-ingress-operator with mTLS does not download CRL
Product: OpenShift Container Platform
Reporter: mmayeras
Component: Networking
Assignee: Ryan Fredette <rfredette>
Networking sub component: router
QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: cholman, fgrosjea, jfindysz, mfisher, opayne, openshift-bugs-escalate, rfredette
Version: 4.9
Target Milestone: ---
Target Release: 4.12.0
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
* Previously, when the Ingress Operator was configured to enable the use of mTLS, the Operator would not check if CRLs were due to be updated until some other event caused it to reconcile. As a result, CRLs used for mTLS could become out of date. With this update, the Ingress Operator now automatically reconciles when any CRL expires, and CRLs will be updated at the time specified by their `nextUpdate` field. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2117524[*BZ#2117524*])
Story Points: ---
Last Closed: 2023-01-17 19:54:46 UTC
Type: Bug
Regression: ---

Comment 16 Hongan Li 2022-10-18 08:39:11 UTC
Thank you for the explanation, Ryan. Then the PR works as expected and the test passed.

$ oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.ci.test-2022-10-18-070104-ci-ln-h8rlvyk-latest   True        False         55m     Cluster version is 4.12.0-0.ci.test-2022-10-18-070104-ci-ln-h8rlvyk-latest

1st CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ne_mtls_ca
        Last Update: Oct 18 07:32:45 2022 GMT
        Next Update: Oct 18 08:32:45 2022 GMT

2nd CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ne_mtls_ca
        Last Update: Oct 18 08:24:30 2022 GMT
        Next Update: Oct 18 09:24:30 2022 GMT

From the ingress-operator log below, we can see the "next update" time is as expected.

2022-10-18T08:26:42.074Z	INFO	operator.crl	crl/crl_configmap.go:69	retrieving certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:26:42.084Z	INFO	operator.crl	crl/crl_configmap.go:69	new certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7", "next update": "2022-10-18 08:32:45 +0000 UTC"}
2022-10-18T08:32:45.008Z	INFO	operator.crl	crl/crl_configmap.go:69	certificate revocation list has expired	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:32:45.008Z	INFO	operator.crl	crl/crl_configmap.go:69	retrieving certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:32:45.017Z	INFO	operator.crl	crl/crl_configmap.go:69	new certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7", "next update": "2022-10-18 09:24:30 +0000 UTC"}
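
The scheduling behaviour the Doc Text describes (reconcile again exactly at a CRL's `nextUpdate`, and immediately if a CRL is already past it) can be checked outside the cluster. The following is an added Go example written for this page; it is not the Ingress Operator's own code. It assumes Go 1.19 or newer for `x509.ParseRevocationList`, and the CA name, subject key id and validity windows it constructs are made-up test values (the windows happen to mirror the two CRLs shown above). `checkCRL` evaluates one CRL against a clock, and `requeueAfter` folds several CRLs into the single delay a reconciler would sleep for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// crlStatus is what a reconciler needs to know about one CRL: whether it is already past
// its nextUpdate and, if not, how long until it will be.
type crlStatus struct {
	NextUpdate time.Time
	Expired    bool
	RequeueIn  time.Duration
}

// checkCRL parses a PEM- or DER-encoded CRL and evaluates it against the supplied clock.
// A CRL counts as expired once now is at or past nextUpdate, which matches the
// "certificate revocation list has expired" line logged at exactly 08:32:45 above.
func checkCRL(crlBytes []byte, now time.Time) (crlStatus, error) {
	der := crlBytes
	if block, _ := pem.Decode(crlBytes); block != nil && block.Type == "X509 CRL" {
		der = block.Bytes
	}
	rl, err := x509.ParseRevocationList(der) // needs Go 1.19 or newer
	if err != nil {
		return crlStatus{}, err
	}
	if rl.NextUpdate.IsZero() {
		// nextUpdate is optional in RFC 5280; without it there is no time to schedule on.
		return crlStatus{}, errors.New("CRL carries no nextUpdate")
	}
	st := crlStatus{NextUpdate: rl.NextUpdate}
	if !now.Before(rl.NextUpdate) {
		st.Expired = true // RequeueIn stays 0: refresh immediately
		return st, nil
	}
	st.RequeueIn = rl.NextUpdate.Sub(now)
	return st, nil
}

// requeueAfter returns the delay until the earliest nextUpdate among several CRLs, or zero
// if any has already expired. In a controller-runtime reconciler this is the value that
// would go into reconcile.Result.RequeueAfter so the operator wakes up without another event.
func requeueAfter(crls [][]byte, now time.Time) (time.Duration, error) {
	var earliest time.Duration
	for i, c := range crls {
		st, err := checkCRL(c, now)
		if err != nil {
			return 0, fmt.Errorf("crl %d: %w", i, err)
		}
		if st.Expired {
			return 0, nil
		}
		if i == 0 || st.RequeueIn < earliest {
			earliest = st.RequeueIn
		}
	}
	return earliest, nil
}

// makeTestCRL builds a throwaway CA and signs an empty CRL with the given validity window so
// the example runs offline. The CA name and subject key id are constructed test values.
func makeTestCRL(thisUpdate, nextUpdate time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-mtls-ca"},
		NotBefore:             thisUpdate.Add(-time.Hour),
		NotAfter:              nextUpdate.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required by CreateRevocationList
		SubjectKeyId:          []byte{0x01, 0x02, 0x03, 0x04},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	der, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der}), nil
}
```

To reproduce the log above, build one CRL with the 07:32:45 to 08:32:45 window and a second with 08:24:30 to 09:24:30, then call `requeueAfter` at 08:26:42: the result is 6m3s, i.e. the operator should sleep until the first CRL's `nextUpdate`. Calling it again at 08:32:45 returns zero, the "has expired, retrieve now" path. The decision to treat `now == nextUpdate` as expired rather than still valid is deliberate: a CRL whose `nextUpdate` has arrived gives the verifier no assurance that newer revocations are not already missing from it.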

Comment 22 errata-xmlrpc 2023-01-17 19:54:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399