Bug 1651393 - rotate-server-certificates gets set to false when set separately
Summary: rotate-server-certificates gets set to false when set separately
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.11.z
Assignee: Ryan Phillips
QA Contact: Sunil Choudhary
URL:
Whiteboard:
: 1656355 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-19 22:23 UTC by Ryan Howe
Modified: 2024-03-25 15:10 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-06 02:00:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0794 0 None None None 2019-06-06 02:00:41 UTC

Description Ryan Howe 2018-11-19 22:23:03 UTC 
Description of problem:

When node-config.yaml has the following configuration: 

  feature-gates:
  - RotateKubeletClientCertificate=true
  - RotateKubeletServerCertificate=true

The node service does not set rotate-server-certificates equal to true instead logs show the following: 

  FLAG: --rotate-server-certificates="false"

Version-Release number of selected component (if applicable):
v3.11.16

How reproducible:
100% 

Steps to Reproduce:
1. Set  node-config to the following for feature-gates

  feature-gates:
  - RotateKubeletClientCertificate=true
  - RotateKubeletServerCertificate=true

Actual results:

 atomic-openshift-node[15600]: I1119 11:55:26.681107   15600 flags.go:27] FLAG: --rotate-certificates="true"
 atomic-openshift-node[15600]: I1119 11:55:26.681114   15600 flags.go:27] FLAG: --rotate-server-certificates="false"


Expected results:


 atomic-openshift-node[15600]: I1119 11:55:26.681107   15600 flags.go:27] FLAG: --rotate-certificates="true"
 atomic-openshift-node[15600]: I1119 11:55:26.681114   15600 flags.go:27] FLAG: --rotate-server-certificates="true"

Additional info:

The following config still works: 

  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true
Comment 1 Ryan Howe 2018-11-19 22:32:55 UTC 
Adding: 

kubeletArguments:
  rotate-server-certificates:
  - 'true'


Allows for the following configuration to work: 

kubeletArguments:
  rotate-server-certificates:
  - 'true'
  feature-gates:
  - RotateKubeletClientCertificate=true
  - RotateKubeletServerCertificate=true
  

With out rotate-server-certificates set to true, the above configuration does not set it to true. 

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_node_group/templates/node-config.yaml.j2#L38
Comment 4 Seth Jennings 2018-12-19 17:05:47 UTC 
*** Bug 1656355 has been marked as a duplicate of this bug. ***
Comment 5 Ryan Phillips 2018-12-19 21:57:47 UTC 
The feature-gates are intended to be a one-liner (example: https://docs.openshift.com/container-platform/3.11/install_config/configuring_local.html#local-volume-raw-block-devices). This is working as expected.
Comment 9 Michael Burke 2019-04-03 20:51:41 UTC 
https://github.com/openshift/openshift-docs/pull/14347
Comment 11 weiwei jiang 2019-04-11 10:15:54 UTC 
Checked and the changes for the doc can be approved, so move to verified.
Comment 13 errata-xmlrpc 2019-06-06 02:00:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0794
Note You need to log in before you can comment on or make changes to this bug.