Bug 1672011 - "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation [NEEDINFO]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Target Release: 3.11.z
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-03 04:45 UTC by Daein Park
Modified: 2019-04-11 12:50 UTC (History)
5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The playbooks and manual configuration steps for redeploying router certificates replaced the router certificate secret with the service serving certificate secret, so the router wildcard certificate secret was overwritten or skipped. Consequence: This caused certificate errors because incorrect certificates were redeployed. Fix: The playbooks and manual redeployment steps were modified so that they no longer overwrite the router certificate secret with the service serving certificate secret. Result: The router certificates are redeployed according to the specified subdomain or custom certificates.
Clone Of:
Environment:
Last Closed: 2019-04-11 05:38:26 UTC
Target Upstream Version:
rkant: needinfo? (dmace)




Links
System | ID | Priority | Status | Summary | Last Updated
GitHub | openshift/openshift-ansible pull 11119 | None | closed | [release-3.11] Correct service serving secret name in the annotation | 2019-11-19 15:01:27 UTC
Red Hat Product Errata | RHBA-2019:0636 | None | None | None | 2019-04-11 05:38:35 UTC

Internal Links: 1635613

Description Daein Park 2019-02-03 04:45:30 UTC
Description of problem:

When running "redeploy-router-certificates.yml", the "serving-cert-secret-name" annotation is changed to the wrong Secret, "router-certs".
The "router-certs" Secret stores the wildcard certificate signed by the "openshift-signer" CA, not by the "openshift-service-serving-signer" CA.

This is likely to be confusing and problematic in the future.

The evidence for this issue is as follows.

* tls.crt of "router-certs" Secret
  ~~~
          Issuer: CN=openshift-signer@9999999999
          ...
          Subject: CN=*.apps.example.com
  ~~~

* tls.crt of "router-metrics-tls" Secret
  ~~~
          Issuer: CN=openshift-service-serving-signer@1231231234
          ...
          Subject: CN=router.default.svc
  ~~~

* Before running "redeploy-router-certificates.yml"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~

* After running "redeploy-router-certificates.yml", "router-metrics-tls" has been changed to "router-certs"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-certs
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~


Version-Release number of the following components:
rpm -q openshift-ansible

  openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch

rpm -q ansible

  ansible-2.6.11-1.el7ae.noarch

ansible --version

  ansible 2.6.11
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/site-packages/ansible
    executable location = /usr/bin/ansible
    python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

You can reproduce this whenever you run the "playbooks/openshift-hosted/redeploy-router-certificates.yml" playbook.

Steps to Reproduce:
1.
2.
3.

Actual results:

The service serving certificate secret name has been changed to "router-certs", which is the wrong secret name.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-certs"

Expected results:

The service serving certificate secret name should stay the same after redeploying router certificates, as follows.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls"

Additional info:

I've reported this against v3.11 here, but it can also occur in other versions, such as v3.7 ~ v3.10.
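A post-redeploy consistency check for the mismatch described in the report above and in the Doc Text: the `serving-cert-secret-name` annotation on the router service must name a Secret whose `tls.crt` was issued by the service serving signer, the `serving-cert-signed-by` annotation must match that issuer, and the subject must be the service DNS name. This is an added example written for this page, not code from openshift-ansible or the bug's fix. The `oc describe` text and the certificate issuer/subject lines are constructed from the values shown in the report; the function names and the `oc annotate` remediation string are this example's own assumptions.

```python
import re

SERVING_SIGNER = "openshift-service-serving-signer"
ANNOT_SECRET = "service.alpha.openshift.io/serving-cert-secret-name"
ANNOT_SIGNED_BY = "service.alpha.openshift.io/serving-cert-signed-by"

# Constructed sample input modelled on the `oc describe svc router -n default`
# output quoted in the report (before and after the playbook run), not captured
# from a real cluster.
DESCRIBE_BEFORE = """\
Name:              router
Namespace:         default
Labels:            router=router
Annotations:       prometheus.openshift.io/username=admin
                   service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                   service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
"""
DESCRIBE_AFTER = DESCRIBE_BEFORE.replace("=router-metrics-tls", "=router-certs")

# Constructed issuer/subject lines per Secret, in the form `openssl x509 -noout
# -text` prints them (matching the tls.crt excerpts in the report).
SECRET_CERTS = {
    "router-certs": "Issuer: CN=openshift-signer@9999999999\nSubject: CN=*.apps.example.com",
    "router-metrics-tls": "Issuer: CN=openshift-service-serving-signer@1231231234\nSubject: CN=router.default.svc",
}


def parse_annotations(describe_text):
    """Return {key: value} for the Annotations block of `oc describe` output."""
    annots, in_block = {}, False
    for line in describe_text.splitlines():
        if line.startswith("Annotations:"):
            in_block, line = True, line[len("Annotations:"):]
        elif in_block and not line.startswith(" "):
            in_block = False  # next top-level field ends the block
        if in_block and "=" in line:
            key, value = line.strip().split("=", 1)
            annots[key] = value
    return annots


def parse_x509_fields(text):
    """Extract the CN of Issuer/Subject from openssl-style output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(issuer|subject)\s*[:=]\s*CN\s*=\s*(.+)$", line.strip(), re.IGNORECASE)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def check_serving_cert_annotation(describe_text, secret_certs, service="router", namespace="default"):
    """Return a list of findings; an empty list means the annotation is consistent."""
    findings = []
    annots = parse_annotations(describe_text)
    secret = annots.get(ANNOT_SECRET)
    if secret is None:
        return [f"{ANNOT_SECRET} annotation is missing"]
    if secret not in secret_certs:
        return [f"annotation points at Secret {secret!r}, which does not exist"]
    fields = parse_x509_fields(secret_certs[secret])
    issuer, subject = fields.get("issuer", ""), fields.get("subject", "")
    if SERVING_SIGNER not in issuer:
        findings.append(f"Secret {secret!r} tls.crt is issued by {issuer!r}, not the service serving "
                        "signer; the serving-cert controller would replace its contents")
    signed_by = annots.get(ANNOT_SIGNED_BY)
    if signed_by and signed_by != issuer:
        findings.append(f"{ANNOT_SIGNED_BY}={signed_by!r} does not match the issuer {issuer!r}")
    expected_subject = f"{service}.{namespace}.svc"
    if subject != expected_subject:
        findings.append(f"subject {subject!r} is not the service DNS name {expected_subject!r}")
    return findings


def remediation_command(expected_secret, service="router", namespace="default"):
    """Build the `oc annotate --overwrite` command that restores the expected Secret name."""
    return (f"oc annotate svc {service} -n {namespace} "
            f"{ANNOT_SECRET}={expected_secret} --overwrite")


if __name__ == "__main__":
    for label, text in (("before", DESCRIBE_BEFORE), ("after", DESCRIBE_AFTER)):
        result = check_serving_cert_annotation(text, SECRET_CERTS)
        print(f"{label}: {'OK' if not result else result}")
    print(remediation_command("router-metrics-tls"))
```

The "before" state yields no findings; the "after" state is flagged three ways (wrong issuer, signed-by mismatch, wildcard subject), which is exactly why pointing the annotation at `router-certs` is dangerous: the serving-cert controller owns whatever Secret the annotation names and would replace the wildcard router certificate with a `router.default.svc` one.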

Comment 8 Hongan Li 2019-03-21 05:49:02 UTC
Verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch and the issue has been fixed.

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636
