Bug 1672011 - "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Target Release: 3.11.z
Assignee: Dan Mace
QA Contact: Hongan Li
Reported: 2019-02-03 04:45 UTC by Daein Park
Modified: 2023-09-15 01:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The playbooks and manual configuration steps to redeploy router certificates replaced the router certificates secret with the service serving certificate secret, so the router wildcard certificate secret was overwritten or missed. Consequence: This caused certificate errors because incorrect certificates were redeployed. Fix: The playbooks and manual redeploy steps were modified so that the router certificates secret is no longer overwritten with the service serving certificate secret. Result: The router certificates are redeployed according to the configured subdomain or custom certificates.
Last Closed: 2019-04-11 05:38:26 UTC


Links:
GitHub openshift/openshift-ansible pull 11119 (closed): [release-3.11] Correct service serving secret name in the annotation (last updated 2021-01-24 14:28:42 UTC)
Red Hat Product Errata RHBA-2019:0636 (last updated 2019-04-11 05:38:35 UTC)

Internal Links: 1635613

Description Daein Park 2019-02-03 04:45:30 UTC
Description of problem:

When running "redeploy-router-certificates.yml", the "serving-cert-secret-name" annotation is changed to the wrong Secret, "router-certs".
The "router-certs" Secret stores the wildcard certificate signed by the "openshift-signer" CA, not by the "openshift-service-serving-signer" CA.

This will be confusing and problematic in the future.

The evidence for this issue is as follows.

* tls.crt of "router-certs" Secret
  ~~~
          Issuer: CN=openshift-signer@9999999999
          ...
          Subject: CN=*.apps.example.com
  ~~~

* tls.crt of "router-metrics-tls" Secret
  ~~~
          Issuer: CN=openshift-service-serving-signer@1231231234
          ...
          Subject: CN=router.default.svc
  ~~~

* Before running "redeploy-router-certificates.yml"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~

* After running "redeploy-router-certificates.yml", "router-metrics-tls" has been changed to "router-certs":
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-certs
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~


Version-Release number of the following components:
rpm -q openshift-ansible

  openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch

rpm -q ansible

  ansible-2.6.11-1.el7ae.noarch

ansible --version

  ansible 2.6.11
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/site-packages/ansible
    executable location = /usr/bin/ansible
    python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

You can reproduce this whenever you run the "playbooks/openshift-hosted/redeploy-router-certificates.yml" playbook.

Steps to Reproduce:
1.
2.
3.

Actual results:

The service serving certificate secret name has been changed to "router-certs", which is the wrong secret name, e.g.:
"service.alpha.openshift.io/serving-cert-secret-name=router-certs"

Expected results:

The service serving certificate secret name should stay the same after redeploying the router certificates, e.g.:
"service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls"

Additional info:

I've reported this against v3.11 here, but it can also occur in other versions, such as v3.7 ~ v3.10.
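A consistency check for the condition this report describes, added here as example code (not part of openshift-ansible or of the reporter's post): it verifies that the Secret named in a service's serving-cert-secret-name annotation is actually a service serving certificate (issued by openshift-service-serving-signer with CN <name>.<namespace>.svc) rather than the router wildcard certificate. The issuer/subject values are constructed from the report's output; in practice they would come from oc get svc -o json and openssl x509 -noout -issuer -subject on each secret's tls.crt.

```python
"""Check a service's serving-cert annotation against the cert stored in the
named secret. Example code; the sample data below is constructed from the
bug report, not fetched from a cluster."""

SECRET_NAME_ANNOTATION = "service.alpha.openshift.io/serving-cert-secret-name"
SIGNED_BY_ANNOTATION = "service.alpha.openshift.io/serving-cert-signed-by"
SERVING_SIGNER_PREFIX = "openshift-service-serving-signer@"

# Constructed sample: issuer and subject CN of tls.crt in each secret.
SECRETS = {
    "router-certs": {"issuer": "openshift-signer@9999999999",
                     "subject": "*.apps.example.com"},
    "router-metrics-tls": {"issuer": "openshift-service-serving-signer@1231231234",
                           "subject": "router.default.svc"},
}

# Constructed sample: the service annotations before and after the playbook run.
BEFORE = {SECRET_NAME_ANNOTATION: "router-metrics-tls",
          SIGNED_BY_ANNOTATION: "openshift-service-serving-signer@1231231234"}
AFTER = {SECRET_NAME_ANNOTATION: "router-certs",
         SIGNED_BY_ANNOTATION: "openshift-service-serving-signer@1231231234"}


def check_serving_cert(name, namespace, annotations, secrets):
    """Return a list of problems; an empty list means the annotation is consistent."""
    problems = []
    secret_name = annotations.get(SECRET_NAME_ANNOTATION)
    if secret_name is None:
        return ["service has no serving-cert-secret-name annotation"]
    cert = secrets.get(secret_name)
    if cert is None:
        return [f"annotated secret {secret_name!r} does not exist"]
    # A serving cert must come from the service serving signer, not the cluster signer.
    if not cert["issuer"].startswith(SERVING_SIGNER_PREFIX):
        problems.append(f"{secret_name!r} issued by {cert['issuer']!r}, not the service serving signer")
    # Its CN is the service DNS name, never a wildcard for the apps subdomain.
    expected_cn = f"{name}.{namespace}.svc"
    if cert["subject"] != expected_cn:
        problems.append(f"{secret_name!r} has CN {cert['subject']!r}, expected {expected_cn!r}")
    # serving-cert-signed-by must name the CA that actually issued the stored cert.
    signed_by = annotations.get(SIGNED_BY_ANNOTATION)
    if signed_by and signed_by != cert["issuer"]:
        problems.append(f"signed-by {signed_by!r} does not match issuer {cert['issuer']!r}")
    return problems


if __name__ == "__main__":
    for label, ann in (("before", BEFORE), ("after", AFTER)):
        print(label, check_serving_cert("router", "default", ann, SECRETS) or ["OK"])
```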

Comment 8 Hongan Li 2019-03-21 05:49:02 UTC
Verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch; the issue has been fixed.

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636

Comment 12 Red Hat Bugzilla 2023-09-15 01:28:08 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days
