Bug 1672011 - "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation [NEEDINFO]
Summary: "redeploy-router-certificates.yml" makes changes to wrong "service serving ce...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 3.11.z
Assignee: Dan Mace
QA Contact: Hongan Li
Depends On:
Reported: 2019-02-03 04:45 UTC by Daein Park
Modified: 2022-08-04 22:20 UTC (History)
5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The playbooks and manual configuration steps to redeploy router certificates replace the router certificates secret with the service serving certificate secret, which overwrites or misses the router wildcard certificates secret. Consequence: This causes certificate errors because incorrect certificates are redeployed. Fix: Modify the playbooks or manual redeploy steps so that they do not overwrite the router certificates secret with the service serving certificate secret. Result: The router certificates are redeployed based on the specified subdomain or custom certificates.
Clone Of:
Last Closed: 2019-04-11 05:38:26 UTC
Target Upstream Version:
rkant: needinfo? (dmace)

External references:
  Github openshift/openshift-ansible pull 11119 (closed): [release-3.11] Correct service serving secret name in the annotation, last updated 2021-01-24 14:28:42 UTC
  Red Hat Product Errata RHBA-2019:0636, last updated 2019-04-11 05:38:35 UTC

Internal Links: 1635613

Description Daein Park 2019-02-03 04:45:30 UTC
Description of problem:

When "redeploy-router-certificates.yml" is run, the "serving-cert-secret-name" annotation is changed to the wrong Secret, "router-certs".
The "router-certs" secret stores the wildcard certificate issued by the "openshift-signer" CA, not the "openshift-service-serving-signer" CA.

This is confusing and could be problematic in the future.

The evidence of this issue is as follows.

* tls.crt of "router-certs" Secret
          Issuer: CN=openshift-signer@9999999999
          Subject: CN=*.apps.example.com

* tls.crt of "router-metrics-tls" Secret
          Issuer: CN=openshift-service-serving-signer@1231231234
          Subject: CN=router.default.svc

* Before running "redeploy-router-certificates.yml"
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd

* After running "redeploy-router-certificates.yml", "router-metrics-tls" has been changed to "router-certs"
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd

Version-Release number of the following components:
rpm -q openshift-ansible


rpm -q ansible


ansible --version

  ansible 2.6.11
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/site-packages/ansible
    executable location = /usr/bin/ansible
    python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

You can reproduce this whenever you run the "playbooks/openshift-hosted/redeploy-router-certificates.yml" playbook.

Steps to Reproduce:

Actual results:

The service serving certificate secret name has been changed to "router-certs", which is the wrong secret name.

Expected results:

The service serving certificate secret name should remain the same after redeploying router certificates, as follows.

Additional info:

I've reported this against v3.11 here, but it can also occur in other versions, such as v3.7 ~ v3.10.

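The check a practitioner would run after this playbook is to confirm that the secret named in the service's serving-cert annotation (in OCP 3.x the full key is service.alpha.openshift.io/serving-cert-secret-name) actually holds a certificate issued by the service serving signer rather than the cluster's openshift-signer wildcard cert. The script below is an added example, not code from this bug report or from openshift-ansible: it assumes only that openssl is installed, builds two throwaway CAs and two leaf certificates whose CNs are constructed to mimic the issuers and subjects quoted in the report, and uses a constructed secret_cert_path function as a stand-in for reading tls.crt out of a Secret with oc. The annotation value is passed in directly; fetching it from the cluster is left to the usage note.

```shell
#!/bin/sh
# Added example (not from the bug report or openshift-ansible): build throwaway
# certs that mimic the two issuers shown in the report, then check which signer
# stands behind the secret named in the serving-cert-secret-name annotation.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA with the given CN, written to $WORK/<basename>.{key,crt}.
make_ca() {  # $1 = CN, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Leaf certificate for CN $2, signed by CA basename $1, written to $WORK/$3.crt.
issue_leaf() {  # $1 = CA basename, $2 = leaf CN, $3 = output basename
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/$3.crt" >/dev/null 2>&1
}

# Issuer DN of a PEM certificate in RFC 2253 form, e.g. "CN=openshift-signer@9999999999".
issuer_dn() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Succeeds only if the certificate was issued by the service serving signer.
is_service_serving_cert() {  # $1 = PEM file
  case "$(issuer_dn "$1")" in
    CN=openshift-service-serving-signer@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed stand-in for reading tls.crt out of a Secret with `oc get secret`:
# maps a secret name in a fake "default" namespace to its PEM file.
secret_cert_path() {  # $1 = secret name
  case "$1" in
    router-certs)       echo "$WORK/router-certs.crt" ;;
    router-metrics-tls) echo "$WORK/router-metrics-tls.crt" ;;
    *) return 1 ;;
  esac
}

# The post-playbook check: given the value of the service's
# serving-cert-secret-name annotation, does that secret hold a certificate
# from openshift-service-serving-signer? Fails for "router-certs", which only
# carries the openshift-signer wildcard cert.
check_serving_cert_annotation() {  # $1 = annotation value (secret name)
  pem="$(secret_cert_path "$1")" || return 1
  is_service_serving_cert "$pem"
}

# Constructed sample data, mirroring the issuers and subjects quoted in the report.
make_ca "openshift-signer@9999999999" ca-signer
make_ca "openshift-service-serving-signer@1231231234" ca-serving
issue_leaf ca-signer  "*.apps.example.com" router-certs
issue_leaf ca-serving "router.default.svc" router-metrics-tls

for name in router-metrics-tls router-certs; do
  if check_serving_cert_annotation "$name"; then
    echo "$name: OK, issued by $(issuer_dn "$(secret_cert_path "$name")")"
  else
    echo "$name: wrong secret for the annotation, issued by $(issuer_dn "$(secret_cert_path "$name")")"
  fi
done
```

Against a live cluster the same check is `oc get svc router -n default -o yaml` to read the annotation, then `oc get secret <name> -n default -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer` to see which signer issued the certificate the annotation points at; an issuer of openshift-signer with a wildcard subject means the annotation has been pointed at the router wildcard secret, which is the symptom this bug describes.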
Comment 8 Hongan Li 2019-03-21 05:49:02 UTC
Verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch; the issue has been fixed.

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
