1672011 – "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation

Bug 1672011 - "redeploy-router-certificates.yml" makes changes to wrong "service serving certificate secrets" annotation [NEEDINFO]

Summary: "redeploy-router-certificates.yml" makes changes to wrong "service serving ce...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Dan Mace
QA Contact:	Hongan Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-02-03 04:45 UTC by Daein Park
Modified:	2022-08-04 22:20 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: The playbooks and manual configuration steps to redeploy router certificates are replace with service serving certificates secret, it overwrite or miss the router wild certificates secret. Consequence: It cause the certificates error due to incorrect certificates redeployed. Fix: Modify playbooks or manual redeploying steps not to overwrite router certificates secret with service serving certificate secret. Result: The router certificates are redeployed configuration based on specified sub domain or custom certificates.
Clone Of:
Environment:
Last Closed:	2019-04-11 05:38:26 UTC
Target Upstream Version:
Flags:	rkant: needinfo? (dmace)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift openshift-ansible pull 11119	0	'None'	closed	[release-3.11] Correct service serving secret name in the annotation	2021-01-24 14:28:42 UTC
Red Hat Product Errata	RHBA-2019:0636	0	None	None	None	2019-04-11 05:38:35 UTC

Internal Links: 1635613

Description Daein Park 2019-02-03 04:45:30 UTC

Description of problem:

When run "redeploy-router-certificates.yml", "serving-cert-secret-name" of annotation has been changed wrong "Secret" with "router-certs".
"router-certs" secret has been stored as the wild card certificates with "openshift-signer" CA, it's not "openshift-service-serving-signer" CA.

It should be confusing and problematic in future.

The evidences of this issue are as follow.

* tls.crt of "router-certs" Secret
  ~~~
          Issuer: CN=openshift-signer@9999999999
          ...
          Subject: CN=*.apps.example.com
  ~~~

* tls.crt of "router-metrics-tls" Secret
  ~~~
          Issuer: CN=openshift-service-serving-signer@1231231234
          ...
          Subject: CN=router.default.svc
  ~~~

* Before running "redeploy-router-certificates.yml"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~

* After running "redeploy-router-certificates.yml", "router-metrics-tls" has been changed to "router-certs"
  ~~~
  # oc describe svc router -n default
  Name:              router
  Namespace:         default
  Labels:            router=router
  Annotations:       prometheus.openshift.io/password=abcabcabcd
                     prometheus.openshift.io/username=admin
                     service.alpha.openshift.io/serving-cert-secret-name=router-certs
                     service.alpha.openshift.io/serving-cert-signed-by=openshift-service-serving-signer@1231231234
  ~~~


Version-Release number of the following components:
rpm -q openshift-ansible

  openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch

rpm -q ansible

  ansible-2.6.11-1.el7ae.noarch

ansible --version

  ansible 2.6.11
    config file = /etc/ansible/ansible.cfg
    configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python2.7/site-packages/ansible
    executable location = /usr/bin/ansible
    python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

You can reproduce this whenever run "playbooks/openshift-hosted/redeploy-router-certificates.yml" playbooks.

Steps to Reproduce:
1.
2.
3.

Actual results:

Ths service serving certificates secret name has been changed to "router-certs", it's wrong secret name.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-certs"

Expected results:

The service serving certificates secret name should keep the same name after redeploying router certificates as follows.
e.g.>
"service.alpha.openshift.io/serving-cert-secret-name=router-metrics-tls"

Additional info:

I've reported as v3.11 here, but it can also occurred other versions, such as v3.7 ~ v3.10.

Comment 8 Hongan Li 2019-03-21 05:49:02 UTC

verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch and the issue has been fixed

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636

Note You need to log in before you can comment on or make changes to this bug.