Bug 1683982 - The cert data in the configmap not update when signing CA secret recreated
Summary: The cert data in the configmap not update when signing CA secret recreated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.1.0
Assignee: Matt Rogers
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-28 08:54 UTC by Chuan Yu
Modified: 2019-06-04 10:44 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:42 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:49 UTC

Description Chuan Yu 2019-02-28 08:54:11 UTC 
Description of problem:
The cert data in the configmap not update when signing CA secret recreated(service-serving-cert-signer-signing-key)

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-02-26-125216   True        False         26h     Cluster version is 4.0.0-0.nightly-2019-02-26-125216

How reproducible:
always

Steps to Reproduce:
1. create a configmap and annotate it with service.alpha.openshift.io/inject-cabundle=true

2. check the cert data in the configmap

3. delete secret service-serving-cert-signer-signing-key in openshift-service-cert-signer project, the service pod service-serving-cert-signer- will restarted automatically

4. waiting the pod ready,  check the cert data in the configmap, not updated, the same as step 2

Actual results:
The cert data in the configmap, not updated

Expected results:
The cert data in the configmap should be updated.

Additional info:
https://jira.coreos.com/browse/AUTH-109
Comment 1 Chuan Yu 2019-03-12 07:21:11 UTC 
Have checked alpha build, the issue still not fix.
$ oc get clusterversion
NAME      VERSION                           AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.alpha-2019-03-12-005310   True        False         4h20m     Cluster version is 4.0.0-0.alpha-2019-03-12-005310
Comment 5 Wei Sun 2019-04-10 03:25:48 UTC 
Could you please help check if it has been fixed?
Comment 6 Chuan Yu 2019-04-10 07:02:41 UTC 
The latest Accepted build 4.0.0-0.nightly-2019-04-05-165550 not include this fix.
Comment 7 Wei Sun 2019-04-10 10:12:52 UTC 
Please check if the fix is in 4.0.0-0.nightly-2019-04-08-225815
Comment 8 Chuan Yu 2019-04-11 06:14:46 UTC 
Verified.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-04-10-182914   True        False         171m    Cluster version is 4.0.0-0.nightly-2019-04-10-182914
Comment 10 errata-xmlrpc 2019-06-04 10:44:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
Note You need to log in before you can comment on or make changes to this bug.