During testing of the master replacement DR scenario it was discovered that KAS was reliant on the deprecated EtcdCA. This is problematic because signing assets for that CA were not installed into the cluster, meaning that it became impossible to sign additional certificates in the future with the same CA. We need to break the ties to EtcdCA. See https://github.com/openshift/installer/pull/1720
Checked the latest payload (4.1.0-0.nightly-2019-05-08-012425); until now, the PR has not been in it. Change status to modify, and I will continue to watch it.
```
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-195152 | grep installer
installer https://github.com/openshift/installer c91435c84a7ac35404b6062a45ae48b82b1f76ab
installer-artifacts https://github.com/openshift/installer 6e5093d4e4d0e2069957a54db95c69b9eaa2b3a2
$ git log --first-parent --format='%ad %h %d %s' --date=iso -5 origin/master | cat
2019-05-08 22:52:53 +0200 3b6832c2a (HEAD -> master, origin/release-4.2, origin/release-4.1, origin/master, origin/HEAD) Merge pull request #1727 from abhinavdahiya/infra_api_changes_public
2019-05-08 19:56:40 +0200 c91435c84 Merge pull request #1730 from abhinavdahiya/upi_image_fix
2019-05-08 05:06:26 +0200 23aac5288 Merge pull request #1718 from abhinavdahiya/infra_api_changes
2019-05-08 01:27:39 +0200 d506a01c8 Merge pull request #1720 from hexfusion/remove_etcd_ca
2019-05-07 19:56:54 +0200 6e5093d4e Merge pull request #1711 from mandre/openstack-resolver
```

So the associated installer has the fix, but installer-artifacts (which is what gets extracted, I think) does not. The disconnect may be another symptom of bug 1707928, and will hopefully be addressed by the current builds going on as part of that.

```
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-220123 | grep installer
installer https://github.com/openshift/installer 3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc
installer-artifacts https://github.com/openshift/installer 3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc
```

Moving back to ON_QA.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1707928
Verified with Beta 5 Final Build (4.1.0-rc.1): installed an OCP cluster on AWS, and when the bootstrap node was initialized, logged in on it and checked the tls dir: etcdca has been deprecated, and etcdsign prompted

```
$ pwd
/opt/openshift/tls
[core@ip-10-0-12-112 tls]$ ls *etcd*
etcd-ca-bundle.crt  etcd-client.key            etcd-metric-signer-client.crt  etcd-metric-signer.crt  etcd-signer.crt
etcd-client.crt     etcd-metric-ca-bundle.crt  etcd-metric-signer-client.key  etcd-metric-signer.key  etcd-signer.key
[core@ip-10-0-12-112 tls]$
```

Check the bootstrap logs:

```
#journalctl -b -f -u bootkube.service
May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-ca-bundle-configmap.yaml" configmaps.v1./etcd-ca-bundle -n openshift-config
May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-client-secret.yaml" secrets.v1./etcd-client -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-client-secret.yaml" secrets.v1./etcd-metric-client -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-serving-ca-configmap.yaml" configmaps.v1./etcd-metric-serving-ca -n openshift-config
May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-signer-secret.yaml" secrets.v1./etcd-metric-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-namespace.yaml" namespaces.v1./openshift-etcd -n
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-service.yaml" services.v1./etcd -n openshift-etcd
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-serving-ca-configmap.yaml" configmaps.v1./etcd-serving-ca -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-signer-secret.yaml" secrets.v1./etcd-signer -n openshift-config
May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "kube-apiserver-serving-ca-configmap.yaml" configmaps.v1./initial-kube-apiserver-server-ca -n openshift-config
```
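The payload check made by hand in the comments above (is every installer image in a release at or past the merge of pull request #1720?) can be scripted; this is an added example, not part of the original thread. `has_merge` and `check_payload` are hypothetical helper names, and the embedded inputs are copied from the command outputs quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are the command outputs quoted
# in the comments above, embedded so the script runs offline.
RELEASE_INFO='installer https://github.com/openshift/installer c91435c84a7ac35404b6062a45ae48b82b1f76ab
installer-artifacts https://github.com/openshift/installer 6e5093d4e4d0e2069957a54db95c69b9eaa2b3a2'

FIRST_PARENT_LOG='2019-05-08 22:52:53 +0200 3b6832c2a (HEAD -> master, origin/release-4.2, origin/release-4.1, origin/master, origin/HEAD) Merge pull request #1727 from abhinavdahiya/infra_api_changes_public
2019-05-08 19:56:40 +0200 c91435c84 Merge pull request #1730 from abhinavdahiya/upi_image_fix
2019-05-08 05:06:26 +0200 23aac5288 Merge pull request #1718 from abhinavdahiya/infra_api_changes
2019-05-08 01:27:39 +0200 d506a01c8 Merge pull request #1720 from hexfusion/remove_etcd_ca
2019-05-07 19:56:54 +0200 6e5093d4e Merge pull request #1711 from mandre/openstack-resolver'

# has_merge LOG COMMIT PR  (hypothetical helper)
# LOG is newest first with the short hash in field 4. Exit 0 if COMMIT sits at
# or above the merge of PR, 1 if below it, 2 if either is outside the log.
has_merge() {
    printf '%s\n' "$1" | awk -v c="$2" -v pr="#$3" '
        { for (i = 5; i <= NF; i++) if ($i == pr) merge = NR }
        NF >= 4 && index(c, $4) == 1 { commit = NR }
        END { if (!merge || !commit) exit 2
              exit ((commit <= merge) ? 0 : 1) }'
}

# check_payload RELEASE_INFO LOG PR  (hypothetical helper)
# Prints one verdict per image; returns 1 unless every image contains the merge.
check_payload() {
    rc=0
    while read -r image _repo commit; do
        st=0
        has_merge "$2" "$commit" "$3" || st=$?
        case $st in
            0) echo "$image $commit: contains #$3" ;;
            1) echo "$image $commit: MISSING #$3"; rc=1 ;;
            *) echo "$image $commit: unknown (outside log window)"; rc=1 ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

check_payload "$RELEASE_INFO" "$FIRST_PARENT_LOG" 1720 || echo "payload not ready for verification"
```

The comparison is only valid along the first-parent line of the branch the log was taken from, and a commit older than the log window is reported as unknown rather than missing.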