During testing of the master replacement DR scenario it was discovered that KAS was reliant on the deprecated EtcdCA. This is problematic because signing assets for that CA were not installed into the cluster meaning that it became impossible to sign additional certificates in the future with the same CA. We need to break the ties to EtcdCA See https://github.com/openshift/installer/pull/1720
Checked latest paylaod(4.1.0-0.nightly-2019-05-08-012425) until now, the pr have not been in it. change status to modify, and I will continue to watch it.
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-195152 | grep installer installer https://github.com/openshift/installer c91435c84a7ac35404b6062a45ae48b82b1f76ab installer-artifacts https://github.com/openshift/installer 6e5093d4e4d0e2069957a54db95c69b9eaa2b3a2 $ git log --first-parent --format='%ad %h %d %s' --date=iso -5 origin/master | cat 2019-05-08 22:52:53 +0200 3b6832c2a (HEAD -> master, origin/release-4.2, origin/release-4.1, origin/master, origin/HEAD) Merge pull request #1727 from abhinavdahiya/infra_api_changes_public 2019-05-08 19:56:40 +0200 c91435c84 Merge pull request #1730 from abhinavdahiya/upi_image_fix 2019-05-08 05:06:26 +0200 23aac5288 Merge pull request #1718 from abhinavdahiya/infra_api_changes 2019-05-08 01:27:39 +0200 d506a01c8 Merge pull request #1720 from hexfusion/remove_etcd_ca 2019-05-07 19:56:54 +0200 6e5093d4e Merge pull request #1711 from mandre/openstack-resolver So the associated installer has the fix, but installer-artifacts (which is what gets extracted, I think) does not. The disconnect may be another symptom of bug 1707928, and will hopefully be addressed by the current builds going on as part of that.
$ oc adm release info --commits registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-05-08-220123 | grep installer installer https://github.com/openshift/installer 3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc installer-artifacts https://github.com/openshift/installer 3b6832c2a12e0d3e0edc91ee1266e8eba51aeebc``` Moving back to ON_QA.
Blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1707928
Verified with Beta 5 Final Build(4.1.0-rc.1), install ocp cluster on aws, and when bootstrap node is initialed, login on it and check the tls dir: etcdca have been deprecated, and etcdsign prompted $ pwd /opt/openshift/tls [core@ip-10-0-12-112 tls]$ ls *etcd* etcd-ca-bundle.crt etcd-client.key etcd-metric-signer-client.crt etcd-metric-signer.crt etcd-signer.crt etcd-client.crt etcd-metric-ca-bundle.crt etcd-metric-signer-client.key etcd-metric-signer.key etcd-signer.key [core@ip-10-0-12-112 tls]$ check the bootstrap logs: #journalctl -b -f -u bootkube.service May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-ca-bundle-configmap.yaml" configmaps.v1./etcd-ca-bundle -n openshift-config May 10 07:40:44 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-client-secret.yaml" secrets.v1./etcd-client -n openshift-config May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-client-secret.yaml" secrets.v1./etcd-metric-client -n openshift-config May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-serving-ca-configmap.yaml" configmaps.v1./etcd-metric-serving-ca -n openshift-config May 10 07:40:45 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-metric-signer-secret.yaml" secrets.v1./etcd-metric-signer -n openshift-config May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-namespace.yaml" namespaces.v1./openshift-etcd -n May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-service.yaml" services.v1./etcd -n openshift-etcd May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-serving-ca-configmap.yaml" configmaps.v1./etcd-serving-ca -n openshift-config May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "etcd-signer-secret.yaml" secrets.v1./etcd-signer -n openshift-config May 10 07:40:46 ip-10-0-12-112 bootkube.sh[1398]: Created "kube-apiserver-serving-ca-configmap.yaml" configmaps.v1./initial-kube-apiserver-server-ca -n openshift-config