Bug 1721336 - [3.10]redeploy-certificates playbook redeploys service signer certificate - causing internal apps not working
Summary: [3.10]redeploy-certificates playbook redeploys service signer certificate - c...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.10.z
Assignee: Joseph Callen
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-06-18 01:08 UTC by Vladislav Walek
Modified: 2023-09-14 05:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The service-signer was deleted and regenerated at each redeploy-certificates run.
Consequence: Internal applications that depend on the service signer certificate would need to be regenerated or were invalid.
Fix: Remove service-signer from the list of certificates to be removed during a normal non-CA certificate redeployment.
Result: service-signer is only updated when the OpenShift CA has been renewed.
Clone Of:
Clones: 1748982
Environment:
Last Closed: 2019-10-14 08:49:42 UTC
Target Upstream Version:
Embargoed:




Links
GitHub openshift/openshift-ansible pull 11826 (closed): Bug 1721336: Only delete and regenerate service signer cert when updating CA (last updated 2020-03-10 00:28:28 UTC)
GitHub openshift/openshift-ansible pull 11830 (closed): [release-3.10] Bug 1721336: Only delete and regenerate service signer cert when updating CA (last updated 2020-03-10 00:28:28 UTC)
Red Hat Product Errata RHBA-2019:2987 (last updated 2019-10-14 08:49:45 UTC)

Description Vladislav Walek 2019-06-18 01:08:05 UTC
Description of problem:

When running /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml, it also redeploys the service signer certificate, which is used to sign the internal services.

This causes internal services to stop working because their certificate is invalid.
Only manual intervention fixes the issue.
The secrets are not reconfigured; the admin must delete them to recreate them.

Version-Release number of the following components:
openshift 3.10 playbooks

How reproducible:
execute the playbook and check the service signer

Steps to Reproduce:
1.
2.
3.

Actual results:
the internal service will stop working

Expected results:
The service signer should not be redeployed by default;
it should only be redeployed when a new CA is deployed.

Additional info:

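The failure mode described in the report is a plain chain-validation break: the serving-cert Secrets that services already hold were issued by the old service signer, the playbook replaces the signer, and nothing re-issues the Secrets. The following is an added example (not code from this bug, from openshift-ansible, or from OpenShift) that models that sequence with Go's standard x509 library and shows the check an admin would want before and after a redeploy: which Secrets no longer chain to the signer currently on the master and therefore have to be deleted so they get recreated. The signer common names, the secret names and the service DNS names are constructed for the example; on a real cluster the same check would read /etc/origin/master/service-signer.crt and each Secret's tls.crt instead of minting them in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// newSigner mints a self-signed CA standing in for the service signer
// (/etc/origin/master/service-signer.crt). The CN is a made-up label.
func newSigner(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServingCert issues the leaf a service holds in its serving-cert Secret
// (tls.crt), signed by the given signer.
func newServingCert(dnsName string, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChainsToSigner is the check itself: does this serving cert still verify, for
// its DNS name, with the signer currently on the master as the only root?
func ChainsToSigner(leaf, signer *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(signer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// StaleSecrets returns, sorted, the names of serving-cert Secrets whose tls.crt
// no longer chains to signer: the ones the admin has to delete to get them recreated.
func StaleSecrets(secrets map[string]*x509.Certificate, signer *x509.Certificate) []string {
	var stale []string
	for name, cert := range secrets {
		dns := ""
		if len(cert.DNSNames) > 0 {
			dns = cert.DNSNames[0]
		}
		if !ChainsToSigner(cert, signer, dns) {
			stale = append(stale, name)
		}
	}
	sort.Strings(stale)
	return stale
}

// SimulateRedeploy models the bug: Secrets are issued by signer A, then the
// playbook deletes and regenerates the signer (B) without touching the Secrets.
// It returns the stale Secrets as seen before and after the regeneration.
func SimulateRedeploy() ([]string, []string, error) {
	signerA, keyA, err := newSigner("openshift-service-serving-signer@A") // hypothetical CN
	if err != nil {
		return nil, nil, err
	}
	secrets := map[string]*x509.Certificate{}
	// Constructed sample Secrets: name -> service DNS name the cert was issued for.
	for name, dns := range map[string]string{
		"registry-tls":       "docker-registry.default.svc",
		"router-metrics-tls": "router.default.svc",
	} {
		cert, err := newServingCert(dns, signerA, keyA)
		if err != nil {
			return nil, nil, err
		}
		secrets[name] = cert
	}
	signerB, _, err := newSigner("openshift-service-serving-signer@B") // regenerated signer
	if err != nil {
		return nil, nil, err
	}
	return StaleSecrets(secrets, signerA), StaleSecrets(secrets, signerB), nil
}

func main() {
	before, after, err := SimulateRedeploy()
	if err != nil {
		panic(err)
	}
	fmt.Println("stale before redeploy:", before)
	fmt.Println("stale after signer regenerated:", after)
}
```

Before the signer is replaced no Secret is stale; after it is replaced every Secret issued by the old signer fails verification, which is exactly the "internal services stop working" symptom, and the list StaleSecrets returns is the set an admin would delete so the serving-cert controller reissues them. Run against a cluster, the same logic gives a pre-flight check for any redeploy that touches the signer, including the intended case where openshift_redeploy_openshift_ca=true regenerates it on purpose.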
Comment 8 Gaoyun Pei 2019-10-09 09:22:47 UTC
Verify this bug with openshift-ansible-3.10.175-1.git.0.19fd261.el7.noarch.rpm

openshift-ansible/playbooks/redeploy-certificates.yml won't update service-signer certificates by default.

TASK [Remove service signer certificates] **************************************
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt)  => {"changed": false, "item": "service-signer.crt", "skip_reason": "Conditional result was False", "skipped": true}
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key)  => {"changed": false, "item": "service-signer.key", "skip_reason": "Conditional result was False", "skipped": true}


With openshift_redeploy_openshift_ca=true set in inventory file, the service-signer certificates will be removed and regenerated.

TASK [Remove service signer certificates] **************************************
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt) => {"changed": true, "failed": false, "item": "service-signer.crt", "path": "/etc/origin/master/service-signer.crt", "state": "absent"}
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key) => {"changed": true, "failed": false, "item": "service-signer.key", "path": "/etc/origin/master/service-signer.key", "state": "absent"}

Comment 10 errata-xmlrpc 2019-10-14 08:49:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2987

Comment 11 Red Hat Bugzilla 2023-09-14 05:30:28 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

