Bug 1722550 - creating the unsupported configmap for cert rotation should taint a cluster
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-06-20 15:47 UTC by David Eads
Modified: 2024-06-13 22:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Creating unsupported configmap for cert rotation shortens cert rotation.
Consequence: This is unsupported and not user-facing functionality that was discovered by one of our users.
Fix: Prevent upgrades by setting Upgradable to False on kubeapiserver-operator when that unsupported config map is present.
Result: When an administrator creates the unsupported config map the cluster will not be upgradable.
Clone Of:
Environment:
Last Closed: 2019-10-16 06:32:19 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:32:31 UTC

Description David Eads 2019-06-20 15:47:24 UTC
This setting is unsupported.  Upgradeable should immediately go to false and we probably want to set degraded as well.

The cluster kept working in this case, but we don't want people confused about what it does to a cluster.

Comment 1 Stefan Schimanski 2019-06-24 12:39:02 UTC
With https://github.com/openshift/cluster-kube-apiserver-operator/pull/505 every cluster will be degraded and not upgradable.

Comment 2 Michal Fojtik 2019-08-12 08:07:15 UTC
The code is already there; creating the configmap in the linked PR indeed sets the cluster upgradeable to false. Moving to QA to verify.

Comment 3 Xingxing Xia 2019-08-15 05:24:15 UTC
(In reply to Michal Fojtik from comment #2)
> The code is already there, creating the configmap in linked PR indeed set
> the cluster upgradeable to false. Moving to QA to verify.

Checked the latest 4.1.0-0.nightly-2019-08-14-043700 env. Per the Doc Text's Fix part, co/kube-apiserver does not change Upgradeable (status is True) before and after creating the below:
oc create -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: unsupported-cert-rotation-config
  namespace: openshift-config
data:
  base: 1m
EOF

Could you please give a hint if the above verification is wrong?

Comment 4 Xingxing Xia 2019-08-15 05:55:20 UTC
Sorry, made a mistake; this bug's target release is 4.2; should use a 4.2 env to test later.

Comment 5 Xingxing Xia 2019-08-15 07:04:48 UTC
Verified in latest 4.2.0-0.nightly-2019-08-15-033605 env. After creating unsupported-cert-rotation-config, co/kube-apiserver yaml shows Upgradeable is False:
    - lastTransitionTime: "2019-08-15T06:59:53Z"
      message: 'CertRotationTimeUpgradeable: configmap["openshift-config"]/unsupported-cert-rotation-config
        .data["base"]=="1m"'
      reason: CertRotationTimeUpgradeableCertRotationBaseOverridden
      status: "False"
      type: Upgradeable
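
The check discussed in Comments 3 and 5, as an added example that is not part of the bug report or the operator's own code: it reads `oc get ... -o json` output and tells whether the unsupported ConfigMap is present and whether the operator reports it. The sample JSON is constructed from Comment 5's values; the state names and the match on the reason substring are assumptions.

```python
import json

CM_NAMESPACE = "openshift-config"
CM_NAME = "unsupported-cert-rotation-config"
# Assumption: match on the tail of the reason string shown in Comment 5.
REASON_MARK = "CertRotationBaseOverridden"

# Constructed samples, shaped like `oc get co kube-apiserver -o json` and
# `oc get configmap -n openshift-config -o json`.
SAMPLE_CO = json.loads("""
{"kind": "ClusterOperator", "metadata": {"name": "kube-apiserver"},
 "status": {"conditions": [
  {"type": "Available", "status": "True"},
  {"type": "Upgradeable", "status": "False",
   "reason": "CertRotationTimeUpgradeableCertRotationBaseOverridden",
   "lastTransitionTime": "2019-08-15T06:59:53Z"}]}}
""")
SAMPLE_CMS = json.loads("""
{"kind": "List", "items": [
 {"kind": "ConfigMap",
  "metadata": {"name": "unsupported-cert-rotation-config",
               "namespace": "openshift-config"},
  "data": {"base": "1m"}}]}
""")


def find_override(configmaps):
    """Return the override ConfigMap's data dict, or None if it is absent."""
    for cm in configmaps.get("items", []):
        meta = cm.get("metadata", {})
        if meta.get("name") == CM_NAME and meta.get("namespace") == CM_NAMESPACE:
            return cm.get("data") or {}
    return None


def audit(cluster_operator, configmaps):
    """Return 'clean', 'override-reported' or 'override-unreported' (hypothetical names)."""
    if find_override(configmaps) is None:
        return "clean"
    conds = cluster_operator.get("status", {}).get("conditions", [])
    reported = any(
        c.get("type") == "Upgradeable" and c.get("status") == "False"
        and REASON_MARK in c.get("reason", "")
        for c in conds
    )
    # Comment 3's 4.1 nightly: ConfigMap present, Upgradeable still True.
    return "override-reported" if reported else "override-unreported"


if __name__ == "__main__":
    print(audit(SAMPLE_CO, SAMPLE_CMS))
```

An `override-unreported` result corresponds to the situation in Comment 3, where the ConfigMap exists but the running version does not surface it in the Upgradeable condition.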

Comment 6 errata-xmlrpc 2019-10-16 06:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

