Description of problem:

We have test errors because of a breaking change in the service annotation service.alpha.openshift.io/serving-cert-secret-name feature. An issue was opened in our GitHub repo to track this error: https://github.com/EnMasseProject/enmasse/issues/3457

We see a behavioural change between 4.2 and 4.3 which is breaking for our existing application. On 4.2, the generated secret's tls.crt entry contained both the server's cert and the cert of its signer. On 4.3, the generated secret's tls.crt entry contains the server's cert. This is breaking for us as we rely on this trust source to configure SSL clients.

With 4.2:

$ oc get secrets standard-authservice-cert -o template='{{index .data "tls.crt"}}' | base64 -d
----BEGIN CERTIFICATE----
MIIDwDCCAqigAwIBAgIIZ9hFN01PmBIwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTU3MTgxNjU3MDAe
Fw0xOTExMTMwNzQ1NDBaFw0yMTExMTIwNzQ1NDFaMDExLzAtBgNVBAMTJnN0YW5k
...
IxWGUg==
----END CERTIFICATE----
----BEGIN CERTIFICATE----
MIIDCjCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDDCtvcGVu
c2hpZnQtc2VydmljZS1zZXJ2aW5nLXNpZ25lckAxNTcxODE2NTcwMB4XDTE5MTAy
MzA3NDI0OVoXDTIwMTAyMjA3NDI1MFowNjE0MDIGA1UEAwwrb3BlbnNoaWZ0LXNl
cnZpY2Utc2VydmluZy1zaWduZXJAMTU3MTgxNjU3MDCCASIwDQYJKoZIhvcNAQEB
...
e5Ki6eXXHxW8mNsFCZE=
----END CERTIFICATE----

With 4.3:

oc get secrets standard-authservice-cert -o template='{{index .data "tls.crt"}}' | base64 -d
----BEGIN CERTIFICATE----
MIIEAjCCAuqgAwIBAgIIPj/x4jBgKckwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE
Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTU3MzEyNDY0MDAe
Fw0xOTExMTIwOTA5MjNaFw0yMTExMTEwOTA5MjRaMDExLzAtBgNVBAMTJnN0YW5k
YXJkLWF1dGhzZXJ2aWNlLmVubWFzc2UtaW5mcmEuc3ZjMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEArB9rnPH4KStY28LpdEqb0Y6z//Y+qtr807qJJLm6
/8aPHcn/0Mwg61fCozBSo0darwLy5Mxm4P5a2ta7xBrYrLj5n1pg9sGr104wX7K4
nnl9juMWHw4DPsjKJmHq7aDLeYerOrJZX0a1VEUFwLIiNrPoPf1qHBKfLw3sc9Xg
...
pqaWd+m5XNUuovtW0UfKlUKshGa/ag==
----END CERTIFICATE----
Please reroute if openshift-api is the incorrect component
As per https://docs.okd.io/latest/dev_guide/secrets.html#service-serving-certificate-secrets , the needed CA certs are found at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.
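An added example (not code from the bug report, EnMasse or OpenShift) of how a client can build its trust source so that it works with both behaviours described above: the 4.2 tls.crt that already carries the signer, and the 4.3 tls.crt that carries only the server cert, with the signer taken from the mounted service-ca.crt instead. The function names and the constructed sample certificates are hypothetical; the only real inputs assumed are the secret's tls.crt and the service-ca.crt path from the comment above.

```python
"""Build a client trust bundle from a service-serving-cert secret.

Added example. Assumes two inputs: the secret's tls.crt (server cert only on
4.3, server cert + signer on 4.2) and the cluster CA as mounted at
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.
"""
import base64
import re

# One PEM certificate block; re.S lets the body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(text)]


def der_to_pem(der: bytes) -> str:
    """Re-encode DER bytes as a single PEM certificate block (64-char lines)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def signer_included(tls_crt: str) -> bool:
    """True when tls.crt carries more than the server cert (4.2 behaviour)."""
    return len(split_pem_bundle(tls_crt)) > 1


def build_trust_bundle(tls_crt: str, service_ca_crt: str) -> str:
    """Server cert first, then every CA cert, with duplicates dropped.

    On 4.2 the signer is already in tls.crt and service-ca.crt repeats it;
    comparing DER bytes keeps a single copy. On 4.3 only service-ca.crt
    supplies it. Either way the result is a complete chain for SSL clients.
    """
    certs = split_pem_bundle(tls_crt)
    if not certs:
        raise ValueError("tls.crt contains no certificate")
    ordered = [certs[0]]
    for der in certs[1:] + split_pem_bundle(service_ca_crt):
        if der not in ordered:
            ordered.append(der)
    return "".join(der_to_pem(d) for d in ordered)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, not real certificates.
    leaf, ca = der_to_pem(b"leaf-cert-der"), der_to_pem(b"signer-cert-der")
    print("4.2 bundle has signer:", signer_included(leaf + ca))  # True
    print("4.3 bundle has signer:", signer_included(leaf))       # False
```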
Proposal to ensure the current behavior is retained for the alpha annotation: https://github.com/openshift/enhancements/pull/109

Implementation: https://github.com/openshift/service-ca-operator/pull/83
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062