
Bug 1805791

Summary: add dynamic reloading for CSR signing controllers
Product: OpenShift Container Platform
Reporter: Maciej Szulik <maszulik>
Component: kube-controller-manager
Assignee: Lukasz Szaszkiewicz <lszaszki>
Status: CLOSED ERRATA
QA Contact: zhou ying <yinzhou>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.4
CC: aos-bugs, lszaszki, mfojtik, tnozicka, yinzhou
Target Milestone: ---
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1804239
Environment:
Last Closed: 2020-05-04 11:38:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1804239
Bug Blocks:

Description Maciej Szulik 2020-02-21 14:51:08 UTC
+++ This bug was initially created as a clone of Bug #1804239 +++

Pick https://github.com/kubernetes/kubernetes/pull/86816 into origin to provide dynamic reloading for CSR signing controllers to match the kube-apiserver for cert/key pair reloading behavior.

Comment 5 zhou ying 2020-03-02 08:49:55 UTC
Confirmed with latest payload: 4.4.0-0.nightly-2020-03-01-215047, the issue has been fixed:

1) In one terminal, delete the secret:
oc delete secrets/csr-signer -n openshift-kube-controller-manager-operator

2) At the same time, check the logs from the pod in project openshift-kube-controller-manager:

oc logs -f po/kube-controller-manager-ip-xxxx.compute.internal -n openshift-kube-controller-manager
I0302 08:42:20.410480       1 tlsconfig.go:179] loaded client CA [2/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kubelet-signer" [] issuer="<self>" (2020-03-02 01:47:23 +0000 UTC to 2020-03-03 01:47:23 +0000 UTC (now=2020-03-02 08:42:20.410468037 +0000 UTC))
I0302 08:42:20.410501       1 tlsconfig.go:179] loaded client CA [3/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kube-csr-signer_@1583138324" [] issuer="kubelet-signer" (2020-03-02 08:38:44 +0000 UTC to 2020-03-03 01:47:23 +0000 UTC (now=2020-03-02 08:42:20.410493045 +0000 UTC))
I0302 08:42:20.410517       1 tlsconfig.go:179] loaded client CA [4/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kube-csr-signer_@1583138505" [] issuer="kubelet-signer" (2020-03-02 08:41:44 +0000 UTC to 2020-03-03 01:47:23 +0000 UTC (now=2020-03-02 08:42:20.410509826 +0000 UTC))
I0302 08:42:20.410533       1 tlsconfig.go:179] loaded client CA [5/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kube-apiserver-to-kubelet-signer" [] issuer="<self>" (2020-03-02 01:47:24 +0000 UTC to 2021-03-02 01:47:24 +0000 UTC (now=2020-03-02 08:42:20.410525853 +0000 UTC))
I0302 08:42:20.410548       1 tlsconfig.go:179] loaded client CA [6/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kube-control-plane-signer" [] issuer="<self>" (2020-03-02 01:47:24 +0000 UTC to 2021-03-02 01:47:24 +0000 UTC (now=2020-03-02 08:42:20.410541207 +0000 UTC))
I0302 08:42:20.410564       1 tlsconfig.go:179] loaded client CA [7/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "kubelet-bootstrap-kubeconfig-signer" [] issuer="<self>" (2020-03-02 01:47:13 +0000 UTC to 2030-02-28 01:47:13 +0000 UTC (now=2020-03-02 08:42:20.410556791 +0000 UTC))
I0302 08:42:20.410579       1 tlsconfig.go:179] loaded client CA [8/"client-ca-bundle::/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt,request-header::/etc/kubernetes/static-pod-certs/configmaps/aggregator-client-ca/ca-bundle.crt"]: "aggregator-signer" [] issuer="<self>" (2020-03-02 01:47:19 +0000 UTC to 2020-03-03 01:47:19 +0000 UTC (now=2020-03-02 08:42:20.410572403 +0000 UTC))
I0302 08:42:20.410827       1 tlsconfig.go:201] loaded serving cert ["serving-cert::/etc/kubernetes/static-pod-resources/secrets/serving-cert/tls.crt::/etc/kubernetes/static-pod-resources/secrets/serving-cert/tls.key"]: "kube-controller-manager.openshift-kube-controller-manager.svc" [serving] validServingFor=[kube-controller-manager.openshift-kube-controller-manager.svc,kube-controller-manager.openshift-kube-controller-manager.svc.cluster.local] issuer="openshift-service-serving-signer@1583114629" (2020-03-02 02:03:57 +0000 UTC to 2022-03-02 02:03:58 +0000 UTC (now=2020-03-02 08:42:20.410814728 +0000 UTC))
I0302 08:42:20.411060       1 named_certificates.go:53] loaded SNI cert [0/"self-signed loopback"]: "apiserver-loopback-client@1583115200" [serving] validServingFor=[apiserver-loopback-client] issuer="apiserver-loopback-client-ca@1583115199" (2020-03-02 01:13:19 +0000 UTC to 2021-03-02 01:13:19 +0000 UTC (now=2020-03-02 08:42:20.411046069 +0000 UTC))
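The behaviour verified above, a newly generated csr-signer CA showing up in the controller's loaded certificates without the pod restarting, depends on the signer's cert/key pair being re-read from disk when its content changes. The Go program below is an added illustration of that reload pattern written for this page; it is not code from the kubernetes/kubernetes pull request or from OpenShift. Every name in it (DynamicSigner, Reload, Issue, WriteCA) and the sample signer names kube-csr-signer_@1 and kube-csr-signer_@2 are constructed for the example. It writes a CA into a temporary directory, issues a certificate, rewrites the CA the way an operator regenerating the secret would, reloads and issues again. Content that fails to parse, or a key that does not match its cert, is rejected and the previously loaded pair stays in use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// DynamicSigner (hypothetical, not the kube-controller-manager code) holds a CA cert/key pair
// read from disk and swaps it in when the file content changes, so a rotated signer takes effect without a restart.
type DynamicSigner struct {
	certFile, keyFile string
	mu                sync.RWMutex
	sum               [32]byte          // hash of the content last loaded successfully
	ca                *x509.Certificate // parsed signer certificate
	key               any               // private key matching ca
}

// Reload re-reads both files and reports whether a new pair was installed. Content that
// fails to parse, or a key that does not match the cert, leaves the previous pair active.
func (s *DynamicSigner) Reload() (bool, error) {
	certPEM, err := os.ReadFile(s.certFile)
	if err != nil {
		return false, err
	}
	keyPEM, err := os.ReadFile(s.keyFile)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(append(append([]byte{}, certPEM...), keyPEM...))
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.ca != nil && sum == s.sum {
		return false, nil // same bytes as last time: nothing to do
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the key does not match the cert
	if err != nil {
		return false, err
	}
	ca, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return false, err
	}
	s.ca, s.key, s.sum = ca, pair.PrivateKey, sum
	return true, nil
}

// Issue signs a client certificate for cn with the currently loaded CA. A real signer takes
// the public key from the CSR; a key is generated here only to keep the example self-contained.
func (s *DynamicSigner) Issue(cn string) *x509.Certificate {
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	s.mu.RLock()
	defer s.mu.RUnlock()
	der := must(x509.CreateCertificate(rand.Reader, tmpl, s.ca, &leafKey.PublicKey, s.key))
	return must(x509.ParseCertificate(der))
}

// WriteCA writes a fresh self-signed CA named cn as tls.crt/tls.key into dir, standing in
// for the operator regenerating the csr-signer secret (constructed test data, not a real signer).
func WriteCA(dir, cn string) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	keyDER := must(x509.MarshalECPrivateKey(key))
	check(os.WriteFile(filepath.Join(dir, "tls.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	check(os.WriteFile(filepath.Join(dir, "tls.key"), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func must[T any](v T, err error) T { check(err); return v }

func main() {
	dir := must(os.MkdirTemp("", "csr-signer"))
	defer os.RemoveAll(dir)
	WriteCA(dir, "kube-csr-signer_@1")
	s := &DynamicSigner{certFile: filepath.Join(dir, "tls.crt"), keyFile: filepath.Join(dir, "tls.key")}
	must(s.Reload())
	before := s.Issue("system:node:worker-0").Issuer.CommonName
	WriteCA(dir, "kube-csr-signer_@2") // the operator rotated the signer secret
	must(s.Reload())                   // a controller runs this from a file watcher or a ticker
	fmt.Println(before, "->", s.Issue("system:node:worker-0").Issuer.CommonName)
}
```

Run it with go run; the two issuer names printed differ, which is the same observation the QA step above makes from the controller log. Hashing the file content instead of watching modification times makes a rewrite with identical bytes a no-op, and because the new pair is validated before the swap, a half-written or mismatched cert/key never replaces a working signer.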

Comment 7 errata-xmlrpc 2020-05-04 11:38:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581