Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1812570 - cluster etcd operator should have a for change in its metrics endpoint certs
Summary: cluster etcd operator should have a for change in its metrics endpoint certs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Etcd
Version: 4.4
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
: 4.6.0
Assignee: Dan Mace
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-11 15:33 UTC by Alay Patel
Modified: 2020-10-27 15:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 15:57:02 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-etcd-operator pull 374 0 None closed Bug 1812570: Restart operator when metrics serving cert is modified 2020-10-08 14:16:55 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 15:57:05 UTC

Description Alay Patel 2020-03-11 15:33:18 UTC
Description:

The server certs for cluster-etcd-operator pod metrics endpoint are provisioned by service.alpha.openshift.io/serving-cert-secret-name: etcd-operator-serving-cert which can be rotated. The operator binary needs suicider on the metrics serving cert change

Comment 2 Michal Fojtik 2020-05-15 00:35:22 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

Comment 3 Sam Batschelet 2020-05-20 14:25:05 UTC
moving to 4.6 we operator does do not perform cert rotation today. But Alay is right certs are not auto reloaded on every request like etcd server. So cert change would require a restart of metrics container.

Comment 4 Michal Fojtik 2020-05-27 00:02:02 UTC
This bug hasn't had any activity 7 days after it was marked as LifecycleStale, so we are closing this bug as WONTFIX. If you consider this bug still valuable, please reopen it or create new bug.

Comment 6 Dan Mace 2020-05-29 19:38:25 UTC
We may be able to solve this by adding the `--terminate-on-files` flag to the operator container command in the operator's deployment so that the process is restarted when the certs change.

Comment 7 Dan Mace 2020-05-29 19:41:46 UTC
If we _also_ need to bounce the grpc metrics proxy in front of etcd itself, we'll have to add logic to the init container which can induce exit on change to the file. I don't know if there's already an established pattern or piece of code we can use in this context.

Comment 8 Dan Mace 2020-05-29 19:47:56 UTC
Having discussed this a little more with Sam, because new cert contents for etcd itself imply a new revision, a restart is also implied and so there's nothing extra to do on the operand side. We do want to cause the operator itself to restart to reload certs.

Comment 14 errata-xmlrpc 2020-10-27 15:57:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.