Bug 1820610 - csr-signer isn't refreshed in recovery flow
Summary: csr-signer isn't refreshed in recovery flow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-controller-manager
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.5.0
Assignee: Tomáš Nožička
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks: 1820613
TreeView+ depends on / blocked
 
Reported: 2020-04-03 12:59 UTC by Tomáš Nožička
Modified: 2020-08-04 18:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1820613 (view as bug list)
Environment:
Last Closed: 2020-08-04 18:04:08 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-controller-manager-operator pull 385 0 None closed Bug 1820610: Refresh csr-signer in recovery flow 2020-10-20 02:42:58 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-08-04 18:04:12 UTC

Description Tomáš Nožička 2020-04-03 12:59:23 UTC
Description of problem:
KCM recovery side car isn't refreshing csr-signer and csr-signer-signer


Version-Release number of selected component (if applicable):
4.4.0-0.nightly-2020-04-01-141451

How reproducible:
always


Steps to Reproduce:
1. stop cluster for 25h
2.
3.

Actual results:
    auth.openshift.io/certificate-issuer: kubelet-signer
    auth.openshift.io/certificate-not-after: "2020-04-02T18:34:29Z"
    auth.openshift.io/certificate-not-before: "2020-04-01T18:48:01Z"


Expected results:
    auth.openshift.io/certificate-issuer: openshift-kube-controller-manager-operator_csr-signer-signer@1585915545

Additional info:

Comment 1 Tomáš Nožička 2020-04-03 13:07:16 UTC
QA note: this is purely related to auto recovery flow, not the manual steps

Comment 4 zhou ying 2020-04-09 08:47:40 UTC
Confirmed with payload: 4.5.0-0.nightly-2020-04-07-234835, the issue has fixed:

[root@dhcp-140-138 ~]#   oc get secrets csr-signer -o json -n openshift-kube-controller-manager-operator
{
    "apiVersion": "v1",
    "data": {
        "tls.crt": ...
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "auth.openshift.io/certificate-issuer": "openshift-kube-controller-manager-operator_csr-signer-signer@1586420549",
            "auth.openshift.io/certificate-not-after": "2020-05-09T08:22:30Z",
            "auth.openshift.io/certificate-not-before": "2020-04-09T08:22:29Z"
        },




[root@dhcp-140-138 ~]#   oc get secrets csr-signer -o json -n openshift-kube-controller-manager-operator
{
    "apiVersion": "v1",
    "data": {
        "tls.crt": ....
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "auth.openshift.io/certificate-issuer": "openshift-kube-controller-manager-operator_csr-signer-signer@1586420549",
            "auth.openshift.io/certificate-not-after": "2020-05-09T08:22:30Z",
            "auth.openshift.io/certificate-not-before": "2020-04-09T08:22:29Z"
        },

Comment 6 errata-xmlrpc 2020-08-04 18:04:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.