+++ This bug was initially created as a clone of Bug #1843949 +++
+++ This bug was initially created as a clone of Bug #1813894 +++

with the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6

1. find the initial deprecation notice in docs
2. have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. write a controller in the operator that removes the service-ca from all secrets.
3. create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`. The name is abusive and clear. People who set it should be very aware and not call us.
4. if the value is set, set the env var and mark the cluster upgradeable==false

In 4.6, we can remove the code entirely because no one can be relying on it.

--- Additional comment from Maru Newby on 2020-03-24 02:30:59 UTC ---

Corrected commit targeted for removal: https://github.com/openshift/kubernetes/commit/46562f3b5e34287b6ef79b92e54d9bee78ab735d

--- Additional comment from Maru Newby on 2020-03-24 06:00:15 UTC ---

Initial deprecation notice: https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes

--- Additional comment from Stefan Schimanski on 2020-05-06 11:03:47 UTC ---

--- Additional comment from Maru Newby on 2020-05-07 22:46:46 UTC ---

PR to remove the code has been posted, and its merge should be deferred until 4.6: https://github.com/openshift/origin/pull/24393

--- Additional comment from Maru Newby on 2020-05-20 14:14:02 UTC ---

Still waiting on the updates to the following operators:
- openshift/cluster-kube-controller-manager-operator (submitted but blocked by persistent and unrelated test flake)
- openshift/cluster-samples-operator (coordinating with maintainers of jboss-container-images to get required upstream changes merged)

--- Additional comment from Maru Newby on 2020-05-29 21:22:06 UTC ---

The cluster-samples-operator fix is still in-progress, but testing the change is now possible. The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in the pod filesystem: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

--- Additional comment from Maru Newby on 2020-06-02 14:50:55 UTC ---

The openshift/library PR has merged: https://github.com/openshift/library/pull/219

Tomorrow (June 3rd), once a nightly job has made the necessary updates to the branch, cluster-samples-operator will be able to vendor the change. This vendoring change will need to merge to master and then be backported to 4.5.
Maru - do you and your team view getting these SSO templates updated as a 4.5.0 blocker?
Brandy - I forget, is there some tagging or labelling of bugs we should do to note they should be release noted?
For verification, simply instantiate one of the SSO templates Maru changed and confirm service-ca is not in the token secret. Visit the changed files from the PR associated with this bz for that list.
With the PR merged, we don't need to release note
Instantiate one of the SSO templates:

$ oc new-app sso74-ocp4-x509-postgresql-persistent

$ for i in `oc get secret | awk '{print $1}'`; do oc get secret $i -o json | jq '.data["service-ca.crt"]' -r ; done
Error from server (NotFound): secrets "NAME" not found
null
null
null
null
null
null
null
null
null
null
null

$ oc get cm
NAME             DATA   AGE
sso-service-ca   1      3m30s

$ oc get pods
NAME                      READY   STATUS      RESTARTS   AGE
sso-1-9nnvx               1/1     Running     1          4m26s
sso-1-deploy              0/1     Completed   0          4m30s
sso-postgresql-1-4mmb2    1/1     Running     0          4m27s
sso-postgresql-1-deploy   0/1     Completed   0          4m30s

$ oc rsh sso-1-9nnvx
sh-4.4$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt  namespace  token

Verified this issue in 4.5.0-rc.1
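The same check as the jq loop above, done over the whole SecretList in one pass instead of one `oc get` per secret. This is an added helper, not code from the bug thread or from any OpenShift project; it assumes you feed it the output of `oc get secrets -o json` (the sample below is constructed) and it flags service-account token secrets that still carry the deprecated `service-ca.crt` key, which should be none after the 4.5 change.

```python
"""Flag Kubernetes Secrets that still carry the deprecated service-ca.crt key.

Hypothetical helper (not part of the bug or of OpenShift). Input is a
SecretList document such as `oc get secrets -A -o json` prints; a clean
4.5 cluster should produce an empty result.
"""
import json

DEPRECATED_KEY = "service-ca.crt"
TOKEN_TYPE = "kubernetes.io/service-account-token"


def secrets_with_service_ca(secret_list_json, token_secrets_only=True):
    """Return [(namespace, name)] of secrets whose .data contains service-ca.crt.

    Only service-account token secrets are reported by default, since those
    are the ones the removed wiring populated; token_secrets_only=False scans
    every secret, which is what the operator's cleanup controller targets.
    """
    doc = json.loads(secret_list_json)
    hits = []
    for item in doc.get("items", []):
        if token_secrets_only and item.get("type") != TOKEN_TYPE:
            continue
        data = item.get("data") or {}  # .data is null for an empty secret
        if DEPRECATED_KEY in data:
            meta = item.get("metadata", {})
            hits.append((meta.get("namespace", ""), meta.get("name", "")))
    return hits


# Constructed sample in the shape of `oc get secrets -o json` (not real data).
SAMPLE = json.dumps({
    "kind": "SecretList",
    "items": [
        {"type": TOKEN_TYPE,
         "metadata": {"namespace": "sso", "name": "default-token-abcde"},
         "data": {"ca.crt": "Zm9v", "token": "YmFy", "service-ca.crt": "YmF6"}},
        {"type": TOKEN_TYPE,
         "metadata": {"namespace": "sso", "name": "sso-token-fghij"},
         "data": {"ca.crt": "Zm9v", "token": "YmFy"}},
        {"type": "Opaque",
         "metadata": {"namespace": "sso", "name": "empty"},
         "data": None},
    ],
})

if __name__ == "__main__":
    for ns, name in secrets_with_service_ca(SAMPLE):
        print(f"deprecated service-ca.crt still present: {ns}/{name}")
```

Pipe real cluster output in with `oc get secrets -A -o json | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`; any line printed means the cleanup has not reached that secret.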
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409