Bug 1843953 - stop adding service-ca to token secret in 4.5
Summary: stop adding service-ca to token secret in 4.5
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Samples
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Gabe Montero
QA Contact: XiuJuan Wang
Depends On: 1843949
Reported: 2020-06-04 13:42 UTC by Gabe Montero
Modified: 2020-07-13 17:43 UTC

Fixed In Version:
Doc Type: Removed functionality
Doc Text:
The service-serving CA is no longer available in pods at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. This file has been deprecated since 4.1. Pods that currently consume the service-serving CA bundle from /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt must migrate to obtaining the CA bundle from a configMap annotated with service.beta.openshift.io/inject-cabundle=true. The change removes the OCP templates identified as using this removed functionality.
Clone Of: 1843949
Last Closed: 2020-07-13 17:43:18 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-samples-operator pull | 286 | 0 | None | closed | [release-4.5] Bug 1843953: pull in sso compatibility fixes for 4.5 and above | 2021-02-11 18:36:13 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:43:38 UTC

Description Gabe Montero 2020-06-04 13:42:30 UTC
+++ This bug was initially created as a clone of Bug #1843949 +++

+++ This bug was initially created as a clone of Bug #1813894 +++

with the goal of removing https://github.com/openshift/kubernetes/pull/116/commits/66d4751e4f866a9e51386eaac93bbdb3537f4813 in 4.6

1. find the initial deprecation notice in docs
2. have the value be off by default, with some ugly wiring (probably env var) to turn back on.
2.5. write a controller in the operator that removes the service-ca from all secrets.
3. create a new field in kcm.operator.openshift.io named `enableDeprecatedAndRemovedServiceCAKeyUntilNextRelease_ThisMakesClusterImpossibleToUpgrade`.  The name is abusive and clear.  People who set it should be very aware and not call us.
4. if the value is set, set the env var and mark the cluster upgradeable==false

In 4.6, we can remove the code entirely because no one can be relying on it.

--- Additional comment from Maru Newby on 2020-03-24 02:30:59 UTC ---

Corrected commit targeted for removal: https://github.com/openshift/kubernetes/commit/46562f3b5e34287b6ef79b92e54d9bee78ab735d

--- Additional comment from Maru Newby on 2020-03-24 06:00:15 UTC ---

Initial deprecation notice: https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes

--- Additional comment from Stefan Schimanski on 2020-05-06 11:03:47 UTC ---

--- Additional comment from Maru Newby on 2020-05-07 22:46:46 UTC ---

PR to remove the code has been posted, and its merge should be deferred until 4.6: 


--- Additional comment from Maru Newby on 2020-05-20 14:14:02 UTC ---

Still waiting on the updates to the following operators:

- openshift/cluster-kube-controller-manager-operator (submitted but blocked by persistent and unrelated test flake)
- openshift/cluster-samples-operator (coordinating with maintainers of jboss-container-images to get required upstream changes merged)

--- Additional comment from Maru Newby on 2020-05-29 21:22:06 UTC ---

The cluster-samples-operator fix is still in-progress, but testing the change is now possible.

The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in the pod filesystem:


--- Additional comment from Maru Newby on 2020-06-02 14:50:55 UTC ---

The openshift/library PR has merged: 


Tomorrow (June 3rd), once a nightly job has made the necessary updates to the branch, cluster-samples-operator will be able to vendor the change. This vendoring change will need to merge to master and then backported to 4.5.

Comment 1 Gabe Montero 2020-06-04 14:44:39 UTC
Maru - do you and your team view getting these SSO templates updated as a 4.5.0 blocker?

Comment 3 Gabe Montero 2020-06-04 15:30:19 UTC
Brandy - I forget, is there some tagging or labelling of bugs we should do to note they should be release noted?

Comment 6 Gabe Montero 2020-06-04 21:42:04 UTC
for verification, simply instantiate one of the SSO templates Maru changed and confirm service-ca is not in the token secret

visit the changed files from the PR associated with this bz for that list

Comment 7 Gabe Montero 2020-06-04 21:42:50 UTC
With the PR merged, we don't need to release note

Comment 8 XiuJuan Wang 2020-06-10 09:51:10 UTC
Instantiate one of the SSO templates
$oc new-app sso74-ocp4-x509-postgresql-persistent
for i in `oc get secret | awk '{print $1}'`; do oc get secret $i  -o json | jq '.data["service-ca.crt"]' -r  ; done
Error from server (NotFound): secrets "NAME" not found
$oc get cm 
NAME             DATA   AGE
sso-service-ca   1      3m30s
$oc get pods
NAME                      READY   STATUS      RESTARTS   AGE
sso-1-9nnvx               1/1     Running     1          4m26s
sso-1-deploy              0/1     Completed   0          4m30s
sso-postgresql-1-4mmb2    1/1     Running     0          4m27s
sso-postgresql-1-deploy   0/1     Completed   0          4m30s

$ oc rsh sso-1-9nnvx
sh-4.4$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt	namespace  token

Verified this issue in 4.5.0-rc.1
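The verification in Comment 6 and Comment 8 (no service-ca.crt in the token secret, CA bundle delivered through an inject-cabundle configmap instead) can be done against the JSON that `oc get secrets -o json` and `oc get configmaps -o json` return, which also avoids the NAME header problem in the `oc get secret | awk` loop above. The following is an added example, not code from this bug or from cluster-samples-operator; the secret and configmap documents are constructed sample input.

```python
"""Audit helper: find token secrets still carrying the deprecated
service-ca.crt key, and list configmaps opted in to CA-bundle injection."""
import json

TOKEN_TYPE = "kubernetes.io/service-account-token"
DEPRECATED_KEY = "service-ca.crt"
INJECT_ANNOTATION = "service.beta.openshift.io/inject-cabundle"


def token_secrets_with_service_ca(secret_list):
    """Names of service-account token secrets whose .data still has service-ca.crt.
    Works on the typed list, so non-token secrets (e.g. an Opaque secret that
    legitimately stores a CA) are not reported."""
    return sorted(
        s["metadata"]["name"]
        for s in secret_list.get("items", [])
        if s.get("type") == TOKEN_TYPE and DEPRECATED_KEY in (s.get("data") or {})
    )


def cabundle_configmaps(cm_list):
    """Map configmap name -> True when the service-ca operator has already injected
    the bundle (service-ca.crt data key present), False when annotated but empty."""
    result = {}
    for cm in cm_list.get("items", []):
        annotations = cm["metadata"].get("annotations") or {}
        if annotations.get(INJECT_ANNOTATION) == "true":
            result[cm["metadata"]["name"]] = DEPRECATED_KEY in (cm.get("data") or {})
    return result


# Constructed sample input (not captured from a cluster); "..." stands for base64 data.
SECRETS = json.loads('''{"items": [
 {"metadata": {"name": "sso-token-abcde"}, "type": "kubernetes.io/service-account-token",
  "data": {"ca.crt": "...", "namespace": "ZGVmYXVsdA==", "token": "...", "service-ca.crt": "..."}},
 {"metadata": {"name": "default-token-fghij"}, "type": "kubernetes.io/service-account-token",
  "data": {"ca.crt": "...", "namespace": "ZGVmYXVsdA==", "token": "..."}},
 {"metadata": {"name": "sso-x509-https-secret"}, "type": "Opaque",
  "data": {"service-ca.crt": "..."}}]}''')
CONFIGMAPS = json.loads('''{"items": [
 {"metadata": {"name": "sso-service-ca",
   "annotations": {"service.beta.openshift.io/inject-cabundle": "true"}},
  "data": {"service-ca.crt": "..."}},
 {"metadata": {"name": "pending-ca",
   "annotations": {"service.beta.openshift.io/inject-cabundle": "true"}}},
 {"metadata": {"name": "unrelated"}, "data": {"k": "v"}}]}''')

if __name__ == "__main__":
    print("token secrets still carrying service-ca.crt:", token_secrets_with_service_ca(SECRETS))
    print("inject-cabundle configmaps (bundle injected?):", cabundle_configmaps(CONFIGMAPS))
```

On a 4.5 cluster the first list should be empty for a freshly instantiated SSO template, and the template's sso-service-ca configmap should show up as injected.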

Comment 10 errata-xmlrpc 2020-07-13 17:43:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

