Bug 1860789 - [oc compatibility] - Cannot approve csr using oc 4.5 client on 4.6 server
Summary: [oc compatibility] - Cannot approve csr using oc 4.5 client on 4.6 server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.5.z
Assignee: Maciej Szulik
QA Contact: RamaKasturi
URL:
Whiteboard:
: 1861828 1862352 1879177 (view as bug list)
Depends On: 1874056
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-27 07:05 UTC by RamaKasturi
Modified: 2020-10-19 14:54 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A new API version for CSR was introduced in OCP 4.6. Consequence: As a consequence older versions were not able to approve or deny certificates during upgrade. Fix: Tolerate different versions of CSRs in older versions of oc. Result: It is possible to deny or approve certificates with oc 4.5 against OCP server 4.6.
Clone Of:
Environment:
Last Closed: 2020-10-19 14:54:24 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift kubernetes-client-go pull 19 0 None closed Bug 1860789: UPSTREAM: <carry>: stop defaulting kubeconfig to http://localhost:8080 2021-02-16 16:59:21 UTC
Github openshift oc pull 551 0 None closed Bug 1860789: Rebase k8s to 1.18.8 to enable approving CSRs on a 4.6 server 2021-02-16 16:59:21 UTC
Github openshift origin pull 25560 0 None closed Bug 1860789: test: Report an error message when a pod fails in a cmd test 2021-02-16 16:59:21 UTC
Red Hat Bugzilla 1692670 0 low CLOSED user must know which version of OpenShift is running 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2020:4228 0 None None None 2020-10-19 14:54:40 UTC

Description RamaKasturi 2020-07-27 07:05:52 UTC
Description of problem:
When trying to approve a csr on 4.6 cluster using oc4.5 client it fails with error "error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"


Version-Release number of selected component (if applicable):
[ramakasturinarra@dhcp35-60 ~]$ oc version
Client Version: 4.5.0-202007240519.p0-b66f2d3
Server Version: 4.6.0-0.nightly-2020-07-25-091217
Kubernetes Version: v4.6.0-202007250017.p0-dirty


How reproducible:
Always

Steps to Reproduce:
1. Use oc 4.5 client 4.5.0-202007240519.p0-b66f2d3 to approve a csr on 4.6 server
2. oc adm certificate approve <csr-name>

Actual results:
Approving certificate fails with "error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubectl/pkg/scheme/scheme.go:28"

Expected results:

Approval of certificates should work with out any issues.

Additional info:
Same works fine with "openshift-clients-4.6.0-202007241012.p0.git.3670.b87fe27.el7.x86_64"
[ramakasturinarra@dhcp35-60 ~]$ oc adm certificate approve csr-r4cdq
certificatesigningrequest.certificates.k8s.io/csr-r4cdq approved

Comment 1 RamaKasturi 2020-07-27 07:28:18 UTC
I run oc get node cmd in 4.5 server, then in .kube/cache/discovery/, it has certificates.k8s.io/v1beta1.
But for 4.6 server, has both certificates.k8s.io/v1beta1 and certificates.k8s.io/v1. oc 4.5 should work for this change, i.e. is a bug

Comment 2 Tomáš Nožička 2020-07-28 14:01:20 UTC
yeah, we need to backport kubernetes fixes that went into 1.18 branch - we are planing a small rebase

Comment 4 Maciej Szulik 2020-08-10 15:16:15 UTC
Now that I'm back, I'll be handling these.

Comment 5 Maciej Szulik 2020-08-11 10:23:35 UTC
*** Bug 1861828 has been marked as a duplicate of this bug. ***

Comment 6 Maciej Szulik 2020-08-11 10:23:45 UTC
*** Bug 1862352 has been marked as a duplicate of this bug. ***

Comment 7 Maciej Szulik 2020-08-21 14:10:22 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 8 Aleksandar Kostadinov 2020-08-24 22:56:55 UTC
If not fixed it needs to go to release notes as users expect oc version x.y to be compatible with cluster version x.y+1

Comment 9 Maciej Szulik 2020-08-25 10:34:19 UTC
(In reply to Aleksandar Kostadinov from comment #8)
> If not fixed it needs to go to release notes as users expect oc version x.y
> to be compatible with cluster version x.y+1

It is planned to be fixed in 4.5

Comment 10 Aleksandar Kostadinov 2020-08-25 21:29:47 UTC
Sounds good, thank you.

This is also failing in the same way with as early as 4.2.35 (that I had available to test with). Are earlier versions going to be fixed?

Comment 11 Maciej Szulik 2020-08-26 09:57:38 UTC
(In reply to Aleksandar Kostadinov from comment #10)
> Sounds good, thank you.
> 
> This is also failing in the same way with as early as 4.2.35 (that I had
> available to test with). Are earlier versions going to be fixed?

Nope, we guarantee +/- 1 version compatibility, so only 4.5 will be fixed. Also earlier versions are either EOL or in maintenance.

Comment 12 Maciej Szulik 2020-09-03 15:02:47 UTC
This will be fixed in https://github.com/openshift/oc/pull/551

Comment 13 Maciej Szulik 2020-09-11 11:18:49 UTC
PR is waiting in the queue.

Comment 14 rvanderp 2020-09-15 16:34:44 UTC
*** Bug 1879177 has been marked as a duplicate of this bug. ***

Comment 15 Maciej Szulik 2020-10-01 08:26:01 UTC
The PRs are in the queue already.

Comment 20 errata-xmlrpc 2020-10-19 14:54:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.15 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4228


Note You need to log in before you can comment on or make changes to this bug.