Bug 1901869 - The master-cert couldn't be regenerated
Summary: The master-cert couldn't be regenerated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Jeff Cantrill
QA Contact: Anping Li
Docs Contact: Rolfe Dlugy-Hegwer
URL:
Whiteboard: logging-core
Depends On:
Blocks:
Reported: 2020-11-26 10:06 UTC by Anping Li
Modified: 2021-02-24 11:23 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, if you deleted the secret, it was not recreated. Even though the certificates were on a disk local to the operator, they weren't rewritten because they hadn't changed. That is, certificates were only written if they changed. The current release fixes this issue. It rewrites the secret if the certificate changes or is not found. Now, if you delete the master-certs, they are replaced. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1901869[*BZ#1901869*])
Clone Of:
Environment:
Last Closed: 2021-02-24 11:22:30 UTC
Target Upstream Version:
Embargoed:


Attachments
Logging must gather (1.13 MB, application/gzip)
2020-11-26 10:09 UTC, Anping Li


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift cluster-logging-operator pull 819 | 0 | None | closed | Bug 1901869: Recreate master-certs if deleted | 2021-02-09 00:47:44 UTC |
| Red Hat Product Errata | RHBA-2021:0652 | 0 | None | None | None | 2021-02-24 11:23:16 UTC |

Description Anping Li 2020-11-26 10:06:47 UTC
Description of Problem:
After deleting the secret master-cert, the secret couldn't be recreated.

Version-Release number of selected component (if applicable):
CSV: clusterlogging.4.6.0-202011260456.p0
cluster-logging-operator: v4.6.0-202011260456.p0; Last commit ID: 332dec5d433570f7e315b1629159c81abfe936d4

How Reproducible:
Always

Steps to Reproduce:
1. Deploy cluster-logging
2. oc delete secret master-cert
3. Wait for a while, and check the secret


Actual Result:
master-cert wasn't recreated.

Expected Result:
A new master-cert was generated.

Comment 1 Anping Li 2020-11-26 10:09:30 UTC
Created attachment 1733692
Logging must gather

Comment 2 Jeff Cantrill 2020-11-30 16:23:16 UTC
The workaround is to delete the CLO pod, as I believe the issue is that certs are cached in the pod's temp directory. There is logic to not write the certs back if they have not changed. This means if they exist on disk and have not changed or were never written then they never will be written.
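
The write-only-if-changed behaviour described in Comment 2 and in the Doc Text, next to the "changed or not found" check from the fix, as an added Go example that is not the cluster-logging-operator's own code. `Cluster`, `Operator` and the reconcile functions are hypothetical in-memory stand-ins, and the certificate bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// Cluster is a constructed in-memory stand-in for the cluster's secret store.
type Cluster map[string][]byte

// Operator caches the last certificate it wrote, like files in the pod's temp directory.
type Operator struct{ cached map[string][]byte }

// ReconcileBuggy writes the secret only when the certificate changed.
func (o *Operator) ReconcileBuggy(c Cluster, name string, cert []byte) bool {
	if bytes.Equal(o.cached[name], cert) {
		return false // unchanged locally: skipped even if the secret was deleted
	}
	o.cached[name], c[name] = cert, cert
	return true
}

// ReconcileFixed writes when the certificate changed or the secret is not found.
func (o *Operator) ReconcileFixed(c Cluster, name string, cert []byte) bool {
	if _, found := c[name]; found && bytes.Equal(o.cached[name], cert) {
		return false
	}
	o.cached[name], c[name] = cert, cert
	return true
}

// SecretExistsAfterDelete deploys, deletes the secret, reconciles again and reports whether the secret is back.
func SecretExistsAfterDelete(fixed bool) bool {
	c, op := Cluster{}, &Operator{cached: map[string][]byte{}}
	cert := []byte("constructed certificate bytes") // constructed sample
	reconcile := op.ReconcileBuggy
	if fixed {
		reconcile = op.ReconcileFixed
	}
	reconcile(c, "master-certs", cert) // initial deploy
	delete(c, "master-certs")          // oc delete secret
	reconcile(c, "master-certs", cert) // next reconcile loop
	_, ok := c["master-certs"]
	return ok
}

func main() {
	fmt.Println("buggy recreates secret:", SecretExistsAfterDelete(false))
	fmt.Println("fixed recreates secret:", SecretExistsAfterDelete(true))
}
```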

Comment 4 Anping Li 2020-12-08 03:49:09 UTC
Verified on clusterlogging.4.7.0-202012072045.p0

Comment 12 errata-xmlrpc 2021-02-24 11:22:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Errata Advisory for Openshift Logging 5.0.0), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0652

