Bug 1902059 - Wire a real signer for service accout issuer
Summary: Wire a real signer for service accout issuer
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Standa Laznicka
QA Contact: scheng
Depends On:
TreeView+ depends on / blocked
Reported: 2020-11-26 16:56 UTC by Tomáš Nožička
Modified: 2021-02-24 15:36 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-02-24 15:36:28 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1019 0 None closed Bug 1902059: bootstrap: always wire bound SA keys 2021-02-17 13:50:28 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:36:52 UTC

Description Tomáš Nožička 2020-11-26 16:56:11 UTC
https://github.com/openshift/cluster-kube-apiserver-operator/pull/1013 has wired a random cert to make kube 1.20 work because it started to require the service account issuer and the associated signing cert to be set. The reason it didn't wire it directly is because the cert requires to be plumbed from the installer and it was blocking the rebase. This is the follow up to fix it.

Comment 7 errata-xmlrpc 2021-02-24 15:36:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.