Description of problem:
Setting an ingress controller's spec.DefaultCertificate.Name field to be the name of the operator generated default certificate (i.e. `router-certs-default`) causes the ingress operator to delete the router-certs-default certificate. See https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/certificate/default_cert.go#L31-L34. Although unlikely, the operator should handle the case where an ingress controller's spec.DefaultCertificate.Name redundantly specifies the already in use default certificate.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. oc edit ingresscontroller default -n openshift-ingress-operator
2. set spec.DefaultCertificate.Name to `router-certs-default`
3. Check ingress operator logs

Actual results:
router-certs-default secret is deleted

Expected results:
no secrets are deleted, and the ingress controller continues to function with or without the DefaultCertificate field redundantly set.

Additional info:
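The failure mode the report describes is a desired-state check that only asks "is a custom certificate configured?" and not "is the configured certificate the generated one?". The following Go snippet is an added illustration of the corrected decision logic, written for this page; it is not the cluster-ingress-operator's own code, and the type names (`IngressControllerSpec`, `LocalObjectReference`), the `Action` values and the function names are assumptions chosen for the example. It models the reconciler's decision about the operator-generated secret for three configurations: field unset, field redundantly naming the generated secret, and field naming a custom secret.

```go
package main

import "fmt"

// Hypothetical, trimmed-down model of the ingress controller's
// spec.defaultCertificate field (a local object reference in the real API).
type LocalObjectReference struct {
	Name string
}

type IngressControllerSpec struct {
	DefaultCertificate *LocalObjectReference
}

// Action the reconciler takes on the operator-generated default secret.
type Action string

const (
	ActionCreate Action = "create" // generated secret wanted but missing
	ActionKeep   Action = "keep"   // generated secret wanted and present
	ActionDelete Action = "delete" // generated secret no longer wanted
	ActionNone   Action = "none"   // not wanted and already absent
)

// wantsGeneratedCert reports whether the operator-generated secret is still
// needed. It is needed when no custom certificate is configured, and also when
// the configured name IS the generated secret (the redundant case from the
// bug). Checking only the first condition is what caused the deletion.
func wantsGeneratedCert(spec IngressControllerSpec, generatedName string) bool {
	if spec.DefaultCertificate == nil || spec.DefaultCertificate.Name == "" {
		return true
	}
	return spec.DefaultCertificate.Name == generatedName
}

// effectiveSecretName returns the secret the router should serve from.
func effectiveSecretName(spec IngressControllerSpec, generatedName string) string {
	if wantsGeneratedCert(spec, generatedName) {
		return generatedName
	}
	return spec.DefaultCertificate.Name
}

// reconcileGeneratedCert compares the desired state with whether the generated
// secret currently exists and returns the action to take on it.
func reconcileGeneratedCert(spec IngressControllerSpec, generatedName string, exists bool) Action {
	want := wantsGeneratedCert(spec, generatedName)
	switch {
	case want && !exists:
		return ActionCreate
	case want && exists:
		return ActionKeep
	case !want && exists:
		return ActionDelete
	default:
		return ActionNone
	}
}

func main() {
	const generated = "router-certs-default"
	// Constructed sample specs covering the three configurations.
	cases := []struct {
		desc string
		spec IngressControllerSpec
	}{
		{"unset", IngressControllerSpec{}},
		{"redundant", IngressControllerSpec{DefaultCertificate: &LocalObjectReference{Name: generated}}},
		{"custom", IngressControllerSpec{DefaultCertificate: &LocalObjectReference{Name: "my-custom-cert"}}},
	}
	for _, c := range cases {
		fmt.Printf("%-10s -> serve %q, action on generated secret: %s\n",
			c.desc, effectiveSecretName(c.spec, generated), reconcileGeneratedCert(c.spec, generated, true))
	}
}
```

With the generated secret present, the "unset" and "redundant" cases both keep it, and only a genuinely custom name causes a delete; the first two cases also resolve to the same effective secret name, which is the behaviour the expected results call for.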
Verified in "4.7.0-0.nightly-2021-01-09-144822" release payload containing the merge. With this release, it is observed that the default router certificates secret continues to persist and remain available after including it explicitly in the ingress controller under the "spec.DefaultCertificate.Name" section.

----
$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      32m

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-01-09-144822   True        False         24m     Cluster version is 4.7.0-0.nightly-2021-01-09-144822

$ oc -n openshift-ingress-operator edit ingresscontroller default
ingresscontroller.operator.openshift.io/default edited

spec:
  defaultCertificate:
    name: router-certs-default

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-vvrzn        kubernetes.io/dockercfg               1      52m
builder-token-flkd4            kubernetes.io/service-account-token   4      52m
builder-token-j48xp            kubernetes.io/service-account-token   4      52m
default-dockercfg-shmmn        kubernetes.io/dockercfg               1      52m
default-token-cd9l7            kubernetes.io/service-account-token   4      52m
default-token-wvdvn            kubernetes.io/service-account-token   4      52m
deployer-dockercfg-rlbnm       kubernetes.io/dockercfg               1      52m
deployer-token-ddvdf           kubernetes.io/service-account-token   4      52m
deployer-token-rxjkd           kubernetes.io/service-account-token   4      52m
router-certs-default           kubernetes.io/tls                     2      52m
router-dockercfg-vckg6         kubernetes.io/dockercfg               1      52m
router-metrics-certs-default   kubernetes.io/tls                     2      51m
router-stats-default           Opaque                                2      52m
router-token-4qgvt             kubernetes.io/service-account-token   4      52m
router-token-hqccr             kubernetes.io/service-account-token   4      52m

$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      54m
----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633