Bug 1912922 - Explicitly specifying the operator generated default certificate for an ingress controller breaks the ingress controller
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.0
Assignee: Stephen Greene
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-05 15:43 UTC by Stephen Greene
Modified: 2021-02-24 15:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Setting an ingress controller's spec.DefaultCertificate.Name field to the name of the operator-generated default certificate (i.e. `router-certs-default`).
Consequence: The ingress operator deletes the operator-generated default certificate.
Fix: The ingress operator only deletes the generated default certificate if spec.DefaultCertificate.Name != the name of the default generated certificate.
Result: Redundantly specifying the name of the ingress controller's operator-generated default certificate does not break the ingress controller.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:50:09 UTC
Target Upstream Version:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-ingress-operator pull 521 | 0 | None | closed | Bug 1912922: default_cert.go: Handle redundantly specified default certificate | 2021-01-11 03:30:12 UTC
Red Hat Product Errata RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:50:25 UTC

Description Stephen Greene 2021-01-05 15:43:30 UTC
Description of problem:

Setting an ingress controller's spec.DefaultCertificate.Name field to be the name of the operator generated default certificate (i.e. `router-certs-default`) causes the ingress operator to delete the router-certs-default certificate. See https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/certificate/default_cert.go#L31-L34.

Although unlikely, the operator should handle the case where an ingress controller's spec.DefaultCertificate.Name redundantly specifies the already in use default certificate.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. oc edit ingresscontroller default -n openshift-ingress-operator
2. set spec.DefaultCertificate.Name to `router-certs-default`
3. Check ingress operator logs

Actual results:

router-certs-default secret is deleted

Expected results:
No secrets are deleted, and the ingress controller continues to function with or without the DefaultCertificate field redundantly set.

Additional info:

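The following is an added example, not code from cluster-ingress-operator or from the reporter. It models the one decision the bug turns on: whether the operator should delete the operator-generated default certificate secret for an ingress controller, given what spec.defaultCertificate.name is set to. `decideBroken` is the pre-fix behaviour described in the report (any explicitly set name causes deletion), `decideFixed` is the behaviour described in the Doc Text (delete only when the name differs from the generated one). The secret set, the `Decision` type and the custom secret name `my-custom-cert` are constructed for the example; "the router's secret no longer exists after reconciliation" is used as the model of the broken ingress controller.

```go
package main

import "fmt"

// Generated is the name of the operator-generated default certificate secret
// for the "default" ingress controller, as named in the bug report.
const Generated = "router-certs-default"

// Decision is what a reconcile pass intends to do (constructed type, not the
// operator's own data model).
type Decision struct {
	DeleteGenerated bool   // remove the operator-generated secret
	RouterSecret    string // secret the router deployment will mount
}

// decideBroken models the pre-fix logic: a non-empty spec.defaultCertificate.name
// is treated as "the user supplied a certificate", so the generated secret is
// deleted even when the name given is the generated secret itself.
func decideBroken(specName string) Decision {
	if specName == "" {
		return Decision{DeleteGenerated: false, RouterSecret: Generated}
	}
	return Decision{DeleteGenerated: true, RouterSecret: specName}
}

// decideFixed models the post-fix logic: the generated secret is deleted only
// when the spec names a different secret.
func decideFixed(specName string) Decision {
	if specName == "" || specName == Generated {
		return Decision{DeleteGenerated: false, RouterSecret: Generated}
	}
	return Decision{DeleteGenerated: true, RouterSecret: specName}
}

// apply simulates the effect of a decision on the secrets present in the
// openshift-ingress namespace and reports whether the router's secret exists
// afterwards. The input map is not modified.
func apply(secrets map[string]bool, d Decision) (map[string]bool, bool) {
	out := make(map[string]bool, len(secrets))
	for k, v := range secrets {
		out[k] = v
	}
	if d.DeleteGenerated {
		delete(out, Generated)
	}
	return out, out[d.RouterSecret]
}

// RouterHealthy runs one reconcile decision against a constructed secret set
// (the generated secret plus any user-provided ones) and returns true if the
// secret the router will mount still exists afterwards.
func RouterHealthy(decide func(string) Decision, specName string, userSecrets ...string) bool {
	secrets := map[string]bool{Generated: true}
	for _, s := range userSecrets {
		secrets[s] = true
	}
	_, ok := apply(secrets, decide(specName))
	return ok
}

func main() {
	cases := []struct{ name, spec string }{
		{"unset", ""},
		{"redundant", Generated},
		{"custom", "my-custom-cert"},
	}
	for _, tc := range cases {
		fmt.Printf("%-10s pre-fix healthy=%-5v post-fix healthy=%v\n", tc.name,
			RouterHealthy(decideBroken, tc.spec, "my-custom-cert"),
			RouterHealthy(decideFixed, tc.spec, "my-custom-cert"))
	}
}
```

Only the "redundant" row differs between the two decision functions: with the pre-fix logic the router is left pointing at a secret the operator has just deleted, which is the failure the report describes. The model also makes a related point visible: with either version, naming a custom secret that does not exist in openshift-ingress leaves the router without a usable certificate, so an explicit spec.defaultCertificate.name should always be checked against `oc -n openshift-ingress get secret`.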
Comment 2 Arvind iyengar 2021-01-11 09:50:41 UTC
Verified in "4.7.0-0.nightly-2021-01-09-144822" release payload containing the merge. With this release, it is observed that the default router certificate secret continues to persist and remain available after including it explicitly in the ingress controller under the "spec.DefaultCertificate.Name" section.
----
$ oc -n openshift-ingress get secret router-certs-default
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      32m

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-01-09-144822   True        False         24m     Cluster version is 4.7.0-0.nightly-2021-01-09-144822

$ oc -n openshift-ingress-operator edit ingresscontroller default          
ingresscontroller.operator.openshift.io/default edited
spec:
  defaultCertificate:
    name: router-certs-default

$ oc -n openshift-ingress get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-vvrzn        kubernetes.io/dockercfg               1      52m
builder-token-flkd4            kubernetes.io/service-account-token   4      52m
builder-token-j48xp            kubernetes.io/service-account-token   4      52m
default-dockercfg-shmmn        kubernetes.io/dockercfg               1      52m
default-token-cd9l7            kubernetes.io/service-account-token   4      52m
default-token-wvdvn            kubernetes.io/service-account-token   4      52m
deployer-dockercfg-rlbnm       kubernetes.io/dockercfg               1      52m
deployer-token-ddvdf           kubernetes.io/service-account-token   4      52m
deployer-token-rxjkd           kubernetes.io/service-account-token   4      52m
router-certs-default           kubernetes.io/tls                     2      52m
router-dockercfg-vckg6         kubernetes.io/dockercfg               1      52m
router-metrics-certs-default   kubernetes.io/tls                     2      51m
router-stats-default           Opaque                                2      52m
router-token-4qgvt             kubernetes.io/service-account-token   4      52m
router-token-hqccr             kubernetes.io/service-account-token   4      52m

$ oc -n openshift-ingress get secret router-certs-default 
NAME                   TYPE                DATA   AGE
router-certs-default   kubernetes.io/tls   2      54m
----

Comment 5 errata-xmlrpc 2021-02-24 15:50:09 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
