For a better and more precise reference for QE to check the code if needed, could you attach all involved repos' PRs to this bug? Thx
Researched the code changes of all the 4.9/4.8/4.7 repos' PRs that are attached and updated in the https://github.com/openshift/service-ca-operator/pull/167 comment, and figured out the test ideas. QA Contact is verifying.
Tested, no issue. Colleague liyao will help comment with the verification steps soon. Moving to VERIFIED first to unblock backport PRs if any.
Tested in 4.9.0-0.nightly-2021-07-14-002315 fresh env:
$ oc get kubecontrollermanager cluster -o yaml | grep -i secure
# This means secure mode is used by default.
$ oc new-project testproj
$ oc get cm openshift-service-ca.crt -o yaml
# The annotation service.beta.openshift.io/inject-cabundle: "true" is seen, and there is only one cert in the service-ca.crt field; this is the secure mode, as expected.
$ oc edit kubecontrollermanager cluster
Change useMoreSecureServiceCA to false in order to test service.alpha.openshift.io/inject-vulnerable-legacy-cabundle later.
This change will make the KCM pods restart; watch and wait for the restart to finish.
Then check `oc get cm openshift-service-ca.crt -o yaml` again: the annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle is seen, and there are multiple certs in the service-ca.crt field.
$ oc extract cm/openshift-service-ca.crt
$ openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -text | grep Issuer
Issuer: OU=openshift, CN=kube-apiserver-lb-signer
Issuer: OU=openshift, CN=kube-apiserver-localhost-signer
Issuer: OU=openshift, CN=kube-apiserver-service-network-signer
# The multiple certs' issuer info can be seen; this means the annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle injects the less secure content, as expected.
3. Create another configmap
$ oc create cm testconfigmap --from-literal=key=value
$ oc annotate cm testconfigmap service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true
Check `oc get cm testconfigmap -o yaml`: no service-ca.crt field is seen. This means service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true only takes effect for the configmap named "openshift-service-ca.crt".
* Will test 4.7->4.8 upgrade scenario when 4.8 clone bug is ON_QA. *
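The manual checks in the verification comment above (which annotation is present, how many certs sit in the service-ca.crt field, and that the legacy annotation is only honoured on the configmap named openshift-service-ca.crt) can be turned into an audit over a whole cluster's ConfigMaps. The script below is an added example and is not part of this bug's comments or of the service-ca-operator code. It assumes the input is the `items` list of `oc get cm -A -o json`; the status labels are this example's own, and the PEM block it uses as sample data is a constructed placeholder (base64 of a minimal DER SEQUENCE), not a real certificate.

```python
"""Audit ConfigMaps for legacy (multi-signer) service CA bundle injection.

Input shape assumed: ConfigMap objects as returned by `oc get cm -A -o json`
(the dicts under "items"). Status labels are this example's own.
"""
import base64
import re

LEGACY_ANNOTATION = "service.alpha.openshift.io/inject-vulnerable-legacy-cabundle"
SECURE_ANNOTATION = "service.beta.openshift.io/inject-cabundle"
BUNDLE_KEY = "service-ca.crt"
SERVICE_CA_CM = "openshift-service-ca.crt"  # the only name the legacy annotation acts on

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_cert_count(bundle: str) -> int:
    """Count PEM certificate blocks whose body is valid base64 of a DER SEQUENCE.

    A malformed block raises (binascii.Error for bad base64, ValueError for
    bytes that are not a DER SEQUENCE) rather than being silently skipped.
    """
    count = 0
    for match in _PEM_BLOCK.finditer(bundle):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:  # 0x30 is the DER SEQUENCE tag
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        count += 1
    return count


def audit_configmap(cm: dict) -> dict:
    """Classify one ConfigMap by its CA-bundle injection state."""
    meta = cm.get("metadata", {})
    annotations = meta.get("annotations") or {}
    bundle = (cm.get("data") or {}).get(BUNDLE_KEY)
    certs = pem_cert_count(bundle) if bundle else 0
    result = {"namespace": meta.get("namespace"), "name": meta.get("name"), "certs": certs}

    if annotations.get(LEGACY_ANNOTATION) == "true":
        if meta.get("name") != SERVICE_CA_CM:
            # The verification above showed the legacy annotation does nothing here.
            result["status"] = "legacy-annotation-ignored"
        else:
            # Multiple signers injected: the less secure mode.
            result["status"] = "legacy"
    elif annotations.get(SECURE_ANNOTATION) == "true":
        # Secure mode injects exactly one cert; anything else deserves a look.
        result["status"] = "secure" if certs == 1 else "secure-annotation-mismatch"
    else:
        result["status"] = "not-injected"
    return result


def legacy_findings(configmaps: list) -> list:
    """Return audit results for every ConfigMap not in a secure or not-injected state."""
    return [r for r in map(audit_configmap, configmaps)
            if r["status"] not in ("secure", "not-injected")]


# Constructed placeholder: base64 of the DER bytes 30 03 02 01 01, not a real certificate.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def _cm(name, namespace, annotations, bundle=None):
    """Build a minimal ConfigMap dict in the `oc get -o json` shape (constructed sample)."""
    cm = {"apiVersion": "v1", "kind": "ConfigMap",
          "metadata": {"name": name, "namespace": namespace, "annotations": annotations}}
    if bundle is not None:
        cm["data"] = {BUNDLE_KEY: bundle}
    return cm


# Constructed sample mirroring the three states seen in the verification steps.
SAMPLE_CONFIGMAPS = [
    _cm(SERVICE_CA_CM, "secure-proj", {SECURE_ANNOTATION: "true"}, FAKE_CERT),
    _cm(SERVICE_CA_CM, "legacy-proj", {LEGACY_ANNOTATION: "true"}, FAKE_CERT * 3),
    _cm("testconfigmap", "legacy-proj", {LEGACY_ANNOTATION: "true"}),
]

if __name__ == "__main__":
    for finding in legacy_findings(SAMPLE_CONFIGMAPS):
        print(f"{finding['namespace']}/{finding['name']}: "
              f"{finding['status']} ({finding['certs']} cert(s))")
```

Run against a real cluster by loading `oc get cm -A -o json` and passing its `items` list to `legacy_findings`; any `legacy` result means a project is still receiving the multi-signer bundle and the cluster's useMoreSecureServiceCA setting should be reviewed.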
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.