For a better and more precise reference for QE to check the code in case needed, could you attach all involved repos' PRs to this bug? Thx
Researched the code changes of all the 4.9/4.8/4.7 repos' PRs that are attached & updated in https://github.com/openshift/service-ca-operator/pull/167 comment and figured out the test thoughts. QA Contact is verifying.
Tested, no issue. Colleague liyao will help comment with the verification steps soon. Moving to VERIFIED first to unblock backport PRs if any.
Tested in 4.9.0-0.nightly-2021-07-14-002315 fresh env:

1.
$ oc get kubecontrollermanager cluster -o yaml | grep -i secure
useMoreSecureServiceCA: true
# This means secure mode is used by default.
$ oc new-project testproj
$ oc get cm openshift-service-ca.crt -o yaml
# annotation service.beta.openshift.io/inject-cabundle: "true" is seen, and only one cert in service-ca.crt field, this is secure as expected

2.
$ oc edit kubecontrollermanager cluster
Change useMoreSecureServiceCA to false in order to test service.alpha.openshift.io/inject-vulnerable-legacy-cabundle later. This change will make KCM pods restart, watch and wait for the restart to finish. Then check `oc get cm openshift-service-ca.crt -o yaml` again, annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle is seen, and multiple certs in service-ca.crt field.
$ oc extract cm/openshift-service-ca.crt
$ openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -text | grep Issuer
Issuer: CN=openshift-service-serving-signer@1626244482
Issuer: OU=openshift, CN=kube-apiserver-lb-signer
Issuer: OU=openshift, CN=kube-apiserver-localhost-signer
Issuer: OU=openshift, CN=kube-apiserver-service-network-signer
Issuer: CN=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1626244483
# Can see the multiple certs' issuer info, this means annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle injects less secure content as expected.

3. Create other configmap
$ oc create cm testconfigmap --from-literal=key=value
$ oc annotate cm testconfigmap service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true
Check `oc get cm testconfigmap -o yaml`, no service-ca.crt field is seen, this means service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true only takes effect for configmap named "openshift-service-ca.crt".

* Will test 4.7->4.8 upgrade scenario when 4.8 clone bug is ON_QA. *
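The verification steps above boil down to two checks: the injected `openshift-service-ca.crt` ConfigMap should carry the `service.beta.openshift.io/inject-cabundle` annotation and exactly one certificate, while the legacy `service.alpha.openshift.io/inject-vulnerable-legacy-cabundle` annotation comes with a multi-signer bundle. The following is an added example, not code from the bug report or from the service-ca-operator project, that automates that audit on a ConfigMap already fetched as JSON (for example from `oc get cm openshift-service-ca.crt -o json`). The sample ConfigMaps and the certificate bodies inside them are constructed placeholders, and the `_recursive_find` lookup of `useMoreSecureServiceCA` assumes nothing about where the key sits in the kubecontrollermanager object beyond its name, which is the only thing the `grep` in the comment shows.

```python
"""Audit an openshift-service-ca.crt ConfigMap for secure vs. legacy CA bundle injection.

Added example; assumes the objects were fetched with `oc get ... -o json` and parsed
into Python dicts.  Only the PEM envelope is inspected, so no crypto library is needed.
"""
import re

SECURE_ANNOTATION = "service.beta.openshift.io/inject-cabundle"
LEGACY_ANNOTATION = "service.alpha.openshift.io/inject-vulnerable-legacy-cabundle"
INJECTED_CM_NAME = "openshift-service-ca.crt"

# Matches one complete PEM certificate block; re.S lets the body span lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def count_pem_certs(bundle: str) -> int:
    """Number of complete BEGIN/END CERTIFICATE blocks in a PEM bundle."""
    return len(_PEM_CERT.findall(bundle or ""))


def _recursive_find(obj, key):
    """Return the first value stored under `key` anywhere in a nested dict/list."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _recursive_find(value, key)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = _recursive_find(item, key)
            if found is not None:
                return found
    return None


def kcm_uses_secure_service_ca(kcm: dict) -> bool:
    """True when useMoreSecureServiceCA is set to true in the kubecontrollermanager object."""
    return _recursive_find(kcm, "useMoreSecureServiceCA") is True


def audit_service_ca_configmap(cm: dict) -> dict:
    """Classify the bundle a ConfigMap carries.

    mode is one of:
      secure       - secure annotation, exactly one cert (expected default)
      legacy       - legacy annotation, more than one cert (useMoreSecureServiceCA=false)
      not-injected - no service-ca.crt key at all (e.g. legacy annotation on another name)
      unexpected   - anything else; worth a closer look
    """
    meta = cm.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    data = cm.get("data") or {}
    bundle = data.get("service-ca.crt")
    cert_count = count_pem_certs(bundle)

    secure = annotations.get(SECURE_ANNOTATION) == "true"
    legacy = annotations.get(LEGACY_ANNOTATION) == "true"

    if bundle is None:
        mode = "not-injected"
    elif secure and not legacy and cert_count == 1:
        mode = "secure"
    elif legacy and cert_count > 1:
        mode = "legacy"
    else:
        mode = "unexpected"

    return {
        "name": meta.get("name"),
        "cert_count": cert_count,
        "mode": mode,
        # The legacy annotation is only honoured on the fixed ConfigMap name.
        "name_is_injected_target": meta.get("name") == INJECTED_CM_NAME,
    }


# --- Constructed sample objects (placeholder PEM bodies, not real certificates) ---
def _fake_cert(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-{label}\n-----END CERTIFICATE-----\n"


SECURE_CM = {
    "metadata": {"name": INJECTED_CM_NAME, "annotations": {SECURE_ANNOTATION: "true"}},
    "data": {"service-ca.crt": _fake_cert("service-serving-signer")},
}
LEGACY_CM = {
    "metadata": {"name": INJECTED_CM_NAME, "annotations": {LEGACY_ANNOTATION: "true"}},
    "data": {"service-ca.crt": "".join(_fake_cert(s) for s in ("svc", "lb", "localhost"))},
}
OTHER_CM = {  # annotated, but not the name the injector acts on
    "metadata": {"name": "testconfigmap", "annotations": {LEGACY_ANNOTATION: "true"}},
    "data": {"key": "value"},
}
KCM_SECURE = {"spec": {"useMoreSecureServiceCA": True}}  # constructed; real path may differ

if __name__ == "__main__":
    print("KCM secure mode:", kcm_uses_secure_service_ca(KCM_SECURE))
    for cm in (SECURE_CM, LEGACY_CM, OTHER_CM):
        print(audit_service_ca_configmap(cm))
```

On a real cluster, pipe `oc get cm openshift-service-ca.crt -o json | python3 -c 'import json,sys; ...'` into `audit_service_ca_configmap`; a `legacy` verdict on a cluster that is supposed to be in secure mode is the condition to alert on.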
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759