Bug 1981498 - enhance service-ca injection
Summary: enhance service-ca injection
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: service-ca
Version: 4.9
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.9.0
Assignee: David Eads
QA Contact: liyao
URL:
Whiteboard:
Depends On:
Blocks: 1981633
TreeView+ depends on / blocked
 
Reported: 2021-07-12 17:10 UTC by David Eads
Modified: 2021-10-18 17:38 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:38:52 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift service-ca-operator pull 167 0 None open bug 1981498: add vulnerable legacy injector to allow for upgrade clusters to use ... 2021-07-12 17:20:07 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:38:55 UTC

Description David Eads 2021-07-12 17:10:25 UTC

Comment 4 Xingxing Xia 2021-07-13 14:00:14 UTC
For better and preciser reference for QE to check the code in case needed, could you attach all involved repos' PRs to this bug? Thx

Comment 5 Xingxing Xia 2021-07-14 09:52:13 UTC
Researched the code changes of all the 4.9/4.8/4.7 repos' PRs that are attached & updated in https://github.com/openshift/service-ca-operator/pull/167 comment and figured out the test thoughts. QA Contact is verifying.

Comment 6 Xingxing Xia 2021-07-14 11:14:55 UTC
Tested, no issue. Colleague liyao will help comment with the verification steps later soon. Moving to VERIFIED first to unblock backport PRs if any.

Comment 7 liyao 2021-07-14 12:35:59 UTC
Tested in 4.9.0-0.nightly-2021-07-14-002315 fresh env:
1. 
$ oc get kubecontrollermanager cluster -o yaml | grep -i secure
  useMoreSecureServiceCA: true
# This means secure mode is used by default.
$ oc new-project testproj
$ oc get cm openshift-service-ca.crt -o yaml 
# annotation service.beta.openshift.io/inject-cabundle: "true" is seen, and only one cert in service-ca.crt field, this is secure as expected

2. 
$ oc edit kubecontrollermanager cluster
Change useMoreSecureServiceCA to false in order to test service.alpha.openshift.io/inject-vulnerable-legacy-cabundle later.
This change will make KCM pods restart, watch and wait for the restart to finish.
Then check `oc get cm openshift-service-ca.crt -o yaml` again, annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle is seen, and multiple certs in service-ca.crt field.
$ oc extract cm/openshift-service-ca.crt
$ openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -text | grep Issuer 
        Issuer: CN=openshift-service-serving-signer@1626244482
        Issuer: OU=openshift, CN=kube-apiserver-lb-signer
        Issuer: OU=openshift, CN=kube-apiserver-localhost-signer
        Issuer: OU=openshift, CN=kube-apiserver-service-network-signer
        Issuer: CN=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@1626244483
# Can see the multiple certs' issuer info, this means annotation service.alpha.openshift.io/inject-vulnerable-legacy-cabundle injects less secure content as expected.

3. Create other configmap
$ oc create cm testconfigmap --from-literal=key=value
$ oc annotate cm testconfigmap service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true
Check `oc get cm testconfigmap -o yaml`, no service-ca.crt field is seen, this means service.alpha.openshift.io/inject-vulnerable-legacy-cabundle=true only takes effect for configmap named "openshift-service-ca.crt".

* Will test 4.7->4.8 upgrade scenario when 4.8 clone bug is ON_QA. *

Comment 11 errata-xmlrpc 2021-10-18 17:38:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.