Description of problem:
When CNV 4.10 is deployed, it takes some time for kubemacpool and nmstate-webhook to settle due to secrets rotation. Looking at the looks like the kubemacpool-cert-manager and nmstate-cert-manager are additionally rotating the other secrets, so they enter a loop and take some time to settle.

Version-Release number of selected component (if applicable):
it affects kubernetes-nmstate and kubemacpool

How reproducible:
Always

Steps to Reproduce:
1. Install kubemacpool and kubernetes-nmstate with NetworkAddonsConfig
2.
3.

Actual results:

Expected results:
kubemacpool-cert-manager should rotate only kubemacpool certs and nmstate-cert-manager should rotate only kubernetes-nmstate certs.

Additional info:
PR reconciling only secrets from the admission webhook configuration https://github.com/qinqon/kube-admission-webhook/pull/60
Verified.
CNV Version - 4.10.
OCP version - 4.10.

Deleting the nmstate secret triggers only said secret's redeployment, not kubemacpool's.

[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc delete secret -n openshift-cnv nmstate-webhook
secret "nmstate-webhook" deleted
[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc get secrets -n openshift-cnv
NAME                              TYPE                                  DATA   AGE
kubemacpool-mutator-ca            Opaque                                2      92m
kubemacpool-service               kubernetes.io/tls                     2      92m
nmstate-ca                        Opaque                                2      92m
nmstate-handler-dockercfg-r6gnb   kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr       kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f       kubernetes.io/service-account-token   4      93m
nmstate-webhook                   kubernetes.io/tls                     2      1s

And the other way around -

[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc delete secret -n openshift-cnv kubemacpool-service
secret "kubemacpool-service" deleted
[cnv-qe-jenkins@n-azav410-kgdb4-executor ~]$ oc get secrets -n openshift-cnv
NAME                              TYPE                                  DATA   AGE
kubemacpool-mutator-ca            Opaque                                2      93m
kubemacpool-service               kubernetes.io/tls                     2      2s
nmstate-ca                        Opaque                                2      93m
nmstate-handler-dockercfg-r6gnb   kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr       kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f       kubernetes.io/service-account-token   4      93m
nmstate-webhook                   kubernetes.io/tls                     2      37s
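The verification above reads the AGE column by eye to confirm that only the deleted secret was recreated. The same check as a script, added here as an example and not part of the bug report or of the kubemacpool/kubernetes-nmstate code; the function names are hypothetical, and the sample listing is the first `oc get secrets` output from the verification comment.

```shell
#!/bin/sh
# recently_created MAX_AGE_SECONDS
# Reads `oc get secrets` output on stdin and prints the NAME of every secret
# whose AGE (e.g. "37s", "92m", "2d3h") is below MAX_AGE_SECONDS.
recently_created() {
    awk -v max="$1" '
        function secs(age,   n, total, i, c) {
            total = 0; n = ""
            for (i = 1; i <= length(age); i++) {
                c = substr(age, i, 1)
                if (c ~ /[0-9]/) { n = n c; continue }
                if      (c == "s") total += n
                else if (c == "m") total += n * 60
                else if (c == "h") total += n * 3600
                else if (c == "d") total += n * 86400
                else if (c == "y") total += n * 31536000
                else return -1          # not an age value
                n = ""
            }
            return (n == "") ? total : -1
        }
        NR == 1 && $1 == "NAME" { next }    # skip the header row
        NF >= 4 { a = secs($NF); if (a >= 0 && a < max) print $1 }
    '
}

# unexpected_rotations DELETED_NAME MAX_AGE_SECONDS
# Prints recently recreated secrets other than the one deliberately deleted.
# Any output means another cert manager rotated a secret it should not own.
unexpected_rotations() {
    recently_created "$2" | grep -v -x -F -- "$1" || true
}

# Listing taken from the verification comment (after deleting nmstate-webhook).
sample_listing() {
    cat <<'EOF'
NAME                              TYPE                                  DATA   AGE
kubemacpool-mutator-ca            Opaque                                2      92m
kubemacpool-service               kubernetes.io/tls                     2      92m
nmstate-ca                        Opaque                                2      92m
nmstate-handler-dockercfg-r6gnb   kubernetes.io/dockercfg               1      93m
nmstate-handler-token-6rjbr       kubernetes.io/service-account-token   4      93m
nmstate-handler-token-6rs2f       kubernetes.io/service-account-token   4      93m
nmstate-webhook                   kubernetes.io/tls                     2      1s
EOF
}

sample_listing | unexpected_rotations nmstate-webhook 60
```

On a live cluster, pipe `oc get secrets -n openshift-cnv` into `unexpected_rotations` shortly after deleting one secret; empty output matches the expected result in this report.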
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0947