Bug 2030574 - console service uses older "service.alpha.openshift.io" for the service serving certificates.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 4.10.0
Assignee: Jakub Hadvig
QA Contact: Xiyun Zhao
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-12-09 08:01 UTC by Arvind iyengar
Modified: 2022-03-10 16:33 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:32:55 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift console-operator pull 621 0 None open Bug 2030574: Console resources are using older 'service.alpha.openshift.io' annotation 2022-01-03 09:19:21 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:33:08 UTC

Description Arvind iyengar 2021-12-09 08:01:23 UTC
Description of problem:
The console service IP appears to use an older "service.alpha.openshift.io" annotation for the service serving certificate configuration whereas all the default created REEN routes presently use the newer "service.beta.openshift.io" annotation which is the current recommended method.
----
oc get clusterversion                     
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-06-201335   True        False         163m    Cluster version is 4.10.0-0.nightly-2021-12-06-201335

oc -n openshift-console get service/console -o yaml       
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: console-serving-cert  <---
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608 
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
  creationTimestamp: "2021-12-09T04:46:34Z"
  labels:
    app: console
  name: console
  namespace: openshift-console
  resourceVersion: "23015"
  uid: 02aa32c1-ab4a-4e2f-a7ff-272d5cb58c02


oc -n openshift-monitoring get svc prometheus-k8s -o yaml        
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
    service.beta.openshift.io/serving-cert-secret-name: prometheus-k8s-tls <----
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
  creationTimestamp: "2021-12-09T04:48:41Z"


oc -n openshift-monitoring get svc thanos-querier -o yaml        
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608
    service.beta.openshift.io/serving-cert-secret-name: thanos-querier-tls <----
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1639024608

----

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-12-06-201335

How reproducible:
* Frequently

Steps to Reproduce:
1. Deploy an OCP environment and check the console service-ip configuration.


Expected results:
Though this does not appear to impact the operation, the service-serving-certificate config related to the console component should ideally use the current "beta" annotation.

Additional info:
The "beta" annotation has been made available since v4.1.  

Doc reference:
https://docs.openshift.com/container-platform/4.9/security/certificates/service-serving-certificate.html
https://docs.openshift.com/container-platform/4.1/authentication/certificates/service-serving-certificate.html

Comment 4 Xiyun Zhao 2022-01-13 11:00:57 UTC
This bug has been verified on payload 4.10.0-0.nightly-2022-01-11-065245

Verification Step:
1. Log in to the CLI.
2. Use the commands below to check the annotation for the service serving certificate configuration. Verify that the console resources are updated to 'service.beta.openshift.io/serving-cert-secret-name: console-serving-cert', especially service/console. Also verify that the changes do not impact the correct resources, like prometheus-k8s or thanos-querier.
  $ oc get clusterversion                     
  $ oc -n openshift-console get service/console -o yaml       
  $ oc -n openshift-monitoring get svc prometheus-k8s -o yaml        
  $ oc -n openshift-monitoring get svc thanos-querier -o yaml

Result:
2. The console resources are being updated; check the results listed below for more details.
  $ oc get clusterversion 
    NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
    version   4.10.0-0.nightly-2022-01-11-065245   True        False         10h     Cluster version is 4.10.0-0.nightly-2022-01-11-065245
                    
  $ oc -n openshift-console get service/console -o yaml 
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: console-serving-cert                          <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473      
  
  $ oc -n openshift-monitoring get svc prometheus-k8s -o yaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: prometheus-k8s-tls                            <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        
  $ oc -n openshift-monitoring get svc thanos-querier -o yaml
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
        service.beta.openshift.io/serving-cert-secret-name: thanos-querier-tls                            <----
        service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1642029473
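
An added example (not part of the bug report or of the console-operator code): a Python check over the JSON produced by `oc get services -A -o json` that flags services still requesting their serving certificate through the alpha annotation. It generalizes the three manual checks above to every service; the function names and the sample list are constructed here, with the sample mirroring the pre-fix output in the description.

```python
import json
import sys

ALPHA = "service.alpha.openshift.io/serving-cert-secret-name"
BETA = "service.beta.openshift.io/serving-cert-secret-name"

def audit_serving_cert_annotations(service_list):
    """Classify each Service by which annotation requests its serving cert.

    Only the *-secret-name keys are inspected: in the output on this page the
    alpha serving-cert-signed-by key is present on every service, fixed ones
    included, so matching on the alpha prefix alone would flag all of them.
    """
    findings = []
    for item in service_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        alpha, beta = ann.get(ALPHA), ann.get(BETA)
        if alpha is None and beta is None:
            continue  # service does not request a serving certificate
        status = "legacy-alpha" if beta is None else ("beta" if alpha is None else "both")
        findings.append((meta.get("namespace"), meta.get("name"), status, beta or alpha))
    return findings

def legacy_services(service_list):
    """Return namespace/name of services that only carry the alpha request."""
    return [f"{ns}/{name}" for ns, name, status, _ in
            audit_serving_cert_annotations(service_list) if status == "legacy-alpha"]

# Constructed sample in the shape of `oc get services -A -o json`.
SIGNER = "openshift-service-serving-signer@1639024608"

def _svc(namespace, name, request):
    ann = {"service.alpha.openshift.io/serving-cert-signed-by": SIGNER,
           "service.beta.openshift.io/serving-cert-signed-by": SIGNER, **request}
    return {"kind": "Service",
            "metadata": {"namespace": namespace, "name": name, "annotations": ann}}

SAMPLE = {"kind": "List", "items": [
    _svc("openshift-console", "console", {ALPHA: "console-serving-cert"}),
    _svc("openshift-monitoring", "prometheus-k8s", {BETA: "prometheus-k8s-tls"}),
    _svc("openshift-monitoring", "thanos-querier", {BETA: "thanos-querier-tls"}),
    {"kind": "Service", "metadata": {"namespace": "default", "name": "kubernetes"}},
]}

if __name__ == "__main__":
    # Pass a saved `oc get services -A -o json` file, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in audit_serving_cert_annotations(data):
        print(*row)
```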

Comment 7 errata-xmlrpc 2022-03-10 16:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

