Bug 2058295 - ACM doesn't accept secret type opaque for cluster api certificate
Summary: ACM doesn't accept secret type opaque for cluster api certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Advanced Cluster Management for Kubernetes
Classification: Red Hat
Component: Cluster Lifecycle
Version: rhacm-2.4
Hardware: x86_64
OS: Other
unspecified
unspecified
Target Milestone: ---
: rhacm-2.4.3
Assignee: Jian Qiu
QA Contact: txue
Christopher Dawson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-24 16:27 UTC by hhemied
Modified: 2022-05-03 16:44 UTC (History)

Fixed In Version: ACM 2.4.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-03 16:44:03 UTC
Target Upstream Version:
Embargoed:
bot-tracker-sync: rhacm-2.4.z+



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | stolostron backlog issues 20219 | 0 | None | None | None | 2022-02-24 18:52:52 UTC |
| Red Hat Product Errata | RHSA-2022:1681 | 0 | None | None | None | 2022-05-03 16:44:35 UTC |

Description hhemied 2022-02-24 16:27:15 UTC
Description of the problem:
I installed ACM 2.4 on an OpenShift 4.824 cluster. The issue appeared when importing the local-cluster.
I see the following error in the managedcluster-import-controller-v2 pod:

```
        /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3-0.20210709165254-650ea59f19cc/pkg/internal/controller/controller.go:214
2022-02-24T16:16:35.468Z        INFO    importconfig-controller Reconciling managed cluster import secret       {"Request.Name": "local-cluster"}
2022-02-24T16:16:35.502Z        ERROR   controller-runtime.manager.controller.importconfig-controller   Reconciler error        {"name": "local-cluster", "namespace": "", "error": "secret openshift-config/cbk-api-certificate-ocpazrs01 should have type=kubernetes.io/tls"}
```

Release version:
ACM 2.4


Operator snapshot version:

OCP version:
OCP 4.8.24

Browser Info:

Steps to reproduce:
1. Create an OpenShift custom API certificate in the type Opaque
2. Install ACM 2.4
3. Wait until importing the local-cluster and check the controller-import pod logs

Actual results:

Can't import the local-cluster or anyone with the type opaque certificate for the cluster API.

Expected results:
Import the cluster with whatever kind of secret type for the certificate.

Additional info:

Comment 1 zyin@redhat.com 2022-03-04 09:49:08 UTC
We will fix this issue in 2.4.3.

Comment 2 Eveline Cai 2022-04-19 04:57:00 UTC
@hhemied can you verify this bug with our ACM 2.4.3?

Comment 4 txue 2022-04-22 02:35:43 UTC
@hhemied
Can you please provide more background info?
1. Is this a customer use case?
2. Can you provide more detailed info/doc/steps about how you created the OpenShift custom API certificate in the type Opaque?

Comment 5 txue 2022-04-22 02:37:35 UTC
@hhemied
Can you please provide more background info?
1. Is this a customer use case?
2. Can you provide more detailed info/doc/steps about how you created the OpenShift custom API certificate in the type Opaque?

Comment 6 hhemied 2022-04-25 07:55:25 UTC
The ACM version: 2.4.3
I can confirm that I could import a cluster with an apiserver certificate with the type: Opaque

Comment 7 hhemied 2022-04-25 07:56:22 UTC
@txue this bug can be closed as resolved

Comment 8 txue 2022-04-25 13:13:28 UTC
Closing as per the reporter's comment.
@hhemied If you can provide the steps to create an "apiserver certificate with the type: Opaque", that will help us reproduce this for our regression test. I can only find the Red Hat document that uses a TLS secret (https://docs.openshift.com/container-platform/4.8/security/certificates/api-server.html)

Comment 10 hhemied 2022-04-27 14:47:27 UTC
This was created by some partner a long time ago for multiple clusters using ansible.

Comment 14 errata-xmlrpc 2022-05-03 16:44:03 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.4.4 security updates and bug fixes), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1681
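
The reconciler error in the description rejects a secret purely on its `type` label. As an added illustration (not the ACM controller's code and not part of this bug thread), the Go check below judges a serving-certificate secret by its contents instead. The function names, the assumption that an Opaque secret carries the same `tls.crt`/`tls.key` keys, and the self-signed sample pair are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateServingCert (hypothetical name) accepts kubernetes.io/tls and Opaque
// secrets alike and judges them by content: tls.crt and tls.key must be a
// parseable PEM certificate and the private key that matches it.
func ValidateServingCert(secretType string, data map[string][]byte) error {
	if secretType != "kubernetes.io/tls" && secretType != "Opaque" {
		return fmt.Errorf("unsupported secret type %q", secretType)
	}
	crt, key := data["tls.crt"], data["tls.key"]
	if len(crt) == 0 || len(key) == 0 {
		return fmt.Errorf("secret needs non-empty tls.crt and tls.key")
	}
	if _, err := tls.X509KeyPair(crt, key); err != nil {
		return fmt.Errorf("tls.crt and tls.key do not match: %w", err)
	}
	return nil
}

// ConstructedPair returns a throwaway self-signed pair (constructed sample
// input so the example runs offline; errors are ignored for brevity).
func ConstructedPair() (crt, key []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: "api.example.test"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

func main() {
	crt, key := ConstructedPair()
	fmt.Println(ValidateServingCert("Opaque", map[string][]byte{"tls.crt": crt, "tls.key": key}))
}
```

Checking the key pair rather than the label still rejects a secret whose key does not belong to the certificate, which a type-only check would let through.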

