Bug 2117524 - openshift-ingress-operator with mTLS does not download CRL
Summary: openshift-ingress-operator with mTLS does not download CRL
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.12.0
Assignee: Ryan Fredette
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-11 08:52 UTC by mmayeras
Modified: 2023-01-17 19:55 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, when the Ingress Operator was configured to enable the use of mTLS, the Operator would not check if CRLs were due to be updated until some other event caused it to reconcile. As a result, CRLs used for mTLS could become out of date. With this update, the Ingress Operator now automatically reconciles when any CRL expires, and CRLs will be updated at the time specified by their `nextUpdate` field. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2117524[*BZ#2117524*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:54:46 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 828 0 None open Bug 2117524: Update CRLs when they expire 2022-10-06 20:56:05 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:55:07 UTC

Comment 16 Hongan Li 2022-10-18 08:39:11 UTC
Thank you for the explanation, Ryan. Then the PR works as expected and the test passed.

$ oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.ci.test-2022-10-18-070104-ci-ln-h8rlvyk-latest   True        False         55m     Cluster version is 4.12.0-0.ci.test-2022-10-18-070104-ci-ln-h8rlvyk-latest

1st CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ne_mtls_ca
        Last Update: Oct 18 07:32:45 2022 GMT
        Next Update: Oct 18 08:32:45 2022 GMT

2nd CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ne_mtls_ca
        Last Update: Oct 18 08:24:30 2022 GMT
        Next Update: Oct 18 09:24:30 2022 GMT

From the ingress-operator log below, we can see the "next update" time is as expected.

2022-10-18T08:26:42.074Z	INFO	operator.crl	crl/crl_configmap.go:69	retrieving certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:26:42.084Z	INFO	operator.crl	crl/crl_configmap.go:69	new certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7", "next update": "2022-10-18 08:32:45 +0000 UTC"}
2022-10-18T08:32:45.008Z	INFO	operator.crl	crl/crl_configmap.go:69	certificate revocation list has expired	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:32:45.008Z	INFO	operator.crl	crl/crl_configmap.go:69	retrieving certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7"}
2022-10-18T08:32:45.017Z	INFO	operator.crl	crl/crl_configmap.go:69	new certificate revocation list	{"subject key identifier": "0725174660fd8aa39e5831d5af80b8ab8ca5b0d7", "next update": "2022-10-18 09:24:30 +0000 UTC"}
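
The behaviour described in the Doc Text and confirmed by the log above, as an added Go example that is not the operator's own code: it parses a CRL, verifies the signature against the issuing CA before trusting anything in it, and derives the reconcile delay from `nextUpdate`, reporting expiry once that time is reached. `requeueAfter` and `newTestCRL` are hypothetical names, and the CA and CRL are constructed test data (the CN and timestamps are copied from comment 16).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// requeueAfter parses a DER-encoded CRL, verifies it against its issuer and
// returns how long the reconciler should wait before fetching it again (the fix
// in this bug: wake up exactly at NextUpdate). expired is true once NextUpdate
// has been reached, the "certificate revocation list has expired" case above.
func requeueAfter(der []byte, issuer *x509.Certificate, now time.Time) (wait time.Duration, expired bool, err error) {
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // never schedule from an unverified CRL
	}
	if err != nil {
		return 0, false, err
	}
	if !crl.NextUpdate.After(now) {
		return 0, true, nil
	}
	return crl.NextUpdate.Sub(now), false, nil
}

// newTestCRL builds a throwaway CA and issues an empty CRL valid from thisUpdate
// to nextUpdate. Constructed test data only; the CN is copied from the report.
func newTestCRL(thisUpdate, nextUpdate time.Time) (crlDER []byte, ca *x509.Certificate, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ne_mtls_ca"},
		NotBefore: thisUpdate.Add(-time.Hour), NotAfter: nextUpdate.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is mandatory
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil { // parsed copy carries the generated SubjectKeyId
		return nil, nil, err
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader,
		&x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}, ca, priv)
	return crlDER, ca, err
}
```

With the 1st CRL's window (07:32:45 to 08:32:45) and the operator's fetch at 08:26:42, `requeueAfter` yields a 6m3s delay; at 08:32:45 it reports the CRL expired, matching the log.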

Comment 22 errata-xmlrpc 2023-01-17 19:54:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

