use RotatedSigningCASecret and RotatedSelfSignedCertKeySecret only in update mode #1234
Conversation
…cret only in update mode UseSecretUpdateOnly is intended as a short term hack for a very specific use case, and it works in tandem with a particular carry patch applied to the openshift kube-apiserver. (openshift/kubernetes#1924) we will remove this when we migrate all of the affected secret objects to their intended type: https://issues.redhat.com/browse/API-1800 in short tls secrets used by this operator are reconciled by multiple controllers at the same time without any coordination. the issue is that the secret's crypto material can be regenerated, which has serious consequences for the platform as it can break external clients and the cluster itself.
openshift-ci-robot
added
jira/severity-critical
|
@p0lyn0mial: This pull request references Jira Issue OCPBUGS-31384, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: p0lyn0mial The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@p0lyn0mial I think we don't need to have that flag set, none of the certs that you tag are created with the SecretTLS type AFAIK |
I'm still testing, so far we have at least |
|
That's for CEO, we can simply patch that out. |
|
@p0lyn0mial: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
We should, we should also make sure that the secret created in the previous versions will be safely migrated to the new type.
Vadim created a 4.6 cluster and below is the list of secrets with the old type. |
|
Great list, I think we might be OK still, given the clients can be updated safely. Let me know how your testing goes. Keep in mind that most secrets outside of openshift-etcd will be simply copied through the resource controller. |
p0lyn0mial
changed the title
openshift-ci-robot
removed
jira/severity-critical
|
@p0lyn0mial: No Jira issue is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
removed
the
jira/valid-bug
|
/close a fix (if any) will be delivered via https://issues.redhat.com/browse/API-1800 |
|
@p0lyn0mial: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
UseSecretUpdateOnly is intended as a short term hack for a very specific use case,
and it works in tandem with a particular carry patch applied to the openshift kube-apiserver.
(openshift/kubernetes#1924)
we will remove this when we migrate all of the affected secret
objects to their intended type: https://issues.redhat.com/browse/API-1800
the issue is that the secret's crypto material
can be regenerated, which has serious consequences for the platform
as it can break external clients and the cluster itself.
xref: openshift/library-go#1705
xref: openshift/kubernetes#1924