OpenShift Bugs: OCPBUGS-10844

Keystore in secret corrupted after editing the secret in the Console


    • Important
    • Rejected

      Description of problem:

      When modifying a secret in the Management Console that includes a binary file (such as a keystore), the keystore gets corrupted after the modification and therefore impacts application functionality (as the keystore cannot be read).
      
      $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
      $ cat cert.pem key.pem > file.crt.txt
      $ openssl pkcs12 -export -in file.crt.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter
      $ oc create secret generic keystore --from-file=mykeystore.pkcs12 --from-file=cert.pem --from-file=key.pem -n project-300
      
      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
        namespace: project-300
      spec:
        containers:
        - name: mypod
          image: quay.io/rhn_support_sreber/curl:latest
          volumeMounts:
          - name: foo
            mountPath: "/keystore"
            readOnly: true
        volumes:
        - name: foo
          secret:
            secretName: keystore
            optional: true
      
      # Getting the md5sum from the file on the local Laptop to compare with what is available in the pod
      $ md5sum mykeystore.pkcs12
      c189536854e59ab444720efaaa76a34a  mykeystore.pkcs12
      
      sh-5.2# ls -al /keystore/..data/
      total 16
      drwxr-xr-x. 2 root root  100 Mar 24 11:19 .
      drwxrwxrwt. 3 root root  140 Mar 24 11:19 ..
      -rw-r--r--. 1 root root 1992 Mar 24 11:19 cert.pem
      -rw-r--r--. 1 root root 3414 Mar 24 11:19 key.pem
      -rw-r--r--. 1 root root 4380 Mar 24 11:19 mykeystore.pkcs12
      
      sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12
      c189536854e59ab444720efaaa76a34a  /keystore/..data/mykeystore.pkcs12
      sh-5.2#
      
      Edit cert.pem in secret using the Management Console
      
      $ oc delete pod mypod -n project-300
      
      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
        namespace: project-300
      spec:
        containers:
        - name: mypod
          image: quay.io/rhn_support_sreber/curl:latest
          volumeMounts:
          - name: foo
            mountPath: "/keystore"
            readOnly: true
        volumes:
        - name: foo
          secret:
            secretName: keystore
            optional: true
      
      sh-5.2# ls -al /keystore/..data/
      total 20
      drwxr-xr-x. 2 root root   100 Mar 24 12:52 .
      drwxrwxrwt. 3 root root   140 Mar 24 12:52 ..
      -rw-r--r--. 1 root root  1992 Mar 24 12:52 cert.pem
      -rw-r--r--. 1 root root  3414 Mar 24 12:52 key.pem
      -rw-r--r--. 1 root root 10782 Mar 24 12:52 mykeystore.pkcs12
      
      sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12
      56f04fa8059471896ed5a3c54ade707c  /keystore/..data/mykeystore.pkcs12
      sh-5.2#      
      
      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.13.0-0.nightly-2023-03-23-204038   True        False         91m     Cluster version is 4.13.0-0.nightly-2023-03-23-204038
      
      The modification was done in the Management Console by selecting the secret and then using Actions -> Edit Secrets -> modifying the value of cert.pem and submitting via the Save button.
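      The changed checksum and the growth of mykeystore.pkcs12 from 4380 to 10782 bytes are the kind of symptom produced when binary bytes are decoded as text and re-encoded on save; that mechanism is an assumption here, not something the report establishes. The script below is an added illustration and is not part of this bug report or of the console code: it simulates such a round trip on a constructed stand-in for the keystore, and shows the check an operator can run on the output of `oc get secret keystore -o json` (saved to a file) to detect a mangled entry before a pod mounts it. The keystore bytes, the secret JSON builder and the round-trip simulation are all constructed for the example.

```python
import base64
import hashlib
import json

# Constructed stand-in for a PKCS#12 keystore. A real one is a DER-encoded ASN.1
# SEQUENCE, so it starts with 0x30 followed by a length; 0x82 0x01 0x00 declares
# a 256-byte body. The body is every byte 0x80..0xFF twice, i.e. bytes that are
# not valid UTF-8 on their own, which is exactly what breaks if the value is
# treated as text.
GOOD_KEYSTORE = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(0x80, 0x100)) * 2


def text_roundtrip(blob: bytes) -> bytes:
    """Assumed failure mode: decode the bytes as UTF-8 text and re-encode on save.

    Every byte that is not valid UTF-8 becomes U+FFFD, which re-encodes as the
    three bytes EF BF BD, so the value both changes and grows.
    """
    return blob.decode("utf-8", errors="replace").encode("utf-8")


def build_secret_json(name: str, namespace: str, data: dict) -> str:
    """Produce JSON in the shape `oc get secret <name> -o json` prints (values base64)."""
    secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v).decode("ascii") for k, v in data.items()},
    }
    return json.dumps(secret)


def decode_secret_data(secret_json: str) -> dict:
    """Base64-decode every entry of a Secret's .data map back to raw bytes."""
    obj = json.loads(secret_json)
    return {k: base64.b64decode(v) for k, v in obj.get("data", {}).items()}


def md5_hex(blob: bytes) -> str:
    """Same digest as `md5sum`, so the result can be compared with the laptop copy."""
    return hashlib.md5(blob).hexdigest()


def der_sequence_length_ok(blob: bytes) -> bool:
    """Check that the outer DER SEQUENCE header agrees with the blob length.

    Only the two-byte long form (0x30 0x82 hi lo) is handled, which covers
    keystores between 256 and 65535 bytes; anything else is reported as bad.
    """
    if len(blob) < 4 or blob[0] != 0x30 or blob[1] != 0x82:
        return False
    declared = int.from_bytes(blob[2:4], "big")
    return declared + 4 == len(blob)


def check_entry(blob: bytes, expected_md5: str) -> dict:
    """Report whether one secret value still matches the file it was created from."""
    return {
        "size": len(blob),
        "md5_matches": md5_hex(blob) == expected_md5,
        "der_length_ok": der_sequence_length_ok(blob),
        # EF BF BD is the UTF-8 encoding of U+FFFD; its presence in a DER file is
        # a strong sign the bytes were round-tripped through a text decoder.
        "has_replacement_char": b"\xef\xbf\xbd" in blob,
    }


def verify_secret(secret_json: str, expected_md5: dict) -> dict:
    """Check every expected key of a Secret against the md5 of the original file."""
    data = decode_secret_data(secret_json)
    report = {}
    for key, digest in expected_md5.items():
        report[key] = check_entry(data[key], digest) if key in data else {"missing": True}
    return report


if __name__ == "__main__":
    expected = {"mykeystore.pkcs12": md5_hex(GOOD_KEYSTORE)}
    before = build_secret_json("keystore", "project-300", {"mykeystore.pkcs12": GOOD_KEYSTORE})
    after = build_secret_json("keystore", "project-300",
                              {"mykeystore.pkcs12": text_roundtrip(GOOD_KEYSTORE)})
    print("before edit:", verify_secret(before, expected))
    print("after edit: ", verify_secret(after, expected))
```

      Against a live cluster the same check is `oc get secret keystore -n project-300 -o json > secret.json` followed by `verify_secret(open("secret.json").read(), {"mykeystore.pkcs12": "<md5 of the local file>"})`; a `has_replacement_char` of True or a failed `der_length_ok` on an entry whose md5 no longer matches points at the value having been rewritten as text rather than at a deliberate change.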
      

      Version-Release number of selected component (if applicable):

      OpenShift Container Platform 4.13.0-0.nightly-2023-03-23-204038 and 4.12.6
      

      How reproducible:

      Always
      

      Steps to Reproduce:

      1. See the detailed steps above
      

      Actual results:

      # md5sum on the Laptop for the file
      $ md5sum mykeystore.pkcs12
      c189536854e59ab444720efaaa76a34a  mykeystore.pkcs12
      
      # md5sum of the file in the pod after the modification in the Management Console
      sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12
      56f04fa8059471896ed5a3c54ade707c  /keystore/..data/mykeystore.pkcs12
      
      The file got corrupted and is not usable anymore. The binary file, though, should not be modified if no changes were made to its value when editing the secret in the Management Console.
      
      

      Expected results:

      The binary file should not be modified if no changes were made to its value when editing the secret in the Management Console.
      

      Additional info:

      A similar problem was already fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1879638, but that was when the binary file was uploaded. It is possible that the secret edit functionality is also missing binary file support.

              jcaiani@redhat.com Joseph Caiani
              rhn-support-sreber Simon Reber
              Xiyun Zhao Xiyun Zhao