-
Bug
-
Resolution: Done-Errata
-
Critical
-
4.10.0
This is a clone of issue OCPBUGS-10844. The following is the description of the original issue:
—
Description of problem:
When modifying a secret in the Management Console that has a binary file inclued (such as a keystore), the keystore will get corrupted post the modification and therefore impact application functionality (as the keystore can not be read). $ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 $ cat cert.pem key.pem > file.crt.txt $ openssl pkcs12 -export -in file.crt.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter $ oc create secret generic keystore --from-file=mykeystore.pkcs12 --from-file=cert.pem --from-file=key.pem -n project-300 apiVersion: v1 kind: Pod metadata: name: mypod namespace: project-300 spec: containers: - name: mypod image: quay.io/rhn_support_sreber/curl:latest volumeMounts: - name: foo mountPath: "/keystore" readOnly: true volumes: - name: foo secret: secretName: keystore optional: true # Getting the md5sum from the file on the local Laptop to compare with what is available in the pod $ md5sum mykeystore.pkcs12 c189536854e59ab444720efaaa76a34a mykeystore.pkcs12 sh-5.2# ls -al /keystore/..data/ total 16 drwxr-xr-x. 2 root root 100 Mar 24 11:19 . drwxrwxrwt. 3 root root 140 Mar 24 11:19 .. -rw-r--r--. 1 root root 1992 Mar 24 11:19 cert.pem -rw-r--r--. 1 root root 3414 Mar 24 11:19 key.pem -rw-r--r--. 1 root root 4380 Mar 24 11:19 mykeystore.pkcs12 sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12 c189536854e59ab444720efaaa76a34a /keystore/..data/mykeystore.pkcs12 sh-5.2# Edit cert.pem in secret using the Management Console $ oc delete pod mypod -n project-300 apiVersion: v1 kind: Pod metadata: name: mypod namespace: project-300 spec: containers: - name: mypod image: quay.io/rhn_support_sreber/curl:latest volumeMounts: - name: foo mountPath: "/keystore" readOnly: true volumes: - name: foo secret: secretName: keystore optional: true sh-5.2# ls -al /keystore/..data/ total 20 drwxr-xr-x. 2 root root 100 Mar 24 12:52 . drwxrwxrwt. 3 root root 140 Mar 24 12:52 .. -rw-r--r--. 1 root root 1992 Mar 24 12:52 cert.pem -rw-r--r--. 1 root root 3414 Mar 24 12:52 key.pem -rw-r--r--. 1 root root 10782 Mar 24 12:52 mykeystore.pkcs12 sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12 56f04fa8059471896ed5a3c54ade707c /keystore/..data/mykeystore.pkcs12 sh-5.2# $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.13.0-0.nightly-2023-03-23-204038 True False 91m Cluster version is 4.13.0-0.nightly-2023-03-23-204038 The modification was done in the Management Console, selecting the secret and then use: Actions -> Edit Secrets -> Modifying the value of cert.pem and submiting via Save button
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.13.0-0.nightly-2023-03-23-204038 and 4.12.6
How reproducible:
Always
Steps to Reproduce:
1. See above the details steps
Actual results:
# md5sum on the Laptop for the file $ md5sum mykeystore.pkcs12 c189536854e59ab444720efaaa76a34a mykeystore.pkcs12 # md5sum of the file in the pod after the modification in the Management Console sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12 56f04fa8059471896ed5a3c54ade707c /keystore/..data/mykeystore.pkcs12 The file got corrupted and is not usable anymore. The binary file though should not be modified if no changes was made on it's value, when editing the secret in the Mansgement Console.
Expected results:
The binary file though should not be modified if no changes was made on it's value, when editing the secret in the Mansgement Console.
Additional info:
A similar problem was alredy fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1879638 but that was, when the binary file was uploaded. Possible that the secret edit functionality is also missing binary file support.
- clones
-
OCPBUGS-16040 Keystore in secret corrupted after editing the secret in the Console
- Closed
- depends on
-
OCPBUGS-16040 Keystore in secret corrupted after editing the secret in the Console
- Closed
- is duplicated by
-
OCPBUGS-36173 Secret key with binary file changes when edited via Console
- POST
- links to
-
RHBA-2023:5151 OpenShift Container Platform 4.12.z bug fix update