Bug
Resolution: Obsolete
Version: 4.10
Description of problem:
When the Service CA secret is renewed, the corresponding CM bundle is missed, and it is never validated, causing outages.
Version-Release number of selected component (if applicable):
4.10 however this would affect newer version as the code base is the same.
How reproducible:
Not sure at this time.
Steps to Reproduce:
Actual results:
omc get cm -n openshift-service-ca signing-cabundle -o json | jq -r '.data["ca-bundle.crt"]' | openssl x509 -noout -text
        Serial Number: 82760325906678489 (0x1260613f329c2d9)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = openshift-service-serving-signer@1658380961
        Validity
            Not Before: Jul 21 05:22:41 2022 GMT
            Not After : Sep 18 05:22:42 2024 GMT
Expected results:
omc get secrets -n openshift-service-ca signing-key -o json | jq '.data["tls.crt"]' -r | base64 -d | openssl x509 -noout -text
        Serial Number: 468841172446146030 (0x681a88ff3baedee)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = openshift-service-serving-signer@1658380961
        Validity
            Not Before: Aug 20 05:22:48 2023 GMT
            Not After : Oct 18 05:22:49 2025 GMT
Additional info:
The controllers never validate that the CM (cert bundle) matches the secret (CA). We also require a pod restart; I can clearly see that the CA bundle is only read once at start:
https://github.com/openshift/service-ca-operator/blob/5e9dfaadeb46f3ca7ff4343ed4f76f1186ea3003/pkg/controller/cabundleinjector/starter.go#L51C6-L51C27
So even if the CM was updated it still would not get injected correctly. Therefore I do not see how this controller can actually reconcile the CA bundle CM after a CA renews.
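The check the report says the controllers never perform, written as an added example in Go (the operator's language). This is not code from the service-ca-operator repository or from the reporter: it parses the PEM bundle held in the ConfigMap and tests whether the signer certificate from the secret is present in it, comparing raw DER so that two signers sharing the same Issuer CN (as the two openssl outputs above do) are not confused. The function names, the self-signed throwaway CAs, and the constructed scenario (dates taken from the two outputs above) are this example's own assumptions; on a real cluster you would feed BundleContainsSigner the data["ca-bundle.crt"] of signing-cabundle and the base64-decoded tls.crt of signing-key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts decodes every CERTIFICATE block in a PEM bundle (other block types are skipped).
func parsePEMCerts(pemBytes []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// BundleContainsSigner reports whether the CA certificate from the signing-key secret
// (tls.crt) is present, byte for byte, in ca-bundle.crt of the signing-cabundle ConfigMap.
// Raw DER is compared deliberately: both certs in the report share one Issuer CN.
func BundleContainsSigner(bundlePEM, signerPEM []byte) (bool, error) {
	signer, err := parsePEMCerts(signerPEM)
	if err != nil {
		return false, fmt.Errorf("signing-key tls.crt: %w", err)
	}
	bundle, err := parsePEMCerts(bundlePEM)
	if err != nil {
		return false, fmt.Errorf("signing-cabundle ca-bundle.crt: %w", err)
	}
	for _, c := range bundle {
		if bytes.Equal(c.Raw, signer[0].Raw) {
			return true, nil
		}
	}
	return false, nil
}

// newSelfSignedCA builds a throwaway self-signed CA so the check runs offline (constructed test data, not a real signer).
func newSelfSignedCA(cn string, notBefore time.Time, serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(2, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// StaleBundleScenario mirrors the report: the ConfigMap still holds the 2022
// signer while the secret rotated to a 2023 signer with the identical CN. It
// returns the check result for the stale bundle and for a re-injected bundle.
func StaleBundleScenario() (staleOK, refreshedOK bool, err error) {
	const cn = "openshift-service-serving-signer@1658380961"
	oldCA, errOld := newSelfSignedCA(cn, time.Date(2022, 7, 21, 5, 22, 41, 0, time.UTC), 1)
	newCA, errNew := newSelfSignedCA(cn, time.Date(2023, 8, 20, 5, 22, 48, 0, time.UTC), 2)
	if errOld != nil || errNew != nil {
		return false, false, fmt.Errorf("generating test CAs: %v / %v", errOld, errNew)
	}
	if staleOK, err = BundleContainsSigner(oldCA, newCA); err != nil {
		return false, false, err
	}
	// During rollover the bundle carries both signers; copy oldCA first so append cannot alias it.
	refreshed := append(append([]byte{}, oldCA...), newCA...)
	refreshedOK, err = BundleContainsSigner(refreshed, newCA)
	return staleOK, refreshedOK, err
}

func main() {
	stale, refreshed, err := StaleBundleScenario()
	fmt.Printf("stale bundle has current signer: %v, re-injected bundle has it: %v (err=%v)\n", stale, refreshed, err)
}
```

Run with go run to see the stale bundle report false and the re-injected one true. A controller doing this comparison on every resync of the secret and the ConfigMap, rather than reading the bundle once at startup, is what would catch the mismatch shown in the two outputs above.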