Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-24744

[enterprise-4.12] Issue in file security/certificates/replacing-default-ingress-certificate.adoc

XMLWordPrintable

    • Moderate
    • No
    • 3
    • False
    • Hide

      None

      Show
      None
    • Release Note Not Required
    • In Progress

      Description of problem:

      Opportunity to explain that when we modify the ingress CA with custom certs, this will trigger a rollout of MCP update as the following local cert file needs to get updated on all nodes: `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt`. 

      Version-Release number of selected component (if applicable):

      4.11, 4.12, 4.13, 4.14* (see caveat)

      How reproducible:

      Every time; this is expected, but not documented

      Steps to Reproduce:

          1. Follow steps in docs page: https://docs.openshift.com/container-platform/4.12/security/certificates/replacing-default-ingress-certificate.html
          2. create the configmap as outlined in docs:
      ~~~
      $ oc create configmap custom-ca \
           --from-file=ca-bundle.crt=</path/to/example-ca.crt> \
           -n openshift-config
      ~~~
          3. Observe that a new machine-config file is generated, triggering rollout to all nodes.
          

      Actual results:

      MCP update may put cluster into unexpected/undesired rollout condition interrupting workloads.     

      Expected results:

          If a rollout is expected, should be documented to advise customers of possible interruption to production workloads.

      Additional info:

      *4.14 has a new update that explicitly addresses a change in this behavior:
      
      https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/release_notes/index#ocp-4-14-new-cert-process
      
      Which highlights the following (as pertains to a 4.14 release update): (therefore in 4.14 docs at this page, should be stated that this does NOT trigger a MCP rollout, compared to other existing/earlier versions of openshift (4.11,4.12,4.13) I believe this was also present in earlier builds but am not certain when it was introduced/how far backported you need to go with this warning.
      
      ~~~
      1.3.16.4. Certificates are now handled by the Machine Config Daemon
      In previous OpenShift Container Platform versions, the MCO read and handled certificates directly from machine configuration files. This led to rotation issues and created unwanted situations, such as certificates getting stuck behind a paused machine config pool.
      
      With this release, certificates are no longer templated from bootstrap into machine configuration files. Instead, they are put directly into the Ignition object, written onto a disk using the controller config, and handled by the Machine Config Daemon (MCD) during regular cluster operation. The certs are then visible by using the ControllerConfig resource.
      
      The Machine Config Controller (MCC) holds the following certificate data:
      
      /etc/kubernetes/kubelet-ca.crt
      /etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem
      /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
      ~~~
      
      
      Objectively seeking a warning alert box appraising that this change will cause a machine-config update automatically and to prepare accordingly on the highlighted docs page to avoid future confusion/interruptions to customers who aren't expecting it.

              rhn-support-stk Subhashini T K
              rhn-support-wrussell Will Russell
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: