Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-28653

userCA and cloudCA certfiicates are not removed from nodes and ignition config

XMLWordPrintable

      Description of problem:

      When we configure a userCA or a cloudCA MCO adds those certificates to the ignition config and the nodes. Nevertheless, when we remove those certificates MCO does not remove them from the nodes and the ignition config.
      
          

      Version-Release number of selected component (if applicable):

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.16.0-0.nightly-2024-01-24-133352   True        False         5h49m   Cluster version is 4.16.0-0.nightly-2024-01-24-133352
      
          

      How reproducible:

      Always
          

      Steps to Reproduce:

          1. Create a new certificate
      
      $ openssl genrsa -out privateKey.pem 4096
      $ openssl req -new -x509 -nodes -days 3600 -key privateKey.pem -out ca-bundle.crt -subj "/OU=MCO qe/CN=example.com"
      
      
          2. Configure a userCA
      # Create the configmap with the certificate
      $ oc create cm cm-test-cert -n openshift-config --from-file=ca-bundle.crt
      configmap/cm-test-cert created
      
      #Configure the proxy with the new test certificate
      $ oc patch proxy/cluster --type merge -p '{"spec": {"trustedCA": {"name": "cm-test-cert"}}}'
      proxy.config.openshift.io/cluster patched
      
          3. Configure a cloudCA
      $ oc set data -n openshift-config ConfigMap cloud-provider-config  --from-file=ca-bundle.pem=ca-bundle.crt
      
          4. Check that the certificates have been added
      
      
      $  oc debug -q  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt" 
      $  oc debug -q  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem" 
      
          5. Remove the configured userCA and cloudCA certificates
      
      $ oc patch proxy/cluster --type merge -p '{"spec": {"trustedCA": {"name": ""}}}'
      
      
      $ oc edit  -n openshift-config ConfigMap cloud-provider-config  ### REMOVE THE ca-bundle.pem KEY
      
      
      
      
          

      Actual results:

          Even though we have removed the certificates from the cluster config those can be found in the nodes
      
      $  oc debug -q  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt" 
      $  oc debug -q  node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem" 
      
      
          

      Expected results:

      
      The certificates should be removed from the nodes and the ignition config when they are removed from the cluster config
          

      Additional info:

          

            dkhater@redhat.com Dalia Khater
            sregidor@redhat.com Sergio Regidor de la Rosa
            Sergio Regidor de la Rosa Sergio Regidor de la Rosa
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: