Type: Bug
Resolution: Done
Priority: Normal
Severity: Moderate
Affects versions: 4.16, 4.17.0, 4.17.z
Sprint: MCO Sprint 253, MCO Sprint 254

Description of problem:
When a userCA (proxy/cluster spec.trustedCA) or a cloudCA (the ca-bundle.pem key of the cloud-provider-config ConfigMap in openshift-config) is configured, MCO adds the certificates to the rendered ignition config and writes them to the nodes. When those certificates are later removed from the cluster config, however, MCO does not remove them from the nodes or from the ignition config. The removed CA therefore stays in the node's trust-anchor directory (/etc/pki/ca-trust/source/anchors) and in the cloud-config static pod resources, so trust that an administrator believes has been withdrawn is still in effect on every node.
Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-01-24-133352   True        False         5h49m   Cluster version is 4.16.0-0.nightly-2024-01-24-133352
How reproducible:
Always
Steps to Reproduce:
1. Create a new test CA certificate
   $ openssl genrsa -out privateKey.pem 4096
   $ openssl req -new -x509 -nodes -days 3600 -key privateKey.pem -out ca-bundle.crt -subj "/OU=MCO qe/CN=example.com"
2. Configure a userCA
   # Create the configmap with the certificate
   $ oc create cm cm-test-cert -n openshift-config --from-file=ca-bundle.crt
   configmap/cm-test-cert created
   # Configure the proxy with the new test certificate
   $ oc patch proxy/cluster --type merge -p '{"spec": {"trustedCA": {"name": "cm-test-cert"}}}'
   proxy.config.openshift.io/cluster patched
3. Configure a cloudCA
   $ oc set data -n openshift-config ConfigMap cloud-provider-config --from-file=ca-bundle.pem=ca-bundle.crt
4. Check that the certificates have been added (wait for the worker MachineConfigPool to finish updating before checking)
   $ oc debug -q node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt"
   $ oc debug -q node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
5. Remove the configured userCA and cloudCA certificates
   $ oc patch proxy/cluster --type merge -p '{"spec": {"trustedCA": {"name": ""}}}'
   $ oc edit -n openshift-config ConfigMap cloud-provider-config   ### REMOVE THE ca-bundle.pem KEY
Actual results:
Even though the certificates have been removed from the cluster config, they are still present on the nodes; both commands below still print the test certificate:
   $ oc debug -q node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt"
   $ oc debug -q node/$(oc get nodes -l node-role.kubernetes.io/worker -ojsonpath="{.items[0].metadata.name}") -- chroot /host cat "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
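An added checker for steps 4 and 5, written for this page and not part of the bug report or of MCO: pipe the file read back from the node into it together with the CA that was removed from the cluster config, and it reports by SHA-256 fingerprint whether the withdrawn CA is still trusted. Plain `cat` or `grep` cannot tell the removed CA apart from other members of a bundle, and the fingerprint form matches what `openssl x509 -noout -fingerprint -sha256` prints. The sample bundles in the block are constructed stand-in bytes, not real X.509 certificates; the filename check_ca.py in the usage line is hypothetical.

```python
import base64
import hashlib
import re
import sys

# One match per CERTIFICATE block; the node files in the report are PEM bundles.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_ders(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in _PEM_BLOCK.finditer(bundle)
    ]


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with a 64-column body."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER as colon-separated uppercase hex, the same form
    `openssl x509 -noout -fingerprint -sha256` prints after 'SHA256 Fingerprint='."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_fingerprints(bundle: str) -> set[str]:
    return {fingerprint(der) for der in pem_to_ders(bundle)}


def stale_anchors(removed_ca_pem: str, node_bundle: str) -> set[str]:
    """Fingerprints of CAs that were removed from the cluster config but are
    still present in the bundle read back from the node. Empty set means clean."""
    return bundle_fingerprints(removed_ca_pem) & bundle_fingerprints(node_bundle)


# Constructed sample data (not real X.509; the checker only hashes the DER payload).
TEST_CA_DER = b"constructed DER payload standing in for the MCO qe test CA"
OTHER_CA_DER = b"constructed DER payload standing in for an unrelated CA"
REMOVED_CA_PEM = der_to_pem(TEST_CA_DER)
# What the step 5 readback looks like with this bug: the removed CA is still there.
NODE_ANCHORS_BUGGY = der_to_pem(OTHER_CA_DER) + der_to_pem(TEST_CA_DER)
# What a correct readback looks like: only unrelated CAs remain.
NODE_ANCHORS_CLEAN = der_to_pem(OTHER_CA_DER)


def main(argv: list[str]) -> int:
    """Usage (hypothetical filename):
      oc debug -q node/<node> -- chroot /host cat <anchor file> | python3 check_ca.py ca-bundle.crt
    Exit status 1 when any removed CA is still trusted on the node, 0 when clean."""
    if len(argv) != 2:
        print("usage: check_ca.py <removed-ca.pem>  (node bundle on stdin)", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        removed = f.read()
    stale = stale_anchors(removed, sys.stdin.read())
    for fp in sorted(stale):
        print(f"STALE: removed CA is still trusted on the node: {fp}")
    if not stale:
        print("OK: no removed CA found in the node bundle")
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the step 4 readback (it should report STALE, proving the CA landed) and again after step 5; with this bug the second run still exits 1 for both the anchors file and the cloud-config ca-bundle.pem.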
Expected results:
When the certificates are removed from the cluster config, MCO should remove them from the rendered ignition config and from the nodes, so that the node trust store no longer contains the withdrawn CA.
Additional info:
Issue links:
- blocks: OCPBUGS-35921 userCA and cloudCA certificates are not removed from nodes and ignition config (New)
- is cloned by: OCPBUGS-35921 userCA and cloudCA certificates are not removed from nodes and ignition config (New)
- is depended on by: OCPBUGS-44337 Removal of additionalTrustBundle CA that was passed via install-config.yaml during agent-based installation, does not remove certificate from node (Closed)