Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29303

No Functionality Exists To Revoke Break-Glass Signer Certificates

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • 4.15.z
    • 4.16.0
    • HyperShift
    • None
    • No
    • False
    • Hide

      None

      Show
      None

      This is a clone of issue OCPBUGS-29088. The following is the description of the original issue:

      Description of problem:

          Customer has no method to revoke break-glass signer certificate for HCP.

      Version-Release number of selected component (if applicable):

          4.16.0

      How reproducible:

          always

      Steps to Reproduce:

          1. not possible

      Actual results:

          nothing

      Expected results:

          expected a path to do this

      Additional info:

      In order to use the new flow introduced to fix this, create a CertificateRevocationRequest in the namespace of a HostedControlPlane as described in the test:

      1. create a private key, certificate and certificate signing request using e.g. openssl
      2. create admin credentials for the cluster by using a CertificateSigningRequest and {{CertificateSigningRequestApproval }}{{
        }}
      3. revoke the break-glass signing certificate using the CertificateRevocationRequest
      4. wait for the CRR status to show that it succeeded
      5. ensure that the credentials created in step 2 are no longer valid

            skuznets@redhat.com Steve Kuznetsov
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: