  1. OpenShift Bugs
  2. OCPBUGS-29303

No Functionality Exists To Revoke Break-Glass Signer Certificates


Details

    • Bug
    • Resolution: Done-Errata
    • Undefined
    • 4.15.z
    • 4.16.0
    • HyperShift
    • None
    • No
    • False

    Description

      This is a clone of issue OCPBUGS-29088. The following is the description of the original issue:

      Description of problem:

          Customer has no method to revoke break-glass signer certificate for HCP.

      Version-Release number of selected component (if applicable):

          4.16.0

      How reproducible:

          always

      Steps to Reproduce:

          1. not possible
          

      Actual results:

          nothing

      Expected results:

          expected a path to do this

      Additional info:

          

      In order to use the new flow introduced to fix this, create a CertificateRevocationRequest in the namespace of a HostedControlPlane as described in the test:

      1. create a private key, certificate and certificate signing request using e.g. openssl
      2. create admin credentials for the cluster by using a CertificateSigningRequest and CertificateSigningRequestApproval
      3. revoke the break-glass signing certificate using the CertificateRevocationRequest
      4. wait for the CRR status to show that it succeeded
      5. ensure that the credentials created in step 2 are no longer valid
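
The CertificateRevocationRequest from step 3 and the status check from step 4, as an added Go example that is not part of this issue or of HyperShift's own code. The API group/version, the signerClass value and the condition type names are assumptions that do not appear on this page; the namespace and object names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed HyperShift API strings; none of them appear on the issue page.
const (
	crrAPIVersion = "certificates.hypershift.openshift.io/v1alpha1"
	signerClass   = "customer-break-glass"
	condValid     = "SignerClassValid"
	condRevoked   = "PreviousCertificatesRevoked"
)

// Manifest renders the step-3 object for the HostedControlPlane namespace.
func Manifest(hcpNamespace, name string) string {
	return fmt.Sprintf("apiVersion: %s\nkind: CertificateRevocationRequest\n"+
		"metadata:\n  name: %s\n  namespace: %s\nspec:\n  signerClass: %s\n",
		crrAPIVersion, name, hcpNamespace, signerClass)
}

// Revoked evaluates one poll of the CRR (JSON from the API) for step 4: true only
// once revocation finished, an error when the request can never finish.
func Revoked(crrJSON []byte) (bool, error) {
	var obj struct {
		Status struct {
			Conditions []struct{ Type, Status, Message string }
		}
	}
	if err := json.Unmarshal(crrJSON, &obj); err != nil {
		return false, err
	}
	done := false
	for _, c := range obj.Status.Conditions {
		if c.Type == condValid && c.Status == "False" {
			return false, fmt.Errorf("signer class rejected: %s", c.Message)
		}
		done = done || (c.Type == condRevoked && c.Status == "True")
	}
	return done, nil // false: old break-glass credentials may still authenticate
}

func main() {
	// Constructed sample status, not captured from a real cluster.
	sample := []byte(`{"status":{"conditions":[{"type":"SignerClassValid","status":"True"},{"type":"PreviousCertificatesRevoked","status":"False"}]}}`)
	fmt.Print(Manifest("clusters-example", "revoke-break-glass"))
	fmt.Println(Revoked(sample))
}
```

Run the step 5 check only after `Revoked` returns true; a failed login before that point proves nothing about the revocation.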


            People

              skuznets@redhat.com Steve Kuznetsov
              openshift-crt-jira-prow OpenShift Prow Bot
              Jie Zhao Jie Zhao