OpenShift Bugs / OCPBUGS-29715

Signed Certificate Credentials for SRE Break-Glass Signer Invalid

    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • 4.16
    • HyperShift
    • No
    • False
      This is a test flake but might somehow affect production capabilities of HyperShift. More info needed.

      Description of problem:

           === RUN   TestCreateCluster/Main/break-glass-credentials/sre-break-glass/CSR_flow
          pki.go:61: loading certificate/key pair from disk for signer sre-break-glass, use $REGENERATE_PKI to generate new ones
          control_plane_pki_operator.go:111: creating CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" for signer "hypershift.openshift.io/e2e-clusters-xdrg7-example-zh247.sre-break-glass", requesting client auth usages
          control_plane_pki_operator.go:121: creating CSRA e2e-clusters-xdrg7-example-zh247/1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30 to trigger automatic approval of the CSR
          control_plane_pki_operator.go:127: waiting for CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" to be approved and signed
          control_plane_pki_operator.go:141: CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" observed at RV 97067 after 6.553836ms
          control_plane_pki_operator.go:150: CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" status: Approved=True: ApprovalPresent(The requisite approval resource exists.)
          control_plane_pki_operator.go:141: CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" observed at RV 97070 after 107.659677ms
          control_plane_pki_operator.go:150: CSR "1csbngcgyx7vfa1kj5zd9t880uyblwry45q685icuw30" status: Approved=True: ApprovalPresent(The requisite approval resource exists.)
          control_plane_pki_operator.go:54: validating that the client certificate provides the appropriate access
          control_plane_pki_operator.go:40: amending the existing kubeconfig to use break-glass client certificate credentials
          control_plane_pki_operator.go:58: issuing SSR to identify the subject we are given using the client certificate
          control_plane_pki_operator.go:61: could not send SSR: Unauthorized 

       

      https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_hypershift/3607/pull-ci-openshift-hypershift-release-4.15-e2e-kubevirt-aws-ovn/1759622199557230592

            Steve Kuznetsov (skuznets@redhat.com)
            Jie Zhao