Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-34662

service-ca annotation should not be in services running in HCP

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Critical
    • No
    • Rejected
    • Hypershift Sprint 258, Hypershift Sprint 259, Hypershift Sprint 260, Hypershift Sprint 261, Hypershift Sprint 262, Hypershift Sprint 263
    • 6
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem

      The service-ca operator annotation should not be present in services running on the hosted control plane (HCP). Currently, some services in the HCP namespace are using the service.beta.openshift.io/serving-cert-secret-name annotation to have the service-ca operator create their TLS secrets.

      In a hosted control plane environment, the Control Plane Operator (CPO) should be responsible for creating these secrets, not the service-ca operator running in the hosted cluster.

      Version-Release number

      4.16.z / 4.17.z

      How reproducible

      Always

      Steps to Reproduce

      1. Deploy a ROSA HCP or ARO HCP cluster
      2. Access the hosted control plane namespace
      3. Check services for service-ca annotations: 
        oc get services/aws-ebs-csi-driver-controller-metrics -ojsonpath='{.metadata.annotations}' | jq .
      4. Observe the service-ca annotations present

      Actual results

      Services in the HCP namespace have service-ca operator annotations:

      {
  "operator.openshift.io/spec-hash": "b32a5b8b48a82ba70fefa6157b22955dc345e4a062012daea7983203a179ed85",
  "service.alpha.openshift.io/serving-cert-signed-by": "openshift-service-serving-signer@1764641955",
  "service.beta.openshift.io/serving-cert-secret-name": "aws-ebs-csi-driver-controller-metrics-serving-cert",
  "service.beta.openshift.io/serving-cert-signed-by": "openshift-service-serving-signer@1764641955"
}

      This creates a dependency on the service-ca operator in the hosted cluster to create secrets for control plane services.

      Expected results

      • The service-ca annotation (service.beta.openshift.io/serving-cert-secret-name) is NOT present on any services running in the HCP namespace
      • The Control Plane Operator (CPO) creates and manages the TLS secrets required by these services
      • No dependency on the hosted cluster's service-ca operator for control plane service certificates

      Additional info

      Known affected services:

      • aws-ebs-csi-driver-controller-metrics
      • (Additional services may need investigation)

      Why this matters:

      • Control plane services should not depend on operators running in the hosted cluster
      • Certificate lifecycle management should be handled by the CPO for better control plane isolation
      • This improves the security boundary between control plane and hosted cluster

              hypershift-automation hypershift-team automation
              rh-ee-brcox Bryan Cox
              None
              Cesar Wong, Seth Jennings
              Wen Wang Wen Wang
              None
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: