- Bug
- Resolution: Done-Errata
- Normal
- 4.14.z, 4.15.z, 4.16.0
- Critical
- Yes
- Hypershift Sprint 254, Hypershift Sprint 255, Hypershift Sprint 256, Hypershift Sprint 257
- 4
- Rejected
- False
- N/A
- Release Note Not Required
- Done
This is a clone of issue OCPBUGS-30986. The following is the description of the original issue:
—
Description of problem:
After we applied the old tlsSecurityProfile to the Hypershift hosted cluster, the apiserver ran into a CrashLoopBackOff failure; this blocked our test.
Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.nightly-2024-03-13-061822   True        False         129m    Cluster version is 4.16.0-0.nightly-2024-03-13-061822
How reproducible:
always
Steps to Reproduce:
1. Specify KUBECONFIG with kubeconfig of the Hypershift management cluster
2. hostedcluster=$( oc get -n clusters hostedclusters -o json | jq -r .items[].metadata.name)
3. oc patch hostedcluster $hostedcluster -n clusters --type=merge -p '{"spec": {"configuration": {"apiServer": {"tlsSecurityProfile":{"old":{},"type":"Old"}}}}}'
hostedcluster.hypershift.openshift.io/hypershift-ci-270930 patched
4. Checked the tlsSecurityProfile:
$ oc get HostedCluster $hostedcluster -n clusters -ojson | jq .spec.configuration.apiServer
{
  "audit": {
    "profile": "Default"
  },
  "tlsSecurityProfile": {
    "old": {},
    "type": "Old"
  }
}
Actual results:
One of the kube-apiserver pods of the hosted cluster ran into CrashLoopBackOff and is stuck in this status, unable to complete the old tlsSecurityProfile configuration.
$ oc get pods -l app=kube-apiserver -n clusters-${hostedcluster}
NAME                              READY   STATUS             RESTARTS      AGE
kube-apiserver-5b6fc94b64-c575p   5/5     Running            0             70m
kube-apiserver-5b6fc94b64-tvwtl   5/5     Running            0             70m
kube-apiserver-84c7c8dd9d-pnvvk   4/5     CrashLoopBackOff   6 (20s ago)   7m38s
Expected results:
Applying the old tlsSecurityProfile should be successful.
Additional info:
This can also be reproduced on 4.14 and 4.15. The last passed logs of the test case are below:
passed API_Server 2024-02-19 13:34:25(UTC) aws 4.14.0-0.nightly-2024-02-18-123855 hypershift
passed API_Server 2024-02-08 02:24:15(UTC) aws 4.15.0-0.nightly-2024-02-07-062935 hypershift
passed API_Server 2024-02-17 08:33:37(UTC) aws 4.16.0-0.nightly-2024-02-08-073857 hypershift
From the history of the test, it seems that some code changes introduced in February caused the bug.
- blocks: OCPBUGS-34904 Removing old weak ciphers from security profile for Hypershift hosted cluster (Closed)
- clones: OCPBUGS-30986 Removing old weak ciphers from security profile for Hypershift hosted cluster (Closed)
- is blocked by: OCPBUGS-30986 Removing old weak ciphers from security profile for Hypershift hosted cluster (Closed)
- is cloned by: OCPBUGS-34904 Removing old weak ciphers from security profile for Hypershift hosted cluster (Closed)
- links to: RHBA-2024:5422 OpenShift Container Platform 4.16.z bug fix update