OpenShift Bugs / OCPBUGS-34801

Hypershift hosted cluster does not work with old tlsSecurityProfile


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.16.0
    • 4.14.z, 4.15.z, 4.16.0
    • HyperShift
    • Critical
    • Yes
    • Hypershift Sprint 254, Hypershift Sprint 255, Hypershift Sprint 256
    • 3
    • Rejected
    • False

    • Release Note Not Required
    • In Progress

      This is a clone of issue OCPBUGS-30986. The following is the description of the original issue:

      Description of problem:

      After we applied the old tlsSecurityProfile to the Hypershift hosted cluster, the apiserver ran into a CrashLoopBackOff failure; this blocked our test.

      Version-Release number of selected component (if applicable):

      $ oc get clusterversion
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.16.0-0.nightly-2024-03-13-061822   True        False         129m    Cluster version is 4.16.0-0.nightly-2024-03-13-061822

      How reproducible:


      Steps to Reproduce:

          1. Specify KUBECONFIG with the kubeconfig of the Hypershift management cluster
          2. hostedcluster=$( oc get -n clusters hostedclusters -o json | jq -r .items[].metadata.name)
          3. oc patch hostedcluster $hostedcluster -n clusters --type=merge -p '{"spec": {"configuration": {"apiServer": {"tlsSecurityProfile":{"old":{},"type":"Old"}}}}}'
             hostedcluster.hypershift.openshift.io/hypershift-ci-270930 patched
          4. Checked the tlsSecurityProfile:
             $ oc get HostedCluster $hostedcluster -n clusters -ojson | jq .spec.configuration.apiServer
             {
               "audit": {
                 "profile": "Default"
               },
               "tlsSecurityProfile": {
                 "old": {},
                 "type": "Old"
               }
             }

      Actual results:

      One of the kube-apiserver pods of the hosted cluster ran into CrashLoopBackOff and stayed stuck in this status, unable to complete the old tlsSecurityProfile configuration.
      $ oc get pods -l app=kube-apiserver  -n clusters-${hostedcluster}
      NAME                              READY   STATUS             RESTARTS      AGE
      kube-apiserver-5b6fc94b64-c575p   5/5     Running            0             70m
      kube-apiserver-5b6fc94b64-tvwtl   5/5     Running            0             70m
      kube-apiserver-84c7c8dd9d-pnvvk   4/5     CrashLoopBackOff   6 (20s ago)   7m38s

      Expected results:

          Applying the old tlsSecurityProfile should be successful.

      Additional info:

         This can also be reproduced on 4.14 and 4.15. We have the last passed logs of the test case below:
        passed      API_Server      2024-02-19 13:34:25(UTC)    aws    4.14.0-0.nightly-2024-02-18-123855    hypershift
        passed      API_Server      2024-02-08 02:24:15(UTC)    aws    4.15.0-0.nightly-2024-02-07-062935    hypershift
        passed      API_Server      2024-02-17 08:33:37(UTC)    aws    4.16.0-0.nightly-2024-02-08-073857    hypershift
      From the history of the test, it seems that some code changes were introduced in February that caused the bug.

            sjenning Seth Jennings
            openshift-crt-jira-prow OpenShift Prow Bot
            Ke Wang Ke Wang
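
A rollout gate for the state reported above, as an added example that is not part of the original issue or of HyperShift itself: it reads `oc get pods` table output and fails when a kube-apiserver pod is unhealthy or when pods from more than one ReplicaSet coexist, which means the previous pods are still serving with the previous TLS settings. The function names and the `--demo` switch are assumptions of this example; it relies on the standard Deployment pod naming `<name>-<pod-template-hash>-<suffix>`.

```shell
#!/usr/bin/env bash
# Added example (not project code): gate on kube-apiserver rollout health
# after a tlsSecurityProfile change on a hosted cluster.

# check_rollout reads `oc get pods` table output on stdin.
# It prints every pod that is not fully ready or not Running, reports when
# pods from more than one ReplicaSet coexist, and returns 1 in either case.
check_rollout() {
  awk '
    NR == 1 && $1 == "NAME" { next }        # skip the header row
    NF < 3 { next }                         # skip blank or malformed lines
    {
      split($2, r, "/")                     # READY column is "ready/total"
      if (r[1] != r[2] || $3 != "Running") {
        printf "%s ready=%s status=%s\n", $1, $2, $3
        bad++
      }
      n = split($1, p, "-")                 # <name>-<pod-template-hash>-<suffix>
      rs = p[n - 1]
      if (!(rs in seen)) { seen[rs] = 1; sets++ }
    }
    END {
      if (sets > 1)
        printf "rollout incomplete: pods from %d ReplicaSets\n", sets
      exit (bad > 0 || sets > 1)
    }
  '
}

# The pod listing reported in this issue, embedded so the check runs offline.
sample_pods() {
  cat <<'EOF'
NAME                              READY   STATUS             RESTARTS      AGE
kube-apiserver-5b6fc94b64-c575p   5/5     Running            0             70m
kube-apiserver-5b6fc94b64-tvwtl   5/5     Running            0             70m
kube-apiserver-84c7c8dd9d-pnvvk   4/5     CrashLoopBackOff   6 (20s ago)   7m38s
EOF
}

# Live usage (KUBECONFIG and $hostedcluster set as in the steps to reproduce):
#   oc get pods -l app=kube-apiserver -n "clusters-${hostedcluster}" | check_rollout
if [ "${1:-}" = "--demo" ]; then
  sample_pods | check_rollout
fi
```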