Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-35277

openshift-config-user-ca-bundle.crt file is rebooting the nodes when techpreview is enabled

XMLWordPrintable

      Description of problem:

      When a new user-ca certificate is added MCO creates a MC with the new /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt file content.

If we use techpreview, when this configuration is applied to the nodes, the nodes are rebooted. ( No need to restart crio because the reboot will do it, and no need to execute update-ca-trust because coreos will launch the update-ca-trust service).

The certificate is properly added, but the behaviour is not the same as when techpreview is disabled.

      Version-Release number of selected component (if applicable):

      IPI on CGP

Version:
registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-06-11-104727

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a MC to deploy a new user-ca certificate

(We are using here a random certificate here)

    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: worker
      name: mco-tc-71991-nb6hudw5
    spec:
      config:
        ignition:
          version: 3.4.0
        storage:
          files:
            - contents:
                source: data:text/plain;charset=utf-8;base64,LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZMekNDQXhlZ0F3SUJBZ0lVRElDQ09FTnRtNnd6c1hFdGdFenNTN2RFZmIwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0p6RVBNQTBHQTFVRUN3d0dUVU5QSUZGRk1SUXdFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVEFlRncweQpOREEyTVRFeE1EVTFOVEphRncwek5EQTBNakF4TURVMU5USmFNQ2N4RHpBTkJnTlZCQXNNQmsxRFR5QlJSVEVVCk1CSUdBMVVFQXd3TFpYaGhiWEJzWlM1amIyMHdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRRHJzU1h4MkdzTVROcDBQYSszMkV6cHlQOUhxWlhpWUFpeGpjc29UeFJ6QWdSNjduQXAyZG8wNkhnMQpsdXlGS1ZGdmVNUVQ4RzE1a05sRS9QcWtxRTU2bFl3bjYwb3FlQk9lVXZTOUI3U2VndGVqN1J2UjMwUW8vdnMxCnQ5cTVCNldxVEpNcS81c1NvbXNoVXpPaE8ydzYxYzU3YUhsS2xEVlFTQVVsUUdQa2RsNElxU1Exd3pSTVliZnQKTVZDU1FNY1JkdmdjTG40QXV2emdiclgwcFpZSExoTFprN2Q2TWN5RW9GU0xHOGY0eFVDd3RocnFwUzd6TVYvZgpjWHdFMW83LzN0R0Q5QnBOY0hMOEtOQXpiSnhFbDRHTElQdkkxZFpqYXJoWXZveTIrb3dUcXBEOFRDZE9UQndqCkJvdDgyNDlRNFhnck5ZZ09XTUh2Mm9NbjFQanp5aFAzSUZ2SEFvNnlYRDh4NjhaRWFMM1JVZzkyT29yWU13SUgKenhmRlVzczVDY0MyQVRkU2U5dEJ1cEtRT2FDSXIyOEUrVENTOThqUUMyUGtDcVpCNjZSaFhtZXNkM3V6dXRTRQpqa3FxMUNCVEVZMjFKOVhnOUx2TlcyT2VSc1RtY09hUW1UbHNDVDBGSmV0eEZXaXd2MkxFK1hvbDZyM2JWcFJ5CklvME0wLzNPc20vWDZRY3NNYTQyOGRsWXZUWU9ucXlXZ25HNEQ0YndqRlQwWE8yWTJkaHkvVlFlTEJPaHg4Tk0KWUNoc050T3RocDZFVnNCQ2ZQUlNWQkcwNEJvQ2ducmRTdTBmcHA2K2g4SExxb2pxalUwK2pLTmxPdU8ydWhBQgpXM2pwM3NpZVcvYUVEYVdkc1pMTXBQZkN1b242Rk1ENkNzYkZRcmpQUnY3OHZuRG9Fd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVVpyWEtYdmwxQnQrSit4TG82My9hdXhqdXlCNHdId1lEVlIwakJCZ3dGb0FVWnJYS1h2bDEKQnQrSit4TG82My9hdXhqdXlCNHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBeEozS0w3SGJqcDBQUlpVN2dVT2lvckhadFZaemplMVpBZSs3TVZWd1IyRUp5S3dnKzFCb1dqWFFyemQ4Ckc4TkRIUG5BSUQ3UDZsdC9WREtuVUZhaUEvUTFnMWpUQzIzdG82RnhDMVFDYnp5enFVUEpZTnZKQUh4ODVpTU4Kc0daamtjMFpLSkxKZXJBaEFIR2YyWHVmbzliZFZ5ZjB5SWNFVU1vaXBJclgxODlZRDQ5eFpJK0JhaFRVMWtrTQpiM2RrOFlQNkhCZnlqTkM1MFhVaW9aTmVnbVlDRVFZdTQyS3dzWG83TXJXMzY1YUxkWjFqRTRPeFN5Q2VCZWI4ClAvUUhWY2tqYnpCOVZFVE9uME5UMWdoZ1lRQVRjNWVsRUlFZ0JYWHQ0TmlCZ3FIRmowZFhuK0VVVGo0V0lSS28KOWNwdW9lNVJlT2k3WXY2Q3ZNVytrajRKdWljdFZPcFhaRmRrc1FtWWU0RXJyaHhvcit4YmVRQlNXeGhlVC8yNwpFZmM4aWhqWnRnVDRjQllZZ0RrcHhUT1Z5ZlVZYWdsamhIQ1dwc3hnUmc5ZkxEbWJHODZpOUNpanp3OFJCMDhuCitRYU1YejJONlFkZ0JYSG1nRXkrd1JoWlo2NUdZNnR3cGc1VW56bTFUZ3FjOGJIZHlJSmwwQWF4Zjh6NmpVNE0KSlhnUXlEM3k5SDZRbDhHVCtLTEdNek1GWnp2bmFXSHZ4enNYOCs2TlZhNENlUU9QYmZZOVRMQ0hzbHcyZ2FBTQpLZkVWc2JDZ0JWM09PKy9EalBvNGdkSlBJZWZLSDhKMHFORytzZzMrU0luQ0dUcVo3d2ZYczVLaEpvZTBXUzMyCnp6RU1zV1hQSmQzYnlQMVRQc1ROcFQ1cXFoT05KdkJxbHhNL2VJUjVTQ3ZrVW9ZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
              mode: 420
              path: /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt

      Actual results:

      The nodes are rebooted

      Expected results:

      
The behviour should be the same that we see when techpreview is not enabled.

      Additional info:

      
We can get  the same behaviour that we get when techpreview is not eanbled by adding this machineconfiguration


  apiVersion: operator.openshift.io/v1
  kind: MachineConfiguration
  metadata:
    creationTimestamp: "2024-06-11T09:03:41Z"
    generation: 5
    name: cluster
    resourceVersion: "192544"
    uid: 78fd4b8c-7787-4485-891d-ac9034467d35
  spec:
    logLevel: Normal
    managementState: Managed
    nodeDisruptionPolicy:
      files:
      - actions:
        - restart:
            serviceName: coreos-update-ca-trust.service
          type: Restart
        - restart:
            serviceName: crio.service
          type: Restart
        path: /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
    operatorLogLevel: Normal

            team-mco Team MCO
            sregidor@redhat.com Sergio Regidor de la Rosa
            Sergio Regidor de la Rosa Sergio Regidor de la Rosa
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: