-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.15.z
-
None
Description of problem:
When we remove additionalTrustBundle CA of mirror registry(user-ca-bundle) that was passed via the install-config.yaml for agent installer installation, MCO does not remove certificatefrom the nodes.
$ oc version Client Version: 4.15.23 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: 4.15.23 Kubernetes Version: v1.28.11+add48d0 $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.15.23 True False 3h2m Cluster version is 4.15.23
How reproducible:
Always
Steps to Reproduce:
1.Create cluster with additionalTrustBundle CA in install-config 2.Locate the mirror reg CA certificate stored on the node's /etc/pki/ directory ~~~ cd /etc/pki/ca-trust/source/anchors [root@master1 anchors]# ls -la total 216 drwxr-xr-x. 2 root root 49 Sep 18 05:23 . drwxr-xr-x. 4 root root 80 Sep 18 05:20 .. -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt ~~~ 3. back up and delete the CM (user-ca-bundle) ~~~ $ oc delete configmap/user-ca-bundle -n openshift-config configmap "user-ca-bundle" deleted ~~~ 4. Observer if some changes happens at the MCO/MCP level due to the same. 5. Switch to the node and check same /etc/pki/../ to see if CA is present or not
Actual results:
Certificate still present under "/etc/pki/ca-trust/source/anchors" on the nodes. No new MC got generated # cd /etc/pki/ca-trust/source/anchors [root@master1 anchors]# ls -la total 216 drwxr-xr-x. 2 root root 49 Sep 18 05:23 . drwxr-xr-x. 4 root root 80 Sep 18 05:20 .. -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt [root@master1 anchors]# cat openshift-config-user-ca-bundle.crt | grep "MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL" MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL
Expected results:
New MC should get created once the user-ca-bundle has been removed and roll out of MC should happen on the node. Certificate should be removed on the nodes.
Additional info:
- depends on
-
OCPBUGS-44337 Removal of additionalTrustBundle CA that was passed via install-config.yaml during agent-based installation, does not remove certificate from node
- Closed
- links to
-
RHBA-2024:10142 OpenShift Container Platform 4.15.z bug fix update