Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42137

Removal of additionalTrustBundle CA that was passed via install-config.yaml during agent-based installation, does not remove certificate from node

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.15.z
    • 4.15.z
    • None
    • Moderate
    • No
    • MCO Sprint 262
    • 1
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • Done

      Description of problem:

       When we remove additionalTrustBundle CA of mirror registry(user-ca-bundle) that was passed via the install-config.yaml for agent installer installation,
      MCO does not remove certificatefrom the nodes.
      $ oc version
      Client Version: 4.15.23
      Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
      Server Version: 4.15.23
      Kubernetes Version: v1.28.11+add48d0
      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.15.23   True        False         3h2m    Cluster version is 4.15.23
      

      How reproducible:

          Always

      Steps to Reproduce:

          1.Create cluster with additionalTrustBundle CA in install-config
          2.Locate the mirror reg CA certificate stored on the node's /etc/pki/ directory
           ~~~
           cd /etc/pki/ca-trust/source/anchors
      [root@master1 anchors]# ls -la
      total 216
      drwxr-xr-x. 2 root root     49 Sep 18 05:23 .
      drwxr-xr-x. 4 root root     80 Sep 18 05:20 ..
      -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt
          ~~~
      
          3. back up and delete the CM (user-ca-bundle)
           ~~~
         $ oc delete configmap/user-ca-bundle -n openshift-config
      configmap "user-ca-bundle" deleted
           ~~~
      
          4. Observer if some changes happens at the MCO/MCP level due to the same.
          5. Switch to the node and check same /etc/pki/../ to see if CA is present or not 
          

      Actual results:

      Certificate still present under  "/etc/pki/ca-trust/source/anchors" on the nodes. No new MC got generated
      
      # cd /etc/pki/ca-trust/source/anchors
      [root@master1 anchors]# ls -la
      total 216
      drwxr-xr-x. 2 root root     49 Sep 18 05:23 .
      drwxr-xr-x. 4 root root     80 Sep 18 05:20 ..
      -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt
      
      [root@master1 anchors]# cat openshift-config-user-ca-bundle.crt | grep "MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL"
      
      MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL
      MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL
      

      Expected results:

          New MC should get created once the user-ca-bundle has been removed and roll out of MC should happen on the node. Certificate should be removed on the nodes.

      Additional info:

          

              dkhater@redhat.com Dalia Khater
              rhn-support-sar Santhiya R
              Sergio Regidor de la Rosa Sergio Regidor de la Rosa
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: