OpenShift Bugs: OCPBUGS-44337

Removal of additionalTrustBundle CA that was passed via install-config.yaml during agent-based installation does not remove certificate from node


    • Type: Bug
    • Priority: Normal
    • Resolution: Unresolved
    • Status: In Progress
    • Version: 4.16.z
    • Sprint: MCO Sprint 262
    • Release Note: Not Required

      Description of problem:

      When we remove the additionalTrustBundle CA of the mirror registry (the user-ca-bundle ConfigMap) that was passed via install-config.yaml for an agent-based installation,
      MCO does not remove the certificate from the nodes.

      ~~~
      $ oc version
      Client Version: 4.15.23
      Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
      Server Version: 4.15.23
      Kubernetes Version: v1.28.11+add48d0
      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.15.23   True        False         3h2m    Cluster version is 4.15.23
      ~~~

      How reproducible:

          Always

      Steps to Reproduce:

          1. Create a cluster with the additionalTrustBundle CA in install-config.yaml
          2. Locate the mirror registry CA certificate stored under the node's /etc/pki/ directory
          ~~~
          cd /etc/pki/ca-trust/source/anchors
          [root@master1 anchors]# ls -la
          total 216
          drwxr-xr-x. 2 root root     49 Sep 18 05:23 .
          drwxr-xr-x. 4 root root     80 Sep 18 05:20 ..
          -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt
          ~~~

          3. Back up and delete the ConfigMap (user-ca-bundle)
          ~~~
          $ oc delete configmap/user-ca-bundle -n openshift-config
          configmap "user-ca-bundle" deleted
          ~~~

          4. Observe whether any change happens at the MCO/MCP level as a result.
          5. Switch to the node and check the same /etc/pki/../ path to see whether the CA is still present
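The manual check in steps 2 and 5 greps the node bundle for one base64 line of the mirror registry certificate. The following script is an added example, not part of the bug report or of the MCO code: it compares the node's /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt against whatever the cluster currently holds in the user-ca-bundle ConfigMap (an empty string once the ConfigMap has been deleted) and reports every certificate that is still on the node but no longer expected, matched by SHA-256 fingerprint rather than by a text line so that whitespace or line-wrapping differences do not hide a match. The certificate bodies embedded below are constructed dummy DER payloads, not real certificates; the file names and the `main` argument handling are assumptions for illustration.

```python
"""Added example: audit a node's CA anchor bundle against the expected bundle."""
import base64
import hashlib
import re
import sys
from typing import Dict, Iterator, List, Tuple

# One PEM certificate block; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _iter_certs(text: str) -> Iterator[Tuple[bytes, str]]:
    """Yield (DER bytes, first base64 line) for each certificate in a PEM bundle."""
    for m in PEM_RE.finditer(text):
        body = m.group(1).strip()
        der = base64.b64decode("".join(body.split()), validate=True)
        yield der, body.splitlines()[0]


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [der for der, _ in _iter_certs(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def stale_certificates(node_bundle: str, expected_bundle: str) -> Dict[str, str]:
    """Certificates present on the node but absent from the expected bundle.

    expected_bundle is the current ConfigMap content (empty once deleted).
    Returns {fingerprint: first base64 line}; the base64 line is what an
    operator would grep for on the node, as in the bug report.
    """
    expected = {fingerprint(der) for der in parse_pem_bundle(expected_bundle)}
    return {
        fingerprint(der): first_line
        for der, first_line in _iter_certs(node_bundle)
        if fingerprint(der) not in expected
    }


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block (constructed stand-in for a certificate)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: the mirror registry CA that was passed via
# install-config.yaml, plus an unrelated CA that should stay on the node.
MIRROR_REGISTRY_CA = _fake_pem(b"constructed mirror registry CA " * 4)
OTHER_CA = _fake_pem(b"constructed unrelated CA " * 4)
NODE_BUNDLE = MIRROR_REGISTRY_CA + OTHER_CA  # what the node file held before deletion


def main(argv: List[str]) -> int:
    """Usage: audit_ca_bundle.py NODE_BUNDLE_FILE [EXPECTED_BUNDLE_FILE]

    With no arguments the constructed sample is used, simulating the ConfigMap
    having been deleted (expected bundle empty). Exit status 1 means stale
    certificates remain on the node.
    """
    if len(argv) > 1:
        node = open(argv[1]).read()
        expected = open(argv[2]).read() if len(argv) > 2 else ""
    else:
        node, expected = NODE_BUNDLE, ""
    stale = stale_certificates(node, expected)
    for fp, line in stale.items():
        print(f"stale on node: {fp}  (first base64 line: {line})")
    print(f"{len(stale)} certificate(s) on the node are not in the expected bundle")
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a live cluster the expected bundle is the `ca-bundle.crt` key of the user-ca-bundle ConfigMap in openshift-config (assumed to be the key the install-config bundle is stored under); after the ConfigMap has been deleted, run the script with only the node file and any certificate it lists is one that the MCO should have rolled a MachineConfig to remove.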
          

      Actual results:

      Certificate still present under "/etc/pki/ca-trust/source/anchors" on the nodes. No new MC got generated.

      ~~~
      # cd /etc/pki/ca-trust/source/anchors
      [root@master1 anchors]# ls -la
      total 216
      drwxr-xr-x. 2 root root     49 Sep 18 05:23 .
      drwxr-xr-x. 4 root root     80 Sep 18 05:20 ..
      -rw-------. 1 root root 220593 Sep 18 05:23 openshift-config-user-ca-bundle.crt

      [root@master1 anchors]# cat openshift-config-user-ca-bundle.crt | grep "MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL"

      MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL
      MIID2TCCAsGgAwIBAgIUb1e2U0GXeW5qmTlgzE8SSDvht2YwDQYJKoZIhvcNAQEL
      ~~~
      

      Expected results:

          A new MC should be created once the user-ca-bundle has been removed, and that MC should be rolled out to the nodes. The certificate should be removed from the nodes.

      Additional info:

          

              Dalia Khater (dkhater@redhat.com)
              Sergio Regidor de la Rosa