Bug
Resolution: Unresolved
4.16.z
Quality / Stability / Reliability
In Progress
Bug Fix
Description of problem:
If you annotate a service with an invalid name, it will cause a hotloop:
oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}
Validation will catch and report the error via the serving-cert-generation-error annotation:
service.alpha.openshift.io/serving-cert-generation-error: 'Secret "foobla-${FOO}" is invalid: metadata.name: Invalid value: "foobla-${FOO}": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, ''-'' or ''.'', and must start and end with an alphanumeric character (e.g. ''example.com'', regex used for validation is ''[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'')'
This will also trigger serving-cert-generation-error-num to be updated:
service.alpha.openshift.io/serving-cert-generation-error-num: '452'
This causes the service to be processed again, updating the error and incrementing the error-num.
system:serviceaccount:openshift-service-ca:service-ca updates the service multiple times per second, judging by the audit logs.
This occurs continually, putting unnecessary load on the cluster.
Version-Release number of selected component (if applicable):
4.16.34
How reproducible:
Steps to Reproduce:
1. Annotate a service with an invalid serving-cert-secret-name like: oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}
2. Watch it continually process and update
Actual results:
Continual updates to the service
Expected results:
Should not continually loop over its own error updates
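One way to spot this hotloop from the API server audit log, and to check a secret name before annotating, is sketched below. It is an added example, not code from the service-ca operator or from this report; it assumes JSON-lines audit events with the standard Kubernetes audit fields, and the thresholds, the "demo" namespace and the sample events are constructed for illustration.

```python
import json, re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SERVICE_CA = "system:serviceaccount:openshift-service-ca:service-ca"
# RFC 1123 subdomain regex as quoted in the serving-cert-generation-error annotation.
SUBDOMAIN = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")

def valid_secret_name(name):
    """Pre-flight check for a serving-cert-secret-name value (253 = Kubernetes subdomain length limit)."""
    return len(name) <= 253 and SUBDOMAIN.fullmatch(name) is not None

def hotlooping_services(audit_lines, min_rate=1.0, min_events=5):
    """Return {(namespace, name): writes_per_second} for services that the
    service-ca account rewrites at min_rate or faster (assumed thresholds)."""
    stamps = defaultdict(list)
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        ref = ev.get("objectRef") or {}
        if ((ev.get("user") or {}).get("username") != SERVICE_CA
                or ev.get("verb") not in ("update", "patch")
                or ref.get("resource") != "services"
                or ev.get("stage") != "ResponseComplete"):
            continue
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        stamps[(ref.get("namespace"), ref.get("name"))].append(ts)
    flagged = {}
    for key, times in stamps.items():
        if len(times) < min_events:
            continue
        span = (max(times) - min(times)).total_seconds()
        rate = (len(times) - 1) / span if span > 0 else float("inf")
        if rate >= min_rate:
            flagged[key] = rate
    return flagged

def sample_audit_lines():
    """Constructed sample: 8 service-ca updates 250 ms apart, 2 slow updates by another user."""
    t0 = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def event(user, name, offset):
        return json.dumps({"stage": "ResponseComplete", "verb": "update", "user": {"username": user},
                           "objectRef": {"resource": "services", "namespace": "demo", "name": name},
                           "requestReceivedTimestamp": (t0 + timedelta(seconds=offset)).isoformat()})
    lines = [event(SERVICE_CA, "myservice", i * 0.25) for i in range(8)]
    return lines + [event("constructed-user", "other", i * 30) for i in range(2)] + ["not json"]

if __name__ == "__main__":
    for (ns, name), rate in hotlooping_services(sample_audit_lines()).items():
        print(f"{ns}/{name}: {rate:.1f} writes/s by service-ca")
```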
- blocks: OCPBUGS-61966 Service CA Operator Hotloops on Invalid serving-cert-secret-name (Verified)
- is cloned by: OCPBUGS-61966 Service CA Operator Hotloops on Invalid serving-cert-secret-name (Verified)