OpenShift Bugs / OCPBUGS-56599

Service CA Operator Hotloops on Invalid serving-cert-secret-name

    • Bug
    • Resolution: Done
    • 4.21.0
    • 4.16.z
    • service-ca
    • Quality / Stability / Reliability
    • Done
    • Bug Fix
      Before this update, setting an invalid certificate secret name in the service annotation `service.beta.openshift.io/serving-cert-secret-name` caused the service CA Operator to hotloop. With this release, the Operator stops retrying to create the secret after 10 tries. The number of retries cannot be changed. (link:https://issues.redhat.com/browse/OCPBUGS-56599[OCPBUGS-56599])

      Description of problem:

      If you annotate a service with an invalid name, it will cause a hotloop.

      oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}
      

      Validation will catch and report the error via the serving-cert-generation-error annotation:

      service.alpha.openshift.io/serving-cert-generation-error: 'Secret "foobla-${FOO}" is invalid: metadata.name: Invalid value: "foobla-${FOO}": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, ''-'' or ''.'', and must start and end with an alphanumeric character (e.g. ''example.com'', regex used for validation is ''[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'')'
      

      This will also trigger serving-cert-generation-error-num to be updated

      service.alpha.openshift.io/serving-cert-generation-error-num: '452'
      

      This causes the service to be processed again, updating the error and incrementing the error-num.

      system:serviceaccount:openshift-service-ca:service-ca updates the service multiple times per second, based on the audit logs.

      This occurs continually, putting unnecessary load on the cluster.

      Version-Release number of selected component (if applicable):

      4.16.34
      

      How reproducible:

      
      

      Steps to Reproduce:

          1. Annotate a service with an invalid serving-cert-secret-name like:
      oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}
          2. Watch it continually process and update
      
      

      Actual results:

      Continual updates to the service
      

      Expected results:

      Should not continually loop over its own error updates
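The feedback loop the report describes (the operator's own error annotation is a write, the write is an update event, the update re-enqueues the service, the sync fails again) and the bounded-retry behaviour from the release note, as an added Go model that is not the service-ca-operator's own code. It validates the requested secret name with the RFC 1123 subdomain regex quoted in the generation-error annotation and runs the same invalid name as the reproduction step through a toy API server and work queue, once without a cap and once with the cap of 10. `Service`, `Cluster`, `Run`, and the choice to read the retry count back from the `serving-cert-generation-error-num` annotation are assumptions of this example; the page does not show where the real operator keeps its count or how its queue is wired.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

const (
	secretNameAnnotation = "service.beta.openshift.io/serving-cert-secret-name"
	errorAnnotation      = "service.alpha.openshift.io/serving-cert-generation-error"
	errorNumAnnotation   = "service.alpha.openshift.io/serving-cert-generation-error-num"
	// maxRetries is the fixed budget from the release note. Reading the count back from
	// the error-num annotation is an assumption of this toy, not the operator's code.
	maxRetries = 10
)

// rfc1123Subdomain is the regex quoted in the generation-error annotation, anchored.
var rfc1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// ValidateSecretName applies the API server's rule for a Secret's metadata.name.
func ValidateSecretName(name string) error {
	if len(name) > 253 || !rfc1123Subdomain.MatchString(name) {
		return fmt.Errorf("Secret %q is invalid: metadata.name: Invalid value: %q: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character", name, name)
	}
	return nil
}

// Service stands in for corev1.Service; only the annotations matter here.
type Service struct {
	Name        string
	Annotations map[string]string
}

// Cluster is a toy API server plus work queue. Every write the operator makes to a
// service is observed as an update event and re-enqueues that service.
type Cluster struct {
	services map[string]*Service
	queue    []string
	Secrets  map[string]bool // secrets the operator "created"
	Writes   int             // service updates issued by the operator
}

func NewCluster(svcs ...*Service) *Cluster {
	c := &Cluster{services: map[string]*Service{}, Secrets: map[string]bool{}}
	for _, s := range svcs {
		if s.Annotations == nil {
			s.Annotations = map[string]string{}
		}
		c.services[s.Name] = s
		c.queue = append(c.queue, s.Name) // initial add event
	}
	return c
}

func (c *Cluster) updateService(svc *Service) {
	c.Writes++
	c.queue = append(c.queue, svc.Name) // the informer sees the write and re-enqueues
}

// reconcile is one sync of a service; bounded selects the post-fix behaviour.
func (c *Cluster) reconcile(key string, bounded bool) error {
	svc := c.services[key]
	name, ok := svc.Annotations[secretNameAnnotation]
	if !ok {
		return nil
	}
	err := ValidateSecretName(name)
	if err == nil {
		c.Secrets[name] = true
		return nil
	}
	n, _ := strconv.Atoi(svc.Annotations[errorNumAnnotation]) // "" parses as 0
	if bounded && n >= maxRetries {
		return err // give up without writing: no write, no event, no loop
	}
	// Pre-fix behaviour: record the error on the service, which is itself a write.
	svc.Annotations[errorAnnotation] = err.Error()
	svc.Annotations[errorNumAnnotation] = strconv.Itoa(n + 1)
	c.updateService(svc)
	return err
}

// Run drains the queue, processing at most budget keys, and returns how many syncs
// ran. An unbounded run on an invalid name exhausts the budget: that is the hotloop.
func (c *Cluster) Run(bounded bool, budget int) int {
	syncs := 0
	for len(c.queue) > 0 && syncs < budget {
		key := c.queue[0]
		c.queue = c.queue[1:]
		syncs++
		_ = c.reconcile(key, bounded)
	}
	return syncs
}

func main() {
	bad := func() *Service { // same invalid name as the reproduction step
		return &Service{Name: "myservice", Annotations: map[string]string{secretNameAnnotation: "foobla-${FOO}"}}
	}
	old, fixed := NewCluster(bad()), NewCluster(bad())
	n := old.Run(false, 1000)
	fmt.Printf("pre-fix:  %d syncs, %d writes, error-num=%s\n", n, old.Writes, old.services["myservice"].Annotations[errorNumAnnotation])
	n = fixed.Run(true, 1000)
	fmt.Printf("post-fix: %d syncs, %d writes, error-num=%s\n", n, fixed.Writes, fixed.services["myservice"].Annotations[errorNumAnnotation])
}
```

The pre-fix run never drains the queue: each sync writes a new error-num, each write is an event, and the budget is the only thing that stops it. The post-fix run performs ten writes and then returns the error without touching the service, so no further event is generated and the queue empties; the error annotations stay on the service for the owner to read, which matches the report's expectation that the operator should not loop over its own error updates.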
      

              Flavian Missi (fmissi)
              Matt Robson (rhn-support-mrobson)
              Xingxing Xia
              Votes: 1
              Watchers: 6