OCPBUGS-56599 (OpenShift Bugs)

Service CA Operator Hotloops on Invalid serving-cert-secret-name

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • 4.21.0
    • 4.16.z
    • Component: service-ca
    • Quality / Stability / Reliability
    • False
    • Status: In Progress
    • Release Note Type: Bug Fix
    • Release Note Text: In previous versions, setting an invalid certificate secret name in the service annotation `service.beta.openshift.io/serving-cert-secret-name` would cause the service CA operator to hotloop. This fix allows the operator to stop retrying to create the secret after 10 tries. The number of retries cannot be changed.

      Description of problem:

      If you annotate a service with an invalid secret name, it will cause a hotloop:

      oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}

      Validation will catch and report the error via the serving-cert-generation-error annotation:

      service.alpha.openshift.io/serving-cert-generation-error: 'Secret "foobla-${FOO}" is invalid: metadata.name: Invalid value: "foobla-${FOO}": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, ''-'' or ''.'', and must start and end with an alphanumeric character (e.g. ''example.com'', regex used for validation is ''[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'')'

      This will also trigger serving-cert-generation-error-num to be updated:

      service.alpha.openshift.io/serving-cert-generation-error-num: '452'

      Writing these annotations is itself an update to the service, so the service is processed again, which rewrites the error and increments the error-num.

      Looking at the audit logs, system:serviceaccount:openshift-service-ca:service-ca updates the service multiple times per second.

      This occurs continually, putting unnecessary load on the cluster.
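The feedback loop described above, as an added simulation that is not the service-ca operator's own code: a minimal in-memory `Service` stand-in, the same RFC 1123 subdomain check the API server applies to a Secret name, and a one-pass `Reconcile` that, like a real controller, gets re-queued after every write it makes. With no retry cap it keeps rewriting the two error annotations until the simulation budget runs out (the pre-fix hotloop); with a cap of 10 it stops writing once `serving-cert-generation-error-num` reaches 10, so no further event is generated. The cap-on-error-num mechanism and the `maxRetries` parameter are assumptions that stand in for whatever the actual fix does, and the starting secret name is the unexpanded `${FOO}` from the report.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Annotation keys quoted in the bug report.
const (
	secretNameAnnotation  = "service.beta.openshift.io/serving-cert-secret-name"
	genErrorAnnotation    = "service.alpha.openshift.io/serving-cert-generation-error"
	genErrorNumAnnotation = "service.alpha.openshift.io/serving-cert-generation-error-num"
)

// Same RFC 1123 subdomain pattern that the API server cites in its error message.
var rfc1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// Service is a minimal stand-in for corev1.Service; only annotations matter here.
type Service struct {
	Name        string
	Annotations map[string]string
}

// ValidateSecretName mimics the API server's metadata.name check for a Secret.
func ValidateSecretName(name string) error {
	if name == "" {
		return errors.New("metadata.name: Required value")
	}
	if len(name) > 253 || !rfc1123Subdomain.MatchString(name) {
		return fmt.Errorf("Secret %q is invalid: metadata.name: Invalid value: %q: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character", name, name)
	}
	return nil
}

// ErrorCount reads serving-cert-generation-error-num; missing or unparsable counts as 0.
func ErrorCount(svc *Service) int {
	n, err := strconv.Atoi(svc.Annotations[genErrorNumAnnotation])
	if err != nil {
		return 0
	}
	return n
}

// Reconcile runs one pass of the simplified controller and reports whether it
// wrote the Service. maxRetries <= 0 reproduces the pre-fix behaviour: every
// pass records the error and bumps the counter, and that write is what queues
// the next pass. A positive maxRetries (assumed fix shape) stops writing once
// the counter reaches it, so the loop has nothing left to feed on.
func Reconcile(svc *Service, maxRetries int) bool {
	secretName, ok := svc.Annotations[secretNameAnnotation]
	if !ok {
		return false // this service does not ask for a serving cert
	}
	err := ValidateSecretName(secretName)
	if err == nil {
		return false // a real controller would create or refresh the Secret here
	}
	count := ErrorCount(svc)
	if maxRetries > 0 && count >= maxRetries {
		return false // give up and leave the existing error annotations untouched
	}
	svc.Annotations[genErrorAnnotation] = err.Error()
	svc.Annotations[genErrorNumAnnotation] = strconv.Itoa(count + 1)
	return true
}

// RunUntilQuiet re-queues the Service after every write, the way a watch on
// the Service object would, and returns how many writes happened before the
// controller fell silent. budget bounds the simulation so the unbounded case halts.
func RunUntilQuiet(svc *Service, maxRetries, budget int) int {
	writes := 0
	for writes < budget && Reconcile(svc, maxRetries) {
		writes++
	}
	return writes
}

// newService builds a constructed sample Service annotated with the given secret name.
func newService(secretName string) *Service {
	return &Service{Name: "myservice", Annotations: map[string]string{secretNameAnnotation: secretName}}
}

func main() {
	before := newService("foobla-${FOO}")
	fmt.Printf("pre-fix: %d writes within a 1000-event budget, error-num=%s\n",
		RunUntilQuiet(before, 0, 1000), before.Annotations[genErrorNumAnnotation])

	after := newService("foobla-${FOO}")
	fmt.Printf("with retry cap: %d writes, error-num=%s\n",
		RunUntilQuiet(after, 10, 1000), after.Annotations[genErrorNumAnnotation])

	fmt.Printf("valid name: %d writes\n", RunUntilQuiet(newService("myservice-tls"), 10, 1000))
}
```

The point the simulation makes is that the loop is self-inflicted: the controller's own status write is the event that re-triggers it, so the fix has to make the error path eventually stop writing (or write only when something actually changed), not merely retry less often.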

      Version-Release number of selected component (if applicable):

      4.16.34

      How reproducible:


      Steps to Reproduce:

          1. Annotate a service with an invalid serving-cert-secret-name, like:
      oc annotate service myservice service.beta.openshift.io/serving-cert-secret-name=foobla-${FOO}
          2. Watch it continually process and update

      Actual results:

      Continual updates to the service

      Expected results:

      Should not continually loop over its own error updates

              Flavian Missi (fmissi)
              Matt Robson (rhn-support-mrobson)
              Xingxing Xia
              Votes: 1
              Watchers: 6