
ARO clusters cannot scale on upgrade to 4.19


    • Quality / Stability / Reliability
    • False
    • 5
    • MCO Sprint 274
    • 1
    • Done
    • Bug Fix
      Previously, Machine Config Operator (MCO) certificate management failed during an Azure Red Hat OpenShift (ARO) upgrade to 4.19 due to missing infrastructure status fields. Because of this, certificates were refreshed without required SAN IPs, causing connectivity issues for upgraded ARO clusters. With this fix, the MCO now adds SAN IPs during certificate management in ARO, preventing immediate rotation on upgrade to 4.19. As a result, certificates now retain SAN IPs during ARO upgrades to 4.19, preventing immediate rotation and ensuring smooth operation. (link:https://issues.redhat.com/browse/OCPBUGS-59780[OCPBUGS-59780])

      Currently, the MCO uses the infrastructure status to infer the hostnames during cert management. In ARO, those fields don't exist, so when the MCO's cert reconcile loop runs on upgrade to 4.19, it refreshes the cert without the required SAN IPs.

      The certcontroller in the MCO is vendored from library-go, which uses annotations on the secret to determine if the certs are due for rotation. Clusters in <4.18 do not have these annotations and hence will have an immediate rotation when upgraded. The 4.19 installer creates the secret with these annotations, so we will not see an immediate rotation when the MCO comes up during 4.19 installation and 

      See https://issues.redhat.com/browse/ARO-20086 for some more context. 

              djoshy David Joshy
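
A check for the failure described in this issue, added here as an example and not taken from the issue, the MCO or library-go: it parses a PEM certificate and lists which required IPs are absent from its SANs. The function names, the sample certificate and the IP addresses are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// missingSANIPs returns the required IPs that are absent from the certificate's SAN list.
func missingSANIPs(certPEM []byte, required []string) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, want := range required {
		ip, found := net.ParseIP(want), false
		for _, have := range cert.IPAddresses {
			found = found || have.Equal(ip)
		}
		if !found {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

// sampleCert builds a constructed, self-signed certificate carrying the given SAN IPs.
// Errors are ignored because the inputs are fixed sample values.
func sampleCert(ips ...net.IP) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: ips,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed case: a refreshed cert that kept one IP and lost the other.
	fmt.Println(missingSANIPs(sampleCert(net.ParseIP("10.0.0.5")), []string{"10.0.0.5", "192.0.2.10"}))
}
```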