OpenShift Bugs / OCPBUGS-61776

Ignition Server certificate secrets deleted if disable-pki-reconciliation annotation is present


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.21.0
    • 4.20, 4.21
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • Proposed
    • Bug Fix
    • Cause: Deploying Hypershift 4.20+ with user-supplied ignition-server-serving-cert and ignition-server-ca-cert secrets, along with the disable-pki-reconciliation annotation.
      Consequence: The user-supplied ignition secrets are removed, and the ignition-server pods fail to start.
      Fix: The ignition-server reconciliation does not remove ignition-server secrets when the disable-pki-reconciliation annotation is present.
      Result: User-supplied ignition-server secrets are preserved.

      Description of problem:

      If the disable-pki-reconciliation annotation is present, the ignition-server-serving-cert and ignition-server-ca-cert secrets are deleted during ignition-server reconciliation. This prevents ignition-server pods from starting up completely.

      Version-Release number of selected component (if applicable):

      4.20, 4.21

      How reproducible:

      Always

      Steps to Reproduce:

       
      1. Create 4.20 HostedCluster with user-supplied ignition-server-serving-cert and ignition-server-ca-cert secrets, as well as the disable-pki-reconciliation annotation
          

      Actual results:

      The control-plane-operator deletes the user-supplied secrets, and the ignition-servers won't start up completely.
          

      Expected results:

      User-supplied secrets are preserved, and ignition-server pods start up completely.
          

      Additional info:

          

              mate-lajko Máté Lajkó