OpenShift Bugs / OCPBUGS-63541

ccoctl aws always generates new keys when the private key file is missing

    • Quality / Stability / Reliability
    • Critical
    • Status: In Progress
    • Release Note Type: Bug Fix
    • Release Note Text:

      Previously, the ccoctl utility would always generate a new keypair when the private key was not found in the output directory. Several documented procedures instruct the user to extract only the public key from an existing cluster prior to using the ccoctl utility in order to reduce the risk of the private key being compromised. As a result, users following these processes were experiencing service outages due to the newly generated keypair not matching the cluster itself.

      This change ensures that a new keypair is never generated when a public key is specified with the --public-key-file parameter. It also ensures this parameter exists on all of the create-all functions in order to extend this functionality. As a result, specifying the --public-key-file will ensure the specified public key is used and the cluster will continue to function as expected.

      Description of problem:

          The ccoctl aws commands always generate a new keypair when the private key file does not exist in the output dir. This forces the user to get the private key from the cluster when performing day-2 ccoctl operations. The private key is only needed for pre-install processes where there is no public key to be obtained from the cluster. We also want to avoid forcing the user to download the private key, as that poses security concerns.

      Version-Release number of selected component (if applicable):

          4.20

      How reproducible:

          Always

      Steps to Reproduce:

          1. Install an AWS cluster.
          2. Follow the process [1] to enable token-based authentication.
          3. Section 2.2.4, step 1: ccoctl aws create-all

      [1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/updating_clusters/preparing-to-update-a-cluster#cco-ccoctl-upgrading_preparing-manual-creds-update

      Actual results:

      $ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
        --name "${CLUSTER_NAME}" \
        --region "${CLUSTER_LOCATION}" \
        --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
      2025/10/24 12:43:38 Generating RSA keypair
      2025/10/24 12:43:39 Writing private key to jstueversts3186/serviceaccount-signer.private
      2025/10/24 12:43:39 Writing public key to jstueversts3186/serviceaccount-signer.public

      Expected results:

      $ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
        --name "${CLUSTER_NAME}" \
        --region "${CLUSTER_LOCATION}" \
        --credentials-requests-dir "${CLUSTER_NAME}/creds/aws" \
        --public-key-file "${CLUSTER_NAME}/service-signer.public"
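      The key-selection order this report describes, written out as a runnable Go model. This is an added illustration, not ccoctl's own code: the pre-fix and fixed precedence rules in resolveSigningKey are reconstructed from the description above, the file names in --output-dir are taken from the log lines under Actual results, and it assumes the extracted public key is a PEM "PUBLIC KEY" (PKIX) block, which is an assumption to check against the file you actually pulled from the cluster. scenario plays the day-2 case end to end: a generated key pair stands in for the cluster's token signer, only its public key is written to the output directory, and both versions of the decision are asked what they would do with --public-key-file set.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// File names ccoctl writes into --output-dir, taken from the log lines in the bug.
const (
	privateKeyName = "serviceaccount-signer.private"
	publicKeyName  = "serviceaccount-signer.public"
)

// KeyMode records where the service-account signing key comes from.
type KeyMode string

const (
	ModePublicKeyFile   KeyMode = "public-key-file"  // day-2: only the cluster's public key is on disk
	ModeExistingPrivate KeyMode = "existing-private" // pre-install re-run: reuse the pair ccoctl wrote
	ModeGenerate        KeyMode = "generate"         // pre-install: nothing on disk, mint a fresh pair
)

// loadPublicKey parses a PEM "PUBLIC KEY" block and insists on RSA. Private-key PEM
// is rejected, so pointing --public-key-file at the wrong file fails loudly.
func loadPublicKey(path string) (*rsa.PublicKey, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("%s: expected a PEM PUBLIC KEY block", path)
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	rsaKey, ok := key.(*rsa.PublicKey) // ok is false when err != nil, so one check covers both
	if err != nil || !ok {
		return nil, fmt.Errorf("%s: not a PKIX-encoded RSA public key: %v", path, err)
	}
	return rsaKey, nil
}

// resolveSigningKey decides which key the identity provider is built from. legacy=true models
// the pre-fix order (a private key in the output dir wins, else generate a new pair; the
// --public-key-file value is never consulted); legacy=false models the fix (an explicit public
// key file always wins, so no key pair is ever generated silently).
func resolveSigningKey(outputDir, publicKeyFile string, legacy bool) (KeyMode, *rsa.PublicKey, error) {
	if publicKeyFile != "" && !legacy {
		pub, err := loadPublicKey(publicKeyFile)
		if err != nil {
			return "", nil, err
		}
		return ModePublicKeyFile, pub, nil
	}
	if _, err := os.Stat(filepath.Join(outputDir, privateKeyName)); err == nil {
		return ModeExistingPrivate, nil, nil // reading that key is omitted; only the decision matters here
	}
	// The legacy path lands here even when publicKeyFile was given; the pair it
	// would mint is one the running cluster has never trusted, hence the outage.
	return ModeGenerate, nil, nil
}

// scenario replays the bug report: the cluster already signs tokens with clusterKey
// (generated here to stand in for a real cluster), the operator extracted only its
// public key into outputDir and ran create-all with --public-key-file. It reports
// what each ccoctl version does and whether the fixed one holds the cluster's key.
func scenario(outputDir string) (legacy, fixed KeyMode, sameKey bool, err error) {
	clusterKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	der, _ := x509.MarshalPKIXPublicKey(&clusterKey.PublicKey)
	pubPath := filepath.Join(outputDir, publicKeyName)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	if err = os.WriteFile(pubPath, pubPEM, 0o644); err != nil {
		return
	}
	if legacy, _, err = resolveSigningKey(outputDir, pubPath, true); err != nil {
		return
	}
	var pub *rsa.PublicKey
	if fixed, pub, err = resolveSigningKey(outputDir, pubPath, false); err != nil {
		return
	}
	sameKey = pub.N.Cmp(clusterKey.N) == 0 && pub.E == clusterKey.E
	return
}

func main() {
	dir, err := os.MkdirTemp("", "ccoctl-day2-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println(scenario(dir)) // prints: generate public-key-file true <nil>
}
```

      Running it prints `generate public-key-file true <nil>`: the pre-fix order mints a key the cluster has never trusted, which is the service outage in the release note, while the fixed order returns the cluster's own key. loadPublicKey additionally refuses private-key PEM, so a mis-pointed --public-key-file fails instead of nudging the operator into copying the private key onto a day-2 workstation.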


              Jeremiah Stuever (jstuever@redhat.com)
              Jianping Shu
              Votes: 0
              Watchers: 4