OpenShift Bugs: OCPBUGS-63546

ccoctl aws always generates new keys when the private key file is missing


    • Quality / Stability / Reliability
    • False
    • Critical
    • Proposed
    • Done
    • Bug Fix
    • Release Note Text: Before this release, the `ccoctl` utility would automatically generate a new keypair if the private key was not found, even when users intentionally provided only the public key as per documented security procedures. This behavior caused a problem, as the newly generated keys would not match the cluster's keys, resulting in service outages for users following the correct process. With this update, the utility was changed to ensure a new keypair is never generated when the `--public-key-file` parameter is specified, and this parameter was added to all create-all functions for consistency. As a result, specifying the public key file now guarantees the provided key is used, ensuring the cluster continues to function as expected without interruption. (link:https://issues.redhat.com/browse/OCPBUGS-63546[OCPBUGS-63546])

      This is a clone of issue OCPBUGS-63541. The following is the description of the original issue:

      Description of problem:

          The ccoctl aws commands always generate a new keypair when the private key file does not exist in the output directory. This forces the user to get the private key from the cluster when performing day-2 ccoctl operations. The private key is only needed for pre-install processes, where there is no public key to be obtained from the cluster. We want to avoid forcing the user to download the private key, as that poses security concerns.

      Version-Release number of selected component (if applicable):

          4.20

      How reproducible:

          Always

      Steps to Reproduce:

          1. Install an AWS cluster.
          2. Follow the process[1] to enable token based authentication
          3. 10.4.3 Step 2.ii - ./ccoctl aws create-identity-provider
           
      [1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/postinstallation_configuration/changing-cloud-credentials-configuration#post-install-enable-token-auth_changing-cloud-credentials-configuration

      Actual results:

      $ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
        --name "${CLUSTER_NAME}" \
        --region "${CLUSTER_LOCATION}" \
        --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
      2025/10/24 12:43:38 Generating RSA keypair
      2025/10/24 12:43:39 Writing private key to jstueversts3186/serviceaccount-signer.private
      2025/10/24 12:43:39 Writing public key to jstueversts3186/serviceaccount-signer.public

      Expected results:

      $ ccoctl aws create-all --output-dir "${CLUSTER_NAME}" \
        --name "${CLUSTER_NAME}" \
        --region "${CLUSTER_LOCATION}" \
        --credentials-requests-dir "${CLUSTER_NAME}/creds/aws"
      2025/10/24 13:01:05 Using existing RSA keypair found at jstueversts3186/serviceaccount-signer.public

      Additional info:

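The following Go program is an added illustration of the key-selection rule described in the release note and the bug description above; it is not ccoctl's own code. Only the file names `serviceaccount-signer.private` / `serviceaccount-signer.public` and the `--public-key-file` parameter come from this page. The function names (`resolveSigningKey`, `readPEM`, `writeKeypair`, `fingerprint`), the PEM encodings, the 2048-bit key size, the fingerprint format (SHA-256 over the PKIX DER, base64) and the way the "cluster's" public key is obtained (copied from a local install directory, since the page does not describe how it is fetched from a real cluster) are all assumptions made for the example. It shows the three cases a day-2 operator cares about: with `--public-key-file` the given key is used and no keypair is ever written; with `--public-key-file` pointing at an unusable file the command fails instead of generating; and without the flag, when only the public key is present locally, a fresh keypair that no longer matches the cluster is generated, which is the reported failure.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// File names as they appear in the ccoctl log lines on this page.
const privateKeyName, publicKeyName = "serviceaccount-signer.private", "serviceaccount-signer.public"

const SourceGenerated, SourceExisting, SourcePublicOnly = "generated new keypair", "existing private key", "public key from --public-key-file"

// resolveSigningKey models the rule the fix establishes (an illustration, not ccoctl's code): with
// publicKeyFile set, that key is used and nothing is ever generated, even when outputDir holds no
// private key; without it, an existing private key is reused and a keypair is written only when none exists.
func resolveSigningKey(outputDir, publicKeyFile string) (*rsa.PublicKey, string, error) {
	if publicKeyFile != "" {
		der, err := readPEM(publicKeyFile)
		if err != nil {
			return nil, "", fmt.Errorf("--public-key-file unusable, refusing to generate a keypair: %w", err)
		}
		key, err := x509.ParsePKIXPublicKey(der)
		pub, ok := key.(*rsa.PublicKey) // a nil key (parse error) simply fails the assertion
		if err != nil || !ok {
			return nil, "", fmt.Errorf("%s: not an RSA public key (%v)", publicKeyFile, err)
		}
		return pub, SourcePublicOnly, nil
	}
	if der, err := readPEM(filepath.Join(outputDir, privateKeyName)); err == nil {
		priv, err := x509.ParsePKCS1PrivateKey(der)
		if err != nil {
			return nil, "", err
		}
		return &priv.PublicKey, SourceExisting, nil
	} else if !os.IsNotExist(err) {
		return nil, "", err // present but unreadable or malformed: do not paper over it
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the only path that generates a key
	if err != nil {
		return nil, "", err
	}
	if err := writeKeypair(outputDir, priv); err != nil {
		return nil, "", err
	}
	return &priv.PublicKey, SourceGenerated, nil
}

// readPEM returns the DER bytes of the first PEM block in path.
func readPEM(path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("%s: no PEM block", path)
	}
	return block.Bytes, nil
}

// writeKeypair stores the private key as PKCS#1 PEM (mode 0600) and the public key as PKIX PEM.
func writeKeypair(outputDir string, priv *rsa.PrivateKey) error {
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	if err := os.WriteFile(filepath.Join(outputDir, privateKeyName), privPEM, 0o600); err != nil {
		return err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an *rsa.PublicKey
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return os.WriteFile(filepath.Join(outputDir, publicKeyName), pubPEM, 0o644)
}

// fingerprint (SHA-256 over PKIX DER, base64; assumed format) is what to compare with the cluster's key before a day-2 run.
func fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return base64.RawStdEncoding.EncodeToString(sum[:])
}

func main() {
	install, _ := os.MkdirTemp("", "install")
	day2, _ := os.MkdirTemp("", "day2")
	defer os.RemoveAll(install)
	defer os.RemoveAll(day2)
	clusterKey, src, _ := resolveSigningKey(install, "")           // pre-install: generation is expected here
	pubPEM, _ := os.ReadFile(filepath.Join(install, publicKeyName)) // stands in for the cluster's public key
	pubPath := filepath.Join(day2, "cluster.public")
	_ = os.WriteFile(pubPath, pubPEM, 0o644)
	fixed, srcFixed, _ := resolveSigningKey(day2, pubPath) // --public-key-file: same key, nothing generated
	bug, srcBug, _ := resolveSigningKey(day2, "")          // no flag: silently generates a non-matching key
	fmt.Println(src, fingerprint(clusterKey))
	fmt.Println(srcFixed, fingerprint(fixed) == fingerprint(clusterKey), "|", srcBug, fingerprint(bug) == fingerprint(clusterKey))
}
```

Run with `go run`; the second output line prints `true` for the run that passed the public key file and `false` for the run that did not, which is the mismatch that causes the outage in the report. The key design point is that a missing or unparsable `--public-key-file` is a hard error rather than a reason to fall back to generation, so an operator typo cannot silently replace the cluster's signing key.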

              People: Jeremiah Stuever (jstuever@redhat.com), Jianping Shu