  1. OpenShift Bugs
  2. OCPBUGS-70267

The sa-signing-key secret in the hcp namespace needs to be manually deleted to trigger its update


    • Bug
    • Resolution: Unresolved
    • 4.22
    • HyperShift
    • False
    • Important
    • Rejected

      Description of problem:

      After updating the .Spec.ServiceAccountSigningKey, hc reports ReconciliationError "configuration is invalid: invalid service account signing key: existing control plane service account signing key does not match private key" until I delete the sa-signing-key secret in the hcp namespace manually; then this error is gone and a new sa-signing-key secret is created with the newly updated sa key.
          

      Version-Release number of selected component (if applicable):

      4.22.0-0.nightly-2025-12-29-152753
          

      How reproducible:

      always
          

      Steps to Reproduce:

          1. openssl genrsa -traditional -out rsa_pkcs1_private.key 2048
             oc set data secret/xiuwang-aks-hc-cn2119-dsa-token-issuer-key --from-file=key=${PATH}/feature-OCPSTRAT-2533/key3/rsa_pkcs1_private.key -n clusters
          2. oc get hc xiuwang-aks-hc-cn2119-d -n clusters
               - lastTransitionTime: "2025-12-30T06:47:34Z"
                 message: 'ValidConfiguration condition is false: invalid service account signing
                   key: existing control plane service account signing key does not match private
                   key'
                 observedGeneration: 5
                 reason: Blocked
                 status: "False"
                 type: Progressing
               - lastTransitionTime: "2025-12-30T06:47:34Z"
                 message: Required platform credentials are found
                 observedGeneration: 2
                 reason: AsExpected
                 status: "True"
                 type: PlatformCredentialsFound
               - lastTransitionTime: "2025-12-30T09:24:03Z"
                 message: 'configuration is invalid: invalid service account signing key: existing
                   control plane service account signing key does not match private key'
                 observedGeneration: 5
                 reason: ReconciliationError
                 status: "False"
                 type: ReconciliationSucceeded
          3. Delete the secret
             oc delete secret sa-signing-key -n clusters-xiuwang-aks-hc-cn2119-d
          4. oc get secret | grep sa
             sa-signing-key                                          Opaque                           2      3m59s
          5. oc get secret sa-signing-key -n "${HCP_NAMESPACE}" \
               -o jsonpath='{.data.service-account\.key}' | base64 -d > /tmp/current-key.pem
          6. diff -uNr /tmp/current-key.pem rsa_pkcs1_private.key
             sa-signing-key secret has been updated to use new sa key
          

      Actual results:

      
          

      Expected results:

      Should update sa-signing-key secret automatically after updating the Spec.ServiceAccountSigningKey secret
          

      Additional info:
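Added example, not part of the original report or of HyperShift: a shell check for whether the sa-signing-key secret in the hcp namespace carries the same key as the secret referenced by Spec.ServiceAccountSigningKey, comparing SHA-256 digests so the private key is never written to disk. The function names are hypothetical; the secret data keys (`key`, `service-account.key`) are the ones used in the steps above, and GNU `base64` and `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example (not HyperShift code): detect a stale sa-signing-key copy
# after rotating the key referenced by Spec.ServiceAccountSigningKey.

# key_digest: read base64 text (as stored under .data in a Secret) on stdin
# and print the SHA-256 of the decoded bytes. Only the digest leaves the pipe.
key_digest() {
    base64 -d | sha256sum | cut -d' ' -f1
}

# keys_match B64_A B64_B
#   0 = both values decode to identical bytes
#   1 = the keys differ (the state described in this report)
#   2 = a value is empty (secret missing, or deleted and not yet recreated)
keys_match() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        return 2
    fi
    a=$(printf '%s' "$1" | key_digest)
    b=$(printf '%s' "$2" | key_digest)
    [ "$a" = "$b" ]
}

# check_sa_signing_key HC_NAMESPACE SOURCE_SECRET HCP_NAMESPACE
# Fetches both secrets with oc and reports whether they agree.
check_sa_signing_key() {
    src=$(oc get secret "$2" -n "$1" -o jsonpath='{.data.key}')
    cur=$(oc get secret sa-signing-key -n "$3" \
        -o jsonpath='{.data.service-account\.key}')
    rc=0
    keys_match "$src" "$cur" || rc=$?
    case "$rc" in
        0) echo "match: sa-signing-key carries the current signing key" ;;
        1) echo "stale: sa-signing-key still carries a different key" ;;
        *) echo "unknown: a secret or its data key is missing" ;;
    esac
    return "$rc"
}

# Runs only when called with the three arguments, for example:
#   ./check.sh clusters xiuwang-aks-hc-cn2119-dsa-token-issuer-key \
#       clusters-xiuwang-aks-hc-cn2119-d
if [ "$#" -eq 3 ]; then
    check_sa_signing_key "$@"
fi
```

The comparison is byte-exact, like the `diff` in step 6, so a difference in trailing newlines between the two copies is reported as a mismatch.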

      
          

              rh-ee-mraee Mulham Raee
              rh-ee-xiuwang XiuJuan Wang
              XiuJuan Wang