-
Bug
-
Resolution: Won't Do
-
Normal
-
None
-
4.13.0
-
Quality / Stability / Reliability
-
False
-
-
None
-
Moderate
-
No
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Users can initiate an encryption key migration by updating the relevant apiserver object with the following unsupported config:
"unsupportedConfigOverrides": {
"encryption": {
"reason": "test-key-rotation"
}
}
However when the rotation happen, the operator doesn't remove the unsupported config override and the unsupported config override detects it and report the cluster operator as being non upgradeable.
This is inconvenient and the operator should remove the unsupported config when the migration is completed.
This can make our e2e fail: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-kube-apiserver-operator/1446/pull-ci-openshift-cluster-kube-apiserver-operator-master-e2e-gcp-operator-encryption-rotation-single-node/1626273509623730176
It shouldn't be too urgent because we don't advertise this force rotation mechanism in the doc so very few customers should be impacted and it is easy to fix for them.