Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: None
Affects Version/s: 4.13
Component/s: cert-manager
Labels:
- cfeplan

Severity:
Moderate
Regression:
No
Epic Link:
cert-manager operator 1.12 release
Story Points:
3
Sprint:
CFE Sprint 234, CFE Sprint 235, CFE Sprint 240
sprint_count:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

When acme issuer sets "disableAccountKeyGeneration: true", updating privateKeySecretRef secret won't change the acme account.

Version-Release number of selected component (if applicable):

cert-manager installed with cert-manager-operator-bundle-container-v1.10.2-18 on OCP 4.13.0-0.nightly-2023-02-27-101545

How reproducible:

Always

Steps to Reproduce:

1. Install OCP env. Then install cert-manager Operator for Red Hat OpenShift.

2. Prepare secrets
$ aws_access_key_id=$(grep aws_access_key_id ~/.aws/credentials | cut -d = -f 2)
$ aws_secret_access_key=$(grep aws_secret_access_key ~/.aws/credentials | cut -d = -f 2)

$ oc create secret generic route53-creds --from-literal=aws_access_key_id="$aws_access_key_id" --from-literal=aws_secret_access_key="$aws_secret_access_key" -n cert-manager

3. Create clusterissuer one
$ cat cluster-issuer-one.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-one
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt-one
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - selector:
        dnsZones:
          - qe1.devcluster.openshift.com
      dns01:
        route53:
          accessKeyIDSecretRef:
            key: aws_access_key_id
            name: route53-creds
          hostedZoneID: <snipped_hosted_zone_id>
          region: us-east-1
          secretAccessKeySecretRef:
            key: aws_secret_access_key
            name: route53-creds

$ oc create -f cluster-issuer-one.yaml

$ oc get clusterissuer -o wide
NAME              READY   STATUS                                                 AGE
letsencrypt-one   True    The ACME account was registered with the ACME server   2m11s

$ oc get clusterissuer letsencrypt-one -o yaml
...
    uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90569434
...

Save the secret letsencrypt-one:
$ oc get secret letsencrypt-one -n cert-manager -o yaml > secret-letsencrypt-one.yaml

4. Create cluster issuer two
$ sed 's/letsencrypt-one/letsencrypt-two/g' cluster-issuer-one.yaml | oc create -f -
clusterissuer.cert-manager.io/letsencrypt-two created

$ oc get clusterissuer letsencrypt-two -o yaml
...
    uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90750464
...

Save the secret letsencrypt-two:
$ oc get secret letsencrypt-two -n cert-manager -o yaml > secret-letsencrypt-two.yaml

5. Create a new clusterissuer using existing privateKeySecretRef account of "letsencrypt-one" with disableAccountKeyGeneration:
$ sed 's/letsencrypt-one/letsencrypt-one/g' secret-letsencrypt-one.yaml | oc create -n cert-manager -f -
secret/letsencrypt created

$ cat cluster-issuer-using-existing-account.yaml # it uses secret "letsencrypt" which includes same account as secret "letsencrypt-one"
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    disableAccountKeyGeneration: true
    preferredChain: ""
    privateKeySecretRef:
      key: tls.key
      name: letsencrypt
...snipped lines which are same as previous yaml file...

$ oc create -f cluster-issuer-using-existing-account.yaml
clusterissuer.cert-manager.io/letsencrypt created

$ oc get clusterissuer letsencrypt -o yaml
...
    uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90569434
...

We can see it uses same account 90569434 as previous.

6. Update the content of secret "letsencrypt" to be the content of secret letsencrypt-two.
$ sed 's/letsencrypt-two/letsencrypt/g' secret-letsencrypt-two.yaml | oc replace -n cert-manager -f -
secret/letsencrypt replaced

Wait a moment, check the account in clusterissuer "letsencrypt" again, it is still account 90569434.

7. Change privateKeySecretRef secret name
$ oc edit clusterissuer letsencrypt # change secret name from "letsencrypt" to "letsencrypt-two" 

Wait a moment, check the account in clusterissuer "letsencrypt" again, it is still account 90569434.

8. Check logs of cert-manager
$ oc logs cert-manager-d464b7449-5m7nn -n cert-manager
I0302 04:18:03.215124       1 setup.go:202] cert-manager/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"="" "resource_version"="v1"
I0302 05:19:51.202405       1 setup.go:202] cert-manager/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-two" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"="" "resource_version"="v1"

Actual results:

In step 6 and 7, no matter updating content of existing secret or changing secret name to another one, the clusterissuer won't change the acme account.

Expected results:

Given the secret content of privateKeySecretRef changed to another account's secret key, the clusterissuer should change the acme account accordingly.

Additional info:

Attachments

Issue Links

links to

RHEA-2023:5339 cert-manager Operator for Red Hat OpenShift 1.12.0

Activity

People

Assignee:: Trilok Geer

Reporter:: Xingxing Xia

QA Contact:: Yuedong Wu

Contributors:: Thejas N (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023/03/02 8:12 AM

Updated:: 2023/10/02 12:49 AM

Resolved:: 2023/10/02 12:49 AM