-
Bug
-
Resolution: Done-Errata
-
Major
-
None
-
4.13
-
Quality / Stability / Reliability
-
False
-
-
3
-
Moderate
-
No
-
None
-
None
-
None
-
CFE Sprint 234, CFE Sprint 235, CFE Sprint 240
-
3
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
When acme issuer sets "disableAccountKeyGeneration: true", updating privateKeySecretRef secret won't change the acme account.
Version-Release number of selected component (if applicable):
cert-manager installed with cert-manager-operator-bundle-container-v1.10.2-18 on OCP 4.13.0-0.nightly-2023-02-27-101545
How reproducible:
Always
Steps to Reproduce:
1. Install OCP env. Then install cert-manager Operator for Red Hat OpenShift.
2. Prepare secrets
$ aws_access_key_id=$(grep aws_access_key_id ~/.aws/credentials | cut -d = -f 2)
$ aws_secret_access_key=$(grep aws_secret_access_key ~/.aws/credentials | cut -d = -f 2)
$ oc create secret generic route53-creds --from-literal=aws_access_key_id="$aws_access_key_id" --from-literal=aws_secret_access_key="$aws_secret_access_key" -n cert-manager
3. Create clusterissuer one
$ cat cluster-issuer-one.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-one
spec:
acme:
preferredChain: ""
privateKeySecretRef:
name: letsencrypt-one
server: https://acme-staging-v02.api.letsencrypt.org/directory
solvers:
- selector:
dnsZones:
- qe1.devcluster.openshift.com
dns01:
route53:
accessKeyIDSecretRef:
key: aws_access_key_id
name: route53-creds
hostedZoneID: <snipped_hosted_zone_id>
region: us-east-1
secretAccessKeySecretRef:
key: aws_secret_access_key
name: route53-creds
$ oc create -f cluster-issuer-one.yaml
$ oc get clusterissuer -o wide
NAME READY STATUS AGE
letsencrypt-one True The ACME account was registered with the ACME server 2m11s
$ oc get clusterissuer letsencrypt-one -o yaml
...
uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90569434
...
Save the secret letsencrypt-one:
$ oc get secret letsencrypt-one -n cert-manager -o yaml > secret-letsencrypt-one.yaml
4. Create cluster issuer two
$ sed 's/letsencrypt-one/letsencrypt-two/g' cluster-issuer-one.yaml | oc create -f -
clusterissuer.cert-manager.io/letsencrypt-two created
$ oc get clusterissuer letsencrypt-two -o yaml
...
uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90750464
...
Save the secret letsencrypt-two:
$ oc get secret letsencrypt-two -n cert-manager -o yaml > secret-letsencrypt-two.yaml
5. Create a new clusterissuer using existing privateKeySecretRef account of "letsencrypt-one" with disableAccountKeyGeneration:
$ sed 's/letsencrypt-one/letsencrypt-one/g' secret-letsencrypt-one.yaml | oc create -n cert-manager -f -
secret/letsencrypt created
$ cat cluster-issuer-using-existing-account.yaml # it uses secret "letsencrypt" which includes same account as secret "letsencrypt-one"
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
disableAccountKeyGeneration: true
preferredChain: ""
privateKeySecretRef:
key: tls.key
name: letsencrypt
...snipped lines which are same as previous yaml file...
$ oc create -f cluster-issuer-using-existing-account.yaml
clusterissuer.cert-manager.io/letsencrypt created
$ oc get clusterissuer letsencrypt -o yaml
...
uri: https://acme-staging-v02.api.letsencrypt.org/acme/acct/90569434
...
We can see it uses same account 90569434 as previous.
6. Update the content of secret "letsencrypt" to be the content of secret letsencrypt-two.
$ sed 's/letsencrypt-two/letsencrypt/g' secret-letsencrypt-two.yaml | oc replace -n cert-manager -f -
secret/letsencrypt replaced
Wait a moment, check the account in clusterissuer "letsencrypt" again, it is still account 90569434.
7. Change privateKeySecretRef secret name
$ oc edit clusterissuer letsencrypt # change secret name from "letsencrypt" to "letsencrypt-two"
Wait a moment, check the account in clusterissuer "letsencrypt" again, it is still account 90569434.
8. Check logs of cert-manager
$ oc logs cert-manager-d464b7449-5m7nn -n cert-manager
I0302 04:18:03.215124 1 setup.go:202] cert-manager/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"="" "resource_version"="v1"
I0302 05:19:51.202405 1 setup.go:202] cert-manager/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-two" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt" "resource_namespace"="" "resource_version"="v1"
Actual results:
In step 6 and 7, no matter updating content of existing secret or changing secret name to another one, the clusterissuer won't change the acme account.
Expected results:
Given the secret content of privateKeySecretRef changed to another account's secret key, the clusterissuer should change the acme account accordingly.
Additional info:
- links to
-
RHEA-2023:5339
cert-manager Operator for Red Hat OpenShift 1.12.0