Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 4.12.z
Affects Version/s: 4.10
Component/s: Networking / router
Labels:

Test Coverage:

+
Test Link:
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-62530
Severity:
Critical
Regression:
None
Sprint:
Sprint 224, Sprint 225, Sprint 226, Sprint 227
sprint_count:
4
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Previously, the Ingress Operator published certificates and keys of all Ingress Controllers to the `router-certs` secret in the `openshift-config-managed` namespace. The Authentication Operator is the only operator that uses the `router-certs` secret to access the cluster Ingress domain. Publishing unnecessary certificates and keys can impact the generation of the secret, because the secret exceeds the maximum resource size limit.

For the {product-title} {product-version} release, the Ingress Operator publishes certificates and keys for any Ingress Controllers that relate to the cluster Ingress domain. This change ensures that the Ingress Operator can generate a `router-certs` secret that the Authentication Operator can access for OAuth authentication purposes.

(link:https://issues.redhat.com/browse/OCPBUGS-853[*~~OCPBUGS-853~~*]

Show
Previously, the Ingress Operator published certificates and keys of all Ingress Controllers to the `router-certs` secret in the `openshift-config-managed` namespace. The Authentication Operator is the only operator that uses the `router-certs` secret to access the cluster Ingress domain. Publishing unnecessary certificates and keys can impact the generation of the secret, because the secret exceeds the maximum resource size limit. For the {product-title} {product-version} release, the Ingress Operator publishes certificates and keys for any Ingress Controllers that relate to the cluster Ingress domain. This change ensures that the Ingress Operator can generate a `router-certs` secret that the Authentication Operator can access for OAuth authentication purposes. (link: https://issues.redhat.com/browse/OCPBUGS-853 [* OCPBUGS-853 *]
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.12.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:

Description of problem:

Large OpenShift Container Platform 4.10.24 - Cluster is failing to update router-certs secret in openshift-config-managed namespace as the given secret is too big.

2022-09-01T06:24:15.157333294Z 2022-09-01T06:24:15.157Z ERROR operator.init.controller.certificate_publisher_controller controller/controller.go:266  Reconciler error  {"name": "foo-bar", "namespace": "openshift-ingress-operator", "error": "failed to ensure global secret: failed to update published router certificates secret: Secret \"router-certs\" is invalid: data: Too long: must have at most 1048576 bytes"}

The OpenShift Container Platform 4 - Cluster has 180 IngressController configured with endpointPublishingStrategy set to private.

Now the default certificate needs to be replaced but is not properly replicated to openshift-authentication namespace and potentially other location because of the problem mentioned (since the required secret can not be updated)

Version-Release number of selected component (if applicable):

OpenShift Container Platform 4.10.24

How reproducible:

Always

Steps to Reproduce:

1. Install OpenShift Container Platform 4.10
2. Create 180 IngressController with specific certificates
3. Check openshift-ingress-operator logs to see how it fails to update/create the necessary secret in openshift-config-managed

Actual results:

2022-09-01T06:24:15.157333294Z 2022-09-01T06:24:15.157Z ERROR operator.init.controller.certificate_publisher_controller controller/controller.go:266  Reconciler error  {"name": "foo-bar", "namespace": "openshift-ingress-operator", "error": "failed to ensure global secret: failed to update published router certificates secret: Secret \"router-certs\" is invalid: data: Too long: must have at most 1048576 bytes"}

Expected results:

No matter how many IngressController is created, secret management taken care by Operators need to work, even if data exceed 1 MB size limitation. In that case an approach needs to exist to split data into multiple secrets or handle it otherwise.

Additional info:

is cloned by

OCPBUGS-8000 openshift-ingress-operator is failing to update router-certs because "Too long: must have at most 1048576 bytes" message

Closed

is depended on by

OCPBUGS-8000 openshift-ingress-operator is failing to update router-certs because "Too long: must have at most 1048576 bytes" message

Closed

links to

openshift-ingress-operator is failing to update router-certs because "Too long: must have at most 1048576 bytes" message

openshift/cluster-ingress-operator#824: OCPBUGS-853: certificate-publisher: Don't publish extraneous certificates

Assignee:: Miciah Masters

Reporter:: Simon Reber

QA Contact:: Shudi Li

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2022/09/02 11:40 AM

Updated:: 2024/02/15 3:34 PM

Resolved:: 2023/01/17 7:38 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates