Skip to content

[release-4.2] Bug 1810421: Set a random serial number for signing certificate templates #730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mfojtik merged 1 commit into from
Mar 18, 2020
Merged

[release-4.2] Bug 1810421: Set a random serial number for signing certificate templates #730

mfojtik merged 1 commit into from
Mar 18, 2020

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Mar 6, 2020

This is an automated cherry-pick of #726

/assign marun

@marun
Set a random serial number for signing certificate templates
e9866f0 
Previously a serial number of 1 was used when generating signing
certificates. If such a certificate was ever rotated, the new signing
certificate would have the same issuer+serial number which violates
the rfc. Setting a random serial number ensures that signing
certificates can be uniquely identified for a given issuer when rotated.
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Mar 6, 2020
Merged
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 6, 2020

@openshift-cherrypick-robot: This pull request references Bugzilla bug 1810036, which is invalid:

  • expected the bug to target the "4.2.z" release, but it targets "4.5.0" instead
  • expected Bugzilla bug 1810036 to depend on a bug targeting the "4.3.z" release and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

[release-4.2] Bug 1810036: Set a random serial number for signing certificate templates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 6, 2020
@marun
Copy link
Contributor

marun commented Mar 6, 2020
edited
Loading

@deads2k BZ in the title is for 4.5. 4.2 BZ is 1810421. I don't have permission to edit the title.

@marun
Copy link
Contributor

marun commented Mar 9, 2020

/retitle [release-4.2] Bug 1810421: Set a random serial number for signing certificate templates

@openshift-ci-robot openshift-ci-robot changed the title [release-4.2] Bug 1810036: Set a random serial number for signing certificate templates [release-4.2] Bug 1810421: Set a random serial number for signing certificate templates Mar 9, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 9, 2020

@openshift-cherrypick-robot: This pull request references Bugzilla bug 1810421, which is invalid:

  • expected dependent Bugzilla bug 1810036 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ON_QA instead
  • expected dependent Bugzilla bug 1810418 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is NEW instead
  • expected dependent Bugzilla bug 1810420 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is NEW instead
  • expected dependent Bugzilla bug 1810036 to target the "4.3.z" release, but it targets "4.5.0" instead
  • expected dependent Bugzilla bug 1810418 to target the "4.3.z" release, but it targets "4.4.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

[release-4.2] Bug 1810421: Set a random serial number for signing certificate templates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sttts
Copy link
Contributor

sttts commented Mar 10, 2020

/lgtm
/approve

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 10, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 10, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 10, 2020
@marun marun mentioned this pull request Mar 15, 2020
Merged
@marun
Copy link
Contributor

marun commented Mar 18, 2020

/bugzilla refresh

@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 18, 2020

@marun: This pull request references Bugzilla bug 1810421, which is invalid:

  • expected dependent Bugzilla bug 1810420 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mfojtik mfojtik added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Mar 18, 2020
@mfojtik
Copy link
Contributor

mfojtik commented Mar 18, 2020

/refresh

@mfojtik mfojtik added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Mar 18, 2020
@mfojtik
Copy link
Contributor

mfojtik commented Mar 18, 2020

there is nothing else in the release-4.2 queue that might conflict, merging this by hand as this is blocking critical 4.2 fix.

@mfojtik mfojtik merged commit d58edcb into openshift:release-4.2 Mar 18, 2020
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
ff82608 
…1810036

Also tombstone affected releases to avoid further channel promotion
for affected releases.  Details on the bug:

* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
  d9c73bb [3].

* 4.4: Introduced by [4] (no PR?).  Fixed by [5], service-ca-operator
  e5a04d6 [6], which included library-go 3c25293 [7].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
  [10], service-ca-operator dd7235b [11], which includes library-go
  5844159 [12].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
  includes library-go 2cf86bb [15] and API 8ce0047 [16].  Fix in
  flight with [17,18].  [19] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
b386abf 
…1810036

Also tombstone affected releases to avoid further channel promotion
for affected releases.  Details on the bug:

* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
  d9c73bb [3].

* 4.4: Introduced by [4] (no PR?).  Fixed by [5], service-ca-operator
  e5a04d6 [6], which included library-go 3c25293 [7].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
  [10], service-ca-operator dd7235b [11], which includes library-go
  5844159 [12].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
  includes library-go 2cf86bb [15] and API 8ce0047 [16].  Fix in
  flight with [17,18].  [19] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
7609562 
…1810036

Also tombstone affected releases to avoid further channel promotion
for affected releases.  Details on the bug:

* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
  d9c73bb [3].

* 4.4: Introduced by [4] (no PR?).  Fixed by [5], service-ca-operator
  e5a04d6 [6], which included library-go 3c25293 [7].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
  [10], service-ca-operator dd7235b [11], which includes library-go
  5844159 [12].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
  includes library-go 2cf86bb [15] and API 8ce0047 [16].  Fix in
  flight with [17,18].  [19] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
e669fcd 
…1810036

The bugs were introduced by the [1] series, and fixed by the
combination of [2,3].  This commit also tombstones affected releases
to avoid further channel promotion.  Details on the bug:

* 4.5: Introduced by [1] (no PR?).  Fixed by [2], service-ca-operator
  74b5ce2 [4], which included library-go d9c73bb [5].

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

* 4.4: Introduced by [1] (no PR?).  Fixed by [7], service-ca-operator
  e5a04d6 [7], which included library-go 3c25293 [9].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
    oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
  oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381

  So both RCs have OAuth fix, but neither has the service-ca-operator
  fix.

* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
  [12], service-ca-operator dd7235b [13], which includes library-go
  5844159 [14].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

  Fix also requires the OAuth proxy fix [15,16], which is still in
  flight.

* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
  includes library-go 2cf86bb [19] and API 8ce0047 [20].  Fix in
  flight with [21,22].  [23] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

  Fix also requires the OAuth proxy fix [24,25], which is still in
  flight.

* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
6a23da6 
…1810036

The bugs were introduced by the [1] series, and fixed by the
combination of [2,3].  This commit also tombstones affected releases
to avoid further channel promotion.  Details on the bug:

* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
  was introduced).  Fixed by [2], service-ca-operator 74b5ce2 [4],
  which included library-go d9c73bb [5].

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
  was introduced).  Fixed by [7], service-ca-operator e5a04d6 [7],
  which included library-go 3c25293 [9].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
    oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
  oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381

  So both RCs have OAuth fix, but neither has the service-ca-operator
  fix.

* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
  [12], service-ca-operator dd7235b [13], which includes library-go
  5844159 [14].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

  Fix also requires the OAuth proxy fix [15,16], which is still in
  flight.

* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
  includes library-go 2cf86bb [19] and API 8ce0047 [20].  Fix in
  flight with [21,22].  [23] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

  Fix also requires the OAuth proxy fix [24,25], which is still in
  flight.

* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking added a commit to wking/cincinnati-graph-data that referenced this pull request Mar 18, 2020
@wking
blocked-edges/4.2.23: Block all incoming edges on the service CA bug …
5d96970 
…1810036

The bugs were introduced by the [1] series, and fixed by the
combination of [2,3].  This commit also tombstones affected releases
to avoid further channel promotion.  Details on the bug:

* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
  was introduced).  Fixed by [2], service-ca-operator 74b5ce2 [4],
  which included library-go d9c73bb [5].

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
  was introduced).  Fixed by [7], service-ca-operator e5a04d6 [7],
  which included library-go 3c25293 [9].

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator                            https://github.com/openshift/service-ca-operator                            094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
  $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
  e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
  094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.

  Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
  4.4/4.5 split.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
    oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
  oauth-proxy                                    https://github.com/openshift/oauth-proxy                                    3d0621eb72c9dd1c036505363032468a9016f381

  So both RCs have OAuth fix, but neither has the service-ca-operator
  fix.

* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
  [12], service-ca-operator dd7235b [13], which includes library-go
  5844159 [14].

  Fix has not been released yet.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           774c394da334dec446703545d4baaf89611ccb9d
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).

  Fix also requires the OAuth proxy fix [15,16], which is still in
  flight.

* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
  includes library-go 2cf86bb [19] and API 8ce0047 [20].  Fix in
  flight with [21,22].  [23] has already landed with library-go
  d58edcb.

  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           f6720573b9b63147436374e51e6fda44683b1e9f
  $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator                           https://github.com/openshift/service-ca-operator                           0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.

  Fix also requires the OAuth proxy fix [24,25], which is still in
  flight.

* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
  no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

@sttts sttts Awaiting requested review from sttts

Assignees

@marun marun

@sttts sttts

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@openshift-cherrypick-robot @openshift-ci-robot @marun @sttts @mfojtik