[release-4.3] Bug 1809253: Reload serving certs #160
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@marun: This pull request references Bugzilla bug 1809253, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
marun
force-pushed
the
4.3-reload-serving-cert
branch
from
11b045c to
b2d9064
Compare
marun
force-pushed
the
4.3-reload-serving-cert
branch
from
b2d9064 to
658cafa
Compare
Author
|
What's up with travis? The failure appears unrelated to the code, and I have no way to kick it. |
|
@marun: This pull request references Bugzilla bug 1809253, which is valid. 6 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
|
@marun: This pull request references Bugzilla bug 1809253, which is valid. 6 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Author
|
@stlaz Travis passed, hooray! |
|
/lgtm |
|
/approve |
1 similar comment
|
/approve |
mfojtik
added
the
priority/critical-urgent
|
/approve |
1 similar comment
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, mfojtik, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
mrunalp
added
the
cherry-pick-approved
|
@marun: once the present PR merges, I will cherry-pick it on top of release-4.2 in a new PR and assign it to you. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no PR?). Fixed by [2], service-ca-operator
74b5ce2 [4], which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no PR?). Fixed by [7], service-ca-operator
e5a04d6 [7], which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
|
/retest Please review the full test history for this PR and help us cut down flakes. |
Author
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I attempted updating the 4.2 and 4.3 branches to kube 1.17, but given how far behind oauth-proxy seems to be (e.g. it doesn't know about
k8s.io/apiand still sources API types from client-go) it was much simpler to fork the dynamiccertificates code required to ensure cert reload. I've taken care to separate the forking from the changes required for the code to work. Hopefully this also makes for a happier patch manager./cc @deads2k @mfojtik @stlaz
Edit: Note that the forked code is contained to the
dynamiccertificatespath. If in future we decide to bump, it will be trivial to remove that path and rely on vendored code instead.