[release-4.3] Bug 1810420: Ensure service CA certs are created with unique serial numbers #112
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci-robot
added
the
do-not-merge/work-in-progress
Contributor
|
@marun: This pull request references Bugzilla bug 1810420, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/invalid-bug
This change ensures that an intermediate CA cert is generated with a unique serial number so that serving cert bundles can be loaded without error. Previously, intermediate CA certs were created with the same serial number as their template. Since a serving cert bundle includes the issuing CA cert and an intermediate CA cert (created by signing the issuing CA cert with the previous CA's private key), this lack of serial number differentiation resulted in SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the bundle was read by curl due to the issuing and intermediate CAs sharing the same issuer and serial number.
marun
changed the title
openshift-ci-robot
added
bugzilla/valid-bug
Contributor
|
@marun: This pull request references Bugzilla bug 1810420, which is valid. 6 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Contributor
Author
|
Updated and ready for review. |
Contributor
|
/lgtm |
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Contributor
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
Contributor
|
/retest Please review the full test history for this PR and help us cut down flakes. |
mfojtik
added
the
priority/critical-urgent
mrunalp
added
the
cherry-pick-approved
Contributor
|
@marun: All pull requests linked via external trackers have merged. Bugzilla bug 1810420 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no PR?). Fixed by [2], service-ca-operator
74b5ce2 [4], which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no PR?). Fixed by [7], service-ca-operator
e5a04d6 [7], which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cherry-pick of #110