StarlingX

The old CA cert is not removed from controller-manager.conf after kube root CA update complete

Bug #1955675 reported by Andy
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Low
Andy

Bug Description

Brief Description
-----------------
After kube root CA update complete, the old root CA certificate is not removed from controller-manager.conf

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Follow kube root CA update procedure to update root CA with a new certificate (can use system kube-rootca-update-generate-cert to generate the new CA certificate)

Once the update complete, check controller-manager.conf.

Expected Behavior
------------------
There is only one CA certificate in the "certificate-authority-data" field of controller-manager.conf, which is the new root CA certificate.

Actual Behavior
----------------
The old root CA certificate is also in the "certificate-authority-data" field of controller-manager.conf.

Reproducibility
---------------
100%

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
STX master

Last Pass
---------
Unknown

Timestamp/Logs
--------------
- After kube root CA update complete:

cat /etc/kubernetes/controller-manager.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU0VENDQXNtZ0F3SUJBZ0lEQUs2OE1BMEdDU3FHU0liM0RRRUJDd1VBTUJVeEV6QVJCZ05WQkFNTUNtdDEKWW1WeWJtVjBaWE13SGhjTk1qRXhNVEl4TVRZME5ETXlXaGNOTXpFeE1URTVNVFkwTkRNeVdqQVZNUk13RVFZRApWUVFEREFwcmRXSmxjbTVsZEdWek1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBCjRhZDF2ajVrbFZsNHV3VHFXTXJRMTZjT3lhaFR2bmVOY3k1aE82MUtMMVdYSE14MHByYnJTSngvRFlzcmZLdzQKQ1BZc1loRk5ZMENnWFpYOVczbXFqNW0yV0JuZEg5dFREWm5pN1NYYXgwV0FhY1hGMCtjbUtrMER4QnhyZEs5aQovdk5qUlFvZkJzdEtROWQzT0ZwdVFMZ2ZVZ1JnUWhUUC9TNFpyU2V2NGUvL3BreUlJSFpRbFFNZzdWamk3U2oyCk1VZHJ4V3dPWWo5L0Q2WFNVQUxmQWhlV0tLaGtqMXBzWEhlbWJHM2tYUUZidkJ5djRlNHMrV2lVMDlHRnBGY2cKK2ptMDdUZjF4ZjByelZGOFpUbWZuZzZXQ3cvUENNSk8yQllYc0tTWkhvMXI4eEh5aWhuSm15aWU5S1Zua0lnagpBMmlJU1BtQ2FJWmFOSDQyQ2JmOVR3RW02bU5xcUdLcDVzUlo1eUtGOFJEOHpKMkRoemNzYmlFaGh1RytTWG1jCmRZR2hIaDhqVkJjVlorZGhUVTlzSk11RmtuQXFTb1NKWTdtZElQbXJKRGJ3Mm1SMmlJQ3I5dTdsN3dLTWQ1VWMKSFA2SGVkRFFUa2V6NVRoaE5pYUNWS1BkOTVRM3FUMUtxd1pNZVpPNlRsMmNONUxZVlBkcTVPY1phdERsYUVhNgp0UjNWcndlTWF5RFNNaERZaUpiTDFPVUxjNWxENlptNG5ya2t2bG40aFN5MzlxUjYyMEV4dU1KZEFxQ0JXMEFkCm1nVC9hTGl0dktYdE9iWGNwQzVEYlpQdXQzclVRTkRsTWt2VmxmQjBxNVhZa3RXQjYxUFU3b1FLeHpCVi81NW0KSTNOSnMydCs3bTkyMEVOU3pQZlV2NHd6Zk16T1Y5RExZTTJlSW1EYTNZRUNBd0VBQWFNNk1EZ3dGUVlEVlIwUgpCQTR3RElJS2EzVmlaWEp1WlhSbGN6QUxCZ05WSFE4RUJBTUNBcVF3RWdZRFZSMFRBUUgvQkFnd0JnRUIvd0lCCkFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FnRUF5a05sbk1WdjNTVGx6N0VmWDNJb00wSHhZMnd6cFhudS8vdm0KVjhCaWQvdXRWWnNueGhXcWx1bGRmZGJlRGRFbjhNTk5FQVlrMlRHNmpTVDlzWis2eG5QbnpDdFhpV3lFaVpIMgphM2JHUU1Fb1F2RmN5M0Y5VDlQanhpVUVWbVVUc0thZ2dDcjAzYlVjK2ZFTjhJMUFHU00yK3pKQ1Q3eXlOU1ZLCnlOT25NbEdCTXBPQlZXTFBPa2IxNjVWV1FHZXVMNm9hYTh1WEN0UzV1anQvZytGVm1vRjYxS0xjL205UTR4RWoKTDFOVWZldkpwM05kWmZPcmRWYTRzVVo3Ymp3MVk1MWd4RVVEL1pXNFQwOGxOOHRJNjRGRGsyZWpCaXVuNENlegpwMVN5aUFTN0huSDBDOUM0dlNJTDNCVHNsVHAra0dzVmhWSXFrVExCYlcrUHhjQW80R2NnVnJwVk52M0QzdFJECmtuczlFWENaNW5SUnRnMWN1My9RZ0RFeEMxR3M2dXhCMEJKVlRCZWlHdDlFQ2UxMW5WbEVuVEtkeS9GUmlQbHIKQmFoOThMUW5TdkgwVGtTekJRWDBDT0JmbUpEeE5MV2N4NWpxQ2ZLVkp4OFl0SXhFdmFHYTBvYTZhR3JaYUg4aQpWYWRQb0RSU09oVkhxdUdybjNVTllPYVBsMFlkdFB5L2FWaE1OWlAzbVNrZkdQOXV4M3RZN3EwZUo1YXdTT1U2Cm1PRHNqTjlPbHE3OW0rVnJQdGZBeVNIOFdoN3IxNzhITWV1YzFUclplRUZWellhY0IwWU9qeEh3cTlmR1Rja2wKa0NnRlVHS05zTGxESHpLbGxSTEcyRWRZbXZuRDZ5SHBuSnJHaG9oRVFCdjhRN2l1NHlBVmFQTGtMMFA1QUY1Mwo4aTJld1RRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlDMkRDQ0FjQ2dBd0lCQWdJUkFPd05YcElnY1c0ME9BRnF2bE55NHRVd0RRWUpLb1pJaHZjTkFRRUxCUUF3CkZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1URXlNRGd5TVRVeU5UTmFGdzB6TVRFeU1EWXkKTVRVeU5UTmFNQlV4RXpBUkJnTlZCQU1UQ210MVltVnlibVYwWlhNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQQpBNElCRHdBd2dnRUtBb0lCQVFETFB5NldYRWRkTnE5NmRFcVVxUDE1TE9wQTg2Y25rOUduR2t2b1lPemhxMFhoClpxSlliL3E5OGlMR0VFTmlMV3d6b2tLVzhEbnFTRzRwNDYvOTliNUFxcHBKeGVzTDFLK3l3ODlEWjBWZGJ4OTgKR0h0elR0NDc1a3oyb09pYnE3SVUwcEltNDQxeDZEYmpHZlRNc0JIclhzRjVrekNqaU5ydER3NUVOOHZIa1NUWAp0SXRiSm8wNDRFY0ZVL2VTR2ZydGtWUTZ3V3BOVDMwdnlOZVJHbkY4RDc5a3lhVXdoWHNnNFRDOGllMXNZdEdQClQ0U0tLenJERkJTMDRPTWRWalZLMzhDTyt3Q1RMaDNLV2JHeEsrQUN5WmxNYmJYNTlNZGZBN1NEdThzTUh2eUEKTEpKdWwwajF4ZWtSWkpNNlBLUExPaVFpNXpmbkxJcmxiK3BDNUFpeEFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQgovd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQU1ZWWlFCkNLZGIycTBaS3FaVU5HSFZXQk9MbS85TE9Hb3JNSzZuL2tlYi9LRnJ2Y2VJTlFxZmhiWU12NHB3OURDWXNrRlYKL2xNdTQrREk4Q2hlK1JTWGNJVkhCTkpqcHdTTXlHc2hLWDZmSU50OXovWXlVcjUxb0dUbE1zSzcrR2Z2TE9ZLwptZEloaDMwTGRlTmxEc2tSaEk1WlJoeTA5THlIL2Q4KzIrZU5lM3BvVlh0WldwL1hiMUZoMW91NWVGQzA2RDhVCnNXVExkN0psS3phZkRlRlFWRWRaMHVRSGVTZWFhM3BTdnFmQnl5Q3lyU3J6eWZLY1ZHaTYzU2psR1czL0hIT0kKK2NoSGxmcXB6K05INUNuSWhsMEU3OEtqbUVRZFhrVVZoaU5kazZodTNFaHpOcUYyR09kakkvT2gxUEVpUXBnRApaTCsveUc5aHc3RjMzZXpjCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://192.168.206.3:6443
  name: kubernetes

- Decode the "certificate-authority-data":

echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU0VENDQXNtZ0F3SUJBZ0lEQUs2OE1BMEdDU3FHU0liM0RRRUJDd1VBTUJVeEV6QVJCZ05WQkFNTUNtdDEKWW1WeWJtVjBaWE13SGhjTk1qRXhNVEl4TVRZME5ETXlXaGNOTXpFeE1URTVNVFkwTkRNeVdqQVZNUk13RVFZRApWUVFEREFwcmRXSmxjbTVsZEdWek1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBCjRhZDF2ajVrbFZsNHV3VHFXTXJRMTZjT3lhaFR2bmVOY3k1aE82MUtMMVdYSE14MHByYnJTSngvRFlzcmZLdzQKQ1BZc1loRk5ZMENnWFpYOVczbXFqNW0yV0JuZEg5dFREWm5pN1NYYXgwV0FhY1hGMCtjbUtrMER4QnhyZEs5aQovdk5qUlFvZkJzdEtROWQzT0ZwdVFMZ2ZVZ1JnUWhUUC9TNFpyU2V2NGUvL3BreUlJSFpRbFFNZzdWamk3U2oyCk1VZHJ4V3dPWWo5L0Q2WFNVQUxmQWhlV0tLaGtqMXBzWEhlbWJHM2tYUUZidkJ5djRlNHMrV2lVMDlHRnBGY2cKK2ptMDdUZjF4ZjByelZGOFpUbWZuZzZXQ3cvUENNSk8yQllYc0tTWkhvMXI4eEh5aWhuSm15aWU5S1Zua0lnagpBMmlJU1BtQ2FJWmFOSDQyQ2JmOVR3RW02bU5xcUdLcDVzUlo1eUtGOFJEOHpKMkRoemNzYmlFaGh1RytTWG1jCmRZR2hIaDhqVkJjVlorZGhUVTlzSk11RmtuQXFTb1NKWTdtZElQbXJKRGJ3Mm1SMmlJQ3I5dTdsN3dLTWQ1VWMKSFA2SGVkRFFUa2V6NVRoaE5pYUNWS1BkOTVRM3FUMUtxd1pNZVpPNlRsMmNONUxZVlBkcTVPY1phdERsYUVhNgp0UjNWcndlTWF5RFNNaERZaUpiTDFPVUxjNWxENlptNG5ya2t2bG40aFN5MzlxUjYyMEV4dU1KZEFxQ0JXMEFkCm1nVC9hTGl0dktYdE9iWGNwQzVEYlpQdXQzclVRTkRsTWt2VmxmQjBxNVhZa3RXQjYxUFU3b1FLeHpCVi81NW0KSTNOSnMydCs3bTkyMEVOU3pQZlV2NHd6Zk16T1Y5RExZTTJlSW1EYTNZRUNBd0VBQWFNNk1EZ3dGUVlEVlIwUgpCQTR3RElJS2EzVmlaWEp1WlhSbGN6QUxCZ05WSFE4RUJBTUNBcVF3RWdZRFZSMFRBUUgvQkFnd0JnRUIvd0lCCkFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FnRUF5a05sbk1WdjNTVGx6N0VmWDNJb00wSHhZMnd6cFhudS8vdm0KVjhCaWQvdXRWWnNueGhXcWx1bGRmZGJlRGRFbjhNTk5FQVlrMlRHNmpTVDlzWis2eG5QbnpDdFhpV3lFaVpIMgphM2JHUU1Fb1F2RmN5M0Y5VDlQanhpVUVWbVVUc0thZ2dDcjAzYlVjK2ZFTjhJMUFHU00yK3pKQ1Q3eXlOU1ZLCnlOT25NbEdCTXBPQlZXTFBPa2IxNjVWV1FHZXVMNm9hYTh1WEN0UzV1anQvZytGVm1vRjYxS0xjL205UTR4RWoKTDFOVWZldkpwM05kWmZPcmRWYTRzVVo3Ymp3MVk1MWd4RVVEL1pXNFQwOGxOOHRJNjRGRGsyZWpCaXVuNENlegpwMVN5aUFTN0huSDBDOUM0dlNJTDNCVHNsVHAra0dzVmhWSXFrVExCYlcrUHhjQW80R2NnVnJwVk52M0QzdFJECmtuczlFWENaNW5SUnRnMWN1My9RZ0RFeEMxR3M2dXhCMEJKVlRCZWlHdDlFQ2UxMW5WbEVuVEtkeS9GUmlQbHIKQmFoOThMUW5TdkgwVGtTekJRWDBDT0JmbUpEeE5MV2N4NWpxQ2ZLVkp4OFl0SXhFdmFHYTBvYTZhR3JaYUg4aQpWYWRQb0RSU09oVkhxdUdybjNVTllPYVBsMFlkdFB5L2FWaE1OWlAzbVNrZkdQOXV4M3RZN3EwZUo1YXdTT1U2Cm1PRHNqTjlPbHE3OW0rVnJQdGZBeVNIOFdoN3IxNzhITWV1YzFUclplRUZWellhY0IwWU9qeEh3cTlmR1Rja2wKa0NnRlVHS05zTGxESHpLbGxSTEcyRWRZbXZuRDZ5SHBuSnJHaG9oRVFCdjhRN2l1NHlBVmFQTGtMMFA1QUY1Mwo4aTJld1RRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlDMkRDQ0FjQ2dBd0lCQWdJUkFPd05YcElnY1c0ME9BRnF2bE55NHRVd0RRWUpLb1pJaHZjTkFRRUxCUUF3CkZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweU1URXlNRGd5TVRVeU5UTmFGdzB6TVRFeU1EWXkKTVRVeU5UTmFNQlV4RXpBUkJnTlZCQU1UQ210MVltVnlibVYwWlhNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQQpBNElCRHdBd2dnRUtBb0lCQVFETFB5NldYRWRkTnE5NmRFcVVxUDE1TE9wQTg2Y25rOUduR2t2b1lPemhxMFhoClpxSlliL3E5OGlMR0VFTmlMV3d6b2tLVzhEbnFTRzRwNDYvOTliNUFxcHBKeGVzTDFLK3l3ODlEWjBWZGJ4OTgKR0h0elR0NDc1a3oyb09pYnE3SVUwcEltNDQxeDZEYmpHZlRNc0JIclhzRjVrekNqaU5ydER3NUVOOHZIa1NUWAp0SXRiSm8wNDRFY0ZVL2VTR2ZydGtWUTZ3V3BOVDMwdnlOZVJHbkY4RDc5a3lhVXdoWHNnNFRDOGllMXNZdEdQClQ0U0tLenJERkJTMDRPTWRWalZLMzhDTyt3Q1RMaDNLV2JHeEsrQUN5WmxNYmJYNTlNZGZBN1NEdThzTUh2eUEKTEpKdWwwajF4ZWtSWkpNNlBLUExPaVFpNXpmbkxJcmxiK3BDNUFpeEFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQgovd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQU1ZWWlFCkNLZGIycTBaS3FaVU5HSFZXQk9MbS85TE9Hb3JNSzZuL2tlYi9LRnJ2Y2VJTlFxZmhiWU12NHB3OURDWXNrRlYKL2xNdTQrREk4Q2hlK1JTWGNJVkhCTkpqcHdTTXlHc2hLWDZmSU50OXovWXlVcjUxb0dUbE1zSzcrR2Z2TE9ZLwptZEloaDMwTGRlTmxEc2tSaEk1WlJoeTA5THlIL2Q4KzIrZU5lM3BvVlh0WldwL1hiMUZoMW91NWVGQzA2RDhVCnNXVExkN0psS3phZkRlRlFWRWRaMHVRSGVTZWFhM3BTdnFmQnl5Q3lyU3J6eWZLY1ZHaTYzU2psR1czL0hIT0kKK2NoSGxmcXB6K05INUNuSWhsMEU3OEtqbUVRZFhrVVZoaU5kazZodTNFaHpOcUYyR09kakkvT2gxUEVpUXBnRApaTCsveUc5aHc3RjMzZXpjCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" | base64 -d
-----BEGIN CERTIFICATE-----
MIIE4TCCAsmgAwIBAgIDAK68MA0GCSqGSIb3DQEBCwUAMBUxEzARBgNVBAMMCmt1
YmVybmV0ZXMwHhcNMjExMTIxMTY0NDMyWhcNMzExMTE5MTY0NDMyWjAVMRMwEQYD
VQQDDAprdWJlcm5ldGVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
4ad1vj5klVl4uwTqWMrQ16cOyahTvneNcy5hO61KL1WXHMx0prbrSJx/DYsrfKw4
CPYsYhFNY0CgXZX9W3mqj5m2WBndH9tTDZni7SXax0WAacXF0+cmKk0DxBxrdK9i
/vNjRQofBstKQ9d3OFpuQLgfUgRgQhTP/S4ZrSev4e//pkyIIHZQlQMg7Vji7Sj2
MUdrxWwOYj9/D6XSUALfAheWKKhkj1psXHembG3kXQFbvByv4e4s+WiU09GFpFcg
+jm07Tf1xf0rzVF8ZTmfng6WCw/PCMJO2BYXsKSZHo1r8xHyihnJmyie9KVnkIgj
A2iISPmCaIZaNH42Cbf9TwEm6mNqqGKp5sRZ5yKF8RD8zJ2DhzcsbiEhhuG+SXmc
dYGhHh8jVBcVZ+dhTU9sJMuFknAqSoSJY7mdIPmrJDbw2mR2iICr9u7l7wKMd5Uc
HP6HedDQTkez5ThhNiaCVKPd95Q3qT1KqwZMeZO6Tl2cN5LYVPdq5OcZatDlaEa6
tR3VrweMayDSMhDYiJbL1OULc5lD6Zm4nrkkvln4hSy39qR620ExuMJdAqCBW0Ad
mgT/aLitvKXtObXcpC5DbZPut3rUQNDlMkvVlfB0q5XYktWB61PU7oQKxzBV/55m
I3NJs2t+7m920ENSzPfUv4wzfMzOV9DLYM2eImDa3YECAwEAAaM6MDgwFQYDVR0R
BA4wDIIKa3ViZXJuZXRlczALBgNVHQ8EBAMCAqQwEgYDVR0TAQH/BAgwBgEB/wIB
ATANBgkqhkiG9w0BAQsFAAOCAgEAykNlnMVv3STlz7EfX3IoM0HxY2wzpXnu//vm
V8Bid/utVZsnxhWqluldfdbeDdEn8MNNEAYk2TG6jST9sZ+6xnPnzCtXiWyEiZH2
a3bGQMEoQvFcy3F9T9PjxiUEVmUTsKaggCr03bUc+fEN8I1AGSM2+zJCT7yyNSVK
yNOnMlGBMpOBVWLPOkb165VWQGeuL6oaa8uXCtS5ujt/g+FVmoF61KLc/m9Q4xEj
L1NUfevJp3NdZfOrdVa4sUZ7bjw1Y51gxEUD/ZW4T08lN8tI64FDk2ejBiun4Cez
p1SyiAS7HnH0C9C4vSIL3BTslTp+kGsVhVIqkTLBbW+PxcAo4GcgVrpVNv3D3tRD
kns9EXCZ5nRRtg1cu3/QgDExC1Gs6uxB0BJVTBeiGt9ECe11nVlEnTKdy/FRiPlr
Bah98LQnSvH0TkSzBQX0COBfmJDxNLWcx5jqCfKVJx8YtIxEvaGa0oa6aGrZaH8i
VadPoDRSOhVHquGrn3UNYOaPl0YdtPy/aVhMNZP3mSkfGP9ux3tY7q0eJ5awSOU6
mODsjN9Olq79m+VrPtfAySH8Wh7r178HMeuc1TrZeEFVzYacB0YOjxHwq9fGTckl
kCgFUGKNsLlDHzKllRLG2EdYmvnD6yHpnJrGhohEQBv8Q7iu4yAVaPLkL0P5AF53
8i2ewTQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC2DCCAcCgAwIBAgIRAOwNXpIgcW40OAFqvlNy4tUwDQYJKoZIhvcNAQELBQAw
FTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0yMTEyMDgyMTUyNTNaFw0zMTEyMDYy
MTUyNTNaMBUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDLPy6WXEddNq96dEqUqP15LOpA86cnk9GnGkvoYOzhq0Xh
ZqJYb/q98iLGEENiLWwzokKW8DnqSG4p46/99b5AqppJxesL1K+yw89DZ0Vdbx98
GHtzTt475kz2oOibq7IU0pIm441x6DbjGfTMsBHrXsF5kzCjiNrtDw5EN8vHkSTX
tItbJo044EcFU/eSGfrtkVQ6wWpNT30vyNeRGnF8D79kyaUwhXsg4TC8ie1sYtGP
T4SKKzrDFBS04OMdVjVK38CO+wCTLh3KWbGxK+ACyZlMbbX59MdfA7SDu8sMHvyA
LJJul0j1xekRZJM6PKPLOiQi5zfnLIrlb+pC5AixAgMBAAGjIzAhMA4GA1UdDwEB
/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAMYYiE
CKdb2q0ZKqZUNGHVWBOLm/9LOGorMK6n/keb/KFrvceINQqfhbYMv4pw9DCYskFV
/lMu4+DI8Che+RSXcIVHBNJjpwSMyGshKX6fINt9z/YyUr51oGTlMsK7+GfvLOY/
mdIhh30LdeNlDskRhI5ZRhy09LyH/d8+2+eNe3poVXtZWp/Xb1Fh1ou5eFC06D8U
sWTLd7JlKzafDeFQVEdZ0uQHeSeaa3pSvqfByyCyrSrzyfKcVGi63SjlGW3/HHOI
+chHlfqpz+NH5CnIhl0E78KjmEQdXkUVhiNdk6hu3EhzNqF2GOdjI/Oh1PEiQpgD
ZL+/yG9hw7F33ezc
-----END CERTIFICATE-----

- Both the old and new root CA certs are in it.

Test Activity
-------------
Developer Testing

Workaround
----------
Run "KUBECONFIG=/etc/kubernetes/controller-manager.conf; kubectl config set-cluster kubernetes --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs" to remove the old CA cert from controller-manager.conf

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/822856

Changed in starlingx:
status: New → In Progress
Revision history for this message
Ghada Khalil (gkhalil) wrote :

screening: stx.7.0 / low - minor issue w/ no serious system impact

Changed in starlingx:
importance: Undecided → Low
tags: added: stx.7.0 stx.security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/822856
Committed: https://opendev.org/starlingx/stx-puppet/commit/c0cce20dc85a94e3c00ba5163d293c1a58ed96ff
Submitter: "Zuul (22348)"
Branch: master

commit c0cce20dc85a94e3c00ba5163d293c1a58ed96ff
Author: Andy Ning <email address hidden>
Date: Thu Dec 23 14:43:17 2021 -0500

    Remove old root CA certificate from controller-manager.conf

    Currently after kube root CA update complete, the old root CA
    certificate is still in controller-manager.conf. This update
    added code to puppet class to remove the old root CA certificate
    from the kubeconfig file in update phase trust-new-ca.

    Test Plan:
    PASS: Successful kube root CA update
    PASS: Check controller-manager.conf after update complete and
          the old root CA certificate is removed from it.

    Closes-Bug: 1955675
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Id6fe9cac5ad36e1bbb9070791910da983aed9ac2

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.