[Bug] Cryostat certificate is signed by old CA after upgrade #896

Closed
ebaron opened this issue Jun 14, 2024 · 0 comments · Fixed by #897
Labels
bug Something isn't working

ebaron commented Jun 14, 2024

With 3.0, we change the name of the secret used for the Cryostat CA to avoid name collisions. This causes cert-manager to generate a new certificate when upgrading from 2.4 to 3.0. cert-manager does not detect that the CA has been changed and does not reissue Cryostat's certificate. This leads to not being able to connect to Cryostat using the Route, which does use the updated CA certificate.

To reproduce:

  1. make deploy_bundle BUNDLE_IMG=quay.io/cryostat/cryostat-operator-bundle:2.4.0
  2. oc create -f config/samples/operator_v1beta1_cryostat.yaml
  3. Wait for ready
  4. ./bin/operator-sdk run bundle-upgrade quay.io/cryostat/cryostat-operator-bundle:3.0.0-dev
  5. Wait for ready
  6. curl -k -sSI https://cryostat-sample-cryostat-test.apps.example.com
    HTTP/1.0 503 Service Unavailable
    pragma: no-cache
    cache-control: private, max-age=0, no-cache, no-store
    content-type: text/html
    

See: cert-manager/cert-manager#5851

Status: Done