
Bug 1356446

Summary: Can't create the cluster-created secrets for service
Product: OpenShift Container Platform
Reporter: zhou ying <yinzhou>
Component: Command Line Interface
Assignee: David Eads <deads>
Status: CLOSED NOTABUG
QA Contact: Xingxing Xia <xxia>
Severity: medium
Priority: medium
Version: 3.3.0
CC: aos-bugs, jokerman, mmccomas, yinzhou
Last Closed: 2016-07-19 12:19:25 UTC
Type: Bug

Description zhou ying 2016-07-14 07:07:08 UTC
Description of problem:
Can't create the cluster-created secrets for the service when using the `oc annotate svc/hello  service.alpha.openshift.io/serving-cert-secret-name=ssl-key` command.

Version-Release number of selected component (if applicable):
openshift v3.3.0.5
kubernetes v1.3.0+57fb9ac
etcd 2.3.0+git


How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use the following file to create the service:

apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - targetPort: 443
    port: 8443
    protocol: TCP
  selector:
    name: nginx

3. Annotate the service to use the cluster-created certificate:
   `oc annotate svc/hello  service.alpha.openshift.io/serving-cert-secret-name=ssl-key` 


4. Check the service and secrets;


Actual results:
4. The service annotations contain the cluster-created certificate, but can't create the 'ssl-key' secrets.
[root@zhouy testjson]# oc get secrets  ssl-key
Error from server: secrets "ssl-key" not found

[root@zhouy testjson]# oc get svc hello -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: ssl-key
  creationTimestamp: 2016-07-14T06:57:20Z
  name: hello
  namespace: zhouy
  resourceVersion: "4561"
  selfLink: /api/v1/namespaces/zhouy/services/hello
  uid: 3594bb37-4990-11e6-a17f-fa163e5e5cf6
spec:
  clusterIP: 172.30.55.87
  portalIP: 172.30.55.87
  ports:
  - port: 8443
    protocol: TCP
    targetPort: 443
  selector:
    name: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Expected results:
4. Should create the 'ssl-key' secrets for the service and pod.

Additional info:
Origin works ok, feature may not be merged in OSE.

Comment 1 David Eads 2016-07-14 12:27:32 UTC
Are you starting from a master-config.yaml file that doesn't contain the 

controllerConfig:
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key

stanza?  I just pulled OSE 3.3.0.5 and confirmed that it does have the serving cert generator and it worked by default (no config).

If everything seems to be in order, can you provide the master logs at loglevel=4?

Comment 2 zhou ying 2016-07-19 07:36:37 UTC
David Eads,
Yes, I started from a master-config.yaml without the serviceServingCert stanza.
This is the loglevel=5 log from the master:
http://pastebin.test.redhat.com/393491

Comment 3 David Eads 2016-07-19 12:19:25 UTC
Ok, without the serviceServingCert there's not enough information for the controller to start, so the feature is disabled and your log supports that happening (no debug info coming out for that controller).

You'll need to generate the cert and the stanza to use the new (alpha) feature.  You can do this by running a `--write-config` and picking the pieces you need.
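
A preflight check for the condition diagnosed in this thread, as an added example that is not part of the bug report or of OpenShift: it looks for the `controllerConfig.serviceServingCert.signer` stanza from Comment 1 and confirms that the referenced files exist. The names `read_mapping` and `check_signer` are hypothetical, resolving relative paths against the config file's directory is an assumption, and the key permission test is an extra hardening check added here.

```python
import os
import stat
import sys

SIGNER_PATH = ("controllerConfig", "serviceServingCert", "signer")

def read_mapping(text, path):
    """Return scalar entries under a nested mapping path, or None if the path is absent.

    Handles only space-indented block mappings like the stanza in Comment 1;
    it is not a general YAML parser."""
    stack, found = [], None          # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parents = tuple(k for _, k in stack)
        if parents + (key,) == path:
            found = {}               # stanza header is present
        elif parents == path and found is not None:
            found[key] = value.strip().strip("'\"")
        stack.append((indent, key))
    return found

def check_signer(config_path):
    """List problems that leave the serving-cert controller disabled or its key exposed."""
    with open(config_path) as fh:
        signer = read_mapping(fh.read(), SIGNER_PATH)
    if signer is None:
        return ["serviceServingCert signer stanza missing: controller stays disabled"]
    problems = []
    base = os.path.dirname(os.path.abspath(config_path))
    for field in ("certFile", "keyFile"):
        if not signer.get(field):
            problems.append(field + " is not set")
            continue
        target = os.path.join(base, signer[field])   # assumption: relative to config dir
        if not os.path.isfile(target):
            problems.append(field + " file not found: " + target)
        elif field == "keyFile" and stat.S_IMODE(os.stat(target).st_mode) & 0o077:
            problems.append("keyFile is accessible to group/others: " + target)
    return problems

if __name__ == "__main__":
    issues = check_signer(sys.argv[1])
    print("\n".join(issues) or "serviceServingCert signer looks usable")
    sys.exit(1 if issues else 0)
```

Run it with the path to master-config.yaml as its only argument; a non-zero exit status means the annotation from step 3 would not produce a secret.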