Bug 1356446 - Can't create the cluster-created secrets for service
Summary: Can't create the cluster-created secrets for service
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: David Eads
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-14 07:07 UTC by zhou ying
Modified: 2016-07-19 12:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 12:19:25 UTC



Description zhou ying 2016-07-14 07:07:08 UTC
Description of problem:
Can't create the cluster-created secrets for the service when using the `oc annotate svc/hello service.alpha.openshift.io/serving-cert-secret-name=ssl-key` command.

Version-Release number of selected component (if applicable):
openshift v3.3.0.5
kubernetes v1.3.0+57fb9ac
etcd 2.3.0+git


How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use the following file to create the service:

apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - targetPort: 443
    port: 8443
    protocol: TCP
  selector:
    name: nginx

3. Annotate the service to use the cluster-created certificate:
   `oc annotate svc/hello  service.alpha.openshift.io/serving-cert-secret-name=ssl-key` 


4. Check the service and secrets;


Actual results:
4. The service annotations contain the cluster-created certificate, but the 'ssl-key' secret can't be created.
[root@zhouy testjson]# oc get secrets  ssl-key
Error from server: secrets "ssl-key" not found

[root@zhouy testjson]# oc get svc hello -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: ssl-key
  creationTimestamp: 2016-07-14T06:57:20Z
  name: hello
  namespace: zhouy
  resourceVersion: "4561"
  selfLink: /api/v1/namespaces/zhouy/services/hello
  uid: 3594bb37-4990-11e6-a17f-fa163e5e5cf6
spec:
  clusterIP: 172.30.55.87
  portalIP: 172.30.55.87
  ports:
  - port: 8443
    protocol: TCP
    targetPort: 443
  selector:
    name: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Expected results:
4. Should create the 'ssl-key' secrets for the service and pod.

Additional info:
Origin works ok, feature may not be merged in OSE.

Comment 1 David Eads 2016-07-14 12:27:32 UTC
Are you starting from a master-config.yaml file that doesn't contain the 

controllerConfig:
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key

stanza?  I just pulled OSE 3.3.0.5 and confirmed that it does have the serving cert generator and it worked by default (no config).

If everything seems to be in order, can you provide the master logs at loglevel=4?

Comment 2 zhou ying 2016-07-19 07:36:37 UTC
David Eads,
Yes, starting from a master-config.yaml without the serviceServingCert stanza.
This is the loglevel=5 log from the master:
http://pastebin.test.redhat.com/393491

Comment 3 David Eads 2016-07-19 12:19:25 UTC
Ok, without the serviceServingCert there's not enough information for the controller to start, so the feature is disabled and your log supports that happening (no debug info coming out for that controller).

You'll need to generate the cert and the stanza to use the new (alpha) feature.  You can do this by running a `--write-config` and picking the pieces you need.
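
A way to check for the condition described in Comment 3 before expecting the annotation to produce a secret, as an added example that is not part of the original bug report and is not OpenShift's own code. The function names and the two sample configs are constructed for illustration, and treating a missing or empty certFile/keyFile as "not configured" is an assumption of the example.

```python
# Added example: look for controllerConfig.serviceServingCert.signer in a
# master-config.yaml. Handles only plain nested mappings (no lists, anchors or
# multi-line scalars), which is all this stanza uses.

SIGNER = ["controllerConfig", "serviceServingCert", "signer"]

def find_mapping_value(text, path):
    """Return the scalar stored at the exact key path, or None if absent/empty."""
    stack = []  # (indent, key) for each enclosing mapping
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")) or ":" not in stripped:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = stripped.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the previous mapping
        stack.append((indent, key.strip()))
        if [k for _, k in stack] == path:
            return value.strip().strip("'\"") or None
    return None

def serving_cert_signer(text):
    """Report whether the signer cert and key are both present."""
    cert = find_mapping_value(text, SIGNER + ["certFile"])
    key = find_mapping_value(text, SIGNER + ["keyFile"])
    return {"certFile": cert, "keyFile": key, "configured": bool(cert and key)}

# Constructed sample: servingInfo also has certFile/keyFile, so a plain grep
# for "certFile" would report a false positive.
WITHOUT_STANZA = """\
apiVersion: v1
kind: MasterConfig
servingInfo:
  bindAddress: 0.0.0.0:8443
  certFile: master.server.crt
  keyFile: master.server.key
"""

# Constructed sample: the same file plus the stanza quoted in Comment 1.
WITH_STANZA = WITHOUT_STANZA + """\
controllerConfig:
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
"""

if __name__ == "__main__":
    for name, cfg in (("without", WITHOUT_STANZA), ("with", WITH_STANZA)):
        print(name, serving_cert_signer(cfg))
```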

