Details
-
Bug
-
Resolution: Done
-
Critical
-
4.10.0
-
+
-
Important
-
No
-
Rejected
-
False
-
Description
Description of problem:
When modifying a secret in the Management Console that has a binary file inclued (such as a keystore), the keystore will get corrupted post the modification and therefore impact application functionality (as the keystore can not be read).
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
$ cat cert.pem key.pem > file.crt.txt
$ openssl pkcs12 -export -in file.crt.txt -out mykeystore.pkcs12 -name myAlias -noiter -nomaciter
$ oc create secret generic keystore --from-file=mykeystore.pkcs12 --from-file=cert.pem --from-file=key.pem -n project-300
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: project-300
spec:
containers:
- name: mypod
image: quay.io/rhn_support_sreber/curl:latest
volumeMounts:
- name: foo
mountPath: "/keystore"
readOnly: true
volumes:
- name: foo
secret:
secretName: keystore
optional: true
# Getting the md5sum from the file on the local Laptop to compare with what is available in the pod
$ md5sum mykeystore.pkcs12
c189536854e59ab444720efaaa76a34a mykeystore.pkcs12
sh-5.2# ls -al /keystore/..data/
total 16
drwxr-xr-x. 2 root root 100 Mar 24 11:19 .
drwxrwxrwt. 3 root root 140 Mar 24 11:19 ..
-rw-r--r--. 1 root root 1992 Mar 24 11:19 cert.pem
-rw-r--r--. 1 root root 3414 Mar 24 11:19 key.pem
-rw-r--r--. 1 root root 4380 Mar 24 11:19 mykeystore.pkcs12
sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12
c189536854e59ab444720efaaa76a34a /keystore/..data/mykeystore.pkcs12
sh-5.2#
Edit cert.pem in secret using the Management Console
$ oc delete pod mypod -n project-300
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: project-300
spec:
containers:
- name: mypod
image: quay.io/rhn_support_sreber/curl:latest
volumeMounts:
- name: foo
mountPath: "/keystore"
readOnly: true
volumes:
- name: foo
secret:
secretName: keystore
optional: true
sh-5.2# ls -al /keystore/..data/
total 20
drwxr-xr-x. 2 root root 100 Mar 24 12:52 .
drwxrwxrwt. 3 root root 140 Mar 24 12:52 ..
-rw-r--r--. 1 root root 1992 Mar 24 12:52 cert.pem
-rw-r--r--. 1 root root 3414 Mar 24 12:52 key.pem
-rw-r--r--. 1 root root 10782 Mar 24 12:52 mykeystore.pkcs12
sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12
56f04fa8059471896ed5a3c54ade707c /keystore/..data/mykeystore.pkcs12
sh-5.2#
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.13.0-0.nightly-2023-03-23-204038 True False 91m Cluster version is 4.13.0-0.nightly-2023-03-23-204038
The modification was done in the Management Console, selecting the secret and then use: Actions -> Edit Secrets -> Modifying the value of cert.pem and submiting via Save button
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.13.0-0.nightly-2023-03-23-204038 and 4.12.6
How reproducible:
Always
Steps to Reproduce:
1. See above the details steps
Actual results:
# md5sum on the Laptop for the file $ md5sum mykeystore.pkcs12 c189536854e59ab444720efaaa76a34a mykeystore.pkcs12 # md5sum of the file in the pod after the modification in the Management Console sh-5.2# md5sum /keystore/..data/mykeystore.pkcs12 56f04fa8059471896ed5a3c54ade707c /keystore/..data/mykeystore.pkcs12 The file got corrupted and is not usable anymore. The binary file though should not be modified if no changes was made on it's value, when editing the secret in the Mansgement Console.
Expected results:
The binary file though should not be modified if no changes was made on it's value, when editing the secret in the Mansgement Console.
Additional info:
A similar problem was alredy fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1879638 but that was, when the binary file was uploaded. Possible that the secret edit functionality is also missing binary file support.
Attachments
Issue Links
- blocks
-
-
- Closed
-
- is cloned by
-
-
- Closed
-
- links to