Skip to content

[release-4.20] OCPBUGS-62057: OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert #1961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 11, 2025
Merged

[release-4.20] OCPBUGS-62057: OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert #1961

merged 1 commit into from
Nov 11, 2025

Conversation

@sanchezl
Copy link
Contributor

@sanchezl sanchezl commented Nov 10, 2025
edited
Loading

This is a manual cherry-pick of #1928.
Simply a bump of library-go.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2025
@coderabbitai
Copy link

coderabbitai bot commented Nov 10, 2025
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Three independent changes: a priority field is added to the kube-apiserver Pod specification, a module replacement directive is added to redirect openshift/library-go to a forked version, and development-time cycle acceleration is reverted in the certificate rotation controller by removing a divisor override.

Changes

Cohort / File(s) Summary
kube-apiserver Pod Configuration
bindata/assets/kube-apiserver/pod.yaml		 Adds priority: 2000001000 field to the kube-apiserver Pod spec immediately after hostNetwork.
Module Dependency Management
go.mod		 Adds replace directive: github.com/openshift/library-gogithub.com/sanchezl/library-go v0.0.0-20251110151207-59957acf7431.
Certificate Rotation Controller
pkg/operator/certrotationcontroller/certrotationcontroller.go		 Removes development-time rotation cycle acceleration (division by 60), restoring rotationDay to standard 24-hour timing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • bindata/assets/kube-apiserver/pod.yaml: Verify the priority value (2000001000) is intentional and properly positioned in the spec.
  • go.mod: Confirm the forked library version and its compatibility with existing code; verify no breaking changes from the fork.
  • pkg/operator/certrotationcontroller/certrotationcontroller.go: Ensure removal of the divisor doesn't affect any dependent timing logic or test expectations.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 10, 2025
@sanchezl sanchezl changed the title PROOF: bump library-go PROOF: OCPBUGS-62057: bump library-go Nov 10, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@sanchezl: This pull request references Jira Issue OCPBUGS-62057, which is invalid:

  • expected the bug to target either version "4.21." or "openshift-4.21.", but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

  • revert dev cert rotation
  • Add priority field to prevent early shutdown
  • WIP: bump library-go
  • WIP: bump library-go

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sanchezl sanchezl mentioned this pull request Nov 10, 2025
Closed
coderabbitai[bot]
coderabbitai bot reviewed Nov 10, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c5e4320 and 2615423.

⛔ Files ignored due to path filters (8)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/certrotation/target.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/generic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/networking.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/storage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/networking.go is excluded by !vendor/**, !**/vendor/**
  • vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (3)
  • bindata/assets/kube-apiserver/pod.yaml (1 hunks)
  • go.mod (1 hunks)
  • pkg/operator/certrotationcontroller/certrotationcontroller.go (0 hunks)
💤 Files with no reviewable changes (1)
  • pkg/operator/certrotationcontroller/certrotationcontroller.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/assets/kube-apiserver/pod.yaml
  • go.mod
🔇 Additional comments (1)
go.mod (1)

137-137: Justify the use of a forked library-go dependency and its WIP status.

The replace directive at line 137 redirects github.com/openshift/library-go to a personal fork (github.com/sanchezl/library-go) at a pseudo-version with no documentation or justification in the codebase. Combined with the PR's "WIP" status, this raises concerns:

  • Forked dependency: Using a personal fork instead of the upstream library-go or an official OpenShift fork is non-standard. No comments or documentation explain why this fork is necessary.
  • WIP status: The PR description marks this change as "work in progress," indicating incomplete status. Confirm this is ready for merge to main.
  • No justification: The codebase contains no explanation for why the fork is needed (e.g., unmerged patches, incompatible upstream, pending PR).

Provide clarity on the fork's purpose and ensure this change is production-ready before merging.

@sanchezl sanchezl changed the base branch from main to release-4.20 November 10, 2025 16:16
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@sanchezl: This pull request references Jira Issue OCPBUGS-62057, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-60045 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-60045 targets the "4.21.0" version, which is one of the valid target versions: 4.21.0
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

In response to this:

  • revert dev cert rotation
  • Add priority field to prevent early shutdown
  • WIP: bump library-go
  • WIP: bump library-go

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Nov 10, 2025
@openshift-ci openshift-ci bot requested a review from wangke19 November 10, 2025 16:16
@sanchezl sanchezl marked this pull request as draft November 10, 2025 16:20
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 10, 2025
@sanchezl
Copy link
Contributor Author

sanchezl commented Nov 10, 2025

/test all

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2025
@sanchezl sanchezl force-pushed the cherry-pick-1928-to-release-4.20 branch from 2615423 to 73738df Compare November 10, 2025 20:09
@sanchezl sanchezl changed the title PROOF: OCPBUGS-62057: bump library-go OCPBUGS-62057: bump library-go Nov 10, 2025
@sanchezl sanchezl marked this pull request as ready for review November 10, 2025 20:13
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 10, 2025
@openshift-ci openshift-ci bot requested review from deads2k and tkashem November 10, 2025 20:14
@sanchezl
Copy link
Contributor Author

sanchezl commented Nov 10, 2025

/jira cherrypick OCPBUGS-60045

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@sanchezl: Detected clone of Jira Issue OCPBUGS-60045 with correct target version. Will retitle the PR to link to the clone.
/retitle OCPBUGS-62057: OCPBUGS-62057: bump library-go

In response to this:

/jira cherrypick OCPBUGS-60045

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title OCPBUGS-62057: bump library-go OCPBUGS-62057: OCPBUGS-62057: bump library-go Nov 10, 2025
@sanchezl sanchezl changed the title OCPBUGS-62057: OCPBUGS-62057: bump library-go OCPBUGS-62057: OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert Nov 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 10, 2025

@sanchezl: This pull request references Jira Issue OCPBUGS-62057, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-60045 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-60045 targets the "4.21.0" version, which is one of the valid target versions: 4.21.0
  • bug has dependents

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is a manual cherry-pick of #1928.
Simply a bump of library-go.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

sanchezl
sanchezl commented Nov 10, 2025
View reviewed changes
Copy link
Contributor Author

@sanchezl sanchezl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 10, 2025

@sanchezl: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sanchezl sanchezl changed the title OCPBUGS-62057: OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert [release-4.20] OCPBUGS-62057: OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert Nov 10, 2025
@benluddy
Copy link
Contributor

benluddy commented Nov 10, 2025

/lgtm
/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Nov 10, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 10, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, sanchezl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 10, 2025

@sanchezl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-serial-2of2 2615423 link true /test e2e-aws-ovn-serial-2of2
ci/prow/images 2615423 link true /test images
ci/prow/verify-deps 2615423 link true /test verify-deps
ci/prow/e2e-aws-ovn-upgrade 2615423 link true /test e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn 2615423 link true /test e2e-aws-ovn
ci/prow/e2e-gcp-operator 2615423 link true /test e2e-gcp-operator
ci/prow/verify 2615423 link true /test verify
ci/prow/okd-scos-e2e-aws-ovn 2615423 link false /test okd-scos-e2e-aws-ovn
ci/prow/okd-scos-images 2615423 link true /test okd-scos-images
ci/prow/unit 2615423 link true /test unit
ci/prow/e2e-aws-ovn-serial-1of2 2615423 link true /test e2e-aws-ovn-serial-1of2
ci/prow/k8s-e2e-gcp 2615423 link true /test k8s-e2e-gcp

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@wangke19
Copy link
Contributor

wangke19 commented Nov 11, 2025

/hold
A pre-merge verification is ongoing.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 11, 2025
@wangke19
Copy link
Contributor

wangke19 commented Nov 11, 2025

Pre-mrege verified, looks good, detail see https://issues.redhat.com/browse/OCPBUGS-62057?focusedId=28432603&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-28432603

@wangke19
Copy link
Contributor

wangke19 commented Nov 11, 2025

/verified by @wangke19

@wangke19
Copy link
Contributor

wangke19 commented Nov 11, 2025

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 11, 2025
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 11, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 11, 2025

@wangke19: This PR has been marked as verified by @wangke19.

In response to this:

/verified by @wangke19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot bot merged commit a3414ab into openshift:release-4.20 Nov 11, 2025
14 checks passed
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 11, 2025

@sanchezl: Jira Issue OCPBUGS-62057: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-62057 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

In response to this:

This is a manual cherry-pick of #1928.
Simply a bump of library-go.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sanchezl sanchezl mentioned this pull request Nov 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benluddy benluddy benluddy left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@dgrisonnet dgrisonnet Awaiting requested review from dgrisonnet

@dinhxuanvu dinhxuanvu Awaiting requested review from dinhxuanvu

@wangke19 wangke19 Awaiting requested review from wangke19

@deads2k deads2k Awaiting requested review from deads2k

@tkashem tkashem Awaiting requested review from tkashem

Assignees

@benluddy benluddy

@xingxingxia xingxingxia

@wangke19 wangke19

@gangwgr gangwgr

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@sanchezl @openshift-ci-robot @benluddy @wangke19 @xingxingxia @openshift-merge-robot @gangwgr