Red Hat SummitChapter 4. Bug fixes
In this release of Red Hat Trusted Artifact Signer (RHTAS), we fixed the following bugs. In addition to these fixes, we also list the descriptions of previously known issues found in earlier versions that we fixed.
- Browser redirect now shows correct Red Hat signing page after
cosignupdate -
After signing an artifact with
cosign, the web browser redirect displayed the wrong Sigstore page, instead of the Red Hat successful signing page, leading to users seeing incorrect branding after completing the signing workflow. With this release, thecosigntool now redirects to the correct Red Hat successful signing HTML page after completing the browser-based signing workflow. Consequently, users now see the Red Hat successful signing page upon signing with cosign.
- Update memory limits for the RHTAS Operator
- Previously, the RHTAS Operator controller manager could run out of memory (OOM) on production clusters with many workloads. This was caused by the Operator’s internal caches tracking all objects of certain Kubernetes types cluster-wide. In this release, those caches are scoped to only RHTAS-managed resources, reducing peak memory usage from over 256 MB to approximately 80 MB. The default memory limit has also been increased to 512 MB as an additional safety margin.
- Helm chart disables
PodDisruptionBudgetby default -
The Helm chart included a
PodDisruptionBudget(PDB) that previously defaulted tominAvailable=1, which coincided with the defaultreplicaCountof1for RHTAS components. This arrangement led to deadlocks during node draining, and OpenShift cluster upgrades. With this release, the PDB is disabled by default within the Helm chart, ensuring smooth progression of node draining, and when performing OpenShift cluster upgrades. Users running multiple replicas can re-enable the PDB for added availability guarantees during disruptions.
- Cosign does not respect individual TSA certificate chains during rotation
With this release, we updated
cosignto version 3. This update fixes the issue wherecosignexpects only one single Timestamp Authority (TSA) certificate chain. You can rotating the TSA certificate chain by giving the whole TSA certificate chain to The Update Framework (TUF) as an individual target. During the rotation process, setting the new TSA certificate chain as the new TUF target, and expiring the old TSA certificate chain no longer displays the following error message.main.go:74: error during command execution: unable to load TSA certificates: TSA certificate chain must contain exactly one leaf certificateFor information about rotating the TSA signer key and certificate chain see our procedure for Red Hat OpenShift Container Platform, or Red Hat Enterprise Linux.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}