Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 5. Known issues
Resolved known issues for this release of Red Hat Trusted Artifact Signer (RHTAS):
A list of unresolved known issues found in this release, and earlier releases of RHTAS:
- Client-side load balancing does not balance traffic properly
-
In RHTAS high availability (HA) deployments, gRPC services, such as
trillian-logserver, uses the defaultpick_firstload balancing policy. Combined with theClusterIPOpenShift service, this results in all requests being directed to only one or two back-end replicas. This issue makes horizontal scaling ineffective, as the workload is not evenly distributed, thus limiting overall throughput to the capacity of a single instance. Currently there is no workaround available.
- Cosign OIDC provider selection is ignored when using the
--oidc-issuerflag We found an issue on how Cosign selects an OpenID Connect (OIDC) provider when using Cosign version 3 or later. Cosign adheres to the
signing_config.v0.2.jsonprovided by The Update Framework (TUF) to determine the service URLs for RHTAS components. Cosign follows the "winner-takes-all" logic for selecting which OIDC provider to use for authentication by identifying which OIDC entry has the highest compatible API version within a certain period of time. If there are multiple OIDC providers that meet this criteria, then the first OIDC provider is selected, and the others are ignored. This logic prevents the user from manually selecting which OIDC provider they want to used, even if using the--oidc-issuerflag, because thesigning_config.v0.2.jsonis active. This can result in a hard failure, with the following message:Error: cannot specify service URLs and use signing configTo workaround this issue, you must bypass the automated signing configuration by setting the
--use-signing-configtofalse. This allows you to explicitly set the OIDC provider of your choice when using the--oidc-issuerflag.
- Restoring RHTAS data to new OpenShift cluster
When restoring RHTAS data to a new Red Hat OpenShift cluster, you must regenerate the TLS certificates due to a change of the CA authority for the cluster. This change disrupts secure communication between components, leading some pods to halt during the restoration process. To resolve this issue, initiate the restoration, then before scaling the operator, delete all the TLS certificates by running the following commands:
$ oc delete secret securesign-sample-ctlog-tls securesign-sample-rekor-redis-tls securesign-sample-trillian-db-tls securesign-sample-trillian-logserver-tls securesign-sample-trillian-logsigner-tls $ oc scale deploy rhtas-operator-controller-manager --replicas=1 -n openshift-operatorsAs a result, all pods will start, and communication between components will be re-established.
- The Trillian CR status update fails
-
The Trillian custom resource (CR) fails to update the
status.replicasfield within the CR after a user specifies a custom number of replicas. This results in a mismatch between the number of replicas defined and the number reported in the CR status. Although the correct number of pods are deployed, the status field incorrectly displays the default value, which might cause confusion during monitoring. To work around this issue, manually update thestatus.replicasfield in the CR to match the actual number of replicas. As a result of this workaround, the status field accurately reflects the number of replicas.
- Rekor Search UI does not show records after upgrade
After upgrading the RHTAS Operator to the latest version, the existing Rekor data is not found when searching by email address. The
backfill-redisCron job, which ensures that Rekor Search UI can query the transparency log only runs once per day, at midnight. To workaround this issue, you can trigger thebackfill-redisjob manually, instead of waiting until midnight.To trigger the
backfill-redisjob from the command-line interface, run the following command:$ oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signerDoing this adds the missing data back to the Rekor Search UI.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}