Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 4. Known issues
A list of unresolved known issues found in this release, and earlier releases of RHTAS:
- An Operator Lifecycle Manager catalog incident causes the RHTAS Operator version mismatch on Red Hat OpenShift 4.15 clusters
- An incident involving the Operator Lifecycle Manager (OLM) catalog has caused Red Hat OpenShift to incorrectly update the RHTAS Operator from version 1.2.1 to version 1.3.2. This is happening on the stable channel for Red Hat OpenShift 4.15 clusters when auto-update is enabled. This mismatch effects Red Hat OpenShift 4.15 clusters by locking them on version RHTAS 1.3.2 when they should not be. To resolve this issue, do a full backup of your RHTAS data, upgrade the Red Hat OpenShift cluster to at least version 4.18, and then manually update the RHTAS Operator to version 1.2.2, or you can remain on the 1.3.x stable channel, if required. Next, restore your data. If you did a backup on RHTAS 1.3.2, then you must restore your data to the same version. The backup and restore process is not cross-version compatible. Upgrading the underlying Red Hat OpenShift cluster ensures platform compatibility with the RHTAS Operator versioning requirements, thereby resolving the OLM routing conflict and enabling future security patches and functional updates moving forward.
- Cosign fails verification of signed timestamps after rotating the TSA certification chain
The current version of
cosignexpects only one single Timestamp Authority (TSA) certificate chain. When rotating the TSA certificate chain, you give the whole TSA certificate chain to The Update Framework (TUF) as an individual target. During the rotation process, setting the new TSA certificate chain as the new TUF target, and expiring the old TSA certificate chain gives the following error message.main.go:74: error during command execution: unable to load TSA certificates: TSA certificate chain must contain exactly one leaf certificateCurrently, there is no workaround for this issue.
For information about rotating the TSA signer key and certificate chain see our procedure for Red Hat OpenShift Container Platform, or Red Hat Enterprise Linux.
- The
ownerReferencesare lost when restoring Trusted Artifact Signer to a different OpenShift cluster -
When restoring the RHTAS data to a new Red Hat OpenShift cluster, the
ownerReferencesfor components are lost. This happens because the Securesign UUID changes when restoring on a new cluster, and theownerReferencesfor each component gets deleted since they are no longer valid. To workaound this issue, run the provided script after the Securesign resource is restored. This script recreates theownerReferenceswith the new Securesign UUID.
- Specifying a PVC name for the TUF repository fails the initialization process
When specifying a persistent volume claim (PVC) name in The Update Framework (TUF) resource causes the RHTAS operator to fail the initialization of the TUF repository. For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow To workaround this issue, do not specify a PVC name in the TUF resource. This allows the RHTAS operator to automatically create the PVC, names it
tuf, and properly initializes the TUF repository.
- Rekor Search UI does not show records after upgrade
After upgrading the RHTAS operator to the latest version (1.0.1), the existing Rekor data is not found when searching by email address. The
backfill-redisCronJob, which ensures that Rekor Search UI can query the transparency log only runs once per day, at midnight. To workaround this issue, you can trigger thebackfill-redisjob manually, instead of waiting until midnight.To trigger the
backfill-redisjob from the command-line interface, run the following command:oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signer
$ oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signerCopy to Clipboard Copied! Toggle word wrap Toggle overflow Doing this adds the missing data back to the Rekor Search UI.
- The Trusted Artifact Signer Operator does not apply configuration changes
We found a potential issue with the RHTAS Operator logic that can cause an unexpected state when redeploying. This inconsistent state can happen if removing configurations from RHTAS resources and the Operator tries to redeploy those resources. To workaround this potential issue, you can delete the specific resource, and then re-create that resource by using the previous instance’s configuration, such as keys, and persistent volumes. The RHTAS resources are: Securesign, Fulcio, The Update Framework (TUF), Rekor, Certificate Transparency (CT) log, or Trillian.
For example, to delete the
Securesignresource:oc delete Securesign securesing-sample
$ oc delete Securesign securesing-sampleCopy to Clipboard Copied! Toggle word wrap Toggle overflow For example, to re-create the
Securesignresource from a configuration file:oc create -f ./securesign-sample.yaml
$ oc create -f ./securesign-sample.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- Operator does not update the component status after doing a restore to a different OpenShift cluster
When restoring the RHTAS signer data from a backup to a new OpenShift cluster, the component status links do not update as expected. Currently, you have to manually delete the
securesign-sample-trillian-db-tlsresource, and manually update the component status links. The RHTAS operator will automatically re-create an updatedsecuresign-sample-trillian-db-tlsresource, after it has been removed.After the backup procedure starts, and the secrets restored, delete the
securesign-sample-trillian-db-tlsresource:oc delete secret securesign-sample-trillian-db-tls
$ oc delete secret securesign-sample-trillian-db-tlsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Once all the pods start, then update the status files for
Securesign, andTimestampAuthority:oc edit --subresource=status Securesign securesign-sample oc edit --subresource=status TimestampAuthority securesign-sample
$ oc edit --subresource=status Securesign securesign-sample $ oc edit --subresource=status TimestampAuthority securesign-sampleCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- Trusted Artifact Signer requires
cosign2.2 or later -
Because of recent changes to how we generate The Update Framework (TUF) repository, and making use of different checksum algorithms, we require the use of
cosignversion 2.2 or later. With this release of RHTAS, you can downloadcosignversion 2.4 for use with Trusted Artifact Signer.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}