红帽全球峰会此内容没有您所选择的语言版本。
Chapter 5. Known issues
Resolved known issues for this release of Red Hat Trusted Artifact Signer (RHTAS):
A list of unresolved known issues found in this release, and earlier releases of RHTAS:
- The Trillian CR status update fails
-
The Trillian custom resource (CR) fails to update the
status.replicasfield within the CR after a user specifies a custom number of replicas. This results in a mismatch between the number of replicas defined and the number reported in the CR status. Although the correct number of pods are deployed, the status field incorrectly displays the default value, which might cause confusion during monitoring. To work around this issue, manually update thestatus.replicasfield in the CR to match the actual number of replicas. As a result of this workaround, the status field accurately reflects the number of replicas.
- Cosign fails verification of signed timestamps after rotating the TSA certification chain
The current version of
cosignexpects only one single Timestamp Authority (TSA) certificate chain. When rotating the TSA certificate chain, you give the whole TSA certificate chain to The Update Framework (TUF) as an individual target. During the rotation process, setting the new TSA certificate chain as the new TUF target, and expiring the old TSA certificate chain gives the following error message:main.go:74: error during command execution: unable to load TSA certificates: TSA certificate chain must contain exactly one leaf certificateCurrently, there is no workaround for this issue.
For information about rotating the TSA signer key and certificate chain see our procedure for Red Hat OpenShift Container Platform, or Red Hat Enterprise Linux.
- The
ownerReferencesare lost when restoring Trusted Artifact Signer to a different OpenShift cluster -
When restoring the RHTAS data to a new Red Hat OpenShift cluster, the
ownerReferencesfor components are lost. This happens because the Securesign UUID changes when restoring on a new cluster, and theownerReferencesfor each component gets deleted since they are no longer valid. To workaround this issue, run the provided script after the Securesign resource is restored. This script recreates theownerReferenceswith the new Securesign UUID.
- Rekor Search UI does not show records after upgrade
After upgrading the RHTAS Operator to the latest version, the existing Rekor data is not found when searching by email address. The
backfill-redisCron job, which ensures that Rekor Search UI can query the transparency log only runs once per day, at midnight. To workaround this issue, you can trigger thebackfill-redisjob manually, instead of waiting until midnight.To trigger the
backfill-redisjob from the command-line interface, run the following command:oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signer
$ oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signerCopy to Clipboard Copied! Toggle word wrap Toggle overflow Doing this adds the missing data back to the Rekor Search UI.
- Operator does not update the component status after doing a restore to a different OpenShift cluster
When restoring the RHTAS signer data from a backup to a new OpenShift cluster, the component status links do not update as expected. Currently, you have to manually delete the
securesign-sample-trillian-db-tlsresource, and manually update the component status links. The RHTAS operator will automatically recreate an updatedsecuresign-sample-trillian-db-tlsresource, after it has been removed.After the backup procedure starts, and the secrets restored, delete the
securesign-sample-trillian-db-tlsresource:oc delete secret securesign-sample-trillian-db-tls
$ oc delete secret securesign-sample-trillian-db-tlsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Once all the pods start, then update the status files for
Securesign, andTimestampAuthority:oc edit --subresource=status Securesign securesign-sample oc edit --subresource=status TimestampAuthority securesign-sample
$ oc edit --subresource=status Securesign securesign-sample $ oc edit --subresource=status TimestampAuthority securesign-sampleCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}