Magnum

Bug #2061314
Activity log

Activity log for bug #2061314

Date	Who	What changed	Old value	New value	Message
2024-04-14 19:13:59	Mariusz Adamski	bug			added bug
2024-04-14 19:32:45	OpenStack Infra	magnum: status	New	In Progress
2024-04-15 05:53:43	Mariusz Adamski	description	It seems that since separate CA certs ware added for etcd and front proxy in https://review.opendev.org/c/openstack/magnum/+/746864, the cleanup code to remove these certificates was never put in place, as can be seen here: https://opendev.org/openstack/magnum/src/branch/master/magnum/conductor/handlers/common/cert_manager.py#L240 Steps to reproduce: Create a Magnum cluster and then delete it. Inspect the Barbican database to see that two certificates, along with their private keys and passphrases are still left: $ mysql barbican -t <<<"select name, status, created_at, deleted_at from secrets order by created_at desc limit 12;" +------------------------+--------+---------------------+---------------------+ \| name \| status \| created_at \| deleted_at \| +------------------------+--------+---------------------+---------------------+ \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:46 \| NULL \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:46 \| NULL \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:45 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:44 \| 2024-04-14 19:06:38 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:44 \| 2024-04-14 19:06:38 \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:43 \| 2024-04-14 19:06:38 \| +------------------------+--------+---------------------+---------------------+ Expected result: All created certificates should be removed when the cluster is deleted.	It seems that since separate CA certs were added for etcd and front proxy in https://review.opendev.org/c/openstack/magnum/+/746864, the cleanup code to remove these certificates was never put in place, as can be seen here: https://opendev.org/openstack/magnum/src/branch/master/magnum/conductor/handlers/common/cert_manager.py#L240 Steps to reproduce: Create a Magnum cluster and then delete it. Inspect the Barbican database to see that two certificates, along with their private keys and passphrases are still left: $ mysql barbican -t <<<"select name, status, created_at, deleted_at from secrets order by created_at desc limit 12;" +------------------------+--------+---------------------+---------------------+ \| name \| status \| created_at \| deleted_at \| +------------------------+--------+---------------------+---------------------+ \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:48 \| 2024-04-14 19:06:39 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:47 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:46 \| NULL \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:46 \| NULL \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:45 \| NULL \| \| Private Key Passphrase \| ACTIVE \| 2024-04-14 18:32:44 \| 2024-04-14 19:06:38 \| \| Private Key \| ACTIVE \| 2024-04-14 18:32:44 \| 2024-04-14 19:06:38 \| \| Certificate \| ACTIVE \| 2024-04-14 18:32:43 \| 2024-04-14 19:06:38 \| +------------------------+--------+---------------------+---------------------+ Expected result: All created certificates should be removed when the cluster is deleted.