Steps to reproduce:
Create a Magnum cluster and then delete it. Inspect the Barbican database to see that two certificates, along with their private keys and passphrases, are still left:
$ mysql barbican -t <<<"select name, status, created_at, deleted_at from secrets order by created_at desc limit 12;"
+------------------------+--------+---------------------+---------------------+
| name | status | created_at | deleted_at |
+------------------------+--------+---------------------+---------------------+
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Certificate | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Private Key | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Private Key | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Certificate | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:46 | NULL |
| Private Key | ACTIVE | 2024-04-14 18:32:46 | NULL |
| Certificate | ACTIVE | 2024-04-14 18:32:45 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:44 | 2024-04-14 19:06:38 |
| Private Key | ACTIVE | 2024-04-14 18:32:44 | 2024-04-14 19:06:38 |
| Certificate | ACTIVE | 2024-04-14 18:32:43 | 2024-04-14 19:06:38 |
+------------------------+--------+---------------------+---------------------+
Expected result:
All created certificates should be removed when the cluster is deleted.
It seems that since separate CA certs were added for etcd and front proxy in https://review.opendev.org/c/openstack/magnum/+/746864, the cleanup code to remove these certificates was never put in place, as can be seen here: https://opendev.org/openstack/magnum/src/branch/master/magnum/conductor/handlers/common/cert_manager.py#L240
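The check from the reproduction steps can be scripted. The following is an added example, not part of the original report or of Magnum: it parses the `mysql -t` output shown above and counts the certificate bundles that were never soft-deleted. The function names are hypothetical, and it assumes the query is run on a deployment where the deleted cluster was the only source of recent secrets.

```python
from collections import Counter

# A complete bundle as it appears in the report's output.
BUNDLE = ("Certificate", "Private Key", "Private Key Passphrase")

# Rows copied from the query output in the report above.
SAMPLE = """\
+------------------------+--------+---------------------+---------------------+
| name | status | created_at | deleted_at |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Certificate | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Private Key | ACTIVE | 2024-04-14 18:32:48 | 2024-04-14 19:06:39 |
| Private Key | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Certificate | ACTIVE | 2024-04-14 18:32:47 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:46 | NULL |
| Private Key | ACTIVE | 2024-04-14 18:32:46 | NULL |
| Certificate | ACTIVE | 2024-04-14 18:32:45 | NULL |
| Private Key Passphrase | ACTIVE | 2024-04-14 18:32:44 | 2024-04-14 19:06:38 |
| Private Key | ACTIVE | 2024-04-14 18:32:44 | 2024-04-14 19:06:38 |
| Certificate | ACTIVE | 2024-04-14 18:32:43 | 2024-04-14 19:06:38 |
"""

def parse_mysql_table(text):
    """Turn `mysql -t` output into dicts keyed by the header row; border lines are skipped."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def leftover_secrets(text):
    """Count secrets per name whose deleted_at is still NULL."""
    return Counter(row["name"] for row in parse_mysql_table(text)
                   if row["deleted_at"].upper() == "NULL")

def leaked_cert_bundles(text):
    """Number of complete certificate/key/passphrase bundles left behind."""
    left = leftover_secrets(text)
    return min(left[name] for name in BUNDLE)

if __name__ == "__main__":
    print(dict(leftover_secrets(SAMPLE)))
    print("leaked bundles:", leaked_cert_bundles(SAMPLE))
```

A result of 0 leaked bundles after cluster deletion is the expected outcome described in the report.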