x509 front-proxy-ca cert/key should be the same on both controllers

Bug #1855915 reported by Chris Friesen
This bug affects 2 people
Affects    Status        Importance  Assigned to   Milestone
StarlingX  Fix Released  High        Bart Wensley

Bug Description

Brief Description
-----------------
While testing a related issue, I noticed that the front-proxy-ca.crt/front-proxy-ca.key x509 certificate/key was different on the two controller nodes. They should be the same.

Severity
--------
Major (I believe this could cause addon API servers to fail over a swact due to key mismatch.)

Steps to Reproduce
------------------
Install StarlingX. Check the values of /etc/kubernetes/pki/front-proxy-ca.crt and /etc/kubernetes/pki/front-proxy-client.crt on the two controller nodes and check if they match.

Expected Behavior
------------------
The certificate and key should match on both controller nodes.

Actual Behavior
----------------
The certificate and key do not match.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Two or more nodes.

Branch/Pull Time/Commit
-----------------------
Day one issue, I think.

Last Pass
---------
Never

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Investigating failure of kubernetes conformance testing
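
The comparison described under Steps to Reproduce, written out as an added example (it is not part of the bug report or of the StarlingX fix). It compares the front-proxy CA certificate fingerprints, confirms each CA key belongs to its certificate by public-key digest so the private key is never compared directly, and verifies one controller's front-proxy-client.crt against the other controller's CA. The function names, return codes and directory layout are assumptions, and the sample PKI is constructed on the fly with openssl.

```shell
#!/bin/sh
# Added example. Each directory stands in for one controller's /etc/kubernetes/pki.

# SHA-256 fingerprint of a certificate.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Digest of the public key in a certificate / derived from a private key.
# Equal digests mean the key belongs to the certificate.
pub_digest() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey | pub_digest; }
key_pub() { openssl pkey -in "$1" -pubout | pub_digest; }

# check_front_proxy DIR_A DIR_B
# 0 = consistent, 1 = CA certs differ, 2 = a CA key does not match its cert,
# 3 = A's client cert does not verify against B's CA, 4 = CA file missing/empty.
check_front_proxy() {
    for d in "$1" "$2"; do
        [ -s "$d/front-proxy-ca.crt" ] && [ -s "$d/front-proxy-ca.key" ] || return 4
        [ "$(cert_pub "$d/front-proxy-ca.crt")" = "$(key_pub "$d/front-proxy-ca.key")" ] || return 2
    done
    [ "$(cert_fp "$1/front-proxy-ca.crt")" = "$(cert_fp "$2/front-proxy-ca.crt")" ] || return 1
    openssl verify -CAfile "$2/front-proxy-ca.crt" "$1/front-proxy-client.crt" >/dev/null 2>&1 || return 3
}

# Constructed sample data: a throwaway CA and a client cert signed by it.
make_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=front-proxy-ca" \
        -keyout "$1/front-proxy-ca.key" -out "$1/front-proxy-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=front-proxy-client" \
        -keyout "$1/front-proxy-client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/front-proxy-ca.crt" \
        -CAkey "$1/front-proxy-ca.key" -CAcreateserial -days 1 \
        -out "$1/front-proxy-client.crt" 2>/dev/null
}

demo() {
    t=$(mktemp -d)
    make_pki "$t/controller-0"; make_pki "$t/controller-1"   # independent CAs, as in the report
    rc=0; check_front_proxy "$t/controller-0" "$t/controller-1" || rc=$?
    echo "independently generated: rc=$rc"
    cp "$t"/controller-0/front-proxy-* "$t/controller-1/"    # emulate copying from the first controller
    rc=0; check_front_proxy "$t/controller-0" "$t/controller-1" || rc=$?
    echo "after copy: rc=$rc"
    rm -rf "$t"
}
demo
```

On real controllers, run the digest functions locally on each node and compare only their output, so the CA private key stays where it is.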

Changed in starlingx:
assignee: nobody → Bart Wensley (bartwensley)
Ghada Khalil (gkhalil)
tags: added: stx.containers
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.3.0 stx.config
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/698349

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/698350

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/698351

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/698350
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=5af9f695c3f90951623188f8c889ee9303e95b15
Submitter: Zuul
Branch: master

commit 5af9f695c3f90951623188f8c889ee9303e95b15
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:29:56 2019 -0600

    Store front-proxy server certificates in hiera data

    Store the front-proxy server certificates in hiera data so
    they can later be copied to the second master.

    Closes-Bug: 1855915
    Depends-On https://review.opendev.org/#/c/698349
    Signed-off-by: Bart Wensley <email address hidden>

    Change-Id: I538b5ad4263319dce4c063ffc279799d3a878b62

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/698351
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=8b5cabef0dae2d6c7ee091580938f09f900c3a4a
Submitter: Zuul
Branch: master

commit 8b5cabef0dae2d6c7ee091580938f09f900c3a4a
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:32:11 2019 -0600

    Copy front-proxy server certificates to second master

    Copy the front-proxy server certificates to the second master
    when it is installed so they match the certificates on the
    first master.

    Change-Id: I83b63f7fdb96403c217ca7aaa024d11315d27df2
    Closes-Bug: 1855915
    Depends-On: https://review.opendev.org/#/c/698350
    Signed-off-by: Bart Wensley <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/698349
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=bd288a4f6a8ec65881d964cce98f85a7747a8fab
Submitter: Zuul
Branch: master

commit bd288a4f6a8ec65881d964cce98f85a7747a8fab
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:28:02 2019 -0600

    Preserve front-proxy server certificates

    Preserve the front-proxy server certificates so they can later
    be copied to the second master.

    Change-Id: Ifa9b375d9715ca7f10ed2ad6ed3b0a1d78d25b91
    Closes-Bug: 1855915
    Signed-off-by: Bart Wensley <email address hidden>

Ghada Khalil (gkhalil) wrote :

Next step is to cherrypick the changes to the r/stx.3.0

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (r/stx.3.0)

Fix proposed to branch: r/stx.3.0
Review: https://review.opendev.org/698507

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (r/stx.3.0)

Fix proposed to branch: r/stx.3.0
Review: https://review.opendev.org/698509

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (r/stx.3.0)

Fix proposed to branch: r/stx.3.0
Review: https://review.opendev.org/698511

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (r/stx.3.0)

Reviewed: https://review.opendev.org/698507
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=0ad01cd4cae7d5c85e1022b816ed465b334bb2e5
Submitter: Zuul
Branch: r/stx.3.0

commit 0ad01cd4cae7d5c85e1022b816ed465b334bb2e5
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:28:02 2019 -0600

    Preserve front-proxy server certificates

    Preserve the front-proxy server certificates so they can later
    be copied to the second master.

    Change-Id: Ifa9b375d9715ca7f10ed2ad6ed3b0a1d78d25b91
    Closes-Bug: 1855915
    Signed-off-by: Bart Wensley <email address hidden>
    (cherry picked from commit bd288a4f6a8ec65881d964cce98f85a7747a8fab)

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (r/stx.3.0)

Reviewed: https://review.opendev.org/698509
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=b51e4ef738e0020f11f164fd3f86399872caf3c6
Submitter: Zuul
Branch: r/stx.3.0

commit b51e4ef738e0020f11f164fd3f86399872caf3c6
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:29:56 2019 -0600

    Store front-proxy server certificates in hiera data

    Store the front-proxy server certificates in hiera data so
    they can later be copied to the second master.

    Closes-Bug: 1855915
    Depends-On: https://review.opendev.org/#/c/698507
    Signed-off-by: Bart Wensley <email address hidden>

    Change-Id: I538b5ad4263319dce4c063ffc279799d3a878b62
    (cherry picked from commit 5af9f695c3f90951623188f8c889ee9303e95b15)

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (r/stx.3.0)

Reviewed: https://review.opendev.org/698511
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=678fe78b72b70e213eae32b1932afe97cc8c16b4
Submitter: Zuul
Branch: r/stx.3.0

commit 678fe78b72b70e213eae32b1932afe97cc8c16b4
Author: Bart Wensley <email address hidden>
Date: Tue Dec 10 20:32:11 2019 -0600

    Copy front-proxy server certificates to second master

    Copy the front-proxy server certificates to the second master
    when it is installed so they match the certificates on the
    first master.

    Change-Id: I83b63f7fdb96403c217ca7aaa024d11315d27df2
    Closes-Bug: 1855915
    Depends-On: https://review.opendev.org/#/c/698509
    Signed-off-by: Bart Wensley <email address hidden>
    (cherry picked from commit 8b5cabef0dae2d6c7ee091580938f09f900c3a4a)
