Cert-mon does not detect expired tokens in certain situations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Isac Sacchi e Souza |
Bug Description
Brief Description
-----------------
If cert-mon has an expired token cached, it will use the "is_expired" method from the Token class to validate if it's still valid. That function has a bug and does not identify expired tokens correctly.
Note that although this bug also affects the other certificate types, there are other code paths that will identify the expired token and renew it on a retry.
Severity
--------
Provide the severity of the defect.
Major
Steps to Reproduce
------------------
1. setup a cert-manager certificate for registry.local
2. cert-mon will identify the new cert and install it
3. leave the system idle for some time (at least 2h)
4. delete the certificate secret to trigger a cert-mon update
5. the API call to upload the new cert will fail with 401 unauthorized and will keep failing until cert-mon is restarted
Expected Behavior
------------------
cert-mon correctly identifies that the token is expired and renews it
Actual Behavior
----------------
cert-mon tries to use the expired token and does not recover from the 401 error
Reproducibility
---------------
100% Reproducible
System Configuration
-------
Tested on an AIO-SX, but the bug should be independent of the configuration.
Branch/Pull Time/Commit
-------
Tested with the master branch on 2021-02-16.
Last Pass
---------
Before the platform cert monitoring was introduced
Timestamp/Logs
--------------
This error will continue to happen until cert-mon is restarted
Test Activity
-------------
Feature Testing
Workaround
----------
Restart cert-mon with "sudo sm-restart service cert-mon"
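
An added example (not part of the bug report and not the sysinv code) of the two behaviours the report expects: an expiry check that catches a stale cached token before use, and a retry path that drops the cached token after a 401. `CachedToken`, `TokenCache`, `call_with_token` and the 300-second margin are hypothetical; the page does not show the actual `is_expired` defect, so this does not reproduce it.

```python
from datetime import datetime, timedelta, timezone


class CachedToken:
    """Hypothetical token wrapper (assumption: expiry is an ISO 8601 UTC string)."""

    def __init__(self, token_id, expires_at):
        self.token_id = token_id
        self.expires_at = expires_at

    def is_expired(self, now=None, within_seconds=300):
        # Compare timezone-aware UTC values; treat "about to expire" as expired
        # so a request in flight does not outlive the token.
        now = now or datetime.now(timezone.utc)
        expiry = datetime.fromisoformat(self.expires_at.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        return expiry - now <= timedelta(seconds=within_seconds)


class TokenCache:
    """Caches one token and renews it through the supplied fetch_token()."""

    def __init__(self, fetch_token):
        self._fetch = fetch_token
        self._token = None

    def get(self, now=None):
        if self._token is None or self._token.is_expired(now):
            self._token = self._fetch()
        return self._token

    def invalidate(self):
        self._token = None


def call_with_token(cache, request, now=None):
    """request(token_id) returns an HTTP status code.

    A 401 means the server rejected the token whatever the local expiry
    check said, so drop the cached token and retry once with a new one.
    """
    status = request(cache.get(now).token_id)
    if status == 401:
        cache.invalidate()
        status = request(cache.get(now).token_id)
    return status
```

The single retry is deliberate: a second 401 with a freshly issued token points at a credentials or authorization problem, not a stale cache.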
summary:
- Cert-mon does detect expired tokens in certain situations
+ Cert-mon does not detect expired tokens in certain situations
Changed in starlingx:
assignee: nobody → Isac Sacchi e Souza (isouza)
Changed in starlingx:
status: New → In Progress
tags: added: stx.5.0
tags: added: stx.config
Changed in starlingx:
importance: Undecided → Medium
Changed in starlingx:
status: In Progress → Fix Released
Regarding the changes in review https://review.opendev.org/c/starlingx/config/+/776476/1/sysinv/sysinv/sysinv/sysinv/openstack/common/keystone_objects.py#29
There appears to be a similar code bug at https://opendev.org/starlingx/nfv/src/branch/master/nfv/nfv-vim/nfv_vim/api/openstack/_objects.py#L251 ... Is there another LP tracking this or will it be covered by this LP?