dcmanager kube-rootca-update-strategy create with expired date should be blocked

Bug #1949119 reported by Al Bailey
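+-----------+--------------+------------+-------------+-----------+
| Affects   | Status       | Importance | Assigned to | Milestone |
+-----------+--------------+------------+-------------+-----------+
| StarlingX | Fix Released | Low        | Al Bailey   |           |
+-----------+--------------+------------+-------------+-----------+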

Bug Description

Brief Description

dcmanager kube-rootca-update-strategy create with expired date should be blocked

Severity

Provide the severity of the defect.

Minor

Steps to Reproduce

1) Creating an update strategy with dcmanager commands is allowed, but the same is blocked with sw-manager commands.

dcmanager kube-rootca-update-strategy create --expiry-date 2021-10-25
+------------------------+----------------------------+
| Field | Value |
+------------------------+----------------------------+
| strategy type | kube-rootca-update |
| subcloud apply type | None |
| max parallel subclouds | None |
| stop on failure | False |
| state | initial |
| created_at | 2021-10-26T19:44:30.981739 |
| updated_at | None |
+------------------------+----------------------------+

(NFV code blocks it)
sw-manager kube-rootca-update-strategy create --expiry-date 2021-09-20
Operation failed: New k8s rootCA should have at least 24 hours of validation before expiry
Strategy creation failed

sw-manager kube-rootca-update-strategy create --expiry-date 2021-10-24
Operation failed: New k8s rootCA should have at least 24 hours of validation before expiry
Strategy creation failed

Expected Behavior
Creating a cert with an expired date should be blocked.

Actual Behavior
Currently it is being allowed.

Reproducibility
100%

System Configuration
Distributed Cloud

Branch/Pull Time/Commit
Oct 25 2021

Last Pass
new feature testing

Timestamp/Logs
N/A (this is a CLI issue)

Alarms
N/A

Test Activity
Feature testing

Workaround
Apply the strategy. It will fail when it gets to the sysinv code that tries to generate the invalid cert.

Al Bailey (albailey1974)
Changed in starlingx:
assignee: nobody → Al Bailey (albailey1974)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to distcloud (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/distcloud/+/815912

Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.6.0 stx.distcloud
OpenStack Infra (hudson-openstack) wrote : Fix merged to distcloud (master)

Reviewed: https://review.opendev.org/c/starlingx/distcloud/+/815912
Committed: https://opendev.org/starlingx/distcloud/commit/671ea28adc03cd31d0da5cc6db2cabb83ca47e63
Submitter: "Zuul (22348)"
Branch: master

commit 671ea28adc03cd31d0da5cc6db2cabb83ca47e63
Author: albailey <email address hidden>
Date: Thu Oct 28 16:50:39 2021 -0500

    Add validation for kube rootca during strategy create

    The validation code has been duplicated from sysinv since
    there is no validation library that can be imported for
    the certificate subject and expiry date.

    This is a usability fix, since the code acts the same, but
    the strategy will not need to wait and be applied to see
    the error.

    Test Plan:
     Verified invalid subject is rejected during creation
     Verified invalid subject arguments rejected during creation
     Verified invalid expiry-date is rejected during creation
     Verified expired expiry-date is rejected during creation
     Verified valid values are accepted for subject and expiry date
     Verified cert-file cannot be passed with subject or expiry_date

    Change-Id: I24875dbe129eb2ad4c52b2617710277472b9a89e
    Closes-Bug: 1949119
    Signed-off-by: albailey <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
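
The create-time checks listed in the test plan above can be sketched as follows. This is an added example, not the distcloud or sysinv code. Assumptions: the function names, the set of accepted subject keys, space-separated subject items, and reading the expiry date as 00:00 UTC on that day. The 24-hour error text is the sw-manager message quoted in the report.

```python
from datetime import datetime, timedelta, timezone

MIN_VALIDITY = timedelta(hours=24)
# Assumption: RDN keys accepted in --subject; the real list lives in sysinv.
SUBJECT_KEYS = {"C", "ST", "L", "O", "OU", "CN"}
EXPIRY_ERROR = ("New k8s rootCA should have at least 24 hours of "
                "validation before expiry")  # message quoted from the report


def expiry_errors(expiry_date, now):
    """Reject malformed dates and dates less than 24 hours after `now`."""
    try:
        # Assumption: the date means 00:00 UTC on that day.
        expiry = datetime.strptime(expiry_date, "%Y-%m-%d")
    except ValueError:
        return ["expiry-date must be YYYY-MM-DD: %r" % expiry_date]
    return [EXPIRY_ERROR] if expiry - now < MIN_VALIDITY else []


def subject_errors(subject):
    """Reject unknown, duplicated, or empty KEY=value subject arguments."""
    errors, seen = [], set()
    # Simplification: items are space separated, so values hold no spaces.
    for item in subject.split():
        key, sep, value = item.partition("=")
        if not sep or not value or key not in SUBJECT_KEYS or key in seen:
            errors.append("invalid subject argument: %r" % item)
        seen.add(key)
    return errors or ([] if seen else ["subject is empty"])


def validate_create_args(subject=None, expiry_date=None, cert_file=None,
                         now=None):
    """Return a list of errors; an empty list means the strategy may be created."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC
    if cert_file and (subject or expiry_date):
        return ["cert-file cannot be passed with subject or expiry-date"]
    errors = []
    if subject is not None:
        errors += subject_errors(subject)
    if expiry_date is not None:
        errors += expiry_errors(expiry_date, now)
    return errors


if __name__ == "__main__":
    # Constructed input: the date from the report, checked a day after it passed.
    when = datetime(2021, 10, 26, 19, 44, 30)
    print(validate_create_args(expiry_date="2021-10-25", now=when))
```

Running these checks before the strategy is stored surfaces the error at create time, so the strategy does not have to be applied to find out that the certificate cannot be generated.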