Can't list the registry-image-list on the system after running the certificate migration playbook

Bug #1958932 reported by Reinildes Oliveira
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Reinildes Oliveira
Milestone: (none listed)

Bug Description

Brief Description
-------------------------------------
"system registry-image-list" fails with a CA error after running the migration playbook

Severity
-------------------------------------
Major

Steps to Reproduce
-------------------------------------
1) Create the following inventory file:

all:
  vars:
    ica_cert: base64...
    ica_key: base64...
  children:
    target_group:
      vars:
        dns_domain: starlingx
        duration: 2160h # 90d
        renewBefore: 360h # 15d
        subject_C: Canada
        subject_ST: Ontario
        subject_L: Ottawa
        subject_O: pvtest
        subject_OU: engineering
        subject_CN: pvtest.com
        subject_prefix: pvtest
        # SSH password to connect to all subclouds
        ansible_ssh_user: sysadmin
        ansible_ssh_pass: pwd*
        # Sudo password
        ansible_become_pass: pwd*

2) Run the playbook on the system:

ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate-platform-certificates-to-certmanager.yml -i migration-inventory.yml --extra-vars "target_list=localhost mode=update" --ask-vault-pass

3) After the playbook run succeeds, run the following; the system complains that the Root CA that signed the ICA must be installed:

[sysadmin@controller-0 ~(keystone_admin)]$ system registry-image-list
Registry certificate signed by an unknown CA. Install a trusted CA with 'system certificate-install -m ssl_ca'
[sysadmin@controller-0 ~(keystone_admin)]$

Expected Behavior
-------------------------------------
system registry-image-list should list the images without error

Actual Behavior
-------------------------------------

system registry-image-list fails to list the images

Reproducibility
-------------------------------------

Reproducible (100%)

System Configuration
-------------------------------------

DC6 ipv6
BUILD_DATE="2022-01-20 20:31:52 -0500"

Last Pass
-------------------------------------

Test Activity
-------------------------------------

Feature testing

Workaround
-------------------------------------

Manually installing the CA that signed the ICA resolves the issue.

Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
tags: added: stx.7.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
Ghada Khalil (gkhalil) wrote :

screening: stx.7.0 / medium - issue related to a new certificate migration playbook introduced in stx.7.0

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/826132
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/a2e87be9579756fd724934f495aa3f214310e86b
Submitter: "Zuul (22348)"
Branch: master

commit a2e87be9579756fd724934f495aa3f214310e86b
Author: Rei Oliveira <email address hidden>
Date: Mon Jan 24 14:38:31 2022 -0300

    Install Root CA when migrating certificates

    This is a refactor of the ssl_ca certificate install in order to
    support multiple certificates by specifying certificates as parameters.

    Now, the playbook also installs the Root CA certificate alongside the
    ICA certificate. That fixes the bug with system registry-image-list.

    Also, updated naming for some parameters and documentation in
    migrate-subcloud1-overrides-EXAMPLE.yml to better explain parameters
    now that Root CA is introduced.

    Test Plan:
    PASS: Run the playbook and system certificate-list. Check that both
          system_local_ca_cert and root_ca_cert are installed.
    PASS: Run the playbook and check that system registry-list returns with
          no errors
    PASS: Run the playbook with unrelated system_local_ca_cert and
          root_ca_cert and verify the playbook shows an error message

    Closes-Bug: 1958932

    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: Iff0dfd51fcc8e4bdb06c13789e079423a27a8cb8

Changed in starlingx:
status: In Progress → Fix Released