Raise alarm for expiring rootCA 180d before expiry instead of 30d

Bug #1959779 reported by Michel Thebeau [WIND]
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Michel Thebeau [WIND]

Bug Description

Brief Description

https://storyboard.openstack.org/#!/story/2008946 raises the expiring certificate alarms 30d before expiry. Based on discussion with the tech lead and architect, this is deemed too short for large system deployment. 30 days may not be enough to update all clusters in a larger distributed cloud. It is agreed to raise an alarm at 180d ONLY for the K8S Root CA.

Severity

Minor - system usability concern

Steps to Reproduce

Apply a k8s rootCA certificate that expires within 181d
Confirm the certificate expiring alarm is raised at 180d from expiry

Expected Behavior

The alarm is raised 180d before certificate expiry of the K8s rootCA

Actual Behavior

Alarm raised 30d before certificate expiry (as per the initial feature design)

Reproducibility

100%

System Configuration

any

Branch/Pull Time/Commit

master

Last Pass

N/A

Timestamp/Logs

N/A

Test Activity

cert-alarm, alarm expiry

Workaround

N/A (not configurable)

Changed in starlingx:
assignee: nobody → Michel Thebeau [WIND] (mthebeau)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/827932

Ghada Khalil (gkhalil)
tags: added: stx.7.0 stx.config
Changed in starlingx:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/827932
Committed: https://opendev.org/starlingx/config/commit/681deef0e509653109e3baa51e1b097b47dd68a3
Submitter: "Zuul (22348)"
Branch: master

commit 681deef0e509653109e3baa51e1b097b47dd68a3
Author: Michel Thebeau <email address hidden>
Date: Wed Feb 2 09:04:59 2022 -0500

    Add 180d alarm-before default for kube root CA

    The default 30 day alarm-before value for a root CA gives insufficient
    notice for certificate renewal in large deployments.

    Add a default 180 days and apply it to the kubernetes root CA.

    Test plan:
     - configure 180+ days k8s rootCA on bootstrap: PASS
     - examine /var/log/cert-alarm.log: kubernetes-root-ca: PASS
     - Observe expiring alarm 180 days before expiry: PASS

    Closes-Bug: 1959779

    Change-Id: Iaee16494bb29038753d8e7a7137d6795b473df4a
    Signed-off-by: Michel Thebeau <email address hidden>
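
The per-certificate alarm-before behaviour described in this bug, as an added example that is not StarlingX's cert-alarm code: two certificates with the same expiry date, where only the Kubernetes root CA uses the 180-day window. The function names, the dict layout and `example-leaf-cert` are assumptions, and the dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Alarm-before windows in days. The 30d default and the 180d value for the
# Kubernetes root CA come from the bug report; the dict layout is an assumption.
DEFAULT_ALARM_BEFORE_DAYS = 30
ALARM_BEFORE_DAYS = {"kubernetes-root-ca": 180}


def not_after_utc(not_after):
    """Parse an X.509 notAfter string such as 'Jun  1 12:00:00 2022 GMT'."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def alarm_state(name, not_after, now):
    """Return (state, alarm_start); state is 'ok', 'expiring' or 'expired'."""
    expiry = not_after_utc(not_after)
    days = ALARM_BEFORE_DAYS.get(name, DEFAULT_ALARM_BEFORE_DAYS)
    alarm_start = expiry - timedelta(days=days)
    if now >= expiry:
        return "expired", alarm_start
    if now >= alarm_start:
        return "expiring", alarm_start
    return "ok", alarm_start


# Constructed sample data: two certificates with the same expiry date.
SAMPLE_CERTS = [
    ("kubernetes-root-ca", "Aug  1 00:00:00 2022 GMT"),
    ("example-leaf-cert", "Aug  1 00:00:00 2022 GMT"),  # hypothetical name
]

if __name__ == "__main__":
    now = datetime(2022, 4, 1, tzinfo=timezone.utc)  # constructed current date
    for name, not_after in SAMPLE_CERTS:
        state, start = alarm_state(name, not_after, now)
        print(f"{name}: {state} (alarm window opens {start:%Y-%m-%d})")
```

With four months left, only the root CA is already in its alarm window; a certificate on the 30-day default stays quiet until July.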

Changed in starlingx:
status: In Progress → Fix Released