show-certs.sh checks wrong etcd apiserver client certificate

Bug #1986953 reported by Karla Felix
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Karla Felix

Bug Description

Brief Description

The show-certs.sh script checks the wrong certificate file. As a result, from the user's point of view, the certificate appears not to have been renewed.
For “etcd apiserver client certificate CERTIFICATE:” show-certs.sh checks “/etc/etcd/apiserver-etcd-client.crt”, which is not correct.
Instead it should check “/etc/kubernetes/pki/apiserver-etcd-client.crt”,
because the certificate renewal script /usr/bin/kube-cert-rotation.sh renews /etc/kubernetes/pki/apiserver-etcd-client.crt.

As a result, even though the “etcd apiserver client certificate CERTIFICATE:” was renewed, the user cannot verify its renewal.
Severity

<Major: System/Feature is usable but degraded>
The issue itself is harmless, but the user cannot get correct information.
Steps to Reproduce

1: Follow the steps and create a certificate for “etcd apiserver client certificate CERTIFICATE:” which will expire soon.
2: Run show-certs.sh and check that the certificate is reported as expiring soon:

etcd apiserver client certificate CERTIFICATE:
------------------------------------------
         Renewal : Manual
         Filename : /etc/etcd/apiserver-etcd-client.crt <- This is wrong
         Subject : /CN=apiserver-etcd-client
         Issuer : /CN=etcd
         Issue Date : Aug 5 15:00:00 2021 GMT
         Expiry Date : Aug 5 15:00:00 2022 GMT
         Residual Time : 1d

3: Run /usr/bin/kube-cert-rotation.sh to renew the certificate.
4: Run show-certs.sh again. /etc/etcd/apiserver-etcd-client.crt is still reported as not renewed, because /usr/bin/kube-cert-rotation.sh renewed /etc/kubernetes/pki/apiserver-etcd-client.crt instead.

Expected Behavior

show-certs.sh checks /etc/kubernetes/pki/apiserver-etcd-client.crt

Actual Behavior

show-certs.sh checks /etc/etcd/apiserver-etcd-client.crt
Reproducibility

Reproducible

System Configuration

Any

Load info (eg: 2022-03-10_20-00-07)

N/A

Last Pass

N/A

Timestamp/Logs

N/A

Alarms

No alarms

Test Activity

N/A

Workaround
Modify show-certs.sh as attached, or check the certificate file /etc/kubernetes/pki/apiserver-etcd-client.crt manually.
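The manual check from the workaround, as an added example that is not part of the bug report, show-certs.sh or kube-cert-rotation.sh: it reads the file kube-cert-rotation.sh actually renews and warns if the path show-certs.sh used to read holds a different certificate. The file name check-etcd-client-cert.sh, the WARN_DAYS window and the function names are assumptions.

```sh
#!/bin/sh
# Added example; not code from the StarlingX bug report, show-certs.sh or
# kube-cert-rotation.sh. Reports on the file kube-cert-rotation.sh renews and
# warns when the legacy path holds a different (stale) certificate.
RENEWED_CERT=${RENEWED_CERT:-/etc/kubernetes/pki/apiserver-etcd-client.crt}  # renewed by kube-cert-rotation.sh
LEGACY_CERT=${LEGACY_CERT:-/etc/etcd/apiserver-etcd-client.crt}              # checked by show-certs.sh before the fix
WARN_DAYS=${WARN_DAYS:-30}  # assumed warning window; not a value from the report

# cert_not_after FILE: print the notAfter date of a PEM certificate; fail if unreadable.
cert_not_after() {
    out=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "${out#notAfter=}"
}
# cert_fingerprint FILE: SHA-256 fingerprint, to tell whether two paths hold the same certificate.
cert_fingerprint() {
    out=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "${out#*=}"
}
# cert_state FILE DAYS: print "missing", "expiring" (expires within DAYS days) or "ok".
cert_state() {
    cert_not_after "$1" >/dev/null || { echo missing; return 0; }
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# report_cert_paths RENEWED LEGACY: print a show-certs.sh style block for RENEWED and warn
# if LEGACY holds a different certificate. Returns 0 (ok), 1 (expiring) or 2 (missing).
report_cert_paths() {
    renewed=$1; legacy=$2
    state=$(cert_state "$renewed" "$WARN_DAYS")
    echo "etcd apiserver client certificate CERTIFICATE:"
    echo "         Filename : $renewed"
    echo "         Expiry Date : $(cert_not_after "$renewed" || echo unreadable)"
    echo "         State : $state (warning window ${WARN_DAYS}d)"
    if [ -r "$legacy" ] && [ "$(cert_fingerprint "$legacy")" != "$(cert_fingerprint "$renewed")" ]; then
        echo "WARNING: $legacy holds a different certificate than $renewed; it is not the file kube-cert-rotation.sh renews"
    fi
    case $state in ok) return 0 ;; expiring) return 1 ;; *) return 2 ;; esac
}

# Executed directly as check-etcd-client-cert.sh (assumed file name): check the
# default paths and exit with the report status, e.g. from cron or a monitoring job.
case "${0##*/}" in
    check-etcd-client-cert.sh) report_cert_paths "$RENEWED_CERT" "$LEGACY_CERT"; exit $? ;;
esac
```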

Karla Felix (kkarolin)
Changed in starlingx:
assignee: nobody → Karla Felix (kkarolin)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/853173
Committed: https://opendev.org/starlingx/utilities/commit/e64913011168d6befe295f50924d315107af29cd
Submitter: "Zuul (22348)"
Branch: master

commit e64913011168d6befe295f50924d315107af29cd
Author: Karla Felix <email address hidden>
Date: Mon Aug 15 11:07:28 2022 -0300

    show-certs checks wrong etcd apiserver client certificate

    show-certs.sh script checks the wrong file for etcd apiserver
    client certificate. As a result, from user point of view,
    the certificate seems not renewed. For “etcd apiserver client
    certificate CERTIFICATE:” show-certs.sh checks
    “/etc/etcd/apiserver-etcd-client.crt” which is not correct.
    Instead it should check:
    “/etc/kubernetes/pki/apiserver-etcd-client.crt”.

    Test Plan:

    PASS: Run /usr/bin/kube-cert-rotation.sh and check if etcd apiserver
          client certificate were renewed.

    Closes-Bug: 1986953
    Signed-off-by: Karla Felix <email address hidden>
    Change-Id: I1152ce3dea709b7f4b82ce4dd80f65a479d8badf

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.8.0 stx.security