cert-mon fails to monitor platform cert changes

Bug #1998370 reported by Kyle MacLeod
Affects     Status         Importance   Assigned to    Milestone
StarlingX   Fix Released   High         Kyle MacLeod

Bug Description

Brief Description

Cert-mon is not monitoring the platform certs; there might be other areas where cert-mon is involved that are broken.

Severity

major

Steps to Reproduce

1) create the following

---
apiVersion: v1
data:
  tls.crt: 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
  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU00WTF6dzZXNXJSZGI0YWU1NGFQSWphcHJxZHFCQitBZWZEZmw0d1FUbXBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbTE4UlJjZVg0NTVmblUreUZEUUNvSEdnWWl6eThFQmxiOVB4MWtwSEtweGcrK04xS1FFWgpZanR3QlhTUlB3RnU4V3lBaFZBdGw5WTlYR3hFQ0dzV0p3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
  name: stepca-ica-secret
  namespace: deployment
type: kubernetes.io/tls
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: stepca-issuer
  namespace: deployment
spec:
  ca:
    secretName: stepca-ica-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: system-restapi-gui-certificate
  namespace: deployment
spec:
  secretName: system-restapi-gui-certificate
  dnsNames:
  - cgcs-r430-1-2.cumulus.wrs.com
  ipAddresses:
  - 128.224.150.49
  - 192.168.204.1
  issuerRef:
    name: stepca-issuer
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: system-registry-local-certificate
  namespace: deployment
spec:
  secretName: system-registry-local-certificate
  dnsNames:
  - registry.local
  - registry.central
  ipAddresses:
  - 128.224.150.49
  - 192.168.204.1
  issuerRef:
    name: stepca-issuer
    kind: Issuer
---

2) apply the config

3) verify certs are issued

[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get certs -A
NAMESPACE                     NAME                                      READY   SECRET                                              AGE
deployment                    system-openldap-local-certificate         True    system-openldap-local-certificate                   11h
deployment                    system-registry-local-certificate         True    system-registry-local-certificate                   101m
deployment                    system-restapi-gui-certificate            True    system-restapi-gui-certificate                      101m
platform-deployment-manager   platform-deployment-manager-serving-cert  True    platform-deployment-manager-webhook-server-secret   11h
[sysadmin@controller-0 ~(keystone_admin)]$

4) when the "system-restapi-gui-certificate" is issued, the https cert should be installed on the system automatically, but cert-mon fails to notice this and the ssl cert is never installed

Expected Behavior

platform certs are monitored by cert-mon

Actual Behavior

cert-mon fails to monitor platform cert changes

Reproducibility

100%

System Configuration

r730_1-2

[sysadmin@controller-0 ~(keystone_admin)]$ cat /etc/build.info
SW_VERSION="22.12"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID="2022-11-28_18-00-09"
SRC_BUILD_ID="284"
JOB="wrcp-master-debian"
BUILD_BY="jenkins"
BUILD_NUMBER="178"
BUILD_HOST="yow-wrcp-lx.wrs.com"
BUILD_DATE="2022-11-28 23:00:09 +0000"

Last Pass

2022-11-27 23:00:09 +0000, 22.12 build

Timestamp/Logs

/folk/cgts_logs/CGTS-41443

Alarms

na

Test Activity

random testing

Workaround

Describe workaround if available

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/866202

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/866202
Committed: https://opendev.org/starlingx/config/commit/1cacd6010a3eb0eaa44dee44fdd46b8ece6a3cde
Submitter: "Zuul (22348)"
Branch: master

commit 1cacd6010a3eb0eaa44dee44fdd46b8ece6a3cde
Author: Kyle MacLeod <email address hidden>
Date: Wed Nov 30 12:51:43 2022 -0500

    Fix cert-mon service for non-distributed cloud systems

    Fixes issue where the distributed_cloud_role is None
    for non-DC systems. The previous commit was relying
    on None check to see if dc_role was initialized. This
    commit uses DC_ROLE_UNDETECTED instead of None for this
    purpose.

    Test Plan:

    PASS
    - Verify certmon service startup on non-DC system (simulated)
    - Verify certmon service startup on system with DC role

    Closes-Bug: 1998370

    Change-Id: I4518edc98820be5efde8ca5e7e372a5388f59001
    Signed-off-by: Kyle MacLeod <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
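The commit message above describes a sentinel conflation: on a non-DC system the distributed cloud role is legitimately None, so a "role not yet detected" check written as `is not None` never passes and the monitor never starts acting on platform certificate events. The following is an added illustration of that bug pattern and the fix shape (a dedicated sentinel), not StarlingX or cert-mon code; the class names, the role value "subcloud", the string sentinel value and the handler logic are assumptions.

```python
"""Added example (not StarlingX/cert-mon code): a hypothetical monitor that
only acts on platform certificate secrets once its distributed-cloud role
has been detected. Shows why None is a bad 'not detected yet' marker."""

DC_ROLE_UNDETECTED = "undetected"   # hypothetical sentinel, distinct from None

# Secret names taken from the bug's reproduction steps.
PLATFORM_CERT_SECRETS = {
    "system-restapi-gui-certificate",
    "system-registry-local-certificate",
}


class BuggyCertMon:
    """'Before': None means both 'role not detected yet' and 'non-DC system'."""

    def __init__(self):
        self.dc_role = None

    def detect_role(self, distributed_cloud_role):
        # On a non-DC system the platform reports the role as None, so the
        # attribute looks exactly as it did before detection ran.
        self.dc_role = distributed_cloud_role

    def role_initialized(self):
        return self.dc_role is not None   # False forever on non-DC systems

    def handle_secret_update(self, name):
        """Return what the monitor does with a changed secret."""
        if not self.role_initialized() or name not in PLATFORM_CERT_SECRETS:
            return "ignored"
        return "installed"


class FixedCertMon(BuggyCertMon):
    """'After': a dedicated sentinel marks the not-yet-detected state, so a
    detected role of None (non-DC) counts as initialized."""

    def __init__(self):
        self.dc_role = DC_ROLE_UNDETECTED

    def role_initialized(self):
        return self.dc_role is not DC_ROLE_UNDETECTED


def simulate(monitor_cls, distributed_cloud_role, secret_name):
    """Start a monitor, let it detect its role, then deliver one secret event."""
    mon = monitor_cls()
    mon.detect_role(distributed_cloud_role)
    return mon.handle_secret_update(secret_name)


if __name__ == "__main__":
    for cls in (BuggyCertMon, FixedCertMon):
        print(cls.__name__, "non-DC:", simulate(cls, None, "system-restapi-gui-certificate"),
              "subcloud:", simulate(cls, "subcloud", "system-restapi-gui-certificate"))
```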
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Kyle MacLeod (kmacleod)
importance: Undecided → Medium
importance: Medium → High
tags: added: stx.8.0 stx.config stx.security