StarlingX

kube-rootca_sync_status is in-sync after rehoming a subcloud, despite kubernetes root_ca cert issuer is different

Bug #2009827 reported by Christopher de Oliveira Souza on 2023-03-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Low	Christopher de Oliveira Souza

Bug Description

Brief Description
-----------------
When a subcloud is rehomed to a different system controller, kube-rootca_sync_status shows that it is "in-sync", whereas, the issuer of kubernetes rootca of new system controller and rehomed subcloud are different.

Severity
--------
Minor

Steps to Reproduce
------------------
Rehome a subcloud to different System controller.

Expected Behavior
------------------
the issuer of kubernetes rootca of new system controller and rehomed subcloud should be the same.

Actual Behavior
----------------
the issuer of kubernetes rootca of new system controller and rehomed subcloud are different.

System Configuration
--------------------
DC

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Tags:

Christopher de Oliveira Souza (cdeolive) on 2023-03-09

Changed in starlingx:
assignee:	nobody → Christopher de Oliveira Souza (cdeolive)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-09: Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/ansible-playbooks/+/876964

Changed in starlingx:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-15: Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/876964
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/6a6d3064d71b00fc0be98d27885058443ded0e8c
Submitter: "Zuul (22348)"
Branch: master

commit 6a6d3064d71b00fc0be98d27885058443ded0e8c
Author: Christopher Souza <email address hidden>
Date: Thu Mar 9 08:47:55 2023 -0300

Update rehome subcloud playbook to update rootca cert

    In this commit, the rehoming playbook is updated
    to ensure the subcloud will have the same k8s
    rootca cert as the new central cloud
    post rehoming.

    Test Plan:
    PASS: Rehome a subcloud.
    dcmanager subcloud add --migrate
    --bootstrap-address <controller-0-oam-address>
    --bootstrap-values <bootstrap_values>
    --sysadmin-password <subcloud password>
    PASS: open the /etc/kubernetes/pki/ca.crt of the
    subcloud and verify that the cert is
    the same cert of the central controller.
    PASS: create a strategy
    - sw-manager fw-update-strategy create
    - sw-manager kube-rootca-update-strategy creat
    - sw-manager kube-upgrade-strategy create
    - sw-manager patch-strategy create
    - sw-manager upgrade-strategy create
    then rehome a subcloud and verify that the subcloud
    has the same k8s rootca cert as the central
    controller.

Closes-Bug: 2009827

Signed-off-by: Christopher Souza <email address hidden>
Change-Id: Ia116dcbcd1f02c6b3d56a0529e16617853ba3b08

Changed in starlingx:
status:	In Progress → Fix Released

Ghada Khalil (gkhalil) on 2023-05-01

Changed in starlingx:
importance:	Undecided → Low
tags:	added: stx.9.0 stx.distcloud

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.