Migration playbook does not reflect correct issuer if system-local-ca issuer already exists
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX |
Fix Released
|
Low
|
Marcelo de Castro Loebens |
Bug Description
Brief Description
-----------------
Migration playbook does not reflect correct issuer if system-local-ca issuer already exists. The playbook uses the current issuer instead of the one passed in the playbook's inventory file.
Severity
--------
Minor.
Steps to Reproduce
------------------
1) Follow the steps in https:/
2) Follow the steps in https:/
3) Wait for the playbook to finish.
4) List the platform certificates and observe the issuer field. It has the reference for the previous issuer.
Expected Behavior
------------------
In a platform certificate, like 'system-
Actual Behavior
----------------
Old value is shown.
Reproducibility
---------------
100%.
System Configuration
-------
N/A
Branch/Pull Time/Commit
-------
Master.
Last Pass
---------
N/A
Timestamp/Logs
--------------
N/A
Test Activity
-------------
Development test.
Workaround
----------
Remove the old issuer manually before running the playbook.
Changed in starlingx: | |
assignee: | nobody → Marcelo de Castro Loebens (mdecastr) |
status: | New → In Progress |
Changed in starlingx: | |
importance: | Undecided → Low |
tags: | added: stx.9.0 stx.security |
Reviewed: https:/ /review. opendev. org/c/starlingx /ansible- playbooks/ +/875255 /opendev. org/starlingx/ ansible- playbooks/ commit/ d437d02f9459c04 38cb0e779c0d3fe 19ad763f2a
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit d437d02f9459c04 38cb0e779c0d3fe 19ad763f2a
Author: Marcelo de Castro Loebens <email address hidden>
Date: Fri Feb 24 15:47:32 2023 -0400
Fix cluster issuer usage in migration playbook
Fixed an issue where the migrate- platform- certificates- to-certmanager
playbook wasn't using the issuer passed by the user in the inventory
file if there's already a local issuer created in the platform.
The issue was due to a name collision between an already existing
cluster issuer named 'system-local-ca' and the one created by the
playbook using the provided inventory file.
This is fixed now by overwriting the 'system-local-ca' issuer. If a
root CA was created to sign the issuer's certificates, it will be
deleted upon the execution of the playbook. Also, any certificate
emitted by the old 'system-local-ca' issuer will be renewed to match
the new issuer upon the upon the execution of the playbook.
The leaf certificates affected by the playbook (and this change) are: registry- local-certifica te', 'system- restapi- gui-certificate ', auth-apps- certificate' and 'system- openldap- local-certifica te'.
'system-
'oidc-
Test Plan: /docs.starlingx .io/security/ kubernetes/ starlingx- rest-api- applications- and-the- web-admin- server- cert-9196c57948 34.html /docs.starlingx .io/security/ kubernetes/ migrate- platform- certificates- to-use- cert-manager- c0b1727e4e5d. html
PASS: Follow the steps in
https:/
to create a local issuer.
Create another yaml configuration file for a certificate issued
by the 'system-local-ca' and apply it.
Follow the steps in
https:/
to execute the cert manager migration playbook. Use a different
issuer for the CA certs parameters in the inventory file.
Wait for the playbook to finish.
Verify, for all the affected certificates and the one you issued
using the old 'system-local-ca', that the issuer matches the one
provided in the inventory file.
PASS: Folowing the same tutorials described above, create a local
issuer.
Create a new LDAP user and test if you can log to it.
Execute the cert manager migration playbook. Use a different
issuer for the CA certs parameters in the inventory file.
Wait for the playbook to finish.
Verify that you can still log to the LDAP user created.
Create another LDAP user and test if you can log to it.
Closes-Bug: 2011630
Signed-off-by: Marcelo de Castro Loebens <email address hidden> 507b91a714de639 212a9b4df38
Change-Id: I92650ac230e63d