commit d437d02f9459c0438cb0e779c0d3fe19ad763f2a
Author: Marcelo de Castro Loebens <email address hidden>
Date: Fri Feb 24 15:47:32 2023 -0400
Fix cluster issuer usage in migration playbook
Fixed an issue where the migrate-platform-certificates-to-certmanager
playbook wasn't using the issuer passed by the user in the inventory
file if there's already a local issuer created in the platform.
The issue was due to a name collision between an already existing
cluster issuer named 'system-local-ca' and the one created by the
playbook using the provided inventory file.
This is fixed now by overwriting the 'system-local-ca' issuer. If a
root CA was created to sign the issuer's certificates, it will be
deleted upon the execution of the playbook. Also, any certificate
emitted by the old 'system-local-ca' issuer will be renewed to match
the new issuer upon the upon the execution of the playbook.
The leaf certificates affected by the playbook (and this change) are:
'system-registry-local-certificate', 'system-restapi-gui-certificate',
'oidc-auth-apps-certificate' and 'system-openldap-local-certificate'.
PASS: Folowing the same tutorials described above, create a local
issuer.
Create a new LDAP user and test if you can log to it.
Execute the cert manager migration playbook. Use a different
issuer for the CA certs parameters in the inventory file.
Wait for the playbook to finish.
Verify that you can still log to the LDAP user created.
Create another LDAP user and test if you can log to it.
Closes-Bug: 2011630
Signed-off-by: Marcelo de Castro Loebens <email address hidden>
Change-Id: I92650ac230e63d507b91a714de639212a9b4df38
Reviewed: https:/ /review. opendev. org/c/starlingx /ansible- playbooks/ +/875255 /opendev. org/starlingx/ ansible- playbooks/ commit/ d437d02f9459c04 38cb0e779c0d3fe 19ad763f2a
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit d437d02f9459c04 38cb0e779c0d3fe 19ad763f2a
Author: Marcelo de Castro Loebens <email address hidden>
Date: Fri Feb 24 15:47:32 2023 -0400
Fix cluster issuer usage in migration playbook
Fixed an issue where the migrate- platform- certificates- to-certmanager
playbook wasn't using the issuer passed by the user in the inventory
file if there's already a local issuer created in the platform.
The issue was due to a name collision between an already existing
cluster issuer named 'system-local-ca' and the one created by the
playbook using the provided inventory file.
This is fixed now by overwriting the 'system-local-ca' issuer. If a
root CA was created to sign the issuer's certificates, it will be
deleted upon the execution of the playbook. Also, any certificate
emitted by the old 'system-local-ca' issuer will be renewed to match
the new issuer upon the upon the execution of the playbook.
The leaf certificates affected by the playbook (and this change) are: registry- local-certifica te', 'system- restapi- gui-certificate ', auth-apps- certificate' and 'system- openldap- local-certifica te'.
'system-
'oidc-
Test Plan: /docs.starlingx .io/security/ kubernetes/ starlingx- rest-api- applications- and-the- web-admin- server- cert-9196c57948 34.html /docs.starlingx .io/security/ kubernetes/ migrate- platform- certificates- to-use- cert-manager- c0b1727e4e5d. html
PASS: Follow the steps in
https:/
to create a local issuer.
Create another yaml configuration file for a certificate issued
by the 'system-local-ca' and apply it.
Follow the steps in
https:/
to execute the cert manager migration playbook. Use a different
issuer for the CA certs parameters in the inventory file.
Wait for the playbook to finish.
Verify, for all the affected certificates and the one you issued
using the old 'system-local-ca', that the issuer matches the one
provided in the inventory file.
PASS: Folowing the same tutorials described above, create a local
issuer.
Create a new LDAP user and test if you can log to it.
Execute the cert manager migration playbook. Use a different
issuer for the CA certs parameters in the inventory file.
Wait for the playbook to finish.
Verify that you can still log to the LDAP user created.
Create another LDAP user and test if you can log to it.
Closes-Bug: 2011630
Signed-off-by: Marcelo de Castro Loebens <email address hidden> 507b91a714de639 212a9b4df38
Change-Id: I92650ac230e63d