StarlingX

Bug #2011630
Comment #1

Comment 1 for bug 2011630

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-24: Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/875255
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/d437d02f9459c0438cb0e779c0d3fe19ad763f2a
Submitter: "Zuul (22348)"
Branch: master

commit d437d02f9459c0438cb0e779c0d3fe19ad763f2a
Author: Marcelo de Castro Loebens <email address hidden>
Date: Fri Feb 24 15:47:32 2023 -0400

Fix cluster issuer usage in migration playbook

    Fixed an issue where the migrate-platform-certificates-to-certmanager
    playbook wasn't using the issuer passed by the user in the inventory
    file if there's already a local issuer created in the platform.

    The issue was due to a name collision between an already existing
    cluster issuer named 'system-local-ca' and the one created by the
    playbook using the provided inventory file.

    This is fixed now by overwriting the 'system-local-ca' issuer. If a
    root CA was created to sign the issuer's certificates, it will be
    deleted upon the execution of the playbook. Also, any certificate
    emitted by the old 'system-local-ca' issuer will be renewed to match
    the new issuer upon the upon the execution of the playbook.

    The leaf certificates affected by the playbook (and this change) are:
    'system-registry-local-certificate', 'system-restapi-gui-certificate',
    'oidc-auth-apps-certificate' and 'system-openldap-local-certificate'.

    Test Plan:
    PASS: Follow the steps in
          https://docs.starlingx.io/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.html
          to create a local issuer.
          Create another yaml configuration file for a certificate issued
          by the 'system-local-ca' and apply it.
          Follow the steps in
          https://docs.starlingx.io/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.html
          to execute the cert manager migration playbook. Use a different
          issuer for the CA certs parameters in the inventory file.
          Wait for the playbook to finish.
          Verify, for all the affected certificates and the one you issued
          using the old 'system-local-ca', that the issuer matches the one
          provided in the inventory file.

    PASS: Folowing the same tutorials described above, create a local
          issuer.
          Create a new LDAP user and test if you can log to it.
          Execute the cert manager migration playbook. Use a different
          issuer for the CA certs parameters in the inventory file.
          Wait for the playbook to finish.
          Verify that you can still log to the LDAP user created.
          Create another LDAP user and test if you can log to it.

Closes-Bug: 2011630

Signed-off-by: Marcelo de Castro Loebens <email address hidden>
Change-Id: I92650ac230e63d507b91a714de639212a9b4df38

Reviewed:  https://review.opendev.org/c/starlingx/ansible-playbooks/+/875255
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/d437d02f9459c0438cb0e779c0d3fe19ad763f2a
Submitter: "Zuul (22348)"
Branch:    master

commit d437d02f9459c0438cb0e779c0d3fe19ad763f2a
Author: Marcelo de Castro Loebens <Marcelo.DeCastroLoebens@windriver.com>
Date:   Fri Feb 24 15:47:32 2023 -0400

Fix cluster issuer usage in migration playbook
    
    Fixed an issue where the migrate-platform-certificates-to-certmanager
    playbook wasn't using the issuer passed by the user in the inventory
    file if there's already a local issuer created in the platform.
    
    The issue was due to a name collision between an already existing
    cluster issuer named 'system-local-ca' and the one created by the
    playbook using the provided inventory file.
    
    This is fixed now by overwriting the 'system-local-ca' issuer. If a
    root CA was created to sign the issuer's certificates, it will be
    deleted upon the execution of the playbook. Also, any certificate
    emitted by the old 'system-local-ca' issuer will be renewed to match
    the new issuer upon the upon the execution of the playbook.
    
    The leaf certificates affected by the playbook (and this change) are:
    'system-registry-local-certificate', 'system-restapi-gui-certificate',
    'oidc-auth-apps-certificate' and 'system-openldap-local-certificate'.
    
    Test Plan:
    PASS: Follow the steps in
          https://docs.starlingx.io/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.html
          to create a local issuer.
          Create another yaml configuration file for a certificate issued
          by the 'system-local-ca' and apply it.
          Follow the steps in
          https://docs.starlingx.io/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.html
          to execute the cert manager migration playbook. Use a different
          issuer for the CA certs parameters in the inventory file.
          Wait for the playbook to finish.
          Verify, for all the affected certificates and the one you issued
          using the old 'system-local-ca', that the issuer matches the one
          provided in the inventory file.
    
    PASS: Folowing the same tutorials described above, create a local
          issuer.
          Create a new LDAP user and test if you can log to it.
          Execute the cert manager migration playbook. Use a different
          issuer for the CA certs parameters in the inventory file.
          Wait for the playbook to finish.
          Verify that you can still log to the LDAP user created.
          Create another LDAP user and test if you can log to it.
    
    Closes-Bug: 2011630
    
    Signed-off-by: Marcelo de Castro Loebens <Marcelo.DeCastroLoebens@windriver.com>
    Change-Id: I92650ac230e63d507b91a714de639212a9b4df38