no expiry alarm raised on secret "sc-adminep-ca-certificate" at subcloud

Bug #2052550 reported by ayyappa
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Low         ayyappa

Bug Description

Brief Description
-----------------
No expiry alarm is raised on secret "sc-adminep-ca-certificate" at subcloud, as the substring "adminep-ca-certificate" matches and this secret is filtered out from the list.

Severity
------
minor - missing alarm for expiring certificate, but since the certificate is renewed automatically, it's not a serious issue.

Steps to Reproduce
-------------------
1) Update the "<subcloudid>-adminep-ca-certificate" at systemcontroller to expire in 30 days

2) The "sc-adminep-ca-certificate" gets updated by cert-mon at subcloud, but the alarm is not raised as it is being filtered out

Expected Behavior
----------------

alarm is expected at subcloud

Actual Behavior
--------------
no alarm is raised

Reproducibility
-------------------
100% Reproducible

System Configuration
------------------

all lab types

Load info (eg: 2022-03-10_20-00-07)

stx.8.0

Branch/Pull Time/Commit
-----------------------
NA.

Last Pass
--------
N/A Day one config

Timestamp/Logs
------------
NA.

Alarms
------
N/A

Test Activity
--------------
dev testing

Workaround
-----------
Not required.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/908194

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/908194
Committed: https://opendev.org/starlingx/config/commit/efd42f0ab8e7d1cd7b6f0f2cf7010cb2c7e7be8a
Submitter: "Zuul (22348)"
Branch: master

commit efd42f0ab8e7d1cd7b6f0f2cf7010cb2c7e7be8a
Author: amantri <email address hidden>
Date: Tue Feb 6 14:42:40 2024 -0500

    Raise alarm on secret "sc-adminep-ca-certificate" at subcloud

    When "sc-adminep-ca-certificate" secret falls under alarm-before expiry
    period, the 500.200 expiry alarm is not raised at subcloud as it is
    being filtered out, this fix will do filtering only on systemcontroller
    and raising the alarm at subcloud.

    Test Cases:
    PASS: Change "<subcloudid>-adminep-ca-certificate" at systemcontroller
          so that it falls under the alarm-before timeline, notice
          cert-mon updates the "sc-adminep-ca-certificate" secret at
          subcloud and raises the 500.200 expiry alarm at subcloud.
          Verify no alarm is raised for secret
          "<subcloudid>-adminep-ca-certificate" at systemcontroller
    PASS: On standalone, verify that cert-alarm raises expiry alarms
          without any issues

    Closes-bug: 2052550

    Change-Id: I03c475bc72b1d8212b185935db956275284674ec
    Signed-off-by: amantri <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → ayyappa (mantri425)
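
An added illustration of the behaviour this report describes, not StarlingX code: a substring filter on "adminep-ca-certificate" applied on every node hides the subcloud's "sc-adminep-ca-certificate", while gating the same filter on the systemcontroller role lets the subcloud alarm through. All function names, the role strings, the 30-day alarm-before window, "subcloud1" (standing in for `<subcloudid>`) and "other-certificate" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

FILTER_SUBSTRING = "adminep-ca-certificate"  # substring named in the bug report
ALARM_BEFORE = timedelta(days=30)            # constructed alarm-before window


def secrets_to_check(secrets, role, filter_everywhere):
    """Return the secrets that remain candidates for an expiry alarm.

    filter_everywhere=True  -> behaviour reported in the bug
    filter_everywhere=False -> behaviour described in the fix: matching
                               secrets are dropped only on the systemcontroller
    """
    apply_filter = filter_everywhere or role == "systemcontroller"
    if not apply_filter:
        return dict(secrets)
    return {n: e for n, e in secrets.items() if FILTER_SUBSTRING not in n}


def expiring(secrets, now):
    """Names of secrets whose expiry falls inside the alarm-before window."""
    return sorted(n for n, e in secrets.items() if e - now <= ALARM_BEFORE)


def alarms(secrets, role, now, filter_everywhere):
    """Secrets that would get an expiry alarm on a node with the given role."""
    return expiring(secrets_to_check(secrets, role, filter_everywhere), now)


# Constructed sample data; names follow the patterns quoted in the report.
NOW = datetime(2024, 2, 6, tzinfo=timezone.utc)
SOON, LATER = NOW + timedelta(days=20), NOW + timedelta(days=300)
SUBCLOUD = {"sc-adminep-ca-certificate": SOON, "other-certificate": LATER}
SYSTEMCONTROLLER = {"subcloud1-adminep-ca-certificate": SOON,
                    "other-certificate": SOON}

if __name__ == "__main__":
    for label, everywhere in (("filter on every node", True),
                              ("filter on systemcontroller only", False)):
        print(label)
        print("  subcloud:        ",
              alarms(SUBCLOUD, "subcloud", NOW, everywhere))
        print("  systemcontroller:",
              alarms(SYSTEMCONTROLLER, "systemcontroller", NOW, everywhere))
```

A regression test for this class of bug needs one case per role, since the same secret list yields different expected alarms on the subcloud and on the systemcontroller.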