commit 01a5ea0843bd25a422993ff267567609f67351a5
Author: Rei Oliveira <email address hidden>
Date: Thu Mar 28 14:28:34 2024 -0300

First check Root CAs on kube-cert-rotation.sh

As of now, the script only verifies the validity of leaf certificates
and, if expired, will regenerate them based on K8s/etcd Root CAs.
It doesn't account for the possibility of Root CAs being expired.
It will generate leaf certificates based on Root CAs, even if said
Root CAs are expired.

This change fixes that behaviour by first checking validity of
Root CAs and only allowing leaf certificate renewal if RCAs are
valid.

Test plan:
PASS: Cause Root CAs to expire, run kube-cert-rotation.sh script
and verify that it fails with an error saying Root CAs are
expired and leaf certificates are not renewed.
PASS: Ensure to have valid Root CAs, cause leaf certificates
to expire, run kube-cert-rotation.sh and verify that the
script executes normally and is able to renew
the leaf certificates.

Closes-Bug: 2059708
Signed-off-by: Rei Oliveira <email address hidden>
Change-Id: I98dfd8d1417754f3c723d8ddd52a856785ffc83b

Reviewed: https://review.opendev.org/c/starlingx/config/+/914684
Committed: https://opendev.org/starlingx/config/commit/01a5ea0843bd25a422993ff267567609f67351a5
Submitter: "Zuul (22348)"
Branch: master
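
The ordering described in the commit message (check the Root CA first, renew the leaf only if it passes), as an added example that is not the StarlingX kube-cert-rotation.sh code. The function names, subject names and file layout are hypothetical; the sample CA is constructed and valid for one day, and a 2-day margin passed to `-checkend` stands in for an expired CA.

```shell
#!/bin/sh
# Added example: gate leaf renewal on Root CA validity (hypothetical helper names).

# Return 0 if the certificate in $1 is still valid $2 seconds from now
# (default 0 = valid right now); non-zero if it is expired or unreadable.
ca_is_valid() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Renew a leaf only when the issuing CA passes the check.
# $1 CA cert, $2 CA key, $3 leaf output prefix, $4 margin in seconds (optional)
renew_leaf() {
    if ! ca_is_valid "$1" "${4:-0}"; then
        echo "ERROR: Root CA $1 is expired or unreadable; leaf not renewed" >&2
        return 1
    fi
    # The key and CSR are created only after the CA check has passed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-leaf" \
        -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -days 1 -out "$3.crt" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed CA valid for one day.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example-root-ca" \
        -days 1 -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Demo: the first renewal succeeds; the second is refused because the CA
# does not outlive the 2-day margin.
d=$(mktemp -d) && make_sample_ca "$d"
renew_leaf "$d/ca.crt" "$d/ca.key" "$d/leaf" && echo "leaf renewed"
renew_leaf "$d/ca.crt" "$d/ca.key" "$d/leaf2" 172800 || echo "renewal refused"
rm -rf "$d"
```

Checking the CA before any key or CSR is generated means a refused renewal leaves no partial leaf material on disk.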