openstack/openstack-helm-infra
Code Issues Proposed changes

cert-rotation: Return true if grep finds no match

Browse Source 
If grep does not find a match, it return 1 which fails the shell
script. Hence made it return true if no match is found.
Also, removed returning of error from the script becasue any failure
will cause the job to re-run which may re-renew certificates and
restart the pods again. And this can continue if the error persists.

Chaange-Id: I2a38b59789fd522e8163ff9b12ff847eb1fe2f3a
Change-Id: Ica456ef6c5bec2bd29f51aaeef7b5ce5e8681beb
This commit is contained in:
Gupta, Sangeet (sg774j) 2021-08-06 02:52:25 +00:00 committed by Gage Hugo
parent a4f300e3da
commit ba998fc142
3 changed files with 6 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cert-rotation/Chart.yaml
View File

@ -16,5 +16,5 @@ appVersion: "1.0"
description: Rotate the certificates generated by cert-manager description: Rotate the certificates generated by cert-manager
home: https://cert-manager.io/ home: https://cert-manager.io/
name: cert-rotation name: cert-rotation
version: 0.1.0 version: 0.1.1
... ...

13
cert-rotation/templates/bin/_rotate-certs.sh.tpl
View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -e set -x
{{/* {{/*
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
@ -24,9 +24,6 @@ minDaysToExpiry={{ .Values.jobs.rotate.max_days_to_expiry }}
rotateBefore=$(($(date +%s) + (86400*$minDaysToExpiry))) rotateBefore=$(($(date +%s) + (86400*$minDaysToExpiry)))
# Return Code, initialized to success
rc=0
function rotate_and_get_certs_list(){ function rotate_and_get_certs_list(){
# Rotate the certificates if the expiry date of certificates is within the # Rotate the certificates if the expiry date of certificates is within the
# max_days_to_expiry days # max_days_to_expiry days
@ -64,9 +61,7 @@ function rotate_and_get_certs_list(){
if [ ${counter} -ge 30 ] if [ ${counter} -ge 30 ]
then then
echo "ERROR: Rotated certificate ${cert} in ${namespace} is not ready." echo "ERROR: Rotated certificate ${cert} in ${namespace} is not ready."
# Set return code to error and continue so that the certificates that are # Continue so that the certificates that are rotated successfully are deployed.
# rotated successfully are deployed.
rc=1
break break
fi fi
echo "Rotated certificate ${cert} in ${namespace} is not ready yet ... waiting" echo "Rotated certificate ${cert} in ${namespace} is not ready yet ... waiting"
@ -126,7 +121,7 @@ function restart_the_pods(){
# - find if tls.crt was mounted to the container: get the subpaths of volumeMount in # - find if tls.crt was mounted to the container: get the subpaths of volumeMount in
# the container and grep for tls.crt. (This will be index 2 = idx+2) # the container and grep for tls.crt. (This will be index 2 = idx+2)
resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS:.spec.template.spec.containers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt)) resource=($(kubectl get ${kind} -n ${namespace} -o custom-columns='NAME:.metadata.name,SECRETS:.spec.template.spec.volumes[*].secret.secretName,TLS:.spec.template.spec.containers[*].volumeMounts[*].subPath' --no-headers | grep tls.crt || true))
idx=0 idx=0
while [[ $idx -lt ${#resource[@]} ]] while [[ $idx -lt ${#resource[@]} ]]
@ -204,4 +199,4 @@ function rotate_job(){
} }
$COMMAND $COMMAND
exit ${rc} exit 0

1
releasenotes/notes/cert-rotation.yaml
View File

@ -1,4 +1,5 @@
--- ---
cert-rotation: cert-rotation:
- 0.1.0 Initial Chart - 0.1.0 Initial Chart
- 0.1.1 Return true if grep finds no match
... ...