This review addresses changes required by the insertion of openldap in
the cert-manager migration playbook from the previous version. It includes:
- Fixes in the playbook itself:
  - Fix detection of openldap cert;
  - Add the ability to run in subclouds with an old version;
  - Fixed the template that generates the platform certificates,
    adding default values in important fields in case the user does not
    define them in the inventory file.
- Fixes in bootstrap/rehoming:
  - Fix the overwrite of the ICA set by the user in the old version
    for kubernetes root ca in upgrades, inside the 'system-local-ca'
    secret (*);
  - Do not recreate the openldap secret if it isn't required, in upgrades;
  - Differentiate between secret types for subclouds in upgrades (it
    has to account for TLS type as well, not only Opaque);
  - Increase some rehoming timeouts;
  - Install the new SystemController system-local-ca as a trusted CA
    in rehoming and restart kubeapi and openldap servers.
- Minor improvements:
  - Check if country name is limited to two letters in cert subject;
  - The role common/install-trusted-ca creates temporary files in
    SystemController. This could lead to race conditions if more
    than one playbook that uses the role were executed at the same
    time. Changed it to use random components in the filenames.
Test plan:
- Deploy SX, DX and DC with both SX and DX subclouds.
- Execute cert-manager migration playbook.
- Rehome SX subcloud with Opaque 'system-local-ca' (normal case).
- Rehome SX/DX subclouds with TLS 'system-local-ca' (after
  cert-manager migration playbook is executed).
- Upgrade SX, DX and DC systems with SX and DX subclouds from 21.12
  and 22.06 to designer iso 22.12. Executed the upgrades both with:
  - Running the cert-manager migration on the FROM side. (**)
  - Not running the cert-manager migration on the FROM side.
P.S.:
(*) Due to the existence of an upgrade start script called on the
'from' side that will overwrite the secret after this code is
called, this change will only have effect in upgrades moving
forward.
(**) Some upgrade scenarios were affected by the issue in (*).
Re-executing the cert-manager migration playbook on the TO side
was able to fix these cases.
Closes-Bug: 2012435
Depends-on: https://review.opendev.org/c/starlingx/config/+/878913
Signed-off-by: Marcelo de Castro Loebens <Marcelo.DeCastroLoebens@windriver.com>
Change-Id: If9e56347c530a6556508c87659a24d8e8514624e
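As an added illustration of the two "minor improvements" listed in the review summary (defaulting unset subject fields, rejecting a country name that is not a two-letter code, and creating temporary files with unique random names so that concurrently running playbooks cannot collide), here is a small stand-alone Ansible playbook. It is example code written for this summary, not code from the StarlingX playbooks or the common/install-trusted-ca role; the variable names (system_platform_certificate, cert_subject, trusted_ca_pem), the default values and the temp-file prefix are assumptions.

```yaml
# Added example, not StarlingX code. Variable names, defaults and paths are assumed.
- name: Validate platform certificate subject and stage a trusted CA safely
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed inventory-style input: the user set only O and CN and
    # left C, ST and L unset, so the defaults below must fill them in.
    system_platform_certificate:
      subject:
        O: "Example Org"
        CN: "platform.example.test"
    # Constructed placeholder PEM, not a real certificate.
    trusted_ca_pem: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER-CA-CERTIFICATE-BODY
      -----END CERTIFICATE-----

  tasks:
    - name: Apply default values to subject fields the inventory leaves unset
      ansible.builtin.set_fact:
        cert_subject:
          C:  "{{ system_platform_certificate.subject.C  | default('CA') }}"
          ST: "{{ system_platform_certificate.subject.ST | default('Ontario') }}"
          L:  "{{ system_platform_certificate.subject.L  | default('Ottawa') }}"
          O:  "{{ system_platform_certificate.subject.O  | default('StarlingX') }}"
          CN: "{{ system_platform_certificate.subject.CN | default('platform') }}"

    - name: Check that the country name is exactly two letters (X.509 'C' field)
      ansible.builtin.assert:
        that:
          - cert_subject.C | length == 2
          - cert_subject.C is match('^[A-Za-z]{2}$')
        fail_msg: >-
          Certificate subject country name must be a two-letter code,
          got '{{ cert_subject.C }}'.
        success_msg: "Subject country '{{ cert_subject.C }}' is valid."

    # Using a fixed path such as /tmp/trusted-ca.crt would let two playbooks
    # running at the same time overwrite each other's file. The tempfile
    # module appends a random component, so each run gets a unique name.
    - name: Create a uniquely named temporary file for the CA certificate
      ansible.builtin.tempfile:
        state: file
        prefix: "trusted-ca-"
        suffix: ".crt"
      register: ca_tmp

    - name: Write the CA certificate into the per-run temporary file
      ansible.builtin.copy:
        content: "{{ trusted_ca_pem }}"
        dest: "{{ ca_tmp.path }}"
        mode: "0600"

    - name: Show where this run staged the certificate
      ansible.builtin.debug:
        msg: "CA staged at {{ ca_tmp.path }} for subject {{ cert_subject }}"

    - name: Remove the temporary file once the role is done with it
      ansible.builtin.file:
        path: "{{ ca_tmp.path }}"
        state: absent
```

Run with `ansible-playbook example.yml`; setting `C: "USA"` in the inventory-style vars makes the assert task fail with the message shown, which is the behaviour the review describes for the country-name check.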