Improve robustness of root CA cert update polling
cert-manager creates new secrets in two steps: 1. create a k8s Secret resource with its data still missing; 2. populate the missing data after the resource exists. Thus, just checking that the secret exists isn't enough when its data is then consumed. To handle this, this change: - updates the `get_cert_secret` method to check the secret content and specifically look for the TLS certificate (`tls.crt`) as well; - reduces the secret polling interval and increases its overall timeout; - wraps the unpacking of the secret's certificates in a try/except block. Test Plan: PASS: Verify kube-rootca-update-generate-cert command properly waits for the secret to be populated in a: - normal condition - throttling condition - condition without polling interval PASS: Verify that if the secret fails to create within the timeout range, the proper error will be shown and the user is able to retry Closes-Bug: 1945331 Signed-off-by: Joao Soubihe <JoaoPaulo.Soubihe@windriver.com> Change-Id: I06438d5824cc2383953a23fc31d95c399d86fc1a
This commit is contained in:
parent
62ac3bd546
commit
350cc912ad
@ -1000,11 +1000,11 @@ class KubeOperator(object):
|
|||
label_selector, field_selector, e)
|
||||
raise
|
||||
|
||||
def get_cert_secret(self, name, namespace, max_retries=4):
|
||||
for i in range(0, max_retries):
|
||||
def get_cert_secret(self, name, namespace, max_retries=60):
|
||||
for _ in range(max_retries):
|
||||
secret = self.kube_get_secret(name, NAMESPACE_DEPLOYMENT)
|
||||
if secret is not None and secret.data is not None:
|
||||
if secret is not None and secret.data.get("tls.crt"):
|
||||
LOG.debug("secret = %s" % secret)
|
||||
return secret
|
||||
time.sleep(5)
|
||||
time.sleep(1)
|
||||
return None
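Review bot: The rewritten condition on the new `if secret is not None and secret.data.get("tls.crt"):` line drops the `secret.data is not None` guard the old line had, so a Secret that exists but has no data yet — the exact state the commit description says cert-manager produces first — makes `secret.data.get` raise AttributeError instead of sleeping and retrying. Use `if secret is not None and secret.data and secret.data.get("tls.crt"):` so an absent or empty data map falls through to the `time.sleep(1)` and the loop keeps polling. Unrelated to this change but visible in the context line, `self.kube_get_secret(name, NAMESPACE_DEPLOYMENT)` ignores the `namespace` parameter, so the signature promises something the body does not honor; either pass `namespace` or document why the deployment namespace is fixed. A short docstring would also help, e.g. `"""Poll for Secret `name` until its data contains a non-empty tls.crt; return None after max_retries attempts (~1 s apart)."""`.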
|
||||
|
|
|
@ -14834,11 +14834,11 @@ class ConductorManager(service.PeriodicService):
|
|||
|
||||
data = secret.data
|
||||
tls_crt = base64.decode_as_bytes(data['tls.crt'])
|
||||
cert = cutils.extract_certs_from_pem(tls_crt)[0]
|
||||
certs = cutils.extract_certs_from_pem(tls_crt)
|
||||
|
||||
# extract information regarding the new rootca
|
||||
try:
|
||||
new_cert = cutils.build_cert_identifier(cert)
|
||||
new_cert = cutils.build_cert_identifier(certs[0])
|
||||
except Exception:
|
||||
msg = "Failed to extract issuer and serial number from new root CA"
|
||||
LOG.error(msg)
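Review bot: Only the `build_cert_identifier(certs[0])` call is inside the `try:`; the `base64.decode_as_bytes(data['tls.crt'])` and `cutils.extract_certs_from_pem(tls_crt)` lines before it remain outside, so a missing key, malformed base64, or a PEM with no certificate still raises uncaught rather than producing the "Failed to extract issuer and serial number" error the handler logs — the only newly covered case is an empty list from `extract_certs_from_pem`. Move the `tls_crt = ...` and `certs = ...` assignments under the `try:` so the whole unpacking shares the handler, and consider narrowing to `except (KeyError, ValueError, IndexError)` or using `LOG.exception(msg)` so the original cause is not lost. Taking `certs[0]` as the root CA assumes the root is the first certificate in `tls.crt`; if cert-manager can write a chain there, that ordering should be confirmed or the selection made explicit (for example picking the self-signed entry). The enclosing method starts before this hunk and continues after it.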
|
||||
|
@ -14909,7 +14909,7 @@ class ConductorManager(service.PeriodicService):
|
|||
:param secret_name: the name of the secret to wait
|
||||
"""
|
||||
kube_operator = kubernetes.KubeOperator()
|
||||
secret = kube_operator.get_cert_secret(secret_name, kubernetes.NAMESPACE_DEPLOYMENT, max_retries=2)
|
||||
secret = kube_operator.get_cert_secret(secret_name, kubernetes.NAMESPACE_DEPLOYMENT)
|
||||
if secret is None:
|
||||
msg = "Secret %s creation timeout" % secret_name
|
||||
LOG.error(msg)
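Review bot: The message on the `msg = "Secret %s creation timeout" % secret_name` line is now misleading, because `get_cert_secret` (per the first hunk) returns None both when the Secret never appears and when it exists but `tls.crt` is never populated; an operator reading "creation timeout" will look for a missing Secret rather than an unpopulated one. Suggest `msg = "Secret %s was not created or populated with tls.crt within the timeout" % secret_name`. Dropping the explicit `max_retries=2` also means this wait now takes its length from the default in `KubeOperator` (60 retries about 1 s apart plus API latency, so roughly a minute) instead of about 10 s; if this path runs inside an RPC handler of `ConductorManager`, confirm that stays under the RPC timeout, and a one-line comment here noting the expected worst-case wait would help the next reader. The enclosing function's docstring starts before this hunk and its body continues after it.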
|
||||
|
|