starlingx/config
Code Issues Proposed changes

Merge "CLIs for kube rootca update procedure"

Browse Source
This commit is contained in:
Zuul 2021-08-30 19:19:43 +00:00 committed by Gerrit Code Review
commit 39c785ea8e
9 changed files with 496 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
sysinv/cgts-client/cgts-client/cgtsclient/tests/v1/test_kube_rootca_update_shell.py Normal file
View File

@ -0,0 +1,168 @@
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
import mock
from cgtsclient.tests import test_shell
from cgtsclient.v1.ihost import ihost
from cgtsclient.v1.kube_rootca_update import KubeRootCAUpdate
class KubeRootCAUpdateTest(test_shell.ShellTest):
def setUp(self):
super(KubeRootCAUpdateTest, self).setUp()
self.fake_kube_rootca_update = {
'from_rootca_cert': 'oldCert',
'to_rootca_cert': 'newCert',
'state': 'update-started',
'uuid': 'cb737aba-1820-4184-b0dc-9b073822af48',
'capabilities': {},
'created_at': 'fake-created-time',
'updated_at': 'fake-updated-time',
}
self.fake_kube_rootca_host_update = {
'hostname': 'fake-hostname',
'uuid': '88d31a2d-c82e-429f-a52d-f03f860bb620',
'personality': 'fake-personality',
'state': 'None',
'target_rootca_cert': 'fake-target_rootca_cert',
'effective_rootca_cert': 'fake-effective_rootca_cert',
'created_at': 'fake-created-time',
'updated_at': 'fake-updated-time',
}
self.mock_get_endpoint_return_value = 'http://fakelocalhost:6385/v1'
def tearDown(self):
super(KubeRootCAUpdateTest, self).tearDown()
def _check_rootca_update(self, fake_kube_rootca_update, results):
self.assertIn(fake_kube_rootca_update['from_rootca_cert'], results)
self.assertIn(fake_kube_rootca_update['to_rootca_cert'], results)
self.assertIn(fake_kube_rootca_update['state'], results)
self.assertIn(fake_kube_rootca_update['uuid'], results)
self.assertIn(fake_kube_rootca_update['created_at'], results)
self.assertIn(fake_kube_rootca_update['updated_at'], results)
def _check_rootca_host_update(self, fake_kube_rootca_host_update, results):
self.assertIn(fake_kube_rootca_host_update['effective_rootca_cert'], results)
self.assertIn(fake_kube_rootca_host_update['target_rootca_cert'], results)
self.assertIn(fake_kube_rootca_host_update['state'], results)
self.assertIn(fake_kube_rootca_host_update['created_at'], results)
self.assertIn(fake_kube_rootca_host_update['updated_at'], results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.get')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_update_start(self, mock_get_endpoint, mock_get_client,
mock_get, mock_create):
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
mock_get.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.make_env()
results = self.shell("kube-rootca-update-start")
self._check_rootca_update(self.fake_kube_rootca_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.get_list')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_update_show_current_update(self, mock_get_endpoint, mock_get_client,
mock_get_list, mock_create):
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
mock_get_list.return_value = [KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)]
self.make_env()
results = self.shell("kube-rootca-update-show")
self._check_rootca_update(self.fake_kube_rootca_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.host_update_list')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_update_list_current_update(self, mock_get_endpoint, mock_get_client,
mock_update_list):
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_update_list.return_value = [KubeRootCAUpdate(None, self.fake_kube_rootca_host_update, True)]
self.make_env()
results = self.shell("kube-rootca-host-update-list")
self.assertIn(self.fake_kube_rootca_host_update['hostname'], results)
self.assertIn(self.fake_kube_rootca_host_update['personality'], results)
self._check_rootca_host_update(self.fake_kube_rootca_host_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.rootCA_pods_update')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_pods_update(self, mock_get_endpoint, mock_get_client,
mock_pods_update, mock_create):
self.fake_kube_rootca_update['state'] = 'updated-host-trust-both-cas'
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.fake_kube_rootca_update['state'] = 'updating-pods-trust-both-cas'
mock_pods_update.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.make_env()
results = self.shell("kube-rootca-pods-update --phase=trust-both-cas")
self._check_rootca_update(self.fake_kube_rootca_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.ihost.ihostManager.kube_update_rootca')
@mock.patch('cgtsclient.v1.ihost._find_ihost')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_host_update(self, mock_get_endpoint, mock_get_client,
mock_get_host, mock_host_update, mock_create):
fake_controller = {'id': '0',
'uuid': '1127ea5e-067b-11ec-9a03-0242ac130003',
'hostname': 'fake-hostname',
'personality': 'controller',
'administrative': 'unlocked',
'operational': 'enabled',
'availability': 'available'}
self.fake_kube_rootca_host_update['state'] = 'updating-host-trust-both-cas'
mock_get_host.return_value = ihost(None, fake_controller, True)
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
mock_host_update.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_host_update, True)
self.make_env()
results = self.shell("kube-rootca-host-update --phase=trust-both-cas fake-hostname")
self._check_rootca_host_update(self.fake_kube_rootca_host_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.update_complete')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_update_complete(self, mock_get_endpoint, mock_get_client,
mock_update_complete, mock_create):
self.fake_kube_rootca_update['state'] = 'updated-pods-trust-new-ca'
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.fake_kube_rootca_update['state'] = 'update-completed'
mock_update_complete.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.make_env()
results = self.shell("kube-rootca-update-complete")
self._check_rootca_update(self.fake_kube_rootca_update, results)
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
@mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.update_complete')
@mock.patch('cgtsclient.client._get_ksclient')
@mock.patch('cgtsclient.client._get_endpoint')
def test_kube_rootca_update_abort(self, mock_get_endpoint, mock_get_client,
mock_update_complete, mock_create):
mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.fake_kube_rootca_update['state'] = 'update-aborted'
mock_update_complete.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
self.make_env()
results = self.shell("kube-rootca-update-abort")
self._check_rootca_update(self.fake_kube_rootca_update, results)

2
sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py
View File

@ -57,6 +57,7 @@ from cgtsclient.v1 import iuser
from cgtsclient.v1 import kube_cluster
from cgtsclient.v1 import kube_cmd_version
from cgtsclient.v1 import kube_host_upgrade
from cgtsclient.v1 import kube_rootca_update
from cgtsclient.v1 import kube_upgrade
from cgtsclient.v1 import kube_version
from cgtsclient.v1 import label
@ -175,3 +176,4 @@ class Client(http.HTTPClient):
self.device_image_state = device_image_state.DeviceImageStateManager(self)
self.device_label = device_label.DeviceLabelManager(self)
self.restore = restore.RestoreManager(self)
self.kube_rootca_update = kube_rootca_update.KubeRootCAUpdateManager(self)

8
sysinv/cgts-client/cgts-client/cgtsclient/v1/ihost.py
View File

@ -138,6 +138,14 @@ class ihostManager(base.Manager):
body=post_body)
return self.resource_class(self, body)
def kube_update_rootca(self, hostid, phase):
post_body = {}
post_body['phase'] = phase
resp, body = self.api.json_request(
'POST', self._path(hostid) + "/kube_update_ca",
body=post_body)
return self.resource_class(self, body)
def device_image_update(self, hostid):
path = self._path(hostid) + "/device_image_update"
resp, body = self.api.json_request('POST', path)

99
sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py Normal file
View File

@ -0,0 +1,99 @@
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
from cgtsclient.common import base
class KubeRootCAUpdate(base.Resource):
def __repr__(self):
return "<kube_rootca_update %s>" % self._info
class KubeRootCAUpdateManager(base.Manager):
resource_class = KubeRootCAUpdate
@staticmethod
def _path(uuid=None):
return 'v1/kube_rootca_update/%s' % uuid if uuid else 'v1/kube_rootca_update/'
def create(self, force):
"""Create a new entry for kubernetes rootca update operation """
return self._create(self._path() + '?force=' + str(force), {})
def get(self, uuid=None):
"""Retrieve the details of a given kubernetes rootca update.
:param uuid: uuid of update
"""
try:
return self._list(self._path(uuid))[0]
except IndexError:
return None
def get_list(self, uuid=None):
"""Retrieve the details of a given kubernetes rootca update.
:param uuid: uuid of update
"""
try:
return self._list(self._path(uuid), 'kube_rootca_updates')
except IndexError:
return []
def rootCA_upload(self, pem_content):
"""Retrieve the details of a given kubernetes rootca update.
:param pem_content: the content of the PEM file to be uploaded
"""
path = self._path('upload_cert')
return self._upload(path, pem_content)
def rootCA_generate(self, expiry_date=None, subject=None):
"""Generate a root CA to be applied during
kubernetes rootca update procedure.
:param expiry_date: stores data from CLI arg expiry_date.
A datetime string in ISO 8601 format (YYYY-MM-DD)
specifying the expiry date for the certificate to be
generated.
:param subject: A string specifying the subject to be set
for the certificate.
"""
path = self._path('generate_cert')
generate_body = {}
generate_body['expiry_date'] = expiry_date
generate_body['subject'] = subject
return self._create(path, generate_body)
def rootCA_pods_update(self, phase):
"""Kubernetes rootca update for pods.
:param phase: the phase of the update request.
"""
post_body = {}
post_body['phase'] = phase
resp, body = self.api.json_request('POST', self._path() + "pods",
body=post_body)
return self.resource_class(self, body)
def host_update_list(self):
"""Retrieves Kubernetes root CA update status by hosts"""
return self._list(self._path('hosts'), 'kube_host_updates')
def update_complete(self, patch, force):
"""Marks the Kubernetes rootca update as complete
:param patch: a json PATCH document to apply on complete API.
:param force: A CLI argument to indicate if the API should ignore
minor alarms on eventual health checks.
"""
return self._update(self._path() + '?force=' + str(force), patch)

192
sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update_shell.py Executable file
View File

@ -0,0 +1,192 @@
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# All Rights Reserved.
#
from cgtsclient.common import utils
from cgtsclient import exc
from cgtsclient.v1 import ihost as ihost_utils
# Kubernetes constants
KUBE_ROOTCA_UPDATE_COMPLETED = 'update-completed'
KUBE_ROOTCA_UPDATE_ABORTED = 'update-aborted'
def _print_kube_rootca_update_show(obj):
fields = ['uuid', 'state', 'from_rootca_cert', 'to_rootca_cert',
'created_at', 'updated_at']
optional_fields = []
data = [(f, getattr(obj, f, '')) for f in fields]
if optional_fields:
data += [(f, getattr(obj, f, '')) for f in optional_fields
if hasattr(obj, f)]
utils.print_tuple_list(data)
def _print_kube_rootca_host_update_show(obj):
fields = ['uuid', 'state', 'effective_rootca_cert',
'target_rootca_cert', 'created_at', 'updated_at']
optional_fields = []
data = [(f, getattr(obj, f, '')) for f in fields]
if optional_fields:
data += [(f, getattr(obj, f, '')) for f in optional_fields
if hasattr(obj, f)]
utils.print_tuple_list(data)
@utils.arg('hostnameorid', metavar='<hostname or id>',
help="Name or ID of host")
@utils.arg('--phase',
choices=['trust-both-cas', 'update-certs', 'trust-new-ca'],
help="Specify the phase of the update")
def do_kube_rootca_host_update(cc, args):
"""Update root CA certificate on a host."""
ihost = ihost_utils._find_ihost(cc, args.hostnameorid)
if args.phase in ['trust-both-cas', 'update-certs', 'trust-new-ca']:
kube_update_host_rootca = cc.ihost.kube_update_rootca(ihost.uuid,
args.phase)
else:
raise exc.CommandError('Invalid phase value: %s' % args.phase)
_print_kube_rootca_host_update_show(kube_update_host_rootca)
@utils.arg('--phase',
choices=['trust-both-cas', 'trust-new-ca'],
help="Specify the phase of the update")
def do_kube_rootca_pods_update(cc, args):
"""Update root CA certificate for pods."""
if args.phase in ['trust-both-cas', 'trust-new-ca']:
kube_rootca_update = \
cc.kube_rootca_update.rootCA_pods_update(args.phase)
else:
raise exc.CommandError('Invalid phase value: %s' % args.phase)
_print_kube_rootca_update_show(kube_rootca_update)
@utils.arg('-f', '--force',
action='store_true',
default=False,
help="Ignore non management-affecting alarms")
def do_kube_rootca_update_start(cc, args):
"""Start a new procedure for kubernetes rootCA update """
kube_rootca_update = cc.kube_rootca_update.create(args.force)
uuid = getattr(kube_rootca_update, 'uuid', '')
try:
kube_rootca_update = cc.kube_rootca_update.get(uuid)
except exc.HTTPNotFound:
raise exc.CommandError('Created kubernetes rootca update UUID not found: %s'
% uuid)
_print_kube_rootca_update_show(kube_rootca_update)
@utils.arg('certificate_file',
metavar='<certificate_file>',
help='Path to the kubernetes certificate file (in PEM format) to upload.')
def do_kube_rootca_update_upload_cert(cc, args):
"""Upload new kubernetes rootCA """
certificate_file = args.certificate_file
try:
with open(certificate_file, 'rb') as sec_file:
cert_upload = cc.kube_rootca_update.rootCA_upload(sec_file)
except Exception:
raise exc.CommandError("Error: Could not open file %s." %
certificate_file)
if cert_upload.get("error"):
print(cert_upload.get("error"))
else:
# Show new rootca certificate identifier <issuer_hash>-<serial_number>
print("Uploaded new rootca certificate: %s" % cert_upload.get("success"))
@utils.arg('--expiry-date',
default=None,
help='Optional argument to define expiry date '
'in the format of YYYY-MM-DD for k8s root'
'CA to be generated')
@utils.arg('--subject',
default=None,
help='Subject to be set on new kubernetes root CA.Should '
'have the format <parameter_initials>=<value> and '
'supports C(Country), ST(State/Province), L(Locality) '
'O(Organization), OU(OrganizationalUnit), '
'CN(CommonName) subject parameters. An example is an '
'entry like C=US ST=California L=San Francisco '
'O=StarlingX OU=Company1 CN=Subject Example')
def do_kube_rootca_update_generate_cert(cc, args):
"""Generate new kubernetes rootCA"""
certificate = cc.kube_rootca_update.rootCA_generate(args.expiry_date, args.subject)
if certificate.error:
print(certificate.error)
else:
# Show new rootca certificate identifier <issuer_hash>-<serial_number>
print("Generated new rootca certificate: %s" % certificate.success)
def do_kube_rootca_update_show(cc, args):
"""Retrieves kubernetes rootCA update status"""
update_status = cc.kube_rootca_update.get_list()
fields = ['uuid', 'state', 'from_rootca_cert', 'to_rootca_cert',
'created_at', 'updated_at']
utils.print_list(update_status, fields, fields)
def do_kube_rootca_host_update_list(cc, args):
"""Retrieves kubernetes rootCA update status on each host"""
update_status_list = cc.kube_rootca_update.host_update_list()
fields = ['hostname', 'personality', 'state', 'effective_rootca_cert',
'target_rootca_cert', 'created_at', 'updated_at']
utils.print_list(update_status_list, fields, fields)
@utils.arg('-f', '--force',
action='store_true',
default=False,
help="Ignore non management-affecting alarms")
def do_kube_rootca_update_complete(cc, args):
"""Marks the rootca update as complete"""
patch = []
patch.append({'op': 'replace',
'path': '/state',
'value': KUBE_ROOTCA_UPDATE_COMPLETED})
update_status = cc.kube_rootca_update.update_complete(patch, args.force)
_print_kube_rootca_update_show(update_status)
@utils.arg('-f', '--force',
action='store_true',
default=False,
help="Ignore non management-affecting alarms")
def do_kube_rootca_update_abort(cc, args):
"""Marks the rootca update as aborted"""
patch = []
patch.append({'op': 'replace',
'path': '/state',
'value': KUBE_ROOTCA_UPDATE_ABORTED})
update_status = cc.kube_rootca_update.update_complete(patch, args.force)
_print_kube_rootca_update_show(update_status)

2
sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py
View File

@ -43,6 +43,7 @@ from cgtsclient.v1 import isystem_shell
from cgtsclient.v1 import iuser_shell
from cgtsclient.v1 import kube_cluster_shell
from cgtsclient.v1 import kube_rootca_update_shell
from cgtsclient.v1 import kube_upgrade_shell
from cgtsclient.v1 import kube_version_shell
from cgtsclient.v1 import label_shell
@ -125,6 +126,7 @@ COMMAND_MODULES = [
kube_cluster_shell,
kube_version_shell,
kube_upgrade_shell,
kube_rootca_update_shell,
device_image_shell,
device_image_state_shell,
device_label_shell,

14
sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
View File

@ -597,6 +597,9 @@ class KubeRootCAUpdateController(rest.RestController):
rpc_host_update_list = pecan.request.dbapi.kube_rootca_host_update_get_list()
hostnames = [host.hostname for host in rpc_host_update_list]
LOG.debug("Starting cleanup procedure")
self._clear_kubernetes_resources(hostnames)
# cleanup kube_rootca_host_update table
@ -615,21 +618,25 @@ class KubeRootCAUpdateController(rest.RestController):
# cleanup kube_rootca_update table for completion
if update_state == kubernetes.KUBE_ROOTCA_UPDATE_COMPLETED:
pecan.request.dbapi.kube_rootca_update_destroy(rpc_kube_rootca_update.id)
LOG.debug("Removed procedure entry on kube_rootca_update table")
# If applicable, notify dcmanager that the update is completed
system = pecan.request.dbapi.isystem_get_one()
role = system.get('distributed_cloud_role')
if role == constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER:
dc_api.notify_dcmanager_kube_rootca_update_completed()
LOG.info("Kubernetes rootca update completed")
# clear update in progess alarm
if self.fm_api.get_fault(fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_IN_PROGRESS,
self.alarm_instance_id):
LOG.debug("Removing KUBE ROOTCA UPDATE IN PROGRESS alarm")
self.fm_api.clear_fault(fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_IN_PROGRESS,
self.alarm_instance_id)
# raise update aborted alarm if this is an abort
if update_state == kubernetes.KUBE_ROOTCA_UPDATE_ABORTED:
LOG.debug("Raising KUBE ROOTCA PROCEDURE ABORTED alarm")
fault = fm_api.Fault(
alarm_id=fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_ABORTED,
alarm_state=fm_constants.FM_ALARM_STATE_SET,
@ -714,11 +721,8 @@ class KubeRootCAHostUpdateController(rest.RestController):
# Get all the host update state
host_updates_temp = []
try:
host_updates_temp = \
pecan.request.dbapi.kube_rootca_host_update_get_list()
except exception.NotFound:
pass
host_updates_temp = \
pecan.request.dbapi.kube_rootca_host_update_get_list()
host_updates = [host_update for host_update in host_updates_temp
if host_update.state is not None]

30
sysinv/sysinv/sysinv/sysinv/common/kubernetes.py
View File

@ -93,25 +93,25 @@ KUBE_HOST_UPGRADING_KUBELET_FAILED = 'upgrading-kubelet-failed'
KUBE_ROOTCA_UPDATE_STARTED = 'update-started'
KUBE_ROOTCA_UPDATE_CERT_UPLOADED = 'update-new-rootca-cert-uploaded'
KUBE_ROOTCA_UPDATE_CERT_GENERATED = 'update-new-rootca-cert-generated'
KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS = 'updating-pods-trustBothCAs'
KUBE_ROOTCA_UPDATED_PODS_TRUSTBOTHCAS = 'updated-pods-trustBothCAs'
KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS_FAILED = 'updating-pods-trustBothCAs-failed'
KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA = 'updating-pods-trustNewCA'
KUBE_ROOTCA_UPDATED_PODS_TRUSTNEWCA = 'updated-pods-trustNewCA'
KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA_FAILED = 'updating-pods-trustNewCA-failed'
KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS = 'updating-pods-trust-both-cas'
KUBE_ROOTCA_UPDATED_PODS_TRUSTBOTHCAS = 'updated-pods-trust-both-cas'
KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS_FAILED = 'updating-pods-trust-both-cas-failed'
KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA = 'updating-pods-trust-new-ca'
KUBE_ROOTCA_UPDATED_PODS_TRUSTNEWCA = 'updated-pods-trust-new-ca'
KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA_FAILED = 'updating-pods-trust-new-ca-failed'
KUBE_ROOTCA_UPDATE_COMPLETED = 'update-completed'
KUBE_ROOTCA_UPDATE_ABORTED = 'update-aborted'
# Kubernetes rootca host update states
KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS = 'updating-host-trustBothCAs'
KUBE_ROOTCA_UPDATED_HOST_TRUSTBOTHCAS = 'updated-host-trustBothCAs'
KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS_FAILED = 'updating-host-trustBothCAs-failed'
KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS = 'updating-host-updateCerts'
KUBE_ROOTCA_UPDATED_HOST_UPDATECERTS = 'updated-host-updateCerts'
KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS_FAILED = 'updating-host-updateCerts-failed'
KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA = 'updating-host-trustNewCA'
KUBE_ROOTCA_UPDATED_HOST_TRUSTNEWCA = 'updated-host-trustNewCA'
KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA_FAILED = 'updating-host-trustNewCA-failed'
KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS = 'updating-host-trust-both-cas'
KUBE_ROOTCA_UPDATED_HOST_TRUSTBOTHCAS = 'updated-host-trust-both-cas'
KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS_FAILED = 'updating-host-trust-both-cas-failed'
KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS = 'updating-host-update-certs'
KUBE_ROOTCA_UPDATED_HOST_UPDATECERTS = 'updated-host-update-certs'
KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS_FAILED = 'updating-host-update-certs-failed'
KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA = 'updating-host-trust-new-ca'
KUBE_ROOTCA_UPDATED_HOST_TRUSTNEWCA = 'updated-host-trust-new-ca'
KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA_FAILED = 'updating-host-trust-new-ca-failed'
# Kubeadm and Kubelet default versions
KUBERNETES_DEFAULT_VERSION = '1.18.1'

2
sysinv/sysinv/sysinv/sysinv/conductor/manager.py
View File

@ -14175,7 +14175,7 @@ class ConductorManager(service.PeriodicService):
try:
new_cert_id = cutils.build_cert_identifier(cert)
except Exception:
msg = "Failed to extract subject and serial number" \
msg = "Failed to extract subject and serial number " \
"from new root CA"
LOG.error(msg)
return dict(success="", error=msg)