CLIs for kube rootca update procedure

This commit reunites the code related to user client interface to use k8s rootca update APIs on sysinv. Includes commands for system kube-rootca-update-start system kube-rootca-update-generate-cert system kube-rootca-update-upload-cert system kube-rootca-host-update system kube-rootca-pods-update system kube-rootca-update-complete system kube-rootca-update-abort Task: 43080 Story: 2008675 Depends-on: https://review.opendev.org/c/starlingx/config/+/805375 Signed-off-by: Joao Soubihe <JoaoPaulo.Soubihe@windriver.com> Change-Id: I67f938130a9f3d6a4abdcf7b47492226dfbd3ce6
2021-05-10 14:13:26 -03:00 · 2021-05-10 14:13:26 -03:00 · 5afb182c00
parent f9d3c9112c
commit 5afb182c00
9 changed files with 496 additions and 21 deletions
--- a/sysinv/cgts-client/cgts-client/cgtsclient/tests/v1/test_kube_rootca_update_shell.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/tests/v1/test_kube_rootca_update_shell.py
@ -0,0 +1,168 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+import mock
+
+from cgtsclient.tests import test_shell
+from cgtsclient.v1.ihost import ihost
+from cgtsclient.v1.kube_rootca_update import KubeRootCAUpdate
+
+
+class KubeRootCAUpdateTest(test_shell.ShellTest):
+
+    def setUp(self):
+        super(KubeRootCAUpdateTest, self).setUp()
+
+        self.fake_kube_rootca_update = {
+            'from_rootca_cert': 'oldCert',
+            'to_rootca_cert': 'newCert',
+            'state': 'update-started',
+            'uuid': 'cb737aba-1820-4184-b0dc-9b073822af48',
+            'capabilities': {},
+            'created_at': 'fake-created-time',
+            'updated_at': 'fake-updated-time',
+        }
+        self.fake_kube_rootca_host_update = {
+            'hostname': 'fake-hostname',
+            'uuid': '88d31a2d-c82e-429f-a52d-f03f860bb620',
+            'personality': 'fake-personality',
+            'state': 'None',
+            'target_rootca_cert': 'fake-target_rootca_cert',
+            'effective_rootca_cert': 'fake-effective_rootca_cert',
+            'created_at': 'fake-created-time',
+            'updated_at': 'fake-updated-time',
+        }
+        self.mock_get_endpoint_return_value = 'http://fakelocalhost:6385/v1'
+
+    def tearDown(self):
+        super(KubeRootCAUpdateTest, self).tearDown()
+
+    def _check_rootca_update(self, fake_kube_rootca_update, results):
+        self.assertIn(fake_kube_rootca_update['from_rootca_cert'], results)
+        self.assertIn(fake_kube_rootca_update['to_rootca_cert'], results)
+        self.assertIn(fake_kube_rootca_update['state'], results)
+        self.assertIn(fake_kube_rootca_update['uuid'], results)
+        self.assertIn(fake_kube_rootca_update['created_at'], results)
+        self.assertIn(fake_kube_rootca_update['updated_at'], results)
+
+    def _check_rootca_host_update(self, fake_kube_rootca_host_update, results):
+        self.assertIn(fake_kube_rootca_host_update['effective_rootca_cert'], results)
+        self.assertIn(fake_kube_rootca_host_update['target_rootca_cert'], results)
+        self.assertIn(fake_kube_rootca_host_update['state'], results)
+        self.assertIn(fake_kube_rootca_host_update['created_at'], results)
+        self.assertIn(fake_kube_rootca_host_update['updated_at'], results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.get')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_update_start(self, mock_get_endpoint, mock_get_client,
+                                      mock_get, mock_create):
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        mock_get.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+
+        self.make_env()
+        results = self.shell("kube-rootca-update-start")
+        self._check_rootca_update(self.fake_kube_rootca_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.get_list')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_update_show_current_update(self, mock_get_endpoint, mock_get_client,
+                                                    mock_get_list, mock_create):
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        mock_get_list.return_value = [KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)]
+
+        self.make_env()
+        results = self.shell("kube-rootca-update-show")
+        self._check_rootca_update(self.fake_kube_rootca_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.host_update_list')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_update_list_current_update(self, mock_get_endpoint, mock_get_client,
+                                                    mock_update_list):
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_update_list.return_value = [KubeRootCAUpdate(None, self.fake_kube_rootca_host_update, True)]
+        self.make_env()
+        results = self.shell("kube-rootca-host-update-list")
+        self.assertIn(self.fake_kube_rootca_host_update['hostname'], results)
+        self.assertIn(self.fake_kube_rootca_host_update['personality'], results)
+        self._check_rootca_host_update(self.fake_kube_rootca_host_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.rootCA_pods_update')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_pods_update(self, mock_get_endpoint, mock_get_client,
+                                     mock_pods_update, mock_create):
+        self.fake_kube_rootca_update['state'] = 'updated-host-trust-both-cas'
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        self.fake_kube_rootca_update['state'] = 'updating-pods-trust-both-cas'
+        mock_pods_update.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+
+        self.make_env()
+        results = self.shell("kube-rootca-pods-update --phase=trust-both-cas")
+        self._check_rootca_update(self.fake_kube_rootca_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.ihost.ihostManager.kube_update_rootca')
+    @mock.patch('cgtsclient.v1.ihost._find_ihost')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_host_update(self, mock_get_endpoint, mock_get_client,
+                                     mock_get_host, mock_host_update, mock_create):
+        fake_controller = {'id': '0',
+                           'uuid': '1127ea5e-067b-11ec-9a03-0242ac130003',
+                           'hostname': 'fake-hostname',
+                           'personality': 'controller',
+                           'administrative': 'unlocked',
+                           'operational': 'enabled',
+                           'availability': 'available'}
+        self.fake_kube_rootca_host_update['state'] = 'updating-host-trust-both-cas'
+        mock_get_host.return_value = ihost(None, fake_controller, True)
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        mock_host_update.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_host_update, True)
+
+        self.make_env()
+        results = self.shell("kube-rootca-host-update --phase=trust-both-cas fake-hostname")
+        self._check_rootca_host_update(self.fake_kube_rootca_host_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.update_complete')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_update_complete(self, mock_get_endpoint, mock_get_client,
+                                         mock_update_complete, mock_create):
+        self.fake_kube_rootca_update['state'] = 'updated-pods-trust-new-ca'
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        self.fake_kube_rootca_update['state'] = 'update-completed'
+        mock_update_complete.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+
+        self.make_env()
+        results = self.shell("kube-rootca-update-complete")
+        self._check_rootca_update(self.fake_kube_rootca_update, results)
+
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.create')
+    @mock.patch('cgtsclient.v1.kube_rootca_update.KubeRootCAUpdateManager.update_complete')
+    @mock.patch('cgtsclient.client._get_ksclient')
+    @mock.patch('cgtsclient.client._get_endpoint')
+    def test_kube_rootca_update_abort(self, mock_get_endpoint, mock_get_client,
+                                      mock_update_complete, mock_create):
+        mock_get_endpoint.return_value = self.mock_get_endpoint_return_value
+        mock_create.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+        self.fake_kube_rootca_update['state'] = 'update-aborted'
+        mock_update_complete.return_value = KubeRootCAUpdate(None, self.fake_kube_rootca_update, True)
+
+        self.make_env()
+        results = self.shell("kube-rootca-update-abort")
+        self._check_rootca_update(self.fake_kube_rootca_update, results)
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/client.py
@ -57,6 +57,7 @@ from cgtsclient.v1 import iuser
 from cgtsclient.v1 import kube_cluster
 from cgtsclient.v1 import kube_cmd_version
 from cgtsclient.v1 import kube_host_upgrade
+from cgtsclient.v1 import kube_rootca_update
 from cgtsclient.v1 import kube_upgrade
 from cgtsclient.v1 import kube_version
 from cgtsclient.v1 import label
@ -175,3 +176,4 @@ class Client(http.HTTPClient):
        self.device_image_state = device_image_state.DeviceImageStateManager(self)
        self.device_label = device_label.DeviceLabelManager(self)
        self.restore = restore.RestoreManager(self)
+        self.kube_rootca_update = kube_rootca_update.KubeRootCAUpdateManager(self)
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/ihost.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/ihost.py
@ -138,6 +138,14 @@ class ihostManager(base.Manager):
            body=post_body)
        return self.resource_class(self, body)

+    def kube_update_rootca(self, hostid, phase):
+        post_body = {}
+        post_body['phase'] = phase
+        resp, body = self.api.json_request(
+            'POST', self._path(hostid) + "/kube_update_ca",
+            body=post_body)
+        return self.resource_class(self, body)
+
    def device_image_update(self, hostid):
        path = self._path(hostid) + "/device_image_update"
        resp, body = self.api.json_request('POST', path)
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py
@ -0,0 +1,99 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from cgtsclient.common import base
+
+
+class KubeRootCAUpdate(base.Resource):
+    def __repr__(self):
+        return "<kube_rootca_update %s>" % self._info
+
+
+class KubeRootCAUpdateManager(base.Manager):
+    resource_class = KubeRootCAUpdate
+
+    @staticmethod
+    def _path(uuid=None):
+        return 'v1/kube_rootca_update/%s' % uuid if uuid else 'v1/kube_rootca_update/'
+
+    def create(self, force):
+        """Create a new entry for kubernetes rootca update operation """
+        return self._create(self._path() + '?force=' + str(force), {})
+
+    def get(self, uuid=None):
+        """Retrieve the details of a given kubernetes rootca update.
+
+        :param uuid: uuid of update
+        """
+
+        try:
+            return self._list(self._path(uuid))[0]
+        except IndexError:
+            return None
+
+    def get_list(self, uuid=None):
+        """Retrieve the details of a given kubernetes rootca update.
+
+        :param uuid: uuid of update
+        """
+        try:
+            return self._list(self._path(uuid), 'kube_rootca_updates')
+        except IndexError:
+            return []
+
+    def rootCA_upload(self, pem_content):
+        """Retrieve the details of a given kubernetes rootca update.
+
+        :param pem_content: the content of the PEM file to be uploaded
+        """
+
+        path = self._path('upload_cert')
+        return self._upload(path, pem_content)
+
+    def rootCA_generate(self, expiry_date=None, subject=None):
+        """Generate a root CA to be applied during
+           kubernetes rootca update procedure.
+
+           :param expiry_date: stores data from CLI arg expiry_date.
+           A datetime string in ISO 8601 format (YYYY-MM-DD)
+           specifying the expiry date for the certificate to be
+           generated.
+           :param subject: A string specifying the subject to be set
+           for the certificate.
+        """
+
+        path = self._path('generate_cert')
+        generate_body = {}
+        generate_body['expiry_date'] = expiry_date
+        generate_body['subject'] = subject
+        return self._create(path, generate_body)
+
+    def rootCA_pods_update(self, phase):
+        """Kubernetes rootca update for pods.
+
+        :param phase: the phase of the update request.
+        """
+
+        post_body = {}
+        post_body['phase'] = phase
+        resp, body = self.api.json_request('POST', self._path() + "pods",
+                                           body=post_body)
+        return self.resource_class(self, body)
+
+    def host_update_list(self):
+        """Retrieves Kubernetes root CA update status by hosts"""
+
+        return self._list(self._path('hosts'), 'kube_host_updates')
+
+    def update_complete(self, patch, force):
+        """Marks the Kubernetes rootca update as complete
+
+        :param patch: a json PATCH document to apply on complete API.
+        :param force: A CLI argument to indicate if the API should ignore
+        minor alarms on eventual health checks.
+        """
+
+        return self._update(self._path() + '?force=' + str(force), patch)
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update_shell.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update_shell.py
@ -0,0 +1,192 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# All Rights Reserved.
+#
+
+from cgtsclient.common import utils
+from cgtsclient import exc
+from cgtsclient.v1 import ihost as ihost_utils
+
+
+# Kubernetes constants
+KUBE_ROOTCA_UPDATE_COMPLETED = 'update-completed'
+KUBE_ROOTCA_UPDATE_ABORTED = 'update-aborted'
+
+
+def _print_kube_rootca_update_show(obj):
+    fields = ['uuid', 'state', 'from_rootca_cert', 'to_rootca_cert',
+              'created_at', 'updated_at']
+    optional_fields = []
+    data = [(f, getattr(obj, f, '')) for f in fields]
+    if optional_fields:
+        data += [(f, getattr(obj, f, '')) for f in optional_fields
+                 if hasattr(obj, f)]
+    utils.print_tuple_list(data)
+
+
+def _print_kube_rootca_host_update_show(obj):
+    fields = ['uuid', 'state', 'effective_rootca_cert',
+              'target_rootca_cert', 'created_at', 'updated_at']
+    optional_fields = []
+    data = [(f, getattr(obj, f, '')) for f in fields]
+    if optional_fields:
+        data += [(f, getattr(obj, f, '')) for f in optional_fields
+                 if hasattr(obj, f)]
+    utils.print_tuple_list(data)
+
+
+@utils.arg('hostnameorid', metavar='<hostname or id>',
+           help="Name or ID of host")
+@utils.arg('--phase',
+           choices=['trust-both-cas', 'update-certs', 'trust-new-ca'],
+           help="Specify the phase of the update")
+def do_kube_rootca_host_update(cc, args):
+    """Update root CA certificate on a host."""
+
+    ihost = ihost_utils._find_ihost(cc, args.hostnameorid)
+    if args.phase in ['trust-both-cas', 'update-certs', 'trust-new-ca']:
+        kube_update_host_rootca = cc.ihost.kube_update_rootca(ihost.uuid,
+                                                              args.phase)
+    else:
+        raise exc.CommandError('Invalid phase value: %s' % args.phase)
+
+    _print_kube_rootca_host_update_show(kube_update_host_rootca)
+
+
+@utils.arg('--phase',
+           choices=['trust-both-cas', 'trust-new-ca'],
+           help="Specify the phase of the update")
+def do_kube_rootca_pods_update(cc, args):
+    """Update root CA certificate for pods."""
+
+    if args.phase in ['trust-both-cas', 'trust-new-ca']:
+        kube_rootca_update = \
+            cc.kube_rootca_update.rootCA_pods_update(args.phase)
+    else:
+        raise exc.CommandError('Invalid phase value: %s' % args.phase)
+
+    _print_kube_rootca_update_show(kube_rootca_update)
+
+
+@utils.arg('-f', '--force',
+           action='store_true',
+           default=False,
+           help="Ignore non management-affecting alarms")
+def do_kube_rootca_update_start(cc, args):
+    """Start a new procedure for kubernetes rootCA update """
+
+    kube_rootca_update = cc.kube_rootca_update.create(args.force)
+    uuid = getattr(kube_rootca_update, 'uuid', '')
+
+    try:
+        kube_rootca_update = cc.kube_rootca_update.get(uuid)
+    except exc.HTTPNotFound:
+        raise exc.CommandError('Created kubernetes rootca update UUID not found: %s'
+                               % uuid)
+
+    _print_kube_rootca_update_show(kube_rootca_update)
+
+
+@utils.arg('certificate_file',
+           metavar='<certificate_file>',
+           help='Path to the kubernetes certificate file (in PEM format) to upload.')
+def do_kube_rootca_update_upload_cert(cc, args):
+    """Upload new kubernetes rootCA """
+
+    certificate_file = args.certificate_file
+    try:
+        with open(certificate_file, 'rb') as sec_file:
+            cert_upload = cc.kube_rootca_update.rootCA_upload(sec_file)
+    except Exception:
+        raise exc.CommandError("Error: Could not open file %s." %
+                               certificate_file)
+
+    if cert_upload.get("error"):
+        print(cert_upload.get("error"))
+    else:
+        # Show new rootca certificate identifier <issuer_hash>-<serial_number>
+        print("Uploaded new rootca certificate: %s" % cert_upload.get("success"))
+
+
+@utils.arg('--expiry-date',
+           default=None,
+           help='Optional argument to define expiry date '
+                'in the format of YYYY-MM-DD for k8s root'
+                'CA to be generated')
+@utils.arg('--subject',
+           default=None,
+           help='Subject to be set on new kubernetes root CA.Should '
+                'have the format <parameter_initials>=<value> and '
+                'supports C(Country), ST(State/Province), L(Locality) '
+                'O(Organization), OU(OrganizationalUnit), '
+                'CN(CommonName) subject parameters. An example is an '
+                'entry like C=US ST=California L=San Francisco '
+                'O=StarlingX OU=Company1 CN=Subject Example')
+def do_kube_rootca_update_generate_cert(cc, args):
+    """Generate new kubernetes rootCA"""
+
+    certificate = cc.kube_rootca_update.rootCA_generate(args.expiry_date, args.subject)
+
+    if certificate.error:
+        print(certificate.error)
+    else:
+        # Show new rootca certificate identifier <issuer_hash>-<serial_number>
+        print("Generated new rootca certificate: %s" % certificate.success)
+
+
+def do_kube_rootca_update_show(cc, args):
+    """Retrieves kubernetes rootCA update status"""
+
+    update_status = cc.kube_rootca_update.get_list()
+
+    fields = ['uuid', 'state', 'from_rootca_cert', 'to_rootca_cert',
+              'created_at', 'updated_at']
+
+    utils.print_list(update_status, fields, fields)
+
+
+def do_kube_rootca_host_update_list(cc, args):
+    """Retrieves kubernetes rootCA update status on each host"""
+
+    update_status_list = cc.kube_rootca_update.host_update_list()
+
+    fields = ['hostname', 'personality', 'state', 'effective_rootca_cert',
+              'target_rootca_cert', 'created_at', 'updated_at']
+
+    utils.print_list(update_status_list, fields, fields)
+
+
+@utils.arg('-f', '--force',
+           action='store_true',
+           default=False,
+           help="Ignore non management-affecting alarms")
+def do_kube_rootca_update_complete(cc, args):
+    """Marks the rootca update as complete"""
+
+    patch = []
+    patch.append({'op': 'replace',
+                  'path': '/state',
+                  'value': KUBE_ROOTCA_UPDATE_COMPLETED})
+
+    update_status = cc.kube_rootca_update.update_complete(patch, args.force)
+    _print_kube_rootca_update_show(update_status)
+
+
+@utils.arg('-f', '--force',
+           action='store_true',
+           default=False,
+           help="Ignore non management-affecting alarms")
+def do_kube_rootca_update_abort(cc, args):
+    """Marks the rootca update as aborted"""
+
+    patch = []
+    patch.append({'op': 'replace',
+                  'path': '/state',
+                  'value': KUBE_ROOTCA_UPDATE_ABORTED})
+
+    update_status = cc.kube_rootca_update.update_complete(patch, args.force)
+    _print_kube_rootca_update_show(update_status)
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/shell.py
@ -43,6 +43,7 @@ from cgtsclient.v1 import isystem_shell
 from cgtsclient.v1 import iuser_shell

 from cgtsclient.v1 import kube_cluster_shell
+from cgtsclient.v1 import kube_rootca_update_shell
 from cgtsclient.v1 import kube_upgrade_shell
 from cgtsclient.v1 import kube_version_shell
 from cgtsclient.v1 import label_shell
@ -125,6 +126,7 @@ COMMAND_MODULES = [
    kube_cluster_shell,
    kube_version_shell,
    kube_upgrade_shell,
+    kube_rootca_update_shell,
    device_image_shell,
    device_image_state_shell,
    device_label_shell,
--- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
+++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
@ -597,6 +597,9 @@ class KubeRootCAUpdateController(rest.RestController):

        rpc_host_update_list = pecan.request.dbapi.kube_rootca_host_update_get_list()
        hostnames = [host.hostname for host in rpc_host_update_list]
+
+        LOG.debug("Starting cleanup procedure")
+
        self._clear_kubernetes_resources(hostnames)

        # cleanup kube_rootca_host_update table
@ -615,21 +618,25 @@ class KubeRootCAUpdateController(rest.RestController):
        # cleanup kube_rootca_update table for completion
        if update_state == kubernetes.KUBE_ROOTCA_UPDATE_COMPLETED:
            pecan.request.dbapi.kube_rootca_update_destroy(rpc_kube_rootca_update.id)
+            LOG.debug("Removed procedure entry on kube_rootca_update table")

            # If applicable, notify dcmanager that the update is completed
            system = pecan.request.dbapi.isystem_get_one()
            role = system.get('distributed_cloud_role')
            if role == constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER:
                dc_api.notify_dcmanager_kube_rootca_update_completed()
+            LOG.info("Kubernetes rootca update completed")

        # clear update in progess alarm
        if self.fm_api.get_fault(fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_IN_PROGRESS,
                                self.alarm_instance_id):
+            LOG.debug("Removing KUBE ROOTCA UPDATE IN PROGRESS alarm")
            self.fm_api.clear_fault(fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_IN_PROGRESS,
                                    self.alarm_instance_id)

        # raise update aborted alarm if this is an abort
        if update_state == kubernetes.KUBE_ROOTCA_UPDATE_ABORTED:
+            LOG.debug("Raising KUBE ROOTCA PROCEDURE ABORTED alarm")
            fault = fm_api.Fault(
                    alarm_id=fm_constants.FM_ALARM_ID_KUBE_ROOTCA_UPDATE_ABORTED,
                    alarm_state=fm_constants.FM_ALARM_STATE_SET,
@ -714,11 +721,8 @@ class KubeRootCAHostUpdateController(rest.RestController):

        # Get all the host update state
        host_updates_temp = []
-        try:
-            host_updates_temp = \
-                pecan.request.dbapi.kube_rootca_host_update_get_list()
-        except exception.NotFound:
-            pass
+        host_updates_temp = \
+            pecan.request.dbapi.kube_rootca_host_update_get_list()
        host_updates = [host_update for host_update in host_updates_temp
                        if host_update.state is not None]

--- a/sysinv/sysinv/sysinv/sysinv/common/kubernetes.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/kubernetes.py
@ -93,25 +93,25 @@ KUBE_HOST_UPGRADING_KUBELET_FAILED = 'upgrading-kubelet-failed'
 KUBE_ROOTCA_UPDATE_STARTED = 'update-started'
 KUBE_ROOTCA_UPDATE_CERT_UPLOADED = 'update-new-rootca-cert-uploaded'
 KUBE_ROOTCA_UPDATE_CERT_GENERATED = 'update-new-rootca-cert-generated'
-KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS = 'updating-pods-trustBothCAs'
-KUBE_ROOTCA_UPDATED_PODS_TRUSTBOTHCAS = 'updated-pods-trustBothCAs'
-KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS_FAILED = 'updating-pods-trustBothCAs-failed'
-KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA = 'updating-pods-trustNewCA'
-KUBE_ROOTCA_UPDATED_PODS_TRUSTNEWCA = 'updated-pods-trustNewCA'
-KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA_FAILED = 'updating-pods-trustNewCA-failed'
+KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS = 'updating-pods-trust-both-cas'
+KUBE_ROOTCA_UPDATED_PODS_TRUSTBOTHCAS = 'updated-pods-trust-both-cas'
+KUBE_ROOTCA_UPDATING_PODS_TRUSTBOTHCAS_FAILED = 'updating-pods-trust-both-cas-failed'
+KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA = 'updating-pods-trust-new-ca'
+KUBE_ROOTCA_UPDATED_PODS_TRUSTNEWCA = 'updated-pods-trust-new-ca'
+KUBE_ROOTCA_UPDATING_PODS_TRUSTNEWCA_FAILED = 'updating-pods-trust-new-ca-failed'
 KUBE_ROOTCA_UPDATE_COMPLETED = 'update-completed'
 KUBE_ROOTCA_UPDATE_ABORTED = 'update-aborted'

 # Kubernetes rootca host update states
-KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS = 'updating-host-trustBothCAs'
-KUBE_ROOTCA_UPDATED_HOST_TRUSTBOTHCAS = 'updated-host-trustBothCAs'
-KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS_FAILED = 'updating-host-trustBothCAs-failed'
-KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS = 'updating-host-updateCerts'
-KUBE_ROOTCA_UPDATED_HOST_UPDATECERTS = 'updated-host-updateCerts'
-KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS_FAILED = 'updating-host-updateCerts-failed'
-KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA = 'updating-host-trustNewCA'
-KUBE_ROOTCA_UPDATED_HOST_TRUSTNEWCA = 'updated-host-trustNewCA'
-KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA_FAILED = 'updating-host-trustNewCA-failed'
+KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS = 'updating-host-trust-both-cas'
+KUBE_ROOTCA_UPDATED_HOST_TRUSTBOTHCAS = 'updated-host-trust-both-cas'
+KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS_FAILED = 'updating-host-trust-both-cas-failed'
+KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS = 'updating-host-update-certs'
+KUBE_ROOTCA_UPDATED_HOST_UPDATECERTS = 'updated-host-update-certs'
+KUBE_ROOTCA_UPDATING_HOST_UPDATECERTS_FAILED = 'updating-host-update-certs-failed'
+KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA = 'updating-host-trust-new-ca'
+KUBE_ROOTCA_UPDATED_HOST_TRUSTNEWCA = 'updated-host-trust-new-ca'
+KUBE_ROOTCA_UPDATING_HOST_TRUSTNEWCA_FAILED = 'updating-host-trust-new-ca-failed'

 # Kubeadm and Kubelet default versions
 KUBERNETES_DEFAULT_VERSION = '1.18.1'
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -14175,7 +14175,7 @@ class ConductorManager(service.PeriodicService):
        try:
            new_cert_id = cutils.build_cert_identifier(cert)
        except Exception:
-            msg = "Failed to extract subject and serial number" \
+            msg = "Failed to extract subject and serial number " \
                  "from new root CA"
            LOG.error(msg)
            return dict(success="", error=msg)