Remove subcloud admin endpoint data migration

Admin endpoint cert upgrade will be handled by manifest, so data
migration is no longer needed in subcloud.
On N+1 side, admin endpoint cert secret (key/cert) will be pulled
directly from k8s resource for manifest to generate endpoint cert
on first host unlock.

Only need to update SAN of admin endpoint cert.

Closes-Bug: 1923510
Depends-On: https://review.opendev.org/c/starlingx/stx-puppet/+/786666
Change-Id: I4312abd6c767d6ba54c13ce1e90f2e25df9ed216
Signed-off-by: Bin Qian <bin.qian@windriver.com>
Bin Qian 2021-04-30 12:14:31 -04:00
parent 0a61602cf3
commit 862c1746ab
2 changed files with 0 additions and 76 deletions


@ -389,15 +389,6 @@ start()
fi
fi
if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
then
cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
if [ $? -ne 0 ]
then
fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
fi
fi
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
then
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/


@ -9,15 +9,9 @@
# This script can be removed in the release that follows stx.5.0
#
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography import x509
from shutil import copyfile
import socket
import subprocess
import sys
import time
from controllerconfig.common import log
@ -117,67 +111,6 @@ def update_sc_admin_endpoint_cert(to_release):
else:
raise Exception('Command failed after retries: %s' % cmd)
# Extract subcloud admin endpoint certificate.
# There is an issue with cert-manager where even though the certificate is
# reported as ready from the previous command, the actual data extracted is
# still empty. So we retry if no valid certificate data is extracted, and
# retry for private key data for the same reason.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.crt}'"
for attempt in range(3):
try:
cert = execute_command(cmd)
if not cert:
raise Exception('Certificate extracted is empty.')
cert = base64.b64decode(cert)
# Test loading the certificate to ensure it's valid
x509.load_pem_x509_certificate(cert, default_backend())
except Exception as e:
LOG.info('Failed to extract certificate: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract certificate from cert-manager.')
# Extract subcloud admin endpoint private key,
# Retry if no valid private key data is extracted.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.key}'"
for attempt in range(3):
try:
key = execute_command(cmd)
if not key:
raise Exception('Private key extracted is empty.')
key = base64.b64decode(key)
# Test loading the private key to ensure it's valid
serialization.load_pem_private_key(key, password=None,
backend=default_backend())
except Exception as e:
LOG.info('Failed to extract private key: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract private key from cert-manager.')
# Create haproxy tls certificate
cert_file = "/etc/ssl/private/admin-ep-cert.pem"
with open(cert_file, 'w') as f:
f.write(key + cert)
# Copy admin endpoint certficates to the shared filesystem directory
shared_file = "/opt/platform/config/%s/admin-ep-cert.pem" % to_release
copyfile(cert_file, shared_file)
# Restart haproxy to take the new cert
cmd = "sm-restart service haproxy"
execute_command(cmd)
LOG.info('Subcloud admin endpoint certificate updated successfully')