Fix subcloud going offline if certificates expire
K8s certificates rotation after they reach the expiry date requires restart of sysinv services, both sysinv-conductor and sysinv-inv. The sysinv services cache k8s client object and get credentials from admin.conf. Restarting only the sysinv-conductor and missing the restart of the sysinv api causes the certificates not to be updated, which affects subcloud management functionality. The fix updates the script "kube-cert-rotation.sh" to restart all sysinv services and not only sysinv-conductor. The script "kube-cert-rotation.sh" requires to be installed with "700" permission. Tests performed: PASS: kube-cert-rotation.sh script gets installed correctly in directory /usr/bin and is set with permissions "700". PASS: kube-cert-rotation.sh script executes without errors when run to renew K8s certificates. PASS: After K8s certificates are renewed, all sysinv services get restarted. PASS: Executed successfully kube-cert-rotation.sh in AIO-SX and DC system configurations. Closes-Bug: 2002452 Signed-off-by: Carmen Rata <carmen.rata@windriver.com> Change-Id: Ie74a47226280b9362558ebfa158a4bf91209e957
parent
6d1911c01f
commit
8cd5f76083
|
@ -24,6 +24,7 @@ override_dh_install:
|
|||
install -p -D -m 755 $(CURDIR)/etc/sysinv/sysinv_goenabled_check.sh $(CURDIR)/debian/tmp/etc/goenabled.d/sysinv_goenabled_check.sh
|
||||
install -p -D -m 700 $(CURDIR)/etc/sysinv/delete_load.sh $(CURDIR)/debian/tmp/etc/sysinv/upgrades/delete_load.sh
|
||||
install -p -D -m 644 debian/tmpfiles.conf $(CURDIR)/debian/tmp/usr/lib/tmpfiles.d/sysinv.conf
|
||||
install -p -D -m 700 $(CURDIR)/scripts/kube-cert-rotation.sh $(CURDIR)/debian/tmp/usr/bin/kube-cert-rotation.sh
|
||||
dh_install
|
||||
|
||||
override_dh_python3:
|
||||
|
@ -35,3 +36,4 @@ override_dh_installsystemd:
|
|||
|
||||
override_dh_fixperms:
|
||||
dh_fixperms -Xkube-cert-rotation.sh
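Review bot: The `dh_fixperms -Xkube-cert-rotation.sh` exclusion protects only this one script, while `delete_load.sh` a few lines up in `override_dh_install` is also installed with `-m 700`. dh_fixperms normalises every non-excluded file with `chmod go=rX`, so that file would presumably ship as 0755 unless something outside this page handles it; if owner-only is intended there too, extend the line to `dh_fixperms -Xkube-cert-rotation.sh -Xdelete_load.sh`. Note that `-X` matches the string anywhere in a path, so any other packaged file whose path contains `kube-cert-rotation.sh` would also skip permission normalisation. A comment above the recipe such as `# keep kube-cert-rotation.sh at 0700; dh_fixperms would otherwise reset it to 0755` would stop the exclusion from being dropped in a later cleanup.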
|
||||
|
||||
|
|
|
@ -8,7 +8,6 @@ scripts/partition_info.sh usr/bin
|
|||
scripts/validate-platform-backup.sh usr/bin
|
||||
scripts/manage-partitions usr/bin
|
||||
scripts/query_pci_id usr/bin
|
||||
scripts/kube-cert-rotation.sh usr/bin
|
||||
scripts/ceph_k8s_update_monitors.sh usr/bin
|
||||
usr/lib/python*/dist-packages/*
|
||||
etc/goenabled.d/sysinv_goenabled_check.sh
|
||||
|
@ -16,6 +15,7 @@ etc/sysinv/upgrades/delete_load.sh
|
|||
etc/update-motd.d/10-system
|
||||
usr/bin/cert-alarm
|
||||
usr/bin/cert-mon
|
||||
usr/bin/kube-cert-rotation.sh
|
||||
usr/bin/sysinv-agent
|
||||
usr/bin/sysinv-api
|
||||
usr/bin/sysinv-conductor
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# Copyright (C) 2019 Intel Corporation
|
||||
# Copyright (c) 2021 Wind River Systems, Inc.
|
||||
# Copyright (c) 2021-2023 Wind River Systems, Inc.
|
||||
#
|
||||
|
||||
#
|
||||
|
@ -334,9 +334,12 @@ if [ ${RESTART_SCHEDULER} -eq 1 ]; then
|
|||
ERR=2
|
||||
fi
|
||||
fi
|
||||
# Restart sysinv-conductor since it's using credentials from admin.conf
|
||||
# Restart sysinv services, both conductor and api, since both are using
|
||||
# credentials from admin.conf. Command sm-restart-safe only restarts
|
||||
# sysinv-conductor. Command sm-restart will restart sysinv-conductor
|
||||
# and its dependencies, meaning all sysinv services.
|
||||
if [ ${RESTART_SYSINV} -eq 1 ]; then
|
||||
sm-restart-safe service sysinv-conductor
|
||||
sm-restart service sysinv-conductor
|
||||
if [ $? -ne 0 ]; then
|
||||
ERR=2
|
||||
fi
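Review bot: When `sm-restart service sysinv-conductor` fails, the visible lines only set `ERR=2`, so the condition this commit is about (sysinv services still holding the pre-rotation admin.conf credentials) leaves no record naming the step that failed. Testing the command directly, `if ! sm-restart service sysinv-conductor; then`, and logging the failure through whatever logging the script already uses would make the stale-credential state visible to an operator before the subcloud goes offline. The exit status may only reflect that the service manager accepted the request rather than that sysinv-api came back with the new credentials; that is inferred, not shown on the page, and a follow-up health check would be the stronger signal. The enclosing `if [ ${RESTART_SYSINV} -eq 1 ]` block closes outside the hunk.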
|
||||
|
|