Fix subcloud going offline if certificates expire

K8s certificates rotation after they reach the expiry date requires restart of sysinv services, both sysinv-conductor and sysinv-inv. The sysinv services cache k8s client object and get credentials from admin.conf. Restaring only the sysinv-conductor and missing the restart of the sysinv api causes the certificates not to be updated and this way affecting subcloud management functionality. The fix updates the script "kube-cert-rotation.sh" to restart all sysinv services and not only sysinv-conductor. The script "kube-cert-rotation.sh" requires to be installed with "700" permission. Tests performed: PASS: kube-cert-rotation.sh script gets installed correctly in directory /usr/bin and is set with permissions "700". PASS: kube-cert-rotation.sh script executes without errors when run to renew K8s certificates. PASS: After K8s certificates are renewed, all sysinv services get restarted. PASS: Executed successfully kube-cert-rotation.sh in AIO-SX and DC system configurations. Closes-Bug: 2002452 Signed-off-by: Carmen Rata <carmen.rata@windriver.com> Change-Id: Ie74a47226280b9362558ebfa158a4bf91209e957
2 months ago · 8cd5f76083
parent 6d1911c01f
commit 8cd5f76083
3 changed files with 9 additions and 4 deletions
--- a/sysinv/sysinv/debian/deb_folder/rules
+++ b/sysinv/sysinv/debian/deb_folder/rules
@ -24,6 +24,7 @@ override_dh_install:
 	install -p -D -m 755 $(CURDIR)/etc/sysinv/sysinv_goenabled_check.sh $(CURDIR)/debian/tmp/etc/goenabled.d/sysinv_goenabled_check.sh
 	install -p -D -m 700 $(CURDIR)/etc/sysinv/delete_load.sh $(CURDIR)/debian/tmp/etc/sysinv/upgrades/delete_load.sh
 	install -p -D -m 644 debian/tmpfiles.conf $(CURDIR)/debian/tmp/usr/lib/tmpfiles.d/sysinv.conf
+	install -p -D -m 700 $(CURDIR)/scripts/kube-cert-rotation.sh $(CURDIR)/debian/tmp/usr/bin/kube-cert-rotation.sh
 	dh_install

 override_dh_python3:
@ -35,3 +36,4 @@ override_dh_installsystemd:

 override_dh_fixperms:
 	dh_fixperms -Xkube-cert-rotation.sh
+
--- a/sysinv/sysinv/debian/deb_folder/sysinv.install
+++ b/sysinv/sysinv/debian/deb_folder/sysinv.install
@ -8,7 +8,6 @@ scripts/partition_info.sh usr/bin
 scripts/validate-platform-backup.sh usr/bin
 scripts/manage-partitions usr/bin
 scripts/query_pci_id usr/bin
-scripts/kube-cert-rotation.sh usr/bin
 scripts/ceph_k8s_update_monitors.sh usr/bin
 usr/lib/python*/dist-packages/*
 etc/goenabled.d/sysinv_goenabled_check.sh
@ -16,6 +15,7 @@ etc/sysinv/upgrades/delete_load.sh
 etc/update-motd.d/10-system
 usr/bin/cert-alarm
 usr/bin/cert-mon
+usr/bin/kube-cert-rotation.sh
 usr/bin/sysinv-agent
 usr/bin/sysinv-api
 usr/bin/sysinv-conductor
--- a/sysinv/sysinv/sysinv/scripts/kube-cert-rotation.sh
+++ b/sysinv/sysinv/sysinv/scripts/kube-cert-rotation.sh
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2019 Intel Corporation
-# Copyright (c) 2021 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #

 #
@ -334,9 +334,12 @@ if [ ${RESTART_SCHEDULER} -eq 1 ]; then
        ERR=2
    fi
 fi
-# Restart sysinv-conductor since it's using credentials from admin.conf
+# Restart sysinv services, both conductor and api, since both are using
+# credentials from admin.conf. Command sm-restart-safe only restarts
+# sysinv-conductor. Command sm-restart will restart sysinv-conductor
+# and its dependencies, meaning all sysinv services.
 if [ ${RESTART_SYSINV} -eq 1 ]; then
-    sm-restart-safe service sysinv-conductor
+    sm-restart service sysinv-conductor
    if [ $? -ne 0 ]; then
        ERR=2
    fi