Browse Source

Merge "Remove subcloud admin endpoint data migration"

changes/09/789309/3
Zuul 2 months ago
committed by Gerrit Code Review
parent
commit
c994dbafa2
2 changed files with 0 additions and 76 deletions
  1. +0
    -9
      controllerconfig/controllerconfig/scripts/controller_config
  2. +0
    -67
      controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py

+ 0
- 9
controllerconfig/controllerconfig/scripts/controller_config View File

@ -389,15 +389,6 @@ start()
fi
fi
if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
then
cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
if [ $? -ne 0 ]
then
fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
fi
fi
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
then
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/


+ 0
- 67
controllerconfig/controllerconfig/upgrade-scripts/85-update-sc-admin-endpoint-cert.py View File

@ -9,15 +9,9 @@
# This script can be removed in the release that follows stx.5.0
#
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography import x509
from shutil import copyfile
import socket
import subprocess
import sys
import time
from controllerconfig.common import log
@ -117,67 +111,6 @@ def update_sc_admin_endpoint_cert(to_release):
else:
raise Exception('Command failed after retries: %s' % cmd)
# Extract subcloud admin endpoint certificate.
# There is an issue with cert-manager where even though the certificate is
# reported as ready from the previous command, the actual data extracted is
# still empty. So we retry if no valid certificate data is extracted, and
# retry for private key data for the same reason.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.crt}'"
for attempt in range(3):
try:
cert = execute_command(cmd)
if not cert:
raise Exception('Certificate extracted is empty.')
cert = base64.b64decode(cert)
# Test loading the certificate to ensure it's valid
x509.load_pem_x509_certificate(cert, default_backend())
except Exception as e:
LOG.info('Failed to extract certificate: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract certificate from cert-manager.')
# Extract subcloud admin endpoint private key,
# Retry if no valid private key data is extracted.
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.key}'"
for attempt in range(3):
try:
key = execute_command(cmd)
if not key:
raise Exception('Private key extracted is empty.')
key = base64.b64decode(key)
# Test loading the private key to ensure it's valid
serialization.load_pem_private_key(key, password=None,
backend=default_backend())
except Exception as e:
LOG.info('Failed to extract private key: %s Will retry.' % e)
time.sleep(5)
continue
else:
break
else:
raise Exception('Failed to extract private key from cert-manager.')
# Create haproxy tls certificate
cert_file = "/etc/ssl/private/admin-ep-cert.pem"
with open(cert_file, 'w') as f:
f.write(key + cert)
# Copy admin endpoint certficates to the shared filesystem directory
shared_file = "/opt/platform/config/%s/admin-ep-cert.pem" % to_release
copyfile(cert_file, shared_file)
# Restart haproxy to take the new cert
cmd = "sm-restart service haproxy"
execute_command(cmd)
LOG.info('Subcloud admin endpoint certificate updated successfully')


Loading…
Cancel
Save