Merge "Remove subcloud admin endpoint data migration"
commit
c994dbafa2
|
@ -389,15 +389,6 @@ start()
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -e $CONFIG_DIR/admin-ep-cert.pem ]
|
|
||||||
then
|
|
||||||
cp $CONFIG_DIR/admin-ep-cert.pem /etc/ssl/private/
|
|
||||||
if [ $? -ne 0 ]
|
|
||||||
then
|
|
||||||
fatal_error "Unable to copy $CONFIG_DIR/admin-ep-cert.pem to certificates dir"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
|
if [ -e $CONFIG_DIR/dc-adminep-root-ca.crt ]
|
||||||
then
|
then
|
||||||
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/
|
cp $CONFIG_DIR/dc-adminep-root-ca.crt /etc/pki/ca-trust/source/anchors/
|
||||||
|
|
|
@ -9,15 +9,9 @@
|
||||||
# This script can be removed in the release that follows stx.5.0
|
# This script can be removed in the release that follows stx.5.0
|
||||||
#
|
#
|
||||||
|
|
||||||
import base64
|
|
||||||
from cryptography.hazmat.backends import default_backend
|
|
||||||
from cryptography.hazmat.primitives import serialization
|
|
||||||
from cryptography import x509
|
|
||||||
from shutil import copyfile
|
|
||||||
import socket
|
import socket
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import time
|
|
||||||
|
|
||||||
from controllerconfig.common import log
|
from controllerconfig.common import log
|
||||||
|
|
||||||
|
@ -117,67 +111,6 @@ def update_sc_admin_endpoint_cert(to_release):
|
||||||
else:
|
else:
|
||||||
raise Exception('Command failed after retries: %s' % cmd)
|
raise Exception('Command failed after retries: %s' % cmd)
|
||||||
|
|
||||||
# Extract subcloud admin endpoint certificate.
|
|
||||||
# There is an issue with cert-manager where even though the certificate is
|
|
||||||
# reported as ready from the previous command, the actual data extracted is
|
|
||||||
# still empty. So we retry if no valid certificate data is extracted, and
|
|
||||||
# retry for private key data for the same reason.
|
|
||||||
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
|
|
||||||
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.crt}'"
|
|
||||||
for attempt in range(3):
|
|
||||||
try:
|
|
||||||
cert = execute_command(cmd)
|
|
||||||
if not cert:
|
|
||||||
raise Exception('Certificate extracted is empty.')
|
|
||||||
cert = base64.b64decode(cert)
|
|
||||||
|
|
||||||
# Test loading the certificate to ensure it's valid
|
|
||||||
x509.load_pem_x509_certificate(cert, default_backend())
|
|
||||||
except Exception as e:
|
|
||||||
LOG.info('Failed to extract certificate: %s Will retry.' % e)
|
|
||||||
time.sleep(5)
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
raise Exception('Failed to extract certificate from cert-manager.')
|
|
||||||
|
|
||||||
# Extract subcloud admin endpoint private key,
|
|
||||||
# Retry if no valid private key data is extracted.
|
|
||||||
cmd = "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret \
|
|
||||||
sc-adminep-certificate -n sc-cert -o=jsonpath='{.data.tls\.key}'"
|
|
||||||
for attempt in range(3):
|
|
||||||
try:
|
|
||||||
key = execute_command(cmd)
|
|
||||||
if not key:
|
|
||||||
raise Exception('Private key extracted is empty.')
|
|
||||||
key = base64.b64decode(key)
|
|
||||||
|
|
||||||
# Test loading the private key to ensure it's valid
|
|
||||||
serialization.load_pem_private_key(key, password=None,
|
|
||||||
backend=default_backend())
|
|
||||||
except Exception as e:
|
|
||||||
LOG.info('Failed to extract private key: %s Will retry.' % e)
|
|
||||||
time.sleep(5)
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
raise Exception('Failed to extract private key from cert-manager.')
|
|
||||||
|
|
||||||
# Create haproxy tls certificate
|
|
||||||
cert_file = "/etc/ssl/private/admin-ep-cert.pem"
|
|
||||||
with open(cert_file, 'w') as f:
|
|
||||||
f.write(key + cert)
|
|
||||||
|
|
||||||
# Copy admin endpoint certficates to the shared filesystem directory
|
|
||||||
shared_file = "/opt/platform/config/%s/admin-ep-cert.pem" % to_release
|
|
||||||
copyfile(cert_file, shared_file)
|
|
||||||
|
|
||||||
# Restart haproxy to take the new cert
|
|
||||||
cmd = "sm-restart service haproxy"
|
|
||||||
execute_command(cmd)
|
|
||||||
|
|
||||||
LOG.info('Subcloud admin endpoint certificate updated successfully')
|
LOG.info('Subcloud admin endpoint certificate updated successfully')
|
||||||
|
|
||||||
|
|
||||||
|
|