starlingx/config
Code Issues Proposed changes
4,776 Commits 31 Branches 39 Tags
04bb563752adfe037e133127dca045dcca465dd7
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Rei Oliveira 04bb563752 Recover k8s certs after long period offline 
These two scripts can be used to recover k8s certificates after they
expire due to a long period offline.

Recovery can be performed by first running kube-cert-rotation.sh and
then kube-expired-kubelet-cert-recovery.sh.

Note:

- As it is now, it only works for AIO-SX standalone and subcloud
environments. Additional work will be done for other types of
environments.

- The k8s Root CA will not be addressed in this commit. It's under
consideration whether the K8s Root CA recovery is required as Root CAs
have very long durations. Incremental work for it will be posted in
a followup review if necessary.

Test case:
PASS: In a system where k8s certificates are not expired, run sudo
      show-certs.sh and take note of the kubelet certificates dates
      (kubelet-client-current.pem, kubelet-server, kubelet CA).
      Now run kube-expired-kubelet-cert-recovery.sh and verify
      that dates have not changed.
PASS: In a system where k8s certificates are not expired, run sudo
      show-certs.sh and take note of the k8s leaf certificates dates
      (admin.conf,apiserver, apiserver-kubelet-client,
      controller-manager.conf, front-proxy-client, scheduler.conf).
      Now run kube-cert-rotation.sh and verify that dates have
      not changed.
PASS: After the 2 steps above, run 'kubectl get po -A' to verify the
      health of the cluster.

PASS:
- Change 'hardware clock' of vbox vm to more than 1 year in the future.
- Verified, after turning on vm, that system date was now 1 year ahead
- Verified that kubernetes was not responding. No kubectl commands were
  accepted. 'sudo show-certs.sh' showed etcd and kubelet certs expired
  and 'sudo kubeadm certs check-expiration' replies with an error, which
  indicates certificates have already expired.
- Run kube-cert-rotation.sh followed by kube-expired-kubelet-cert-recovery.sh
- Verify that after 1 minute kubectl starts to respond again.
- Run 'sudo show-certs.sh' and verify that k8s certificates (admin.conf,
  apiserver, apiserver-kubelet-client, controller-manager.conf,
  front-proxy-client, scheduler.conf), the etcd certificates
  (etcd-client.crt, etcd-server.crt, apiserver-etcd-client.crt)
  and kubelet certificates (kubelet-client-current.pem, kubelet-server,
  kubelet CA) now show valid dates.
- Run kubectl commands such as 'kubectl delete pod' and verify k8s is
  able to respond and restart pods successfully.

Story: 2010815
Task: 48343

Change-Id: I7f71201e7f9ce83f79dc68c68a8a4d55ee3c69aa
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
2023-07-24 17:43:05 -03:00
api-ref/source
Add runtime reconfiguration of kubelet
2022-06-09 17:59:35 -04:00
config-gate
Update debian package versions to use git commits
2023-02-10 20:11:06 +00:00
controllerconfig
Update controllerconfig tox environment for debian
2023-05-31 15:25:25 +00:00
devstack
Deprecate old policy engine and restrict access
2022-08-10 11:18:38 -03:00
doc
Fix tox-docs failing sphinx
2022-05-31 13:56:30 +00:00
releasenotes
Remove host hardware sysinv profile
2021-10-18 18:01:40 -03:00
storageconfig
Update debian package versions to use git commits
2023-02-10 20:11:06 +00:00
sysinv
Recover k8s certs after long period offline
2023-07-24 17:43:05 -03:00
tmp/patch-scripts/EXAMPLE_SYSINV/scripts
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
tools/docker/images
Enable kubernetes SCTPSupport feature
2019-09-03 19:23:05 +00:00
tsconfig
Replay of bootstrap playbook fails providing initial system config
2023-03-29 22:45:00 +00:00
workerconfig
Update debian package versions to use git commits
2023-02-10 20:11:06 +00:00
.gitignore
Minor zuul and tox file cleanup after manifest re-org
2019-09-06 15:40:37 -05:00
.gitreview
OpenDev Migration Patch
2019-04-19 19:52:42 +00:00
.yamllint
clear yamllint errors under stx-config
2018-09-12 21:11:57 +08:00
.zuul.yaml
Update controllerconfig tox environment for debian
2023-05-31 15:25:25 +00:00
bindep.txt
py3: Add py39 gate for sysinv
2021-08-27 08:39:06 -04:00
centos_build_layer.cfg
Build layering, add layer build config file
2019-10-15 12:29:05 +08:00
centos_dev_wheels.inc
Config file changes to add 'tsconfig' after relocation from 'update'
2019-09-05 11:51:05 -04:00
centos_iso_image.inc
Merge sysinv_fpga_agent with sysinv_agent
2022-10-03 14:12:28 -04:00
centos_pkg_dirs
Merge sysinv_fpga_agent with sysinv_agent
2022-10-03 14:12:28 -04:00
centos_pkg_dirs_containers
Config file changes for packages relocated to repo 'openstack-armada-app'
2019-09-05 10:42:00 -04:00
centos_stable_wheels.inc
Config file changes to add 'tsconfig' after relocation from 'update'
2019-09-05 11:51:05 -04:00
CONTRIBUTORS.wrs
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
debian_build_layer.cfg
Add debian_build_layer.cfg file
2021-10-05 14:50:08 -04:00
debian_iso_image.inc
Debian: config: update debian_iso_image.inc
2022-11-08 15:48:04 +08:00
debian_pkg_dirs
Merge sysinv_fpga_agent with sysinv_agent
2022-10-03 14:12:28 -04:00
debian_stable_wheels.inc
debian: Add sysinv wheel to the build
2022-11-21 13:33:24 +00:00
LICENSE
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
README.rst
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
test-requirements.txt
Calling an additional shell lint command from zuul
2021-06-03 17:35:50 -05:00
tox.ini
Update tox.ini to work with tox 4
2022-12-26 18:55:39 +00:00

README.rst

stx-config

StarlingX Configuration Management

View Git Blame Copy Permalink
Description
StarlingX System Configuration Management
Readme 106 MiB
Languages
Python 98%
Shell 1.6%
CSS 0.2%