New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP Regenerate TLS info #28657
base: master
Are you sure you want to change the base?
WIP Regenerate TLS info #28657
Conversation
0e59c21
to
8ffdb0e
Compare
/retest |
Job Failure Risk Analysis for sha: 8ffdb0e
|
test/extended/operators/certs.go
Outdated
@@ -111,6 +142,10 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g | |||
masters = append(masters, &nodeList.Items[i]) | |||
} | |||
|
|||
// etcd operator doesn't immediately remove the certificate for boostrap | |||
err = cleanupEtcdCertificates(ctx, kubeClient, masters) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
openshift-tests cannot make lasting change to a cluster. Why is this necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Etcd-operator now keeps previous certkeys in preparation to signer/ca/key rotation, so this code will remove bootstrap certkey. It has a "garbage collector", but there is no way to trigger it immediately.
Perhaps etcd-operator should have a way to trigger it immediately - and eventually do this automatically after bootstrap?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: RewriteNodeIPs should include bootstrap IP (fetch it from secrets in openshift-etcd namespace)
glad to see an update, but we cannot mutate the secrets of the cluster we're inspecting. |
656255f
to
b15c49e
Compare
Job Failure Risk Analysis for sha: b15c49e
|
test/extended/operators/certs.go
Outdated
@@ -79,6 +78,7 @@ func gatherCertsFromPlatformNamespaces(ctx context.Context, kubeClient kubernete | |||
return certgraphanalysis.GatherCertsFromPlatformNamespaces(ctx, kubeClient, | |||
certgraphanalysis.SkipRevisioned, | |||
certgraphanalysis.SkipHashed, | |||
certgraphanalysis.SkipBootstrapCerts(bootstrapIP), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
at some point we'll need to unskip these.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created https://issues.redhat.com/browse/API-1801 to follow up
/lgtm holding for acknowledgement of #28657 (comment) |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, vrutkovs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1 similar comment
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, vrutkovs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
b15c49e
to
361fa6b
Compare
New changes are detected. LGTM label has been removed. |
Job Failure Risk Analysis for sha: 361fa6b
|
361fa6b
to
62b6a74
Compare
0cd945b
to
7f0699f
Compare
/retest |
/payload 4.16 nightly blocking |
@vrutkovs: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/fa21d080-0303-11ef-9f8a-5c131aba2e97-0 |
Job Failure Risk Analysis for sha: 7f0699f
|
/payload-job periodic-ci-openshift-release-master-ci-4.16-e2e-aws-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn periodic-ci-openshift-release-master-ci-4.16-e2e-azure-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-azure-sdn periodic-ci-openshift-release-master-ci-4.16-e2e-gcp-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-gcp-sdn periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-bm-upgrade periodic-ci-openshift-release-master-nightly-4.16-upgrade-from-stable-4.15-e2e-metal-ipi-sdn-bm-upgrade periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-ovn-serial periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-sdn periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node |
@vrutkovs: trigger 11 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/725ab070-0314-11ef-9bb1-8e3e1fa014c9-0 |
7f0699f
to
c482e1e
Compare
Job Failure Risk Analysis for sha: c482e1e
|
a54e803
to
0594d16
Compare
@vrutkovs: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Job Failure Risk Analysis for sha: 008a7ec
|
Needs to pull in k8s 1.30 rebase to make it buildable |
This updates TLS info, which includes new secrets from etcd and AutoRegenerateWhileOffline for kube-apiserver.
Requires openshift/library-go#1717