WIP Regenerate TLS info #28657

Open
wants to merge 5 commits into
base: master

Member

@vrutkovs vrutkovs commented Mar 14, 2024

This updates TLS info, which includes new secrets from etcd and AutoRegenerateWhileOffline for kube-apiserver.

Requires openshift/library-go#1717

@openshift-ci openshift-ci bot requested review from mfojtik and soltysh March 14, 2024 19:23
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Mar 14, 2024
@vrutkovs
Member Author

/retest

@openshift-trt-bot

Job Failure Risk Analysis for sha: 8ffdb0e

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-sdn IncompleteTests
Tests for this run (24) are below the historical average (1039): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial Low
[sig-arch] events should not repeat pathologically for ns/openshift-etcd-operator
This test has passed 40.43% of 47 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node-serial'] in the last 14 days.

@@ -111,6 +142,10 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
masters = append(masters, &nodeList.Items[i])
}

// etcd operator doesn't immediately remove the certificate for boostrap
err = cleanupEtcdCertificates(ctx, kubeClient, masters)
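
Review bot: cleanupEtcdCertificates, called here right after the masters list is built, removes certificate material from the cluster the test is inspecting, going by its name and the comment above it. A [Late] test that gathers TLS info should stay read-only, so filter the bootstrap certificate out of the gathered data rather than deleting it from the cluster. The comment should also say why the leftover certificate matters to this test, and "boostrap" should read "bootstrap".
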
Contributor

openshift-tests cannot make lasting change to a cluster. Why is this necessary?

Member Author

Etcd-operator now keeps previous certkeys in preparation to signer/ca/key rotation, so this code will remove bootstrap certkey. It has a "garbage collector", but there is no way to trigger it immediately.

Perhaps etcd-operator should have a way to trigger it immediately - and eventually do this automatically after bootstrap?

Member Author

TODO: RewriteNodeIPs should include bootstrap IP (fetch it from secrets in openshift-etcd namespace)

@deads2k
Contributor

deads2k commented Mar 15, 2024

glad to see an update, but we cannot mutate the secrets of the cluster we're inspecting.

@openshift-trt-bot

Job Failure Risk Analysis for sha: b15c49e

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6 IncompleteTests
Tests for this run (18) are below the historical average (675): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-fips IncompleteTests
Tests for this run (98) are below the historical average (1723): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

@@ -79,6 +78,7 @@ func gatherCertsFromPlatformNamespaces(ctx context.Context, kubeClient kubernete
return certgraphanalysis.GatherCertsFromPlatformNamespaces(ctx, kubeClient,
certgraphanalysis.SkipRevisioned,
certgraphanalysis.SkipHashed,
certgraphanalysis.SkipBootstrapCerts(bootstrapIP),
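
Review bot: SkipBootstrapCerts(bootstrapIP), the last option passed to GatherCertsFromPlatformNamespaces, drops certificates from the gathered inventory with no comment saying why or when the skip is to be lifted; add a TODO with a tracking reference next to it. The lines shown also do not say what the filter does when bootstrapIP is empty or could not be determined, which is worth documenting or guarding before the call, since a filter that matches more than intended would hide certificates from the report.
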
Contributor

at some point we'll need to unskip these.

@deads2k
Contributor

deads2k commented Apr 23, 2024

/lgtm
/approve
/hold

holding for acknowledgement of #28657 (comment)

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 23, 2024
@openshift-merge-robot
Contributor

PR needs rebase.


@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 23, 2024
@deads2k deads2k added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Apr 23, 2024
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2024
Contributor

openshift-ci bot commented Apr 23, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, vrutkovs


@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2024
Contributor

openshift-ci bot commented Apr 23, 2024

New changes are detected. LGTM label has been removed.

@openshift-trt-bot

Job Failure Risk Analysis for sha: 361fa6b

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6 IncompleteTests
Tests for this run (13) are below the historical average (954): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-ovn IncompleteTests
Tests for this run (16) are below the historical average (1753): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-csi IncompleteTests
Tests for this run (16) are below the historical average (694): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-fips IncompleteTests
Tests for this run (16) are below the historical average (1487): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

@vrutkovs vrutkovs force-pushed the tls-update-mar12 branch 2 times, most recently from 0cd945b to 7f0699f Compare April 24, 2024 13:31
@vrutkovs vrutkovs changed the title Regenerate TLS info WIP Regenerate TLS info Apr 24, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 24, 2024
@vrutkovs
Member Author

/retest

@vrutkovs
Member Author

/payload 4.16 nightly blocking

Contributor

openshift-ci bot commented Apr 25, 2024

@vrutkovs: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16

  • periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn-upgrade
  • periodic-ci-openshift-release-master-ci-4.16-e2e-azure-ovn-upgrade
  • periodic-ci-openshift-release-master-ci-4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-rt-upgrade
  • periodic-ci-openshift-hypershift-release-4.16-periodics-e2e-aws-ovn-conformance
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-serial
  • periodic-ci-openshift-release-master-ci-4.16-e2e-aws-ovn-upgrade
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-bm
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-ipv6

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/fa21d080-0303-11ef-9f8a-5c131aba2e97-0

@openshift-trt-bot

Job Failure Risk Analysis for sha: 7f0699f

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-openstack-ovn IncompleteTests
Tests for this run (97) are below the historical average (1444): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-metal-ipi-sdn IncompleteTests
Tests for this run (98) are below the historical average (948): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-csi IncompleteTests
Tests for this run (99) are below the historical average (542): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

@vrutkovs
Member Author

/payload-job periodic-ci-openshift-release-master-ci-4.16-e2e-aws-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn periodic-ci-openshift-release-master-ci-4.16-e2e-azure-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-azure-sdn periodic-ci-openshift-release-master-ci-4.16-e2e-gcp-ovn periodic-ci-openshift-release-master-nightly-4.16-e2e-gcp-sdn periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-bm-upgrade periodic-ci-openshift-release-master-nightly-4.16-upgrade-from-stable-4.15-e2e-metal-ipi-sdn-bm-upgrade periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-ovn-serial periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-sdn periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node

Contributor

openshift-ci bot commented Apr 25, 2024

@vrutkovs: trigger 11 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-release-master-ci-4.16-e2e-aws-ovn
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-sdn
  • periodic-ci-openshift-release-master-ci-4.16-e2e-azure-ovn
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-azure-sdn
  • periodic-ci-openshift-release-master-ci-4.16-e2e-gcp-ovn
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-gcp-sdn
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-metal-ipi-ovn-bm-upgrade
  • periodic-ci-openshift-release-master-nightly-4.16-upgrade-from-stable-4.15-e2e-metal-ipi-sdn-bm-upgrade
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-ovn-serial
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-vsphere-sdn
  • periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/725ab070-0314-11ef-9bb1-8e3e1fa014c9-0

@openshift-trt-bot

Job Failure Risk Analysis for sha: c482e1e

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd IncompleteTests
Tests for this run (25) are below the historical average (537): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

@vrutkovs vrutkovs force-pushed the tls-update-mar12 branch 3 times, most recently from a54e803 to 0594d16 Compare April 26, 2024 16:49
Contributor

openshift-ci bot commented May 2, 2024

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-csi 008a7ec link false /test e2e-gcp-csi
ci/prow/e2e-aws-ovn-single-node 008a7ec link false /test e2e-aws-ovn-single-node
ci/prow/e2e-openstack-ovn 008a7ec link false /test e2e-openstack-ovn
ci/prow/e2e-gcp-ovn-rt-upgrade 008a7ec link false /test e2e-gcp-ovn-rt-upgrade
ci/prow/verify 008a7ec link true /test verify
ci/prow/e2e-gcp-ovn-upgrade 008a7ec link true /test e2e-gcp-ovn-upgrade
ci/prow/e2e-aws-ovn-fips 008a7ec link true /test e2e-aws-ovn-fips
ci/prow/e2e-aws-ovn-single-node-upgrade 008a7ec link false /test e2e-aws-ovn-single-node-upgrade
ci/prow/e2e-agnostic-ovn-cmd 008a7ec link false /test e2e-agnostic-ovn-cmd
ci/prow/e2e-aws-ovn-cgroupsv2 008a7ec link false /test e2e-aws-ovn-cgroupsv2
ci/prow/e2e-aws-ovn-upgrade 008a7ec link false /test e2e-aws-ovn-upgrade
ci/prow/e2e-metal-ipi-sdn 008a7ec link false /test e2e-metal-ipi-sdn
ci/prow/e2e-gcp-ovn 008a7ec link true /test e2e-gcp-ovn
ci/prow/e2e-aws-csi 008a7ec link false /test e2e-aws-csi
ci/prow/e2e-aws-ovn-serial 008a7ec link true /test e2e-aws-ovn-serial
ci/prow/unit 008a7ec link true /test unit
ci/prow/images 008a7ec link true /test images
ci/prow/e2e-metal-ipi-ovn-ipv6 008a7ec link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn-single-node-serial 008a7ec link false /test e2e-aws-ovn-single-node-serial


@openshift-trt-bot

Job Failure Risk Analysis for sha: 008a7ec

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-openstack-ovn IncompleteTests
Tests for this run (14) are below the historical average (1480): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-metal-ipi-sdn IncompleteTests
Tests for this run (13) are below the historical average (1271): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-metal-ipi-ovn-ipv6 IncompleteTests
Tests for this run (13) are below the historical average (1195): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-ovn-upgrade IncompleteTests
Tests for this run (17) are below the historical average (735): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-ovn-rt-upgrade IncompleteTests
Tests for this run (17) are below the historical average (676): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-ovn IncompleteTests
Tests for this run (16) are below the historical average (1701): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-gcp-csi IncompleteTests
Tests for this run (16) are below the historical average (642): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-upgrade IncompleteTests
Tests for this run (18) are below the historical average (730): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade IncompleteTests
Tests for this run (17) are below the historical average (2158): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial IncompleteTests
Tests for this run (16) are below the historical average (713): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node IncompleteTests
Tests for this run (16) are below the historical average (1596): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-serial IncompleteTests
Tests for this run (16) are below the historical average (834): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-fips IncompleteTests
Tests for this run (16) are below the historical average (1833): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-ovn-cgroupsv2 IncompleteTests
Tests for this run (16) are below the historical average (1720): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-aws-csi IncompleteTests
Tests for this run (16) are below the historical average (730): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)
pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd IncompleteTests
Tests for this run (16) are below the historical average (604): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

@vrutkovs
Member Author

vrutkovs commented May 2, 2024

Needs to pull in k8s 1.30 rebase to make it buildable

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. vendor-update Touching vendor dir or related files