[release-3.11] Correct service serving secret name in the annotation #11119

Merged
merged 1 commit into from Mar 1, 2019


@bysnupy bysnupy commented Feb 3, 2019

  • Fix: "redeploy-router-certificates.yml" makes changes to the wrong "service serving certificate secrets" annotation

  • Version: v3.11, and I've verified other versions are also affected by this, such as v3.3 ~ v3.10.

  • Description:
    When the redeploy-router-certificates.yml playbook runs to redeploy router certificates, both the router-certs and router-metrics-tls certificate secrets should be redeployed, and router-certs should also be regenerated as wildcard certificates; it is not a service serving certificate. The router-metrics-tls secret is managed as the service serving certificates secret. If router-certs is created as service serving certificates, it affects the services accessed using wildcard certificates.

router-certs will be created again from the included openshift_hosted/tasks/router.yml tasks in the roles.
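
A check for the condition described above, as an added example that is not part of the PR or of openshift-ansible: it audits the router Service's serving-cert annotation. The annotation key is the OpenShift 3.x `service.alpha.openshift.io/serving-cert-secret-name` key (not spelled out on this page), and the sample manifests are constructed.

```python
import json

# Annotation read by the OpenShift 3.x service serving cert signer
# (assumption: key name taken from OpenShift 3.x, not from this page).
ANNOTATION = "service.alpha.openshift.io/serving-cert-secret-name"
SERVING_SECRET = "router-metrics-tls"  # signer-managed secret, per this PR
WILDCARD_SECRET = "router-certs"       # must hold the wildcard certificate


def audit_router_service(service_json):
    """Return findings for one Service manifest, e.g. `oc get svc router -o json`."""
    meta = json.loads(service_json).get("metadata", {})
    name = meta.get("name", "<unnamed>")
    target = (meta.get("annotations") or {}).get(ANNOTATION)
    findings = []
    if target is None:
        findings.append(f"{name}: annotation missing, {SERVING_SECRET} is not requested")
    elif target == WILDCARD_SECRET:
        # The state left behind by the unpatched redeploy playbook.
        findings.append(
            f"{name}: annotation targets {WILDCARD_SECRET}; the signer would fill it "
            f"with a service serving certificate instead of the wildcard certificate"
        )
    elif target != SERVING_SECRET:
        findings.append(f"{name}: annotation targets unexpected secret {target!r}")
    return findings


def sample_service(annotations):
    """Build a constructed Service manifest carrying the given annotations."""
    return json.dumps({
        "kind": "Service",
        "metadata": {"name": "router", "namespace": "default",
                     "annotations": annotations},
    })


# Constructed inputs: fresh install, post-redeploy (unpatched), annotation removed.
SAMPLE_GOOD = sample_service({ANNOTATION: SERVING_SECRET})
SAMPLE_BROKEN = sample_service({ANNOTATION: WILDCARD_SECRET})
SAMPLE_MISSING = sample_service({})

if __name__ == "__main__":
    for label, doc in [("good", SAMPLE_GOOD), ("broken", SAMPLE_BROKEN),
                       ("missing", SAMPLE_MISSING)]:
        print(label, audit_router_service(doc) or "ok")
```
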

@openshift-ci-robot

Hi @bysnupy. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 3, 2019
@openshift-ci-robot

@bysnupy: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

papr-bot commented Feb 3, 2019

Can one of the admins verify this patch?
I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

Service Serving Secret name is "router-metrics-tls", not "router-certs".
"router-certs" should be created by wildcard certificates and not Service Serving Certificates Secret.
- Fix: https://bugzilla.redhat.com/show_bug.cgi?id=1672011

bysnupy commented Feb 6, 2019

Could you PTAL @sdodson @vrutkovs ?

@openshift-ci-robot

@bysnupy: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

The initial installation would set it up as "router-metrics-tls"; it changed to "router-certs" after running the redeploy playbooks, so I just changed it back. And the router should be providing wildcard certificates for external access; the service serving secret is generated as internal service certificates for internal communication, so it's not correct for the router certificates secret.

@openshift-ci-robot

@bysnupy: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

The "router-metrics-tls" secret is provided by the serving cert signer component; it does not depend on "openshift_hosted_router_certificate", which provides the custom wildcard API certificate, and this block is required to delete "router-metrics-tls", so the checking condition about the "router-certs" secret does not match this block.


vrutkovs commented Feb 7, 2019

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 7, 2019

bysnupy commented Feb 11, 2019

Could you PTAL @sdodson? Or could you assign another reviewer for this PR @vrutkovs? Thanks :)

@vrutkovs vrutkovs left a comment

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 1, 2019
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bysnupy, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 1, 2019
@openshift-merge-robot openshift-merge-robot merged commit c0fadcc into openshift:release-3.11 Mar 1, 2019