-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[3.7] Redeploy etcd certificates during upgrade when etcd hostname not present in etcd serving cert SAN. #7914
Conversation
bd7ddc1
to
b07b897
Compare
I had to patch in the new filter and a few other things. I'm also afraid right now that my cert is not always getting replaced. I'll push patches to your branch when i get it working. I have a decent way to iterate on it right now. |
…ent in etcd serving cert SAN.
…s the first host in the etcd host group.
when: | ||
- true in hostvars | oo_select_keys(groups['oo_etcd_to_config']) | oo_collect('__etcd_cert_lacks_hostname') | default([false]) | ||
vars: | ||
etcd_certificates_redeploy: True |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without this it wasn't re-deploying the certs. It was properly determining that the cert lacked proper SAN but not updating them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
approved w/ the additional commit i just added
@vrutkovs: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
""" Parses SubjectAlternativeNames from a PEM certificate. | ||
Ex: certificate = '''-----BEGIN CERTIFICATE----- | ||
MIIEcjCCAlqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZldGNk | ||
LXNpZ25lckAxNTE2ODIwNTg1MB4XDTE4MDEyNDE5MDMzM1oXDTIzMDEyMzE5MDMz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe put a '...' to abbreviate? I'd prefer not to have this giant wall of text, let's keep the cert data to 2 or 3 lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from lib_utils_oo_parse_certificate_san vs oo_parse_certificate_san this is just a straight backport from master. I'm not sure this is worth fixing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I didn't notice the branch. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
""" Parses SubjectAlternativeNames from a PEM certificate. | ||
Ex: certificate = '''-----BEGIN CERTIFICATE----- | ||
MIIEcjCCAlqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZldGNk | ||
LXNpZ25lckAxNTE2ODIwNTg1MB4XDTE4MDEyNDE5MDMzM1oXDTIzMDEyMzE5MDMz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I didn't notice the branch. :)
/lgtm |
/cherrypick release-3.7-hotfix |
@vrutkovs: new pull request created: #8154 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Cherry-pick of #6859 and #6926 on 3.7 branch
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1565762