Bug 1649285

Summary: [RFE] Re-enroll host certificates during host upgrade
Product: [oVirt] ovirt-engine
Reporter: Simone Tiraboschi <stirabos>
Component: Host-Deploy
Assignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Priority: unspecified
Version: 4.3.0
CC: bugs, lsvaty, mgoldboi, mperina
Target Milestone: ovirt-4.3.1
Keywords: FutureFeature
Target Release: ---
Flags: rule-engine: ovirt-4.3+
pmatyas: testing_plan_complete-
mgoldboi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.3.1.1
Doc Type: If docs needed, set a value
Doc Text: During host upgrade we do re-enroll host certificates in case the certificate is invalid.
Story Points: ---
Last Closed: 2019-03-01 10:20:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Blocks: 1683281

Description Simone Tiraboschi 2018-11-13 10:27:31 UTC
Description of problem:
For various reasons (PKI renewal -- see https://bugzilla.redhat.com/1648190, expiration...) host certs could need to be enrolled again.

We already have a specific action on the engine side, but being able to do it also at host upgrade time (at least if led by the engine) could be a good idea since the host is in maintenance for sure and it can save the user from a second pass just to re-enroll certs if needed.

Comment 1 Sandro Bonazzola 2018-11-13 12:59:11 UTC
Martin, what do you think? Looks reasonable to me.
Do you see any side effect I can't think of?

Comment 2 Martin Perina 2018-11-14 12:06:16 UTC
(In reply to Sandro Bonazzola from comment #1)
> Martin, what do you think? Looks reasonable to me.
> Do you see any side effect I can't think of?

It makes sense to move another part from class host-deploy to ansible and add execution of enrolling certificates also to upgrade, but we are very late in the game for 4.3 RFEs. We will try to work on that, but it may be ready in some of oVirt 4.3.z releases ...

I've also removed "optionally" from the title, in order to solve that issue, this needs to be by default turned on, but yeah we will add a flag so administrators could disable it.

Comment 3 Petr Matyáš 2019-02-26 13:47:29 UTC
Verified on ovirt-engine-4.3.1.2-0.0.master.20190225111554.git314f81b.el7.noarch

Comment 4 Sandro Bonazzola 2019-03-01 10:20:22 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.