Bug 1768484

Summary: certificate renewal script
Product: Container Native Virtualization (CNV)
Reporter: Dan Kenigsberg <danken>
Component: Virtualization
Assignee: Roman Mohr <rmohr>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: high
Docs Contact:
Priority: high
Version: 2.2.0
CC: cnv-qe-bugs, fdeutsch, ncredi, rmohr, sgordon, sgott
Target Milestone: ---   
Target Release: 2.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1768751 Environment:
Last Closed: 2020-01-30 16:27:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1768751    

Description Dan Kenigsberg 2019-11-04 14:47:51 UTC
As a CNV admin I'd like to easily check if my CNV certificates are nearing their expiry date, and to easily regenerate new certificates.

I'd like to have a script such as cnv_certs.sh that can be used as follows:

$ oc login 
$ ./cnv_certs.sh examine
...
list of existing certs, each with its expiry date

$ ./cnv_certs.sh renew
...
list of new certs each with its expiry date


The script should work against cnv-1.4 and cnv-2 (possibly two different scripts).

Comment 4 Roman Mohr 2019-12-19 09:02:26 UTC
There is now a script in HCO which roughly does what was requested here:

https://github.com/kubevirt/hyperconverged-cluster-operator/pull/372
https://github.com/kubevirt/hyperconverged-cluster-operator/pull/352

It only rotates. It does not show you when certificates would expire.

Comment 5 Dan Kenigsberg 2019-12-19 09:12:26 UTC
Roman, you answered only a few of my requests.

I see the script is documented here: https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/tools/README.md#rotating-certificates

I believe the script is ready to be tested, I see no reason to keep it MODIFIED. Correct me if I am wrong.

Wouldn't the same script work for bug 1768751 too?

Comment 6 Roman Mohr 2019-12-19 09:17:48 UTC
> Roman, you answered only a few of my requests.

Yes, sorry.

> Wouldn't the same script work for bug 1768751 too?

Yep. Updated.

> I believe the script is ready to be tested, I see no reason to keep it MODIFIED. Correct me if I am wrong.

I can't speak for QE, so that was intentional.

Comment 7 Dan Kenigsberg 2019-12-19 09:22:10 UTC
> I can't speak for QE, so that was intentional.

I don't follow. MODIFIED means "coding is done, but a build is not yet available for QE". In this case we don't expect to have any build. QE is expected to test upstream.

Comment 8 Kedar Bidarkar 2019-12-19 09:40:27 UTC
Ran all the tests from the HCO repo at github.com/kubevirt/hyperconverged-cluster-operator/tests/func-tests/certificates_test.go

All tests PASSED except the one with PVC+VMI (it failed because of the StorageClass name mismatch).

So, created a VM with PVC manually and it worked successfully.

Will attach the logs shortly.

Comment 11 Kedar Bidarkar 2019-12-19 09:44:56 UTC
Also had created a VM before running the cert rotation script and was able to access the console after running the cert rotation script.

Comment 13 errata-xmlrpc 2020-01-30 16:27:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0307