Bug 1849685

Summary: [RFE] Handle PKI renew for grafana
Product: [oVirt] ovirt-engine-dwh Reporter: Yedidyah Bar David <didi>
Component: Setup Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Novotny <pnovotny>
Severity: medium Docs Contact:
Priority: high    
Version: 4.4.0 CC: bugs, gdeolive, mperina, sradco
Target Milestone: ovirt-4.4.7 Keywords: FutureFeature
Target Release: 4.4.7 Flags: sbonazzo: ovirt-4.4?
pm-rhel: planning_ack?
sbonazzo: devel_ack+
gdeolive: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-dwh-4.4.7 Doc Type: Enhancement
Doc Text:
engine-setup now allows renewing the certificate also for grafana when it is set up on a separate machine from the engine.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-28 14:16:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Metrics
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1959839    
Bug Blocks:    

Description Yedidyah Bar David 2020-06-22 14:03:10 UTC
Description of problem:

Need to test and fix what's needed for grafana on separate machine when PKI needs renew. Currently the code works only on the engine machine. This is enough for grafana if it's there (as it then uses apache, already handled), but not on a separate machine.

Noting that there is no need to add grafana to PKIEnv.ENTITIES, at least not for the case of engine+grafana on the same machine. For separate, we probably need new code, so that won't be enough either.

Version-Release number of selected component (if applicable):
Current master

How reproducible:
Always

Steps to Reproduce:
1. Setup grafana on a separate machine
2. Wait 5 years or so (or move the machine clock forward and disable ntp etc.)
3. engine-setup
4. Connect a browser to grafana

Actual results:
Nothing special happens - eventually the certificate expires and browsers start complaining

Expected results:
Probably engine-setup should check, prompt, allow renewing

Additional info:
This will soon become more urgent, because newer browsers require shorter lifespans, see bug 1824103.

Comment 1 Yedidyah Bar David 2020-09-13 12:40:17 UTC
Workaround:

1. Remove/rename all of these files:

/etc/pki/ovirt-engine/apache-grafana-ca.pem
/etc/pki/ovirt-engine/apache-ca.pem
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/keys/apache-grafana.key.nopass
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/certs/apache-grafana.cer

2. Run engine-setup

It will notice that the files are missing, prompt you for needed stuff, and generate new ones.

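The workaround above as a script, added here as an example; it is not part of the bug report and not oVirt's own code. It assumes only the file layout listed in comment 1, takes the PKI directory as a parameter so it can be exercised on a copy first, and backs the files up (root-only directory) instead of deleting them, because the .nopass files are private keys. It does not run engine-setup; that is still step 2. The expiry check needs openssl and is only there to decide whether renewal is due at all.

```bash
#!/bin/sh
# Added example, not oVirt code: stage the apache/grafana PKI files from the
# workaround for regeneration by engine-setup, backing them up first.

# Files that engine-setup regenerates when they are missing (from the workaround).
GRAFANA_PKI_FILES="apache-grafana-ca.pem apache-ca.pem keys/apache.key.nopass keys/apache-grafana.key.nopass certs/apache.cer certs/apache-grafana.cer"

# cert_valid_for CERT SECONDS: returns 0 if CERT is still valid for at least
# SECONDS, non-zero if it expires sooner or is already expired. Requires openssl.
# Example: cert_valid_for /etc/pki/ovirt-engine/certs/apache-grafana.cer 2592000  # 30 days
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# stage_pki_renewal PKI_DIR BACKUP_DIR: move each listed file from PKI_DIR into
# BACKUP_DIR, keeping its relative path; files that are already absent are skipped,
# so a second run is a no-op. Prints the number of files moved.
stage_pki_renewal() {
    pki_dir=$1
    backup_dir=$2
    moved=0
    # Private keys go into the backup, so keep it readable by the owner only.
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"
    for rel in $GRAFANA_PKI_FILES; do
        src="$pki_dir/$rel"
        [ -e "$src" ] || continue
        mkdir -p "$backup_dir/$(dirname "$rel")"
        mv "$src" "$backup_dir/$rel"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Usage on the grafana machine (as root), then run engine-setup as in step 2:
#   . ./stage-pki-renewal.sh
#   stage_pki_renewal /etc/pki/ovirt-engine "/root/ovirt-pki-backup-$(date +%Y%m%d)"
```

Sourcing the file instead of executing it keeps the functions from touching /etc/pki/ovirt-engine by accident; nothing runs until stage_pki_renewal is called with an explicit directory.
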
Comment 3 Pavel Novotny 2021-07-10 00:22:49 UTC
Verified in
ovirt-engine-4.4.7.6-0.11.el8ev.noarch
ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch

Verified with grafana installed on a separate machine.
Then I used workaround in comment 1 to invalidate the certificates (I deleted all the certs and keys files) and ran engine-setup again.
It re-created all the necessary files again.

Comment 4 Sandro Bonazzola 2021-07-28 14:16:45 UTC
This bugzilla is included in oVirt 4.4.7 release, published on July 6th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.