Bug 2071582

Summary: [RFE] Reload MariaDB/Galera and OVN certificates on refresh
Product: Red Hat OpenStack
Reporter: Grzegorz Grasza <ggrasza>
Component: openstack-tripleo-heat-templates
Assignee: Damien Ciabrini <dciabrin>
Status: NEW
QA Contact: Arik Chernetsky <achernet>
Severity: unspecified
Priority: unspecified
Version: 17.1 (Wallaby)
CC: apevec, lhh, mburns, sbaker
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Type: Bug
Bug Depends On: 2058441

Description Grzegorz Grasza 2022-04-04 09:33:35 UTC
As stated in bugzilla 2058441, post_save commands are currently not provided for mysql and ovn. It should now be possible to reload certificates on the renewal process.

This was previously (at least partially) implemented in [1], but reverted.

[1] https://github.com/openstack/tripleo-heat-templates/commit/8b16911cc26ced10316fdd37a818fc1cb6fe5ece

Controller: 

~~~
Request ID 'mysql':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/mysql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:22 UTC
	dns: overcloud.internalapi.redhat.local,controller-0.internalapi.redhat.local
	principal name: mysql/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


Request ID 'ovn_dbs':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_dbs.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_dbs.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:27 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_dbs/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:28 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_controller/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'neutron_ovn':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_neutron_client.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_neutron_client.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:29 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: neutron_ovn/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
~~~

Compute:

~~~
Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 23:55:10 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_controller/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_metadata':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_metadata.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_metadata.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-26 00:12:20 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_metadata/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
~~~
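
Added example, not part of the original report: a check for the condition shown in the output above, where a request is tracked for renewal but has an empty `post-save command`, so the service keeps the old certificate loaded after certmonger renews it. The function and sample names are hypothetical, and the sample input is constructed in the same layout as the `getcert list` output quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: flag certmonger requests that are
# tracked for renewal but have no post-save command to reload the service.

# Reads `getcert list` output on stdin; prints one request ID per line.
missing_post_save() {
    awk '
        function report() {
            # Emit the previous request if it renews but never reloads.
            if (id != "" && seen && cmd == "" && track != "no") print id
        }
        /^Request ID / {
            report()
            split($0, q, "\047")   # the ID sits between single quotes
            id = q[2]; cmd = ""; seen = 0; track = ""
        }
        /^[ \t]*post-save command:/ {
            cmd = $0
            sub(/^[ \t]*post-save command:[ \t]*/, "", cmd)
            seen = 1
        }
        /^[ \t]*track:/ { track = $2 }
        END { report() }
    '
}

# Constructed sample records. The post-save path below is a placeholder,
# not a script shipped by TripleO.
sample_request() {  # args: request ID, post-save command, track flag
    printf "Request ID '%s':\n\tstatus: MONITORING\n" "$1"
    printf "\tpre-save command: \n\tpost-save command: %s\n\ttrack: %s\n" "$2" "$3"
}

sample_getcert_output() {
    sample_request mysql "" yes
    sample_request ovn_dbs "" yes
    sample_request example_with_hook "/usr/local/bin/example-reload.sh" yes
    sample_request example_untracked "" no
}

sample_getcert_output | missing_post_save   # prints mysql, then ovn_dbs
```

On a node, the same function can be fed live data with `getcert list | missing_post_save`.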