Red Hat Bugzilla – Bug 1023381
Can not successfully delete ssl certificates after migration
Last modified: 2015-05-14 19:31:34 EDT
Description of problem: After migration, try to delete an ssl certificate that was added before upgrade took place, the action fails => Client shows certificate is deleted, but the certificate info is not removed from datastore and node. Version-Release number of selected component (if applicable): On devenv_3942 How reproducible: Always Steps to Reproduce: 1. Create applications, add alias and ssl certificates on devenv-stage_528 2. Upgrade stage ami to latest and migrate /root/li/misc/maintenance/bin/rhc-populate-sni-proxy rhc-admin-migrate-datastore --compatible --version 2.0.35 oo-admin-upgrade upgrade-node --version 2.0.35 --ignore-cartridge-version 3. Try to delete one ssl certificate from the application rhc alias-list -l openshift+migration3@redhat.com -p redhat sslapps Alias Has Certificate? Certificate Added ----------- ---------------- ----------------- ns.ssl.test yes 2013-10-24 rhc alias delete-cert sslapp pl.ssl.test --confirm -l openshift+migration3@redhat.com -p redhat SSL certificate successfully deleted. 4. Connect to mongo, and query the application, found the ssl certificate field is still true "aliases" : [ { "_id" : ObjectId("5269e7344b4e3f9e3800059d"), "certificate_added_at" : ISODate("2013-10-24T00:00:00Z"), "fqdn" : "pl.ssl.test", "has_private_ssl_certificate" : true } ], 5. Check /var/lib/openshift/.httpd.d , the certificates are deleted 6. Check the certificate info: curl -k -vvv https://pl.ssl.test/>/dev/null The certificate is not removed: * Server certificate: * subject: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN * start date: Apr 12 02:08:38 2013 GMT * expire date: Apr 12 02:08:38 2014 GMT * common name: OpenShift * issuer: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN > GET / HTTP/1.1 Actual results: As description Expected results: The certificate should be removed successfully Additional info:
The actual issue is that the application save is failing due to validation failures in the deployments structure. The specific issue is that the activations array is empty and the validation code does not like that. The options that we have are: 1) Relax the validations in the code 2) Migrate the applications with deployment structures to set the activation time at, say, creation time. The deployment structure shown below is from the application created on stage devenv and then upgraded and migrated. "deployments" : [ { "deployment_id" : "2a7fc675", "created_at" : ISODate("2013-10-29T00:05:05.484Z"), "hot_deploy" : false, "force_clean_build" : false, "ref" : "master", "sha1" : "", "artifact_url" : null, "activations" : [ ] } ],
The issue is that we do not record an activation time during the gear upgrade.
Note; this fix should be verified on a devenv and will not affect the state of any apps in INT.
Broker side fix to validate deployments so that app is not set to an invalid state https://github.com/openshift/origin-server/pull/4037
Commit pushed to master at https://github.com/openshift/li https://github.com/openshift/li/commit/2b5500944dd40f0725d588a689d66fc6f271f52f Fix bug 1023381: Add activation time during build-deploy upgrade
Commit pushed to master at https://github.com/openshift/origin-server https://github.com/openshift/origin-server/commit/726e1d60bbfcea421bb5537eb26fc91b039c4d2b Checking deployment validations for bug 1023381, 1023304
Verified on devenv_3966 After migration, delete the ssl certificate, and query that app in datastore, the "has_private_ssl_certificate" flag is false. the cert is removed from mongo and node.