Bug 1023381 - Can not successfully delete ssl certificates after migration
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Containers
2.x
medium Severity medium
Assigned To: Paul Morie
libra bugs
Reported: 2013-10-25 06:16 EDT by Jianwei Hou
Modified: 2015-05-14 19:31 EDT
Doc Type: Bug Fix
Last Closed: 2014-01-23 22:26:54 EST
Type: Bug
Description Jianwei Hou 2013-10-25 06:16:01 EDT
Description of problem:
After migration, trying to delete an SSL certificate that was added before the upgrade took place fails: the client shows the certificate as deleted, but the certificate info is not removed from the datastore and node.

Version-Release number of selected component (if applicable):
On devenv_3942

How reproducible:
Always

Steps to Reproduce:
1. Create applications, add alias and ssl certificates on devenv-stage_528
2. Upgrade stage ami to latest and migrate
/root/li/misc/maintenance/bin/rhc-populate-sni-proxy
rhc-admin-migrate-datastore --compatible --version 2.0.35
oo-admin-upgrade upgrade-node --version 2.0.35 --ignore-cartridge-version

3. Try to delete one ssl certificate from the application
rhc alias-list -l openshift+migration3@redhat.com -p redhat sslapps
Alias       Has Certificate? Certificate Added
----------- ---------------- -----------------
ns.ssl.test yes              2013-10-24

rhc alias delete-cert sslapp pl.ssl.test --confirm -l openshift+migration3@redhat.com -p redhat
SSL certificate successfully deleted.

4. Connect to mongo and query the application; the SSL certificate field is still true
	"aliases" : [
		{
			"_id" : ObjectId("5269e7344b4e3f9e3800059d"),
			"certificate_added_at" : ISODate("2013-10-24T00:00:00Z"),
			"fqdn" : "pl.ssl.test",
			"has_private_ssl_certificate" : true
		}
	],
5. Check /var/lib/openshift/.httpd.d, the certificates are deleted
6. Check the certificate info: curl -k -vvv https://pl.ssl.test/ >/dev/null
The certificate is not removed:
* Server certificate:
* 	subject: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN
* 	start date: Apr 12 02:08:38 2013 GMT
* 	expire date: Apr 12 02:08:38 2014 GMT
* 	common name: OpenShift
* 	issuer: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN
> GET / HTTP/1.1


Actual results:
As description

Expected results:
The certificate should be removed successfully

Additional info:
Comment 1 Abhishek Gupta 2013-10-29 11:52:28 EDT
The actual issue is that the application save is failing due to validation failures in the deployments structure. The specific issue is that the activations array is empty and the validation code does not like that.

The options that we have are:
1) Relax the validations in the code
2) Migrate the applications with deployment structures to set the activation time at, say, creation time.

The deployment structure shown below is from the application created on stage devenv and then upgraded and migrated.


            "deployments" : [
                    {
                            "deployment_id" : "2a7fc675",
                            "created_at" : ISODate("2013-10-29T00:05:05.484Z"),
                            "hot_deploy" : false,
                            "force_clean_build" : false,
                            "ref" : "master",
                            "sha1" : "",
                            "artifact_url" : null,
                            "activations" : [ ]
                    }
            ],
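
An added example (not from this bug's comments or the OpenShift code base): Ruby that audits application documents for the empty activations array described in comment 1 and applies option 2 by backfilling the creation time. The validation rule, the function names, the sample documents and the choice to store the activation as a timestamp in the array are assumptions made for illustration.

```ruby
# Constructed sample documents shaped like the "deployments" array quoted above.
APPS = [
  { 'name' => 'sslapp',
    'deployments' => [
      { 'deployment_id' => '2a7fc675',
        'created_at'    => Time.utc(2013, 10, 29, 0, 5, 5),
        'activations'   => [] }
    ] },
  { 'name' => 'freshapp',
    'deployments' => [
      { 'deployment_id' => 'deadbeef',
        'created_at'    => Time.utc(2013, 10, 30, 1, 0, 0),
        'activations'   => [Time.utc(2013, 10, 30, 1, 0, 5)] }
    ] }
].freeze

# True when a deployment has no recorded activation.
def missing_activation?(dep)
  acts = dep['activations']
  !acts.is_a?(Array) || acts.empty?
end

# Hypothetical validation rule: every deployment needs at least one activation.
# While this fails, any later save (such as clearing the certificate flag) is rejected.
def deployment_errors(app)
  app.fetch('deployments', []).select { |d| missing_activation?(d) }.map do |d|
    "#{app['name']}/#{d['deployment_id']}: activations is empty"
  end
end

# Pre-migration audit: names of applications whose next save would be rejected.
def unsavable_apps(apps)
  apps.reject { |a| deployment_errors(a).empty? }.map { |a| a['name'] }
end

# Option 2: return a copy in which empty activations are set to the creation time.
def backfill_activations(app)
  deployments = app.fetch('deployments', []).map do |dep|
    next dep.dup unless missing_activation?(dep)
    raise ArgumentError, "no created_at for #{dep['deployment_id']}" if dep['created_at'].nil?
    dep.merge('activations' => [dep['created_at']])
  end
  app.merge('deployments' => deployments)
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{unsavable_apps(APPS).inspect}"
  puts "after:  #{unsavable_apps(APPS.map { |a| backfill_activations(a) }).inspect}"
end
```

Running the audit before a migration lists the applications for which a client-side "successfully deleted" message could be followed by no change in the datastore.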
Comment 2 Paul Morie 2013-10-29 13:11:43 EDT
The issue is that we do not record an activation time during the gear upgrade.
Comment 3 Paul Morie 2013-10-29 14:55:22 EDT
Note: this fix should be verified on a devenv and will not affect the state of any apps in INT.
Comment 4 Abhishek Gupta 2013-10-29 15:50:58 EDT
Broker side fix to validate deployments so that app is not set to an invalid state

https://github.com/openshift/origin-server/pull/4037
Comment 5 openshift-github-bot 2013-10-29 16:48:50 EDT
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/2b5500944dd40f0725d588a689d66fc6f271f52f
Fix bug 1023381: Add activation time during build-deploy upgrade
Comment 6 openshift-github-bot 2013-10-29 23:06:02 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/726e1d60bbfcea421bb5537eb26fc91b039c4d2b
Checking deployment validations for bug 1023381, 1023304
Comment 7 Jianwei Hou 2013-10-30 03:59:57 EDT
Verified on devenv_3966
After migration, delete the SSL certificate and query that app in the datastore: the "has_private_ssl_certificate" flag is false. The cert is removed from mongo and node.
