Bug 1768484 - certificate renewal script
Summary: certificate renewal script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 2.2.0
Assignee: Roman Mohr
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On:
Blocks: 1768751
 
Reported: 2019-11-04 14:47 UTC by Dan Kenigsberg
Modified: 2020-01-30 16:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1768751 (view as bug list)
Environment:
Last Closed: 2020-01-30 16:27:30 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2020:0307 0 None None None 2020-01-30 16:27:42 UTC

Description Dan Kenigsberg 2019-11-04 14:47:51 UTC
As a CNV admin I'd like to easily check if my CNV certificates are nearing their expiry date, and to easily regenerate new certificates.

I'd like to have a script such as cnv_certs.sh that can be used as follows:

$ oc login 
$ ./cnv_certs.sh examine
...
list of existing certs, each with its expiry date

$ ./cnv_certs.sh renew
...
list of new certs each with its expiry date


The script should work against cnv-1.4 and cnv-2 (possibly two different scripts).

Comment 4 Roman Mohr 2019-12-19 09:02:26 UTC
There is now a script in HCO which roughly does what was requested here:

https://github.com/kubevirt/hyperconverged-cluster-operator/pull/372
https://github.com/kubevirt/hyperconverged-cluster-operator/pull/352

It only rotates. It does not show you when certificates would expire.
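
Added example, not part of the comment above and not the HCO script: a sketch of the "examine" step the description asks for, listing each certificate with its expiry date. It assumes the certificates are stored in kubernetes.io/tls secrets under the key tls.crt; the namespace argument, the WARN_DAYS threshold and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not the HCO rotation script): report certificate expiry.
# Assumption: certificates live in kubernetes.io/tls secrets, key "tls.crt".

WARN_DAYS="${WARN_DAYS:-30}"   # hypothetical warning threshold, in days

# cert_status FILE
# Prints "<STATE> <notAfter date>" for the first certificate in FILE
# (for a chain, that is the leaf). Returns 0 = OK, 1 = expires within
# WARN_DAYS, 2 = already expired, 3 = not a readable certificate.
cert_status() {
    local pem="$1" end
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) \
        || { echo "UNREADABLE"; return 3; }
    end=${end#notAfter=}
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED $end"; return 2
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "EXPIRING $end"; return 1
    fi
    echo "OK $end"
}

# examine NAMESPACE
# Walks every TLS secret in NAMESPACE using the current "oc login" session.
# Returns non-zero if any certificate is not in state OK.
examine() {
    local ns="$1" tmp name status rc=0
    tmp=$(mktemp) || return 3
    for name in $(oc get secrets -n "$ns" \
            --field-selector type=kubernetes.io/tls -o name); do
        oc get -n "$ns" "$name" -o jsonpath='{.data.tls\.crt}' \
            | base64 -d > "$tmp"
        status=$(cert_status "$tmp") || rc=1
        printf '%s/%s: %s\n' "$ns" "${name#secret/}" "$status"
    done
    rm -f "$tmp"
    return "$rc"
}
```

Running examine before and after a rotation shows whether the notAfter dates actually moved.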

Comment 5 Dan Kenigsberg 2019-12-19 09:12:26 UTC
Roman, you answered only few of my requests.

I see the script is documented here: https://github.com/kubevirt/hyperconverged-cluster-operator/blob/master/tools/README.md#rotating-certificates

I believe the script is ready to be tested, I see no reason to keep it MODIFIED. Correct me if I am wrong.

Wouldn't the same script work for bug 1768751 too?

Comment 6 Roman Mohr 2019-12-19 09:17:48 UTC
> Roman, you answered only few of my requests.

Yes, sorry.

> Wouldn't the same script work for bug 1768751 too?

Yep. Updated.

> I believe the script is ready to be tested, I see no reason to keep it MODIFIED. Correct me if I am wrong.

I can't speak for QE, so that was intentional.

Comment 7 Dan Kenigsberg 2019-12-19 09:22:10 UTC
> I can't speak for QE, so that was intentional.

I don't follow. MODIFIED means "coding is done, but a build is not yet available for QE". In this case we don't expect to have any build. QE is expected to test upstream.

Comment 8 Kedar Bidarkar 2019-12-19 09:40:27 UTC
Ran all the tests from the HCO repo at github.com/kubevirt/hyperconverged-cluster-operator/tests/func-tests/certificates_test.go

All tests PASSED except the one with PVC+VMI (it failed because of the StorageClass name mismatch).

So, created a VM with PVC manually and it worked successfully.

Will attach the logs shortly.

Comment 11 Kedar Bidarkar 2019-12-19 09:44:56 UTC
Also had created a VM before running the cert rotation script and was able to access the console after running the cert rotation script.

Comment 13 errata-xmlrpc 2020-01-30 16:27:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0307

