Bug 1849685 - [RFE] Handle PKI renew for grafana
Summary: [RFE] Handle PKI renew for grafana
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-dwh
Classification: oVirt
Component: Setup
Version: 4.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ovirt-4.4.7
Target Release: 4.4.7
Assignee: Yedidyah Bar David
QA Contact: Pavel Novotny
URL:
Whiteboard:
Depends On: 1959839
Blocks:
Reported: 2020-06-22 14:03 UTC by Yedidyah Bar David
Modified: 2021-07-28 14:16 UTC

Fixed In Version: ovirt-engine-dwh-4.4.7
Doc Type: Enhancement
Doc Text:
engine-setup now allows renewing the certificate also for grafana when it is set up on a separate machine from the engine.
Clone Of:
Environment:
Last Closed: 2021-07-28 14:16:45 UTC
oVirt Team: Metrics
Embargoed:
sbonazzo: ovirt-4.4?
pm-rhel: planning_ack?
sbonazzo: devel_ack+
gdeolive: testing_ack+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 114772 | 0 | master | MERGED | packaging: grafana: Renew separate apache pki if needed | 2021-05-18 07:32:33 UTC

Description Yedidyah Bar David 2020-06-22 14:03:10 UTC
Description of problem:

Need to test and fix what's needed for grafana on a separate machine when PKI needs renewal. Currently the code works only on the engine machine. This is enough for grafana if it's there (as it then uses apache, already handled), but not on a separate machine.

Note that there is no need to add grafana to PKIEnv.ENTITIES, at least not for the case of engine+grafana on the same machine. For separate, we probably need new code, so that won't be enough either.

Version-Release number of selected component (if applicable):
Current master

How reproducible:
Always

Steps to Reproduce:
1. Set up grafana on a separate machine
2. Wait 5 years or so (or move the machine clock forward and disable ntp etc.)
3. engine-setup
4. Connect a browser to grafana

Actual results:
Nothing special happens - eventually the certificate expires and browsers start complaining

Expected results:
Probably engine-setup should check, prompt, allow renewing

Additional info:
This will soon become more urgent, because newer browsers require shorter lifespans, see bug 1824103.

Comment 1 Yedidyah Bar David 2020-09-13 12:40:17 UTC
Workaround:

1. Remove/rename all of these files:

/etc/pki/ovirt-engine/apache-grafana-ca.pem
/etc/pki/ovirt-engine/apache-ca.pem
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/keys/apache-grafana.key.nopass
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/certs/apache-grafana.cer

2. Run engine-setup

It will notice that the files are missing, prompt you for needed stuff, and generate new ones.
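
The workaround in comment 1 as shell functions, preceded by an expiry check with `openssl x509 -checkend`. This is an added example, not code from oVirt or from the bug report; the `ROOT` prefix argument and the backup suffix are assumptions introduced here, and the file list is the one given above.

```shell
#!/bin/sh
# Added example (not oVirt code). The six paths are those listed in comment 1.
PKI_FILES="
/etc/pki/ovirt-engine/apache-grafana-ca.pem
/etc/pki/ovirt-engine/apache-ca.pem
/etc/pki/ovirt-engine/keys/apache.key.nopass
/etc/pki/ovirt-engine/keys/apache-grafana.key.nopass
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/certs/apache-grafana.cer
"

# certs_expiring ROOT DAYS: print every certificate from the list that expires
# within DAYS days or cannot be parsed. ROOT is an assumed path prefix so the
# check can run against a copy of the tree; pass "" on the real host.
certs_expiring() {
    root=$1; secs=$(( $2 * 86400 ))
    for f in $PKI_FILES; do
        case $f in *.key.nopass) continue ;; esac   # private keys carry no expiry
        [ -f "$root$f" ] || continue
        openssl x509 -checkend "$secs" -noout -in "$root$f" >/dev/null 2>&1 ||
            echo "$root$f"
    done
}

# rename_pki_files ROOT SUFFIX: step 1 of the workaround, renaming rather than
# removing so the old files stay available. Refuses to run if any backup name
# is already taken; prints the number of files renamed.
rename_pki_files() {
    root=$1; suffix=$2; n=0
    for f in $PKI_FILES; do
        if [ -e "$root$f" ] && [ -e "$root$f.$suffix" ]; then
            echo "refusing to overwrite $root$f.$suffix" >&2
            return 1
        fi
    done
    for f in $PKI_FILES; do
        [ -e "$root$f" ] || continue
        mv -- "$root$f" "$root$f.$suffix" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage on the grafana host, as root:
#   certs_expiring "" 30
#   rename_pki_files "" "bak-$(date +%Y%m%d)"   # then run engine-setup (step 2)
```

The renamed `.key.nopass` backups still contain private keys, so keep their permissions restrictive and delete them once the regenerated certificates are confirmed working.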

Comment 3 Pavel Novotny 2021-07-10 00:22:49 UTC
Verified in
ovirt-engine-4.4.7.6-0.11.el8ev.noarch
ovirt-engine-dwh-4.4.7.3-1.el8ev.noarch

Verified with grafana installed on a separate machine.
Then I used the workaround in comment 1 to invalidate the certificates (I deleted all the cert and key files) and ran engine-setup again.
It re-created all the necessary files again.

Comment 4 Sandro Bonazzola 2021-07-28 14:16:45 UTC
This bugzilla is included in oVirt 4.4.7 release, published on July 6th 2021.

Since the problem described in this bug report should be resolved in oVirt 4.4.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

