Bug 2071582 - [RFE] Reload MariaDB/Galera and OVN certificates on refresh
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Damien Ciabrini
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On: 2058441
Blocks:
Reported: 2022-04-04 09:33 UTC by Grzegorz Grasza
Modified: 2022-08-09 09:56 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-14484 0 None None None 2022-04-04 09:34:17 UTC

Description Grzegorz Grasza 2022-04-04 09:33:35 UTC
As stated in bugzilla 2058441, post_save commands are currently not provided for mysql and ovn. It should now be possible to reload certificates on the renewal process.

This was previously (at least partially) implemented in [1], but reverted.

[1] https://github.com/openstack/tripleo-heat-templates/commit/8b16911cc26ced10316fdd37a818fc1cb6fe5ece

Controller: 

~~~
Request ID 'mysql':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/mysql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:22 UTC
	dns: overcloud.internalapi.redhat.local,controller-0.internalapi.redhat.local
	principal name: mysql/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes


Request ID 'ovn_dbs':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_dbs.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_dbs.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:27 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_dbs/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:28 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: ovn_controller/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'neutron_ovn':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_neutron_client.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_neutron_client.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:29 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: neutron_ovn/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

~~~

Compute:

~~~
Request ID 'ovn_controller':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_controller.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_controller.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 23:55:10 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_controller/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

Request ID 'ovn_metadata':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ovn_metadata.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ovn_metadata.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-26 00:12:20 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: ovn_metadata/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
~~~
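
A check for the condition this report describes, as an added example that is not part of the original report or of tripleo-heat-templates: it parses certmonger `getcert list`-style output and lists auto-renewed requests whose post-save command is empty. The sample input is constructed, and the `haproxy` entry with its script path is hypothetical.

```python
import re

# Constructed sample in the layout shown in the report above; the 'haproxy'
# request and its post-save script path are hypothetical.
SAMPLE = """\
Request ID 'mysql':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/tls/certs/mysql.crt'
\texpires: 2024-02-25 03:12:22 UTC
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID 'haproxy':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/tls/certs/haproxy.crt'
\texpires: 2024-02-25 03:12:30 UTC
\tpre-save command:
\tpost-save command: /usr/local/bin/reload-haproxy.sh
\ttrack: yes
\tauto-renew: yes
"""

def parse_requests(text):
    """Return {request_id: {field: value}} from `getcert list`-style output."""
    requests, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':\s*$", line)
        if header:
            current = requests.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as timestamps contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def renew_without_reload(text):
    """List (request id, certificate path, expiry) for requests that renew
    automatically but run nothing afterwards to reload the service."""
    findings = []
    for rid, fields in parse_requests(text).items():
        if fields.get("auto-renew") == "yes" and not fields.get("post-save command"):
            loc = re.search(r"location='([^']*)'", fields.get("certificate", ""))
            findings.append((rid, loc.group(1) if loc else None, fields.get("expires")))
    return findings

if __name__ == "__main__":
    for rid, path, expires in renew_without_reload(SAMPLE):
        print(f"{rid}: {path} (expires {expires}) has no post-save reload command")
```
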

