MCO-607: MCO-237: Keep track of certs in ControllerConfigStatus#3756
Merged
Conversation
cdoern
changed the title
Contributor
|
@cdoern: This pull request references MCO-607 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/valid-reference
Contributor
Author
|
/jira-refresh |
Contributor
|
@cdoern: This pull request references MCO-607 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
cdoern
changed the title
Contributor
Author
|
/jira-refresh |
Contributor
Author
|
/retest-required .... not sure what just happened. |
cdoern
force-pushed
the
certVisibility
branch
6 times, most recently
from
7c92d22 to
7c7c739
Compare
Contributor
Author
|
/retest-required |
2 similar comments
Contributor
Author
|
/retest-required |
Contributor
Author
|
/retest-required |
Member
|
Hey, that's pretty cool! I'm not sure the signer is coming out quite right sometimes though (here, maybe?) : (I had to dump JSON because yaml was crying about control characters) |
openshift-ci
Bot
added
the
approved
Contributor
Author
|
@sergiordlr does this need QE approval to test the sanity of the output in the controllerconfig? |
Contributor
|
Hello. We have used IPI on AWS for the verification. This is the info displayed in the controllerconfig
The information is ok. It has the right issuer, subject and dates.
There are several certificates in kubeAPIServerServingCAData, but only the last one ( |
Contributor
Author
|
thanks @sergiordlr I will push a fix for only the last certificate showing |
cdoern
force-pushed
the
certVisibility
branch
2 times, most recently
from
24963f1 to
7978318
Compare
Contributor
Author
|
/retest-required |
Contributor
|
Verified using IPI on AWS. This is the information reported by the ControllerConfig:
The information is ok. I has the right issure, subject and dates:
The information is OK too. It has the right subject, issuer and dates for every certificate:
Master pool is reporting the expiration time for the certificates like this: The same information is displayed for the worker pool
The information in the ControllerConfig regarding the certificates was correct after the certificate rotation. We have not found any problem. The only thing that we like to comment is that the information regarding the certificates' expiration date in the MCPs is a bit confusing from the user's point of view, the information is right, though. |
Contributor
|
Please, no problem has been found, but before adding the qe-approved label, could you please, guys, review the PR verification and confirm that the information that we are displaying now is the information that we want to display actually? So that I have the opportunity to test the PR in case you decide to add/remove some information. Thank you very much! |
Contributor
|
I forgot to add that everytime we rotate the certificates, the number of certificates tracked by ControllerConfig increases. I'm not sure about how it can impact the readability of MCPs and ControllerConfig if we rotate the certificates very often. For example, this is the number of certificates without any rotation And this is the same ControllerConfig after a certificate rotation Before the rotation we had 8 certificates, after the rotation we have 13 certificates. I haven't rotated again, but I assume that likely after a second rotation we will have aprox 18 certificates and so on.... It is not a problem of this PR, this PR shows the information correctly. The certificates are added to the kube-apiserver-client-ca bundle. |
Contributor
|
With the latest change, the certificates information in MCPs is this one (subject has been added): No issues found. |
Contributor
|
Not a bug, but maybe we are showing too many logs regarding the certificates visibility in the MCO controller pod |
Contributor
Author
thanks for that.... leftover debug I will definitely remove that. |
add ControllerCertificates to ControllerConfigStatus to keep track of all rotated certs This data gets updated when the template controller syncs also, add a way for the MCPs to keep track of cert expiration date for the console team Signed-off-by: Charlie Doern <cdoern@redhat.com>
Contributor
Author
|
/retest-required |
Contributor
|
@cdoern: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Contributor
Author
|
/retest-required |
Contributor
|
/test okd-images |
Contributor
Author
|
/test bootstrap-unit |
Contributor
|
Since no problem has been found and the information that we are displaying seems to be OK, we add the qe-approved label. /label qe-approved |
openshift-ci
Bot
added
the
qe-approved
Contributor
Author
|
Made a cleanup item for the above issues with the controllerConfig in the future: https://issues.redhat.com/browse/MCO-688 |
Member
|
/lgtm |
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cdoern, cheesesashimi The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
wking
added a commit
to wking/machine-config-operator
that referenced
this pull request
Jan 2, 2024
These had snuck in back in 80e7b4d (keep track of certs in ControllerConfigStatus, 2023-06-20, openshift#3756), 81136ed (implement the ability for the MCO to handle image registry certificates, 2023-06-27, names doesn't have any functional impact, but it's less confusing to read if the package is refered to with a consistent prefix. This commit addresses all the duplicates turned up with: $ git grep -c '"github.com/openshift/api/machineconfiguration/v1"' | grep '[.]go:' | grep -v 'vendor/\|:1$'
wking
added a commit
to wking/machine-config-operator
that referenced
this pull request
Jan 2, 2024
These had snuck in back in 80e7b4d (keep track of certs in ControllerConfigStatus, 2023-06-20, openshift#3756), 81136ed (implement the ability for the MCO to handle image registry certificates, 2023-06-27, openshift#3770), and similar. Having the same package imported under multiple names doesn't have any functional impact, but it's less confusing to read if the package is refered to with a consistent prefix. This commit addresses all the duplicates turned up with: $ git grep -c '"github.com/openshift/api/machineconfiguration/v1"' | grep '[.]go:' | grep -v 'vendor/\|:1$'
wking
added a commit
to wking/machine-config-operator
that referenced
this pull request
Jan 2, 2024
These had snuck in back in 80e7b4d (keep track of certs in ControllerConfigStatus, 2023-06-20, openshift#3756), 81136ed (implement the ability for the MCO to handle image registry certificates, 2023-06-27, openshift#3770), and similar. Having the same package imported under multiple names doesn't have any functional impact, but it's less confusing to read if the package is refered to with a consistent prefix. This commit addresses all the duplicates turned up with: $ git grep -c '"github.com/openshift/api/machineconfiguration/v1"' | grep '[.]go:' | grep -v 'vendor/\|:1$'
wking
added a commit
to wking/machine-config-operator
that referenced
this pull request
Jan 2, 2024
These had snuck in back in 80e7b4d (keep track of certs in ControllerConfigStatus, 2023-06-20, openshift#3756), 81136ed (implement the ability for the MCO to handle image registry certificates, 2023-06-27, openshift#3770), and similar. Having the same package imported under multiple names doesn't have any functional impact, but it's less confusing to read if the package is refered to with a consistent prefix. This commit addresses all the duplicates turned up with: $ git grep -c '"github.com/openshift/api/machineconfiguration/v1"' | grep '[.]go:' | grep -v 'vendor/\|:1$'
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add ControllerCertificates to ControllerConfigStatus to keep track of all rotated certs This data gets updated when the template controller syncs. So this happens whenever the controllerConfig is modified either by a cert data rotation or otherwise.
The node controller also has access to this data and puts it into the proper MCP in order for the console team to properly access this data.
- What I did
Modified the CRD for the controllerConfig, added two new API types, and attached logic to the template controller to go through this data.
- How to verify it
oc describe controllerconfigshould now have cert info in the statusoc describe mcp/...should now have cert expiry info in the status- Description for the changelog
Added certificate information to the controllerconfig so customers can access the data easily.