weixin_39569389
2020-12-01 01:53

Allow setting certificates validity period during installation

This PR is adding support for setting certificates validity period during installation. It's done by passing --expire-days and --signer-expire-days options to oc adm that were added in v1.5 (see https://github.com/openshift/origin/pull/11814)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1275176 Trello: https://trello.com/c/MV4uHYdW/367-leverage-the-new-expire-days-in-the-ansible-playbooks

PTAL
CC

This question comes from the open-source project: openshift/openshift-ansible

44 replies

  • weixin_39569389 5 months ago

    Thank you! I'm watching and waiting :)

  • weixin_39569389 5 months ago

    Updated and ready to be tested/merged.

  • weixin_39618956 5 months ago

    Evaluated for openshift ansible test up to 638e4198f80e6e2705c7a5e865e7d39112d1f42a

  • weixin_39618956 5 months ago

    continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible_extended_conformance_install/84/) (Base Commit: 403b5c5545b9b07e7a4416e5a63609512ddaa224)

  • weixin_40005373 5 months ago

    aos-ci-test

  • weixin_39618956 5 months ago

    success: aos-ci-jenkins/OS_unit_tests for 638e4198f80e6e2705c7a5e865e7d39112d1f42a (logs)

  • weixin_39618956 5 months ago

    success: "aos-ci-jenkins/OS_3.4_NOT_containerized, aos-ci-jenkins/OS_3.4_NOT_containerized_e2e_tests" for 638e4198f80e6e2705c7a5e865e7d39112d1f42a (logs)

  • weixin_39618956 5 months ago

    success: "aos-ci-jenkins/OS_3.4_containerized, aos-ci-jenkins/OS_3.4_containerized_e2e_tests" for 638e4198f80e6e2705c7a5e865e7d39112d1f42a (logs)

  • weixin_39618956 5 months ago

    success: "aos-ci-jenkins/OS_3.5_NOT_containerized, aos-ci-jenkins/OS_3.5_NOT_containerized_e2e_tests" for 638e4198f80e6e2705c7a5e865e7d39112d1f42a (logs)

  • weixin_39618956 5 months ago

    success: "aos-ci-jenkins/OS_3.5_containerized, aos-ci-jenkins/OS_3.5_containerized_e2e_tests" for 638e4198f80e6e2705c7a5e865e7d39112d1f42a (logs)

  • weixin_40005373 5 months ago

    [merge]

  • weixin_39618956 5 months ago

    Evaluated for openshift ansible merge up to 638e4198f80e6e2705c7a5e865e7d39112d1f42a

  • weixin_40005373 5 months ago

    -coder Once https://github.com/openshift/openshift-ansible/pull/3769 merges the version comparisons can use the new filters https://gist.github.com/abutcher/c60a27f6fa9abf4ae365fc24738349ee.

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.4_NOT_containerized, aos-ci-jenkins/OS_3.4_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39569389 5 months ago

    Containerized installation fails because openshift.common.version_gte_3_5_or_1_5 is evaluating to true. I feel that it's a bug in condition evaluation. I don't see another way of not using new option on old versions.

  • weixin_40005373 5 months ago

    -coder I'm looking into how we can address this. openshift.common.version_gte_3_5_or_1_5 is defaulting to true because we have nothing to base the version on (as written) but we do know the image tag that we intend to use prior to creating certs.

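    The gate the maintainer describes above, as an added example that is not openshift-ansible's code: a small Python module that fails closed when the version is unknown (no flag, stock validity) and, for containerized hosts, derives the version from the image tag the installer already knows before certificates are created. The function and variable names, the sample version strings and the expire-day values are assumptions made for the illustration; the only facts taken from the thread are that the options exist from origin 1.5 / OCP 3.5 and that passing them to an older oc adm breaks the install.

```python
"""Gate --expire-days / --signer-expire-days on a *known* version.

Added example, not openshift-ansible code. The failure mode in the thread is a
"version >= 3.5 / 1.5" fact that defaults to True when nothing is known yet, so
an old oc adm receives a flag it does not understand and the install aborts.
Here an unknown version fails closed (flags omitted, default validity kept), and
a containerized host takes its version from the image tag chosen for it.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int]

# First releases whose oc adm accepts the options (origin 1.5 / OCP 3.5, per the thread).
MIN_ORIGIN: Version = (1, 5)
MIN_OCP: Version = (3, 5)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)")


def parse_version(text: Optional[str]) -> Optional[Version]:
    """(major, minor) from '3.4.1.10', 'v1.5.0-alpha.3+4cbbecd-244' or an image tag
    such as 'v3.5.5.8'; None when nothing usable is there ('', 'latest', None)."""
    if not text:
        return None
    m = _VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def supports_expire_days(version: Optional[Version]) -> bool:
    """True only for a known origin >= 1.5 or OCP >= 3.5.  None -> False:
    leaving the flag out merely keeps the default validity, while adding it
    to an older oc adm aborts certificate creation."""
    if version is None:
        return False
    if version[0] == 1:            # origin numbering
        return version >= MIN_ORIGIN
    return version >= MIN_OCP      # OCP numbering (and anything newer)


def effective_version(detected: Optional[str], image_tag: Optional[str],
                      containerized: bool) -> Optional[Version]:
    """RPM installs report a detected version; a containerized install may not
    have one yet, so fall back to the image tag selected for the host."""
    version = parse_version(detected)
    if version is None and containerized:
        version = parse_version(image_tag)
    return version


def cert_expiry_args(detected: Optional[str], image_tag: Optional[str],
                     containerized: bool, expire_days: int,
                     signer_expire_days: int) -> List[str]:
    """Extra oc adm arguments for certificate creation, or [] when it is unsafe."""
    if not supports_expire_days(effective_version(detected, image_tag, containerized)):
        return []
    return ["--expire-days=%d" % expire_days,
            "--signer-expire-days=%d" % signer_expire_days]


if __name__ == "__main__":
    # Constructed cases: the 3.4 containerized job from the thread, a 3.5 one,
    # an RPM install, and an image tag that carries no version at all.
    for case in [("", "v3.4.1.10", True), ("", "v3.5.5.8", True),
                 ("3.5.5.8", None, False), ("", "latest", True)]:
        print(case, "->", cert_expiry_args(*case, 730, 1825))
```

    Used from Ansible this logic would live in a filter plugin, as the maintainer suggests for the version comparisons; the point it makes is that the "unknown" branch must choose the old behaviour, never the new flag.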
  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: error - All Test Contexts: aos-ci-jenkins/OS_3.4_containerized - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_NOT_containerized, aos-ci-jenkins/OS_3.5_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_containerized, aos-ci-jenkins/OS_3.5_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39569389 5 months ago

    aos-ci-test is failing on 3.4 because --expire-days hasn't been backported there. Though, why is it only failing for containerized installs?

    I suspect that openshift.common.version_gte_3_5_or_1_5 is evaluating to true for some strange reason. Is it possible?

  • weixin_39828956 5 months ago

    oh, that's probably right.

  • weixin_39618956 5 months ago

    continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible_extended_conformance_install/84/) (Base Commit: 403b5c5545b9b07e7a4416e5a63609512ddaa224)

  • weixin_39569389 5 months ago

    How will we merge it? How can I help?

  • weixin_39569389 5 months ago

    Ping.

  • weixin_39828956 5 months ago

    aos-ci-test

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: aos-ci-jenkins/OS_unit_tests - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-2-unit-tests-1163/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39828956 5 months ago

    flake https://github.com/openshift/origin/issues/12797 [merge]

  • weixin_39828956 5 months ago

    aos-ci-test is failing on 3.4 because --expire-days hasn't been backported there. Though, why is it only failing for containerized installs?

  • weixin_39612122 5 months ago

    -coder said

    
    Ok, I've updated the code and tested it against OSE v3.5 on RHEL. It works fine on 1 node with embedded etcd. I was checking the expiration dates of all *.crt files inside /etc/origin.
    
    To  :
    
    Are you OK with these changes? If yes, then I'll add a bit of documentation before merging.
    Do we have certificates in some non-standard places that I'm not aware of?
    Do we have QEs who can test this along with corner cases (like using a containerized environment)?
    I also tested redeploy-certificates.yml, it updates all the certificates except ca.crt. Is it a feature?
    

    If you want a thorough test of the new deployment I suggest you use the cert expiry checker we have now

    Using your existing inventory file you can run:

    $ ansible-playbook -v -i <inventory_file> ./playbooks/certificate_expiry/easy-mode.yaml
    $ xdg-open /tmp/cert-expiry-report.html
    $ xdg-open /tmp/cert-expiry-report.json

  • weixin_39569389 5 months ago

    It's ready to merge. PTAL.

  • weixin_40005373 5 months ago

    [merge]

  • weixin_39618956 5 months ago

    [test]ing while waiting on the merge queue

  • weixin_40005373 5 months ago

    aos-ci-test

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: aos-ci-jenkins/OS_unit_tests - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-2-unit-tests-1089/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: error - All Test Contexts: aos-ci-jenkins/OS_3.4_containerized - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.4_NOT_containerized, aos-ci-jenkins/OS_3.4_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_NOT_containerized, aos-ci-jenkins/OS_3.5_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39618956 5 months ago

    3b87f8180e751e6bebe8c9227eeb4100ffef8eba - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_containerized, aos-ci-jenkins/OS_3.5_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt

  • weixin_39569389 5 months ago

    The first one is very strange because it could not compile a test:

    
    23:21:08 ++ Building release v1.5.0-alpha.3+4cbbecd-244
    23:21:16 rm -rf _output
    23:21:16 hack/build-cross.sh
    23:21:17 ++ Building go targets for linux/amd64: images/pod cmd/dockerregistry cmd/gitserver pkg/sdn/plugin/sdn-cni-plugin vendor/github.com/containernetworking/cni/plugins/ipam/host-local vendor/github.com/containernetworking/cni/plugins/main/loopback examples/hello-openshift examples/deployment
    23:22:31 ++ Building go targets for linux/amd64: cmd/openshift cmd/oc
    23:25:46 ++ Building go targets for linux/amd64: test/extended/extended.test
    23:27:26 # github.com/openshift/origin/test/extended/registry
    23:27:26 test/extended/registry/registry.go:52: cannot use "github.com/openshift/origin/pkg/image/api".ResourceImageStreams (type "github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/api".ResourceName) as type string in argument to "github.com/openshift/origin/pkg/image/api".Resource
    

    The second one is a test-flake https://github.com/openshift/origin/issues/12797

    Could you re-run the merge process, please?

  • weixin_40005373 5 months ago

    Are you OK with these changes? If yes, then I'll add a bit documentation before merging.

    These changes LGTM.

    Do we have certificates in some non-standard places that I'm not aware of?

    All are covered here afaict.

    Do we have QEs who can test this along with corner cases (like using containerized environment)?

    QE will pick up when we move our cluster lifecycle card to complete.

    I also tested redeploy-certificates.yml, it updates all the certificates except ca.crt. Is it a feature?

    There is a separate playbook for rolling CA redeployment playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml.

  • weixin_39569389 5 months ago

    Current state/open questions:
    - ~It isn't tested because at this moment the installer fails with the error "Detected OpenShift version 1.3.1 does not match requested openshift_release 1.5" when I'm trying to use v1.5. I didn't find the repo for origin 1.5~
    - It's not clear whether I need some special code for a containerized installation
    - I don't know whether code for supporting external etcd should be added or not
    - I'm not sure whether the new parameters will affect the procedure for updating the existing certificates
    - ~It isn't documented~

  • weixin_40005373 5 months ago

    It isn't tested because at this moment installer fails with error Detected OpenShift version 1.3.1 does not match requested openshift_release 1.5 when I'm trying to use v1.5 I didn't find the repo for origin 1.5

    1.5 packages haven't been created yet afaik. I can get you configuration for testing 3.5 internally.

    It's not clear do I need some special code for a containerized installation

    This can be accomplished using a host level variable containerized=true per host in the inventory or containerized=true can be added under [OSEv3:vars] to globally set containerized true for all services.

    For example,

    
    ...
    
    [masters]
    master1.abutcher.com containerized=true
    
    [nodes]
    master1.abutcher.com openshift_schedulable=true containerized=true
    

    I don't know whether code for supporting external etcd should be added or not

    We have an internal variable for configuring external etcd CA validity etcd_ca_default_days but no configurable for etcd peer and serving certificates. If we are allowing OpenShift certificate validity to be configured then I think we should also add variables for external etcd cert validity but that can be done separately.

    I'm not sure that new parameters will affect procedure of updating of the existing certificates

    This process uses the same code updated here so I expect that no changes will be required.

    It isn't documented

    Adding these variables to https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.ose.example with a small explanation will be a good start.

  • weixin_39569389 5 months ago

    Ok, I've updated the code and tested it against OSE v3.5 on RHEL. It works fine on 1 node with embedded etcd. I was checking the expiration dates of all *.crt files inside /etc/origin.

    To :
    - Are you OK with these changes? If yes, then I'll add a bit of documentation before merging.
    - Do we have certificates in some non-standard places that I'm not aware of?
    - Do we have QEs who can test this along with corner cases (like using a containerized environment)?
    - I also tested redeploy-certificates.yml, it updates all the certificates except ca.crt. Is it a feature?

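    The manual check described in this comment (reading the notAfter date of every *.crt under /etc/origin after an install with a custom validity), as an added example that is not openshift-ansible code and is not the certificate_expiry playbook suggested elsewhere in the thread. The script walks a directory, parses only the X.509 Validity field with a minimal DER reader so it runs without openssl or the cryptography package, and reports certificates whose lifetime differs from the requested expire-days. The one-day slack, the helper names and the constructed, unsigned sample certificate used to exercise the parser are assumptions; real input is whatever oc adm wrote under /etc/origin.

```python
"""Validity check for every *.crt below a directory such as /etc/origin.

Added example, not openshift-ansible code. Only the Validity field is parsed,
with a small DER walker, so neither openssl nor the cryptography package is
needed (for a one-off look, `openssl x509 -noout -dates -in file.crt` shows
the same two dates). Flags certificates whose lifetime does not match the
expire-days value requested at install time.
"""
import base64
import os
import re
from datetime import datetime, timedelta, timezone

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_UTC = "%y%m%d%H%M%SZ"   # UTCTime (tag 0x17): YYMMDDHHMMSSZ, RFC 5280 4.1.2.5.1
_GEN = "%Y%m%d%H%M%SZ"   # GeneralizedTime (tag 0x18): YYYYMMDDHHMMSSZ


def _tlv(buf, pos):
    """Parse one DER tag/length at buf[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def cert_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cstart, cend = _tlv(der, 0)
    _, tstart, tend = next(_children(der, cstart, cend))
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                # skip the EXPLICIT [0] version if present
        fields = fields[1:]
    vtag, vstart, vend = fields[3]          # serial, signature, issuer, *validity*
    if vtag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    times = []
    for tag, s, e in _children(der, vstart, vend):
        fmt = {0x17: _UTC, 0x18: _GEN}[tag]
        times.append(datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]


def pem_to_der(pem):
    """DER bytes of the first certificate in a PEM file (bundles: first cert only)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(b"".join(m.group(1).split()))


def check_pem(pem, expected_days, now_iso=None):
    """Return (days_valid, days_left, ok). ok tolerates one day of slack because a
    signer may stamp notBefore slightly before 'now' (assumption; tune for your CA)."""
    not_before, not_after = cert_validity(pem_to_der(pem))
    now = (datetime.strptime(now_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    days_valid = (not_after - not_before).days
    return days_valid, (not_after - now).days, abs(days_valid - expected_days) <= 1


def check_tree(root, expected_days, now_iso=None):
    """Walk root for *.crt files; return [(path, days_valid, days_left, ok), ...]."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".crt"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results.append((path,) + check_pem(fh.read(), expected_days, now_iso))
    return results


def _der(tag, payload):
    """Tiny DER TLV encoder (payloads < 64 KiB); only used to build the sample input."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + payload


def sample_cert_pem(not_before_iso, days):
    """Constructed, UNSIGNED certificate with a real Validity field: enough to
    exercise the parser, useless for TLS. Real input comes from oc adm."""
    nb = datetime.strptime(not_before_iso, "%Y-%m-%d")
    utctime = lambda d: _der(0x17, d.strftime(_UTC).encode("ascii"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                    # [0] version v3
               + _der(0x02, b"\x01")                                              # serialNumber 1
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
               + _der(0x30, b"")                                                  # issuer (empty Name)
               + _der(0x30, utctime(nb) + utctime(nb + timedelta(days=days)))     # validity
               + _der(0x30, b"")                                                  # subject
               + _der(0x30, b""))                                                 # subjectPublicKeyInfo stub
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    root, expected = sys.argv[1], int(sys.argv[2])   # e.g. /etc/origin 730
    for path, days_valid, days_left, ok in check_tree(root, expected):
        print("%-3s %5d days valid, %5d left  %s" % ("ok" if ok else "BAD", days_valid, days_left, path))
```

    Run it on a master as `python check_cert_validity.py /etc/origin <expire-days>` (script name assumed) with the value that was passed at install time; the CA itself is expected to show the --signer-expire-days value instead, so a "BAD" line for ca.crt is the expected outcome when the two values differ.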
  • weixin_39569389 5 months ago

    I don't know whether code for supporting external etcd should be added or not

    We have an internal variable for configuring external etcd CA validity etcd_ca_default_days but no configurable for etcd peer and serving certificates. If we are allowing OpenShift certificate validity to be configured then I think we should also add variables for external etcd cert validity but that can be done separately.

    Is it still in the scope of my task? Technically it's not, because these certificates are generated by the openssl command and it doesn't use oadm at all. Practically it could be in scope, in terms of a general task for setting the certificates' validity.
