Loading...

XML

Word

Printable

Type: Task
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Epic Link:
Automate certificate handling for RHOSAK certificates
Blocked:
False
Blocked Reason:

Hide
Waiting for a fleetshard sync enhancement on https://issues.redhat.com/browse/MGDSTRM-10879 to be released needed for the https://issues.redhat.com/browse/MGDSTRM-10919 sub-task

Show
Waiting for a fleetshard sync enhancement on https://issues.redhat.com/browse/MGDSTRM-10879 to be released needed for the https://issues.redhat.com/browse/MGDSTRM-10919 sub-task
Ready:
False
Discussed with Team:
Yes
Feature Link:
MGDSRVS-145 - RHOSAK Enterprise Plan: RHOSAK on customer-owned OSD/ROSA/ARO
Git Pull Request:
https://github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager/pull/1680, https://github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager/pull/1639
[QE] How to address?:
---
[QE] Why QE missed?:
---
Intelligence Requested:
Market:

Sprint:
MK - Sprint 234

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

At the moment, the automatic certificate management is done in a blocking manner: https://github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager/blob/49ca377b2bc7368316653412721bd17e859355d5/internal/kafka/internal/services/kafkatlscertmgmt/kafka_tls_certificate_management_service.go#L80
which can potentially block the reconciler depending on the time the calls to backing external service takes: in Stage we've observed certificate reconciling times of up to `20s` for some Kafkas: see reconciler times

The certmagic library has an asynchrnous "ManageAsync" method which we could use.
But before we consider using this, we need to make sure that we do not send the Kafkas to the data plane if the Kafka doesn't have certificate already created:

this can be done either by ignoring all the kafkas that do not have the certificate in place and are in provisioning state
finding a way to signal to the data plane that a particular managed kafka is in erronous state and it should be ignored: see the TODO comment on https://github.com/bf2fc6cc711aee1a0c2a/kas-fleet-manager/blob/5e6f90a4e64a128502bcbadaac076eeb9bd68481/internal/kafka/internal/services/kafka.go#L923

is blocked by

MGDSTRM-10879 Do not update the Kafka master secret if the ManagedKafkaCR has the pause-reconciliation annotation

Closed

1.	Make the certificate management async		Closed		Manyanda Chitimbo
2.	Do not return an error when retrieving certificate for a given Kafka fails but instead pause the corresponding ManagedKafka for reconciliation		Closed		Manyanda Chitimbo

Assignee:: Manyanda Chitimbo

Reporter:: Manyanda Chitimbo

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2023/03/08 10:16 AM

Updated:: 2023/04/04 11:40 AM

Resolved:: 2023/04/04 11:40 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Sub-Tasks

Activity

People

Dates