  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-2194

Making sure that existing certificates on EDPM nodes are tracked after the adoption procedure


    • Story
    • Resolution: Done
    • Normal
    • rhos-18.0.0
    • 8

      Blocked by the testing task, once that is resolved we can work this task.

    • OSPRH-813 - Red Hat OpenStack 18.0 Data Plane Adoption
    • DFG Security: UC Sprint 93, DFG Security: UC Sprint 94
    • 2024Q2

      The default expected behavior after adopting the data plane would be that the new certificates are generated, uploaded to the EDPM nodes and placed in the right locations, but the services running on those nodes are not restarted or notified in any way.

      This might be an issue, since the old certificates will not be tracked by the new control plane.

      The following might be possible:

      1. Schedule a planned restart of EDPM nodes, which should happen within a month after the Data Plane Adoption takes place, making sure no certificate expires before this time.
      2. Trigger certificate reload for all of the EDPM services or apply the certificate reload commands. This should not restart or interrupt any workloads on EDPM.
      3. Upload the old certificates for tracking into the new control plane, so cert-manager can keep track of the old certificates and reload them as needed.
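
For option 1, a check like the following can confirm that no certificate on a node expires inside the planned restart window. It is an added example, not part of this ticket or of the project's tooling; the directory argument, the `.crt`/`.pem` suffixes and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example: report certificates that expire before a restart window closes.
# The directory, file suffixes and default window are assumptions, not values
# taken from the ticket.

# expiring_certs DIR [DAYS]
#   Prints "<path><TAB><notAfter>" for each certificate under DIR whose notAfter
#   date falls within DAYS days (default 30), including already expired ones.
#   Returns 0 if none were found, 1 if at least one was found, 2 if DIR is missing.
expiring_certs() {
    dir=$1
    days=${2:-30}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    window=$((days * 86400))

    hits=$(find "$dir" -type f \( -name '*.crt' -o -name '*.pem' \) | sort |
        while IFS= read -r f; do
            # Skip files that are not parseable X.509 certificates (keys, CSRs).
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
            # -checkend exits 0 when the certificate is still valid after the window.
            openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1 && continue
            printf '%s\t%s\n' "$f" "${end#notAfter=}"
        done)

    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage (hypothetical path): expiring_certs /path/to/certs 30
```

The non-zero return when something is about to expire lets the check gate a scheduled restart or raise an alert from a periodic job.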

       

            rh-ee-mharley Mauricio Harley
            hrybacki@redhat.com Harry Rybacki
            rhos-dfg-security