Altinn / altinn-platform

Altinn Platform infrastructure

Bump altinn-vmss-terraformagent from ubuntu 20.04 to 22.04 #697

Closed bengtfredh closed 7 months ago

bengtfredh commented 8 months ago

Description

We want to upgrade altinn-vmss-terraformagent from ubuntu 20.04 to 22.04. The new agentpool is called altinn-vmss-terraformagent-2204 for now. When we have tested it, we will replace altinn-vmss-terraformagent with the newer version.

Additional Information

Main benefit is to get access to newer software, i.e. podman from default repo.

Tasks

Test use of new agentpool altinn-vmss-terraformagent:

Acceptance Criteria

bengtfredh commented 8 months ago

Hit a snag with openssl:

openssl pkcs12 -in accesstokencredentials.pfx -password pass: -nodes -clcerts -nokeys
Error outputting keys and certificates
40E71134E17F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not read certificate from <stdin>

Found article https://stackoverflow.com/questions/69361375/issue-to-convert-the-ssl-certificates-from-pfx-to-peem-with-openssl and changed code to:

openssl pkcs12 -in accesstokencredentials.pfx -password pass: -nodes -clcerts -nokeys -legacy

That fixed the issue

New command is not backward compatible, when run on 20.04:

openssl pkcs12 -in accesstokencredentials.pfx -password pass: -nodes -clcerts -nokeys -legacy
pkcs12: Unrecognized flag legacy
pkcs12: Use -help for summary.
unable to load certificate
139807611491648:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

bengtfredh commented 8 months ago

Observed that terraform wanted to upgrade tls certs in cluster. After some investigation I found that the newer version of openssl removed some blank lines in tls.crt when converting from pfx. Secret gets updated but cert is the same.
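
An added example, not part of the issue thread or the repository's code: one way to run the pkcs12 command from the comments above on both the 20.04 and 22.04 agents, passing -legacy only where the installed OpenSSL accepts it and stripping blank lines so both images emit the same certificate text. The function names are hypothetical, and it assumes blank lines are the only difference between the two outputs, as the last comment reports.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the repository.

# Print "-legacy" when the given `openssl version` string is OpenSSL 3 or
# newer (RC2-40-CBC then needs the legacy provider); print nothing otherwise.
pkcs12_legacy_flag() {
    case "$1" in
        OpenSSL\ [0-9]*) ;;
        *) return 0 ;;              # e.g. LibreSSL: no -legacy flag
    esac
    major=${1#OpenSSL }             # "3.0.2 15 Mar 2022"
    major=${major%%.*}              # "3"
    case "$major" in
        ''|*[!0-9]*) return 0 ;;    # unparseable version: leave the flag off
    esac
    if [ "$major" -ge 3 ]; then
        printf '%s\n' "-legacy"
    fi
}

# Drop carriage returns, trailing whitespace and blank lines so the PEM text
# is byte-identical whichever OpenSSL version wrote it.
normalize_pem() {
    tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Extract the client certificate from a PFX with an empty password, using
# the same options as the command in the issue.
extract_client_cert() {
    pfx=$1
    flag=$(pkcs12_legacy_flag "$(openssl version)")
    # $flag is deliberately unquoted: when empty it must expand to no argument.
    out=$(openssl pkcs12 -in "$pfx" -password pass: -nodes -clcerts -nokeys $flag) || return 1
    printf '%s\n' "$out" | normalize_pem
}
```

Call it as `extract_client_cert accesstokencredentials.pfx > tls.crt`; a failed openssl run returns non-zero instead of writing an empty certificate.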