openshift / cluster-etcd-operator

Operator to manage the lifecycle of the etcd members of an OpenShift cluster
Apache License 2.0

ETCD-607: gate leaf cert generation #1269

Closed tjungblu closed 5 months ago

tjungblu commented 5 months ago

This implements a gate to avoid triggering leaf cert generation in the same static pod revision as an update to the signer certificates (and their respective bundles).

This PR also removes the openshift-config dependency on signer certificates. With 4.17 we should be safe to remove any reference, as the newly generated signer certificate in openshift-etcd should already be distributed and ready for consumption.

In plain words: an upgrade to 4.17 will automatically rotate your etcd signer certificates for the first time and every refresh period happily ever after.

openshift-ci-robot commented 5 months ago

@tjungblu: This pull request references ETCD-607 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.

In response to [this](https://github.com/openshift/cluster-etcd-operator/pull/1269):

> Drafting, since we're waiting for #1268 to merge first
>
> ---
>
> This implements a gate to avoid triggering leaf cert generation in the same static pod revision as an update to the signer certificates (and their respective bundles).
>
> This PR also removes the openshift-config dependency on signer certificates. With 4.17 we should be safe to remove any reference, as the newly generated signer certificate in openshift-etcd should already be distributed and ready for consumption.
>
> In plain words: an upgrade to 4.17 will automatically rotate your etcd signer certificates for the first time and every refresh period happily ever after.

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-etcd-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci[bot] commented 5 months ago

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

tjungblu commented 5 months ago

/retest

tjungblu commented 5 months ago

/retest

tjungblu commented 5 months ago

/retest

tjungblu commented 5 months ago

/hold

it's functional now, but we need to run a couple more payload tests.

tjungblu commented 5 months ago

/payload-aggregate periodic-ci-openshift-release-master-ci-4.17-upgrade-from-stable-4.16-e2e-aws-ovn-upgrade 10

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/441b58e0-2812-11ef-9a57-03161ade4e76-0

tjungblu commented 5 months ago

/payload 4.17 nightly blocking

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.17

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/dc4daa50-288a-11ef-815f-720d05854ba7-0

tjungblu commented 5 months ago

/test ?

openshift-ci[bot] commented 5 months ago

@tjungblu: The following commands are available to trigger required jobs:

The following commands are available to trigger optional jobs:

Use /test all to run the following jobs that were automatically triggered:

In response to [this](https://github.com/openshift/cluster-etcd-operator/pull/1269#issuecomment-2162297707):

> /test ?

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

tjungblu commented 5 months ago

/test e2e-aws-ovn-single-node
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn-ipv6

tjungblu commented 5 months ago

/retest

tjungblu commented 5 months ago

/test e2e-aws-ovn-single-node
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn-ipv6

tjungblu commented 5 months ago

/test e2e-aws-ovn-single-node
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn-ipv6

tjungblu commented 5 months ago

/payload 4.17 nightly blocking

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.17

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/55616b00-28c9-11ef-91af-fdba917daf2e-0

tjungblu commented 5 months ago

/test e2e-metal-assisted

/payload-aggregate periodic-ci-openshift-release-master-nightly-4.17-e2e-metal-ovn-assisted 10

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/386c3860-28db-11ef-8a13-3330e29fd75c-0

tjungblu commented 5 months ago

/test e2e-aws-ovn-single-node
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn-ipv6
/payload-aggregate periodic-ci-openshift-release-master-nightly-4.17-e2e-metal-ovn-assisted 10

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5f7a0bb0-296e-11ef-996d-2b746f5b8c8a-0

openshift-ci[bot] commented 5 months ago

@tjungblu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-gcp-qe-no-capabilities | 2e9cb28e7649d73c1e1282e31f48862eeb253af9 | link | false | `/test e2e-gcp-qe-no-capabilities` |
| ci/prow/e2e-operator-fips | 2e9cb28e7649d73c1e1282e31f48862eeb253af9 | link | false | `/test e2e-operator-fips` |
| ci/prow/e2e-aws-etcd-recovery | 2e9cb28e7649d73c1e1282e31f48862eeb253af9 | link | false | `/test e2e-aws-etcd-recovery` |
| ci/prow/e2e-operator | 2e9cb28e7649d73c1e1282e31f48862eeb253af9 | link | true | `/test e2e-operator` |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
tjungblu commented 5 months ago

/test e2e-aws-ovn-single-node
/test e2e-metal-assisted
/test e2e-metal-ipi-ovn-ipv6
/payload-aggregate periodic-ci-openshift-release-master-nightly-4.17-e2e-metal-ovn-assisted 10

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/33c95440-298b-11ef-805b-37002ac13108-0

tjungblu commented 5 months ago

/payload 4.17 nightly blocking

openshift-ci[bot] commented 5 months ago

@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.17

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/aadd7fc0-299a-11ef-9bb2-57a1c364b563-0

hasbro17 commented 5 months ago

/payload 4.17 nightly blocking

openshift-ci[bot] commented 5 months ago

@hasbro17: trigger 8 job(s) of type blocking for the nightly release of OCP 4.17

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d4f4c480-2a17-11ef-85a4-862ed4700999-0

openshift-ci[bot] commented 5 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hasbro17, tjungblu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/cluster-etcd-operator/blob/master/OWNERS)~~ [hasbro17,tjungblu]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

tjungblu commented 5 months ago

/close

taking #1275

openshift-ci[bot] commented 5 months ago

@tjungblu: Closed this PR.

In response to [this](https://github.com/openshift/cluster-etcd-operator/pull/1269#issuecomment-2175163733):

> /close
>
> taking #1275

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.