Add test to rotate keys until an old one invalidates #503

Merged
merged 1 commit into from
Dec 6, 2024

@afaranha afaranha commented Nov 19, 2024

Jira: OSPRH-9674

@openshift-ci openshift-ci bot requested review from abays and viroel November 19, 2024 10:11
@afaranha

/retest

@Deydra71

/test keystone-operator-build-deploy-kuttl

@Deydra71

Deydra71 commented Nov 28, 2024

Updates:

Replaced oc patch with oc apply to handle the entire resource replacement reliably. oc patch often resulted in inconsistent updates or partial changes in the keystone secret, which resulted in incomplete rotation triggers (the secret annotation was updated, but the fernet keys weren't rotated... but this was not happening 100% of the time).
oc apply ensures the full configuration is applied cleanly.

Increased the timeout duration for rollout status checks to accommodate slower deployments observed during rotations. The 100 seconds might not be necessary for CI, but in my environment it was the first value that prevented premature failures.

TODO 1: Check the validate_test_token.sh script; the grep is probably not working correctly (use the updated one from the test_invalid_token.sh script).

TODO 2 (me): Resolve the script hack/configure_local_webhook.sh added by mistake; it's probably a remnant from rebasing...

@Deydra71

/test keystone-operator-build-deploy-kuttl

timeout

tests/kuttl/common/scripts/rotate_token.sh (outdated, resolved)
Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
Co-authored-by: Andre Aranha <afariasa@redhat.com>
@openshift-ci openshift-ci bot added the lgtm label Dec 5, 2024
@Deydra71 Deydra71 requested a review from stuggi December 6, 2024 09:46

@stuggi stuggi left a comment

/lgtm


openshift-ci bot commented Dec 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afaranha, stuggi, xek

@openshift-ci openshift-ci bot added the approved label Dec 6, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit c7da0ef into openstack-k8s-operators:main Dec 6, 2024
6 checks passed
@Deydra71

/cherry-pick 18.0-fr1

@openshift-cherrypick-robot

@Deydra71: #503 failed to apply on top of branch "18.0-fr1":

Applying: Update fernet keys rotation scripts
error: mode change for tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml, which is not in current HEAD
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Update fernet keys rotation scripts

In response to this:

/cherry-pick 18.0-fr1

@Deydra71

/cherry-pick 18.0-fr1

@openshift-cherrypick-robot

@Deydra71: new pull request created: #521

In response to this:

/cherry-pick 18.0-fr1
