[DPE-5932] Remove cert-available check for CA rotation #502

Merged
merged 9 commits into from
Nov 21, 2024

@phvalguima phvalguima commented Nov 11, 2024

This PR removes one of the filters that was causing a race condition at CA rotation + large deployments. It fixes the CA rotation for large deployments in our CI.

Closes #500

@phvalguima phvalguima requested a review from reneradoi November 12, 2024 08:26
@phvalguima phvalguima changed the title [NOT MERGE] Reorder certain flows within the TLS CA rotation Remove cert-available check for CA rotation Nov 12, 2024
reneradoi previously approved these changes Nov 13, 2024
@reneradoi reneradoi left a comment

Hey Pedro, I think this change makes sense. We had a couple of changes on the whole process in the last weeks, therefore the condition if not self.ca_rotation_complete_in_cluster() in _on_certificate_available is now probably obsolete. The original need for it was to make sure nothing gets updated during the rollout of the new CA: no certs, no secrets, no ca-bundle.

Your assumption of a race condition seems plausible, at least the integration tests look good after the change. Important though: Make sure the condition if not self.ca_rotation_complete_in_cluster() stays in store_new_tls_resources(), otherwise the certs might get updated during the rollout of the new CA.

lib/charms/opensearch/v0/opensearch_base_charm.py Outdated
lib/charms/opensearch/v0/opensearch_tls.py
lib/charms/opensearch/v0/opensearch_tls.py
tests/unit/lib/test_opensearch_tls.py Outdated
@phvalguima phvalguima changed the title Remove cert-available check for CA rotation [DPE-5932] Remove cert-available check for CA rotation Nov 15, 2024
@phvalguima phvalguima requested a review from reneradoi November 15, 2024 15:26
@phvalguima phvalguima marked this pull request as ready for review November 15, 2024 15:27
reneradoi previously approved these changes Nov 19, 2024
@reneradoi reneradoi left a comment

Hey @phvalguima the unit tests look fine now. The only thing that needs to be adjusted is the comments in lines 1581 and 1690 of test_opensearch_tls.py saying "In case any stage of a CA cert rotation is being processed, further 'certificate-available' events are deferred."

Other than that, the change can be merged from my point of view.

@phvalguima phvalguima requested a review from reneradoi November 19, 2024 12:44
@phvalguima phvalguima merged commit 727d283 into 2/edge Nov 21, 2024
38 of 40 checks passed
@phvalguima phvalguima deleted the TEST-ca-rotation-fix branch November 21, 2024 06:40
Development

Successfully merging this pull request may close these issues.

OpenSearch's CA rotation gets stuck in large deployments