Novncproxy cert cleanup by auniyal61 · Pull Request #1410 · openstack-k8s-operators/openstack-operator

auniyal61 · 2025-04-21T06:19:14Z

Adds cleanup fix and supporting tests for ovncproxy certs and routes cleanup

softwarefactory-project-zuul · 2025-04-21T09:52:04Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/aff9e16d7e7d46d69106ef6e41ed4d7a

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 31m 48s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 10m 34s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 1h 43m 38s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 16m 21s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 21m 59s
❌ openstack-operator-kuttl FAILURE in 25m 48s (non-voting)

gibizer · 2025-04-22T07:22:19Z

Why did you closed #1385 and opened this new PR?

auniyal61 · 2025-04-22T08:42:27Z

Why did you closed #1385 and opened this new PR?

during rebase from github UI, there were confusing changes, extra merge commits,
creating new branch seems simpler to push with new changes.
sorry to lose the previous comments, I thought I added comment here, but missed.

gibizer · 2025-04-22T11:48:53Z

Why did you closed #1385 and opened this new PR?

during rebase from github UI, there were confusing changes, extra merge commits, creating new branch seems simpler to push with new changes. sorry to lose the previous comments, I thought I added comment here, but missed.

Even if the github rebase dirtied you branch in your fork, your local branch should not have effected by the GUI. So you could just re-push your local branch to your fork (probably with a --force) to get back to your last good state. Next time if you hit similar issues feel free to ping me and we can try to fix the branch together.

gibizer

good progress. I need to take a look locally...

softwarefactory-project-zuul · 2025-04-29T23:12:17Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/935a7fc5175d461fa5c17e192cce2cf2

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 30m 19s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 13m 28s
❌ cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 21m 39s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 12m 37s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 28m 22s
❌ openstack-operator-kuttl FAILURE in 26m 54s (non-voting)

stuggi · 2025-04-30T10:39:07Z

+	}
+
+	certs := &certmgrv1.CertificateList{}
+	listOpts := []client.ListOption{


just fyi, the certs have the same service labelSelector as the route.

labels: osctlplane-service: nova-novncproxy

stuggi

in general looks really good. I have just some concern about deleting certs for anything with the route base name. check my comment inline.

stuggi · 2025-05-05T09:39:48Z

+		for _, cert := range certs.Items {
+			routeBaseName := strings.TrimSuffix(route.Name, "-public")
+			if strings.Contains(cert.Name, routeBaseName) {


two notes on this

This will delete all certs with the routeBaseName prefixed, which means it will also delete e.g. the internal svc cert, even it is not 1:1 related to the route. In general I think right now that is okish, since we have a single deployment as the backend for the internal and public k8s services. If for some reason we change to have independent deployments and one could still be around when the one for the route get deleted, there would be a not necessary restart since we delete the svc cert when the route is gone, the openstack-op will reconcile, and create the a new cert for it which results in a restart of the deployment.

some services don't create a route, so this cleanup will not delete the certs their k8s service if they get deleted.

With this I think we want to be explicite in what we delete. We already checked that the public k8s svc is gone. So we can delete the route cert, the public k8s cert and the route. We should also check if the internal k8s svc is gone and only delete the cert when it is.

If it helps to man cleanup task easier, when we create the certs, the serviceCertSelector get passed as a label [1][2][3]. We can add additional labels to filter for public/internal/route and k8s svc object name it was created for, or other use case, like a cell label in [4] to the vencrypt cert to make the cleanup of those easier. Maybe we split it to only focus here on the route, its cert and the k8s svc and handle the vencrypt cert in a follow up.

[1] https://github.com/openstack-k8s-operators/openstack-operator/blob/main/pkg/openstack/common.go#L322
[2] https://github.com/openstack-k8s-operators/openstack-operator/blob/main/pkg/openstack/common.go#L372
[3] https://github.com/openstack-k8s-operators/openstack-operator/blob/main/pkg/openstack/common.go#L609
[4] https://github.com/openstack-k8s-operators/openstack-operator/blob/main/pkg/openstack/nova.go#L305

to cleanup route cert could be just if route.Name+"-route" == cert.Name && object.CheckOwnerRefExist(instance.GetUID(), cert.OwnerReferences) {

With this I think we want to be explicite in what we delete. We already checked that the public k8s svc is gone. So we can delete the route cert, the public k8s cert and the route. We should also check if the internal k8s svc is gone and only delete the cert when it is.

Sounds good to me.

gibizer · 2025-05-05T11:44:12Z

+		for _, cert := range certs.Items {
+			routeBaseName := strings.TrimSuffix(route.Name, "-public")
+			if strings.Contains(cert.Name, routeBaseName) {


With this I think we want to be explicite in what we delete. We already checked that the public k8s svc is gone. So we can delete the route cert, the public k8s cert and the route. We should also check if the internal k8s svc is gone and only delete the cert when it is.

Sounds good to me.

stuggi · 2025-05-07T09:20:36Z

+		routeBaseName := strings.TrimSuffix(route.Name, "-public")
+		for _, cert := range certs.Items {
+			if object.CheckOwnerRefExist(instance.GetUID(), cert.OwnerReferences) {
+				if strings.Contains(cert.Name, routeBaseName) {


I think this still has the issue that you could cleanup internal svc cert when it may be still required. lets take barbican as an example:

$ oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD barbican-public barbican-public-openstack.apps-crc.testing barbican-public barbican-public edge/Redirect None

we remove -public which leaves e.g. barbican.

the certs have this naming format:

$ oc get cert NAME READY SECRET AGE barbican-internal-svc True cert-barbican-internal-svc 0s barbican-public-route True cert-barbican-public-route 2m19s barbican-public-svc True cert-barbican-public-svc 0s

So we'd delete all certs public, route and internal without checking if the internal svc is really gone. I think for now lets just do if _, ok := cert.Labels[serviceCertSelector]; ok && strings.Contains(cert.Name, route.Name) { and keep the internal svc cert. we can follow up with cleaning up the internal svc certs.

ack,
specifically for novncproxy added cert.Spec.CommonName to match with route.Name for now, commonName is not present in all certs.

Also as discussed in slack, I think we should add osctlplane-service for all types of certs.
will fix above too once its added

Also adds tests for novncproxy certs and routes cleanup Closes: OSPRH-10549

softwarefactory-project-zuul · 2025-06-03T18:59:04Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/0a90270c538846469b49f84ec72813e3

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 29m 46s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 16m 12s
❌ cifmw-crc-podified-edpm-baremetal FAILURE in 46m 39s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 15m 09s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 41m 31s

auniyal61 · 2025-06-04T05:40:29Z

/retest cifmw-crc-podified-edpm-baremetal
cifmw-crc-podified-edpm-baremetal failed because could not create/get subscription

fatal: [localhost]: FAILED! =>
     attempts: 30
     changed: true
     cmd:
     - oc
     - get
     - sub
     - openstack-operator
     - --namespace=openstack-operators
     - -o=jsonpath={.status.installplan.name}
     delta: '0:00:00.128871'
     end: '2025-06-03 16:32:57.074955'
     msg: ''
     rc: 0
     start: '2025-06-03 16:32:56.946084'
     stderr: ''
     stderr_lines: []
     stdout: ''
     stdout_lines: []

no resource created
https://logserver.rdoproject.org/f37/rdoproject.org/f37779706f714992bc64c205be0256cc/ci-framework-data/logs/openstack-k8s-operators-openstack-must-gather/namespaces/openstack/all_resources.log

openshift-ci · 2025-06-04T05:40:33Z

@auniyal61: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

/test functional

/test images

/test openstack-operator-build-deploy

/test openstack-operator-build-deploy-kuttl

/test openstack-operator-build-deploy-kuttl-4-18

/test precommit-check

The following commands are available to trigger optional jobs:

/test openstack-operator-build-deploy-tempest

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openstack-k8s-operators-openstack-operator-main-functional

pull-ci-openstack-k8s-operators-openstack-operator-main-images

pull-ci-openstack-k8s-operators-openstack-operator-main-openstack-operator-build-deploy-kuttl

pull-ci-openstack-k8s-operators-openstack-operator-main-openstack-operator-build-deploy-kuttl-4-18

pull-ci-openstack-k8s-operators-openstack-operator-main-precommit-check

Details

In response to this:

/retest cifmw-crc-podified-edpm-baremetal
cifmw-crc-podified-edpm-baremetal failed because could not create/get subscription

fatal: [localhost]: FAILED! =>
    attempts: 30
    changed: true
    cmd:
    - oc
    - get
    - sub
    - openstack-operator
    - --namespace=openstack-operators
    - -o=jsonpath={.status.installplan.name}
    delta: '0:00:00.128871'
    end: '2025-06-03 16:32:57.074955'
    msg: ''
    rc: 0
    start: '2025-06-03 16:32:56.946084'
    stderr: ''
    stderr_lines: []
    stdout: ''
    stdout_lines: []

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

auniyal61 · 2025-06-04T05:47:14Z

recheck

stuggi

/lgtm

openshift-ci · 2025-06-04T11:43:16Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: auniyal61, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

auniyal61 requested review from gibizer, mrkisaolamb and stuggi April 21, 2025 06:19

openshift-ci Bot requested review from dprince and rebtoor April 21, 2025 06:19

auniyal61 commented Apr 21, 2025

View reviewed changes

Comment thread tests/functional/ctlplane/openstackoperator_controller_test.go

auniyal61 force-pushed the novncproxy-cert-cleanup branch from baa89e0 to 228c7fb Compare April 22, 2025 05:22

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 228c7fb to 324ee1e Compare April 24, 2025 11:39

auniyal61 commented Apr 24, 2025

View reviewed changes

Comment thread pkg/openstack/common.go Outdated

gibizer reviewed Apr 24, 2025

View reviewed changes

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 324ee1e to fffc191 Compare April 25, 2025 01:27

gibizer reviewed Apr 25, 2025

View reviewed changes

Comment thread tests/functional/ctlplane/openstackoperator_controller_test.go

auniyal61 force-pushed the novncproxy-cert-cleanup branch 2 times, most recently from 3154add to 480b775 Compare April 28, 2025 13:24

bogdando reviewed Apr 28, 2025

View reviewed changes

Comment thread pkg/openstack/common.go Outdated

stuggi reviewed Apr 28, 2025

View reviewed changes

Comment thread pkg/openstack/nova.go Outdated

Comment thread pkg/openstack/nova.go Outdated

Comment thread pkg/openstack/common.go Outdated

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 480b775 to 5a1ba89 Compare April 29, 2025 19:39

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 5a1ba89 to 8dd0d22 Compare April 30, 2025 02:32

auniyal61 commented Apr 30, 2025

View reviewed changes

Comment thread pkg/openstack/nova.go Outdated

auniyal61 requested review from gibizer and stuggi April 30, 2025 03:55

stuggi reviewed Apr 30, 2025

View reviewed changes

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 8dd0d22 to 45eb741 Compare April 30, 2025 17:13

auniyal61 requested a review from stuggi April 30, 2025 17:13

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 45eb741 to 3bfccd0 Compare May 5, 2025 05:40

stuggi reviewed May 5, 2025

View reviewed changes

gibizer reviewed May 5, 2025

View reviewed changes

auniyal61 force-pushed the novncproxy-cert-cleanup branch 2 times, most recently from 6136d0a to 9d627f6 Compare May 6, 2025 09:35

stuggi reviewed May 7, 2025

View reviewed changes

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 9d627f6 to 9b3be17 Compare June 2, 2025 08:36

stuggi reviewed Jun 2, 2025

View reviewed changes

Comment thread pkg/openstack/common.go

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 9b3be17 to c27c9b3 Compare June 2, 2025 09:19

auniyal61 requested review from gibizer and stuggi June 2, 2025 14:40

auniyal61 force-pushed the novncproxy-cert-cleanup branch from c27c9b3 to ed9f2a6 Compare June 3, 2025 14:24

auniyal61 commented Jun 3, 2025

View reviewed changes

Comment thread controllers/core/openstackcontrolplane_controller.go

auniyal61 force-pushed the novncproxy-cert-cleanup branch from ed9f2a6 to 069f5b1 Compare June 3, 2025 15:22

novncproxy cert and routes cleanup

2e665b6

Also adds tests for novncproxy certs and routes cleanup Closes: OSPRH-10549

auniyal61 force-pushed the novncproxy-cert-cleanup branch from 069f5b1 to 2e665b6 Compare June 3, 2025 15:27

stuggi approved these changes Jun 4, 2025

View reviewed changes

openshift-ci Bot assigned stuggi Jun 4, 2025

openshift-ci Bot added the lgtm label Jun 4, 2025

openshift-ci Bot added the approved label Jun 4, 2025

openshift-merge-bot Bot merged commit faa0f3c into openstack-k8s-operators:main Jun 4, 2025
9 checks passed

auniyal61 deleted the novncproxy-cert-cleanup branch June 4, 2025 15:07

Conversation

auniyal61 commented Apr 21, 2025 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Apr 21, 2025

Uh oh!

gibizer commented Apr 22, 2025

Uh oh!

auniyal61 commented Apr 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gibizer commented Apr 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

gibizer left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Apr 29, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

stuggi Apr 30, 2025

Choose a reason for hiding this comment

Uh oh!

stuggi left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

stuggi May 5, 2025

Choose a reason for hiding this comment

Uh oh!

stuggi May 5, 2025

Choose a reason for hiding this comment

Uh oh!

gibizer May 5, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gibizer May 5, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

stuggi May 7, 2025

Choose a reason for hiding this comment

Uh oh!

auniyal61 Jun 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Jun 3, 2025

Uh oh!

auniyal61 commented Jun 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented Jun 4, 2025

Uh oh!

auniyal61 commented Jun 4, 2025

Uh oh!

stuggi left a comment

Choose a reason for hiding this comment

auniyal61 commented Apr 21, 2025 •

edited by openshift-ci Bot

Loading

auniyal61 commented Apr 22, 2025 •

edited

Loading

gibizer commented Apr 22, 2025 •

edited

Loading

auniyal61 Jun 2, 2025 •

edited

Loading

auniyal61 commented Jun 4, 2025 •

edited

Loading