Generate a temp certificate for OCP4 Trusted CA remediation
Lately, we've been experiencing issues with manual remediations timing
out during functional testing. This manifests in the following error:

   === RUN   TestE2e/Apply_manual_remediations
    <snip>
    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/networking/default_ingress_ca_replaced/tests/ocp4/e2e-remediation.sh'
    helpers.go:1225: Running manual remediation '/tmp/content-3345141771/applications/openshift/general/file_integrity_notification_enabled/tests/ocp4/e2e-remediation.sh'
    helpers.go:1231: Command '/tmp/content-3345141771/applications/openshift/authentication/idp_is_configured/tests/ocp4/e2e-remediation.sh' timed out

In this particular case, it looks like the remediation to add an
Identity Provider to the cluster failed, but this is actually an
unintended side-effect of another change that updated the
idp_is_configured remediation to use a more robust technique for
determining if the cluster applied the remediation successfully:

  #12120
  #12184

Because we updated the remediation to use `oc adm
wait-for-stable-cluster`, we're effectively checking all cluster
operators to ensure they're healthy.

This started causing timeouts because a separate, unrelated remediation
was also getting applied in our testing that updated the default CA, but
didn't include a ConfigMap that contained the CA bundle. As a result,
one of the operators didn't come up because it was looking for a
ConfigMap that didn't exist. The `oc adm wait-for-stable-cluster`
command was hanging on a legitimate issue in a separate remediation.

This commit attempts to fix that issue by updating the trusted CA
remediation by generating a certificate for testing purposes, then
creates a ConfigMap called `trusted-ca-bundle`, before updating the
trusted CA.
rhmdnd committed Jul 26, 2024
1 parent d9086f6 commit e7a5e89
Showing 1 changed file with 7 additions and 1 deletion.
@@ -1,4 +1,10 @@
#!/bin/bash

# we are using an existing default secret name for testing, so it won't cause any subsequent failures on testing routes.
# Generate a new certificate. The details of the certificate don't really
# matter since we simply need it for the ConfigMap so that the cluster
# operators come back up after the trustedCA change.
openssl req -x509 -newkey rsa:4096 -keyout /tmp/key.pem -out /tmp/cert.pem -sha256 -days 365 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
oc create configmap trusted-ca-bundle --from-file=ca-bundle.crt=/tmp/cert.pem -n openshift-config

# we are using an existing default secret name for testing, so it won't cause any subsequent failures on testing routes.
oc patch proxies.config cluster --type merge -p '{"spec":{"trustedCA":{"name":"trusted-ca-bundle"}}}'
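
Review bot: the final `oc patch proxies.config cluster` runs even when the `openssl req` or `oc create configmap trusted-ca-bundle` command before it fails, because the script has no `set -e` and checks no exit status. If certificate generation or ConfigMap creation fails, `trustedCA` is still pointed at `trusted-ca-bundle`, which reproduces the missing-ConfigMap condition the commit message describes. Suggest adding `set -e` near the top (or `|| exit 1` on each command). `oc create configmap` also returns an error when the ConfigMap already exists, so a re-run against the same cluster does not update the bundle; piping `oc create configmap ... --dry-run=client -o yaml` into `oc apply -f -` would make that step repeatable. Separately, `-nodes` writes an unencrypted private key to the fixed path `/tmp/key.pem` and nothing removes it; only the certificate is used afterwards, so consider writing both files into a `mktemp -d` directory and deleting it when the script exits.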
