Apply a runtime manifest to update apiserver certSANs

When the bootstrap manifest is applied the system adds any OAM IP
addresses to the apiserver's certificate SAN list. This is used for
remote kubectl access. However, when the OAM IP address is changed,
these IP values are not updated. Without the correct values in the
apiserver cert, remote access will fail.

This change makes sysinv apply the kubernetes certsans runtime
puppet manifest during the OAM IP change process to update the apiserver's
cert SANs list with the new IPs.

Change-Id: I48eaf4bc3128c0c63591b77ceae69c7db0ea88ab
Depends-On: https://review.opendev.org/#/c/751891/
Closes-Bug: 1878451
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Andy Ning 2020-09-14 14:06:57 -04:00
parent 24bfa0f79e
commit 5c5a6d4acb
1 changed files with 10 additions and 0 deletions

@ -6110,6 +6110,16 @@ class ConductorManager(service.PeriodicService):
def update_oam_config(self, context):
"""Update the OAM network configuration"""
# update kube-apiserver cert's SANs at runtime
personalities = [constants.CONTROLLER]
config_uuid = self._config_update_hosts(context, personalities)
config_dict = {
"personalities": personalities,
"classes": ['platform::kubernetes::certsans::runtime']
}
self._config_apply_runtime_manifest(context, config_uuid, config_dict)
# there is still pending reboot required config to apply
self._config_update_hosts(context, [constants.CONTROLLER], reboot=True)
extoam = self.dbapi.iextoam_get_one()
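
Review bot: In update_oam_config, nothing in the added lines logs or verifies that the 'platform::kubernetes::certsans::runtime' manifest was actually requested and applied, so a failed apply leaves the apiserver certificate with stale SANs and the only symptom is remote kubectl failing TLS verification against the new OAM IP. Consider a log line next to `self._config_apply_runtime_manifest(context, config_uuid, config_dict)` and a unit test asserting that update_oam_config requests that class for the controller personality. It would also help to state in the comment whether the new OAM address is already persisted at this point, since the manifest is applied at the very top of the method, before `extoam = self.dbapi.iextoam_get_one()`. Minor style point: the `reboot=True` call still passes `[constants.CONTROLLER]` literally; reuse `personalities` so the two calls cannot drift apart.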