[18.0-fr6] Fix cert-manager CA rotation race in TLS cert rotation KUTTL test by openshift-cherrypick-robot · Pull Request #1967 · openstack-k8s-operators/openstack-operator · GitHub

Merged: openshift-merge-bot[bot] merged 1 commit into openstack-k8s-operators:18.0-fr6 from openshift-cherrypick-robot:cherry-pick-1964-to-18.0-fr6 on Jul 3, 2026
@openshift-cherrypick-robot

This is an automated cherry-pick of #1964

/assign abays

The ctlplane-tls-cert-rotation KUTTL test fails intermittently because
the custom_duration patch changes both CA and leaf cert durations
simultaneously. cert-manager processes Certificate resources in
parallel, so leaf certs can be re-issued before the CA itself is
re-issued, resulting in some certs signed by the old CA and others by
the new CA. This causes cross-service SSL verification failures (e.g.
neutron cannot connect to OVN NB due to CA mismatch).

Fix by removing CA duration changes from the patch so only leaf cert
durations change, preventing the CA key from rotating. Also add
cert-manager re-issuance waits and control plane stability checks in
step 03, and add retry logic to the non-API service cert check in
step 04.

Ref: https://redhat.atlassian.net/browse/OSPRH-32142

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
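
The failure mode described in the PR text above (some leaf certificates signed by the old CA, others by the new one), as an added example that is not part of the pull request or the operator's code: it issues in-memory certificates with Go's standard library and reports which leaves no longer verify against a given CA. The names `rootca-internal`, `ovn-nb` and `neutron` and the helpers `issue` and `StaleLeaves` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a cert for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil { // self-signed CA: the template is its own issuer
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// StaleLeaves returns the common names of leaves that do not verify against ca.
func StaleLeaves(ca *x509.Certificate, leaves ...*x509.Certificate) []string {
	pool, stale := x509.NewCertPool(), []string{}
	pool.AddCert(ca)
	for _, leaf := range leaves {
		opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := leaf.Verify(opts); err != nil {
			stale = append(stale, leaf.Subject.CommonName)
		}
	}
	return stale
}

// Constructed scenario: ovn-nb is re-issued before the CA rotates, neutron after it.
func main() {
	oldCA, oldKey := issue("rootca-internal", nil, nil)
	ovn, _ := issue("ovn-nb", oldCA, oldKey)
	newCA, newKey := issue("rootca-internal", nil, nil) // same subject, new key
	neutron, _ := issue("neutron", newCA, newKey)
	fmt.Println("stale vs new CA:", StaleLeaves(newCA, ovn, neutron), "stale vs old CA:", StaleLeaves(oldCA, ovn, neutron))
}
```

Because the rotated CA keeps its subject and only the key changes, comparing issuer names would not catch the mismatch; the signature check in `Verify` does.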
@github-actions

github-actions Bot commented Jul 2, 2026

@abays abays left a comment

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abays, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 2, 2026
@abays

abays commented Jul 3, 2026

Contributor

/retest

@openshift-merge-bot openshift-merge-bot Bot merged commit f8ee522 into openstack-k8s-operators:18.0-fr6 Jul 3, 2026
8 checks passed
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Contributor

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/openstack-operator-build-deploy-kuttl-4-18 | 505c75b | link | unknown | /test openstack-operator-build-deploy-kuttl-4-18 |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
