[18.0-fr6] Fix cert-manager CA rotation race in TLS cert rotation KUTTL test #1967

Open
openshift-cherrypick-robot wants to merge 1 commit into
openstack-k8s-operators:18.0-fr6 from
openshift-cherrypick-robot:cherry-pick-1964-to-18.0-fr6

@openshift-cherrypick-robot

This is an automated cherry-pick of #1964

/assign abays

The ctlplane-tls-cert-rotation KUTTL test fails intermittently because
the custom_duration patch changes both CA and leaf cert durations
simultaneously. cert-manager processes Certificate resources in
parallel, so leaf certs can be re-issued before the CA itself is
re-issued, resulting in some certs signed by the old CA and others by
the new CA. This causes cross-service SSL verification failures (e.g.
neutron cannot connect to OVN NB due to CA mismatch).

Fix by removing CA duration changes from the patch so only leaf cert
durations change, preventing the CA key from rotating. Also add
cert-manager re-issuance waits and control plane stability checks in
step 03, and add retry logic to the non-API service cert check in
step 04.

Ref: https://redhat.atlassian.net/browse/OSPRH-32142

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
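
An added example, not part of the PR or the operator's test suite: a check for the mixed-CA state the description above attributes to the race, where some leaf certificates were signed by the previous CA key. It compares each leaf's Authority Key Identifier with the current CA's Subject Key Identifier as printed by `openssl x509 -noout -text`; the certificate names and key identifiers are constructed.

```python
import re

# Key-identifier value under a "Subject"/"Authority" heading in
# `openssl x509 -noout -text` output; some OpenSSL versions prefix the
# authority value with "keyid:".
KID_RE = (r"X509v3 {} Key Identifier:\s+(?:keyid:)?"
          r"((?:[0-9A-Fa-f]{{2}}:)+[0-9A-Fa-f]{{2}})")


def key_id(text, kind):
    """Return the Subject or Authority key identifier as lowercase hex, or None."""
    m = re.search(KID_RE.format(kind), text)
    return m.group(1).replace(":", "").lower() if m else None


def stale_leaves(ca_text, leaf_texts):
    """Names of leaf certs whose AKI differs from the current CA's SKI.

    leaf_texts maps a name to that certificate's openssl text dump. A leaf
    with no AKI is reported too, since it cannot be matched to the CA key.
    """
    ca_ski = key_id(ca_text, "Subject")
    if ca_ski is None:
        raise ValueError("CA certificate has no Subject Key Identifier")
    return sorted(name for name, text in leaf_texts.items()
                  if key_id(text, "Authority") != ca_ski)


def dump(ski, aki, keyid_prefix=False):
    """Build a constructed fragment shaped like openssl's text dump."""
    return ("        X509v3 extensions:\n"
            "            X509v3 Subject Key Identifier: \n"
            f"                {ski}\n"
            "            X509v3 Authority Key Identifier: \n"
            f"                {'keyid:' if keyid_prefix else ''}{aki}\n")


# Constructed sample: the CA was re-issued with a new key (SKI AA:...); one
# leaf was re-issued after it, the other was signed by the old key (BB:...).
CA_DUMP = dump("AA:11:22:33", "AA:11:22:33")
LEAF_DUMPS = {
    "leaf-neutron": dump("01:02:03:04", "aa:11:22:33"),          # hypothetical name
    "leaf-ovn-nb": dump("05:06:07:08", "BB:44:55:66", keyid_prefix=True),
}

if __name__ == "__main__":
    print(stale_leaves(CA_DUMP, LEAF_DUMPS))
```

Comparing key identifiers rather than issuer names matters here because a re-issued CA can keep its subject name while its key changes.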

github-actions Bot commented Jul 2, 2026

OpenStackControlPlane CRD Size Report

| Metric | Value |
| --- | --- |
| CRD JSON size | 349969 bytes (342KB) |
| Base branch size | 349969 bytes |
| Change | +0.00% |
| Status | yellow — growing |

Threshold reference

| Color | Range | Meaning |
| --- | --- | --- |
| 🟢 green | < 300KB | Comfortable |
| 🟡 yellow | 300–400KB | Growing |
| 🟠 orange | 400–750KB | Concerning |
| 🔴 red | > 750KB | Approaching 1.5MB etcd limit (cut in half to allow space for update) |

@abays abays left a comment

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm label Jul 2, 2026

openshift-ci Bot commented Jul 2, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abays, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Jul 2, 2026