nsxserviceaccount: update PI cert when there is PI while there is no cluster-control-plane #1020
Each time nsx-operator reconciles an NSXServiceAccount, it creates a new cert, uses the new cert to create the PI, and then creates the cluster-control-plane resource.
If the PI creation was successful but the cluster-control-plane creation fails, it doesn't delete the PI, but it continues with the next retry. The next retry will generate a new cert, but the new cert is not updated to the existing PI, and the new cert is used for creating the cluster-control-plane. In this bug, at first the license is missing, so the PI is created with an older cert, and then the license is configured, so the cluster-control-plane is created with a newer cert. That's why the clusters created before the license was applied run into this symptom.
The key problem is this code snippet:
This code was originally for checking whether a cluster with the same name has already been registered but with a different UUID. This means there is probably some leftover data in NSX.
Leftover data case:
hasPI: false
!hasPI: true
(piObj == nil): false
!hasPI != (piObj == nil): true
So it reports the "old PI exists" error.
PI creation successful but cluster-control-plane creation failure case:
hasPI: true
!hasPI: false
(piObj == nil): false
!hasPI != (piObj == nil): false
So it doesn't report an error. In this case, the nsxserviceaccounts server shall update the PI with the new cert.
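
The retry sequence described above, replayed against a constructed in-memory model. This is an added example, not code from the nsx-operator repository: `fakeNSX`, `reconcile`, `run` and the `updatePICert` switch are hypothetical names, and `hasPI` is passed in as a parameter because the snippet that computes it is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeNSX is a constructed in-memory stand-in for NSX state (not the real client).
type fakeNSX struct {
	piCert, ccpCert string // "" means the object does not exist
	licensed        bool
}

var errOldPI = errors.New("old PI exists")

// reconcile models one retry. hasPI is an input because the page does not show
// how it is computed; updatePICert switches the fix on (hypothetical flag).
func reconcile(n *fakeNSX, attempt int, hasPI, updatePICert bool) error {
	cert := fmt.Sprintf("cert-%d", attempt) // every reconcile generates a new cert
	piMissing := n.piCert == ""             // stands for (piObj == nil)
	if !hasPI != piMissing {
		return errOldPI // leftover-data case from the description
	}
	if piMissing {
		n.piCert = cert // create the PI with the new cert
	} else if updatePICert {
		n.piCert = cert // fix: refresh the existing PI with the new cert
	}
	if !n.licensed {
		return errors.New("cluster-control-plane creation failed")
	}
	n.ccpCert = cert // cluster-control-plane is registered with the new cert
	return nil
}

// run replays the bug: attempt 1 without a license, attempt 2 with it.
func run(updatePICert bool) (piCert, ccpCert string) {
	n := &fakeNSX{}
	_ = reconcile(n, 1, false, updatePICert) // PI created, cluster-control-plane fails
	n.licensed = true
	_ = reconcile(n, 2, true, updatePICert) // PI already exists, check passes
	return n.piCert, n.ccpCert
}

func main() {
	fmt.Println(run(false)) // cert-1 cert-2: PI and cluster-control-plane disagree
	fmt.Println(run(true))  // cert-2 cert-2: PI refreshed on retry
}
```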