HDDS-8592. Fetch and save all root certificates during service's certificate rotation. #5025

Merged
merged 7 commits into from
Jul 6, 2023

Conversation

Contributor

@Galsza Galsza commented Jul 5, 2023

What changes were proposed in this pull request?

This is a redone version of an approved draft PR: #5000.
The reason for the redo is to clean up the commit history and make sure that the rebase process was done cleanly.
Unfortunately I lost the original changes in that pull request due to a personal error and had to use changes saved in #5001.
But during the process of taking commits from that pull request I realized that the conflicts and the number of commits make it more complicated than rewriting it from scratch. Sorry for the inconvenience.

Orig description:
After the SCMs finished their part of root CA rotation, the clients also need to get the new root CA certificate. This is done through a simple polling mechanism that asks the SCMs for the root CAs and, once it observes a change, invokes a consumer from the clients to notify them. Integrating this change is going to be done in later items.

What is the link to the Apache JIRA

HDDS-8592

How was this patch tested?

Added unit tests. Functional change is not yet observed in this patch as the polling is not actually integrated into anything yet.
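
The polling mechanism described above, as an added example that is not code from this pull request or from Apache Ozone: a poller fetches the current root CA set, compares it by SHA-256 fingerprint with the last accepted set, and invokes the registered consumer only on a change. The class `RootCaPollSketch`, its methods, the supplier standing in for the SCM call, and the rule that an empty answer is ignored are all assumptions of this sketch.

```java
import java.security.*;
import java.util.*;
import java.util.function.*;

// Hypothetical sketch: class and method names are illustrative, not Apache Ozone's.
public class RootCaPollSketch {
  private final Supplier<List<byte[]>> fetchRootCas; // stands in for the call to the SCMs
  private final Consumer<List<byte[]>> onChange;     // consumer registered by the client
  private Set<String> known = new TreeSet<>();       // fingerprints of the last accepted set
  RootCaPollSketch(Supplier<List<byte[]>> fetch, Consumer<List<byte[]>> onChange) {
    this.fetchRootCas = fetch;
    this.onChange = onChange;
  }
  static Set<String> fingerprints(List<byte[]> certs) { // SHA-256 of each encoded cert
    Set<String> out = new TreeSet<>();
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      certs.forEach(c -> out.add(Base64.getEncoder().encodeToString(md.digest(c))));
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);
    }
    return out;
  }

  synchronized boolean pollOnce() { // one round; a scheduler would call this periodically
    List<byte[]> fetched = fetchRootCas.get();
    if (fetched == null || fetched.isEmpty()) {
      return false; // assumption of this sketch: an empty answer never replaces known roots
    }
    Set<String> seen = fingerprints(fetched);
    if (seen.equals(known)) {
      return false;
    }
    known = seen;
    onChange.accept(fetched);
    return true;
  }

  public static void main(String[] args) {
    // Constructed placeholder bytes standing in for encoded root CA certificates.
    List<byte[]> served = new ArrayList<>(Collections.singletonList(new byte[] {0x01}));
    RootCaPollSketch poller = new RootCaPollSketch(() -> new ArrayList<>(served),
        certs -> System.out.println("root CA set changed, size=" + certs.size()));
    poller.pollOnce();             // first round: initial set is accepted
    poller.pollOnce();             // same set again: consumer is not called
    served.add(new byte[] {0x02}); // rotation finished on the SCM side
    poller.pollOnce();             // new root observed: consumer is called
  }
}
```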

@Galsza Galsza marked this pull request as ready for review July 6, 2023 10:19
@Galsza Galsza marked this pull request as draft July 6, 2023 10:38
@Galsza Galsza force-pushed the HDDS-8592_redo_changes branch from 4e9021c to 37cd46c Compare July 6, 2023 10:52
@Galsza Galsza marked this pull request as ready for review July 6, 2023 10:52
@ChenSammi ChenSammi changed the title HDDS-8592. Prepare DefaultCertificateClient for Root CA Rotation HDDS-8592. Fetch and persist all root certificates during service's certificate roration. Jul 6, 2023
@ChenSammi ChenSammi changed the title HDDS-8592. Fetch and persist all root certificates during service's certificate roration. HDDS-8592. Fetch and save all root certificates during service's certificate roration. Jul 6, 2023
@ChenSammi
Contributor

@Galsza, the patch looks good. Wait for the CI result.

@ChenSammi
Contributor

ChenSammi commented Jul 6, 2023

The failed filesystem integration test is irrelevant. The error is "no space on disk". It could be related to "TestRootedOzoneFileSystem". @adoroszlai has raised the ticket HDDS-8981.

https://github.com/apache/ozone/actions/runs/5474596081

@ChenSammi ChenSammi changed the title HDDS-8592. Fetch and save all root certificates during service's certificate roration. HDDS-8592. Fetch and save all root certificates during service's certificate rotation. Jul 6, 2023
@ChenSammi ChenSammi merged commit e23cf1b into apache:master Jul 6, 2023
errose28 added a commit to errose28/ozone that referenced this pull request Jul 10, 2023
* master: (36 commits)
  HDDS-8990. Intermittent timeout waiting on datanode4 9856 to become available (apache#5039)
  Revert "HDDS-7750. Incorrect WRITE ACL check. (apache#4992)"
  HDDS-7750. Incorrect WRITE ACL check. (apache#4992)
  HDDS-8985. Intermittent timeout exiting safe mode in HA secure tests (apache#5033)
  HDDS-8593. Add RootCARotationPoller to CertClient (apache#5030)
  HDDS-7645. Kubernetes check should fail fast if cluster cannot start (apache#5028)
  HDDS-8981. TestRootedOzoneFileSystem runs out of disk space (apache#5029)
  HDDS-8592. Fetch and save all root certificates during service's certificate rotation. (apache#5025)
  HDDS-8981. Disable TestRootedOzoneFileSystem#testSafeMode
  HDDS-8591. Create scheduler to check for new root ca certificates (apache#4961)
  HDDS-8979. error validating kustomization.yaml (apache#5024)
  HDDS-8973. Ozone SCM HA should not allocates duplicate IDs when transferring leadership (apache#5018)
  HDDS-8970. Snapshot Diff should return path relative to bucket root (apache#5015)
  HDDS-8975. Clarify SCM HA auto-bootstrap doc (apache#5021)
  HDDS-8689. Rotate Root CA and Sub CA in SCM. (apache#4943)
  HDDS-8436. Support setSafeMode(), isFileClosed() FileSystem API (apache#4825)
  HDDS-8880. Intermittent fork timeout in TestOMRatisSnapshots (apache#5022)
  HDDS-8962. Ensure docker env is stopped (apache#5011)
  HDDS-7794. [snapshot] SnapshotDiff should throw better error messages for exception handling (apache#5007)
  HDDS-7922. [FSO] S3G folder support fso layout filestatus s3A compatibility (apache#4448)
  ...