Revert "[tls] Add CA bundle from OpenStackCtlplane to controller" #737
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/5c66387583d843f39f22773c52977344 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 20m 00s |
cjeanner
force-pushed
the
bundle-ca/revert
branch
from
8db6775 to
be6189c
Compare
|
New changes are detected. LGTM label has been removed. |
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/ffe8a2e752eb46c4885576b77d4ff110 ✔️ openstack-k8s-operators-content-provider SUCCESS in 57m 34s |
This is a *partial* revert of 00e8d24. We've seen constant failures in a CI job, linked to certificate validation: https://review.rdoproject.org/zuul/builds?job_name=podified-multinode-edpm-e2e-nobuild-tagged-crc&project=openstack-k8s-operators/ci-framework An example: FAILED - RETRYING: [localhost]: Wait for keystone endpoint to exist in DNS (1 retries left). fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300, 301, 302, 401, 402, 403]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)>", "redirected": false, "status": -1, "url": "https://keystone-public-openstack.apps-crc.testing"} Reverting the CA verification toggle patch seems the safest way to get back to a green CI. It's still supposed to fetch and install the CA at this point. We're seeing tempest failures when we do a complete reverse. Note: the new failure may be related to a recent patch: openstack-k8s-operators/openstack-operator#502
cjeanner
force-pushed
the
bundle-ca/revert
branch
from
be6189c to
dbe17d9
Compare
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/5f0a20838e9c4edca78f412c85cffa39 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 19m 21s |
|
Issue isn't really on our side in fact. The failing job is consuming published content without any rebuild - meaning we may need a bump of the openstack-operator or related change. We'll move the tagged-nobuild job to periodic since the edpm-deployment is already running on each PR. |
This is a partial revert of 00e8d24.
We've seen constant failures in a CI job, linked to certificate
validation:
https://review.rdoproject.org/zuul/builds?job_name=podified-multinode-edpm-e2e-nobuild-tagged-crc&project=openstack-k8s-operators/ci-framework
An example:
FAILED - RETRYING: [localhost]: Wait for keystone endpoint to exist in DNS (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300, 301, 302, 401, 402, 403]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)>", "redirected": false, "status": -1, "url": "https://keystone-public-openstack.apps-crc.testing/"}
Reverting the CA verification toggle patch seems the safest way to get
back to a green CI.
It's still supposed to fetch and install the CA at this point.
We're seeing tempest failures when we do a complete reverse.
Note: the new failure may be related to a recent patch:
openstack-k8s-operators/openstack-operator#502
As a pull request owner and reviewers, I checked that: