action #103539
closed
Update expired SSL certificate on monitor.qa.suse.de with dehydrated and salt, same as on OSD size:M
Added by okurz about 3 years ago.
Updated almost 3 years ago.
Description
Observation¶
Same as for OSD done in #103149 we need to update SSL certificates on all the domains we have linked to monitor.qa.suse.de (4 domains). See https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/615
Acceptance criteria¶
AC1: monitor.qa.suse.de has a valid certificateAC2: stats.openqa-monitor.qa.suse.de has a valid certificate- AC3: there is monitoring for the certificate, same as we have for osd
AC4: The certificates are automatically refreshed
Suggestions¶
Files
- Subject changed from Update SSL certificates on monitor.qa.suse.de with dehydrated and salt, same as on OSD to Update expired SSL certificate on monitor.qa.suse.de with dehydrated and salt, same as on OSD size:M
- Description updated (diff)
- Status changed from New to Workable
- Assignee set to nicksinger
- Status changed from Workable to In Progress
- Status changed from In Progress to Feedback
- Related to action #103527: osd-deployment pipelines fail and alerts are not handled size:M added
monitor.qa.suse.de and stats.openqa-monitor.qa.suse.de seems to work - any remaining steps wrt making sure renewal happens automatically?
- Priority changed from Urgent to Normal
Lowering priority since, as far as I can tell, the sites work without exceptions in the browser
I suggest to add monitoring, same as we already have for OSD
- Description updated (diff)
- Due date set to 2022-01-07
- Status changed from Feedback to Workable
Monitoring is left to do. Will carry this over into the new year. If anybody is bored feel free to take over :) Otherwise I will add the monitoring in the new year. Our current certificate is valid until the 20th of Jan so we have headroom to implement this monitoring before the current cert expires
- Due date changed from 2022-01-07 to 2022-01-14
- Priority changed from Normal to High
Seems like a good thing we already set the due date prematurely. @nicksinger I recall your saying you were already looking into it. If you can, please update here at the next opportunity - or if there's something others can help you with, you're welcome to ask.
- Status changed from Workable to In Progress
- Due date changed from 2022-01-14 to 2022-01-18
nicksinger wrote:
Monitoring is left to do. Will carry this over into the new year. If anybody is bored feel free to take over :) Otherwise I will add the monitoring in the new year. Our current certificate is valid until the 20th of Jan so we have headroom to implement this monitoring before the current cert expires
Apparently we're at Feb 14 now, which suggests automated renewal worked at least once.
cdywan wrote:
https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/639 is still in progress, I'm starting to get worried that we'll see alerts for broken certificates afterall... bumping the due date to tomorrow in any case
@nicksinger Please prepare manual steps to do the update tomorrow
Just to make it clear here in the ticket too:
AC4: The certificates are automatically refreshed
is already done. Therefore we don't need to worry about an expiring certificate and we won't see any alerts because this is why this ticket is still open - creating monitoring/alerts for it. I polished up https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/639 and think it can be merged now to receive the metrics. A dashboard for grafana is still left to do but I'd like to cover it in a separate MR
- Due date deleted (
2022-01-18)
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
