From 85e69406ff9dacdf5a489b5695050991276bdac6 Mon Sep 17 00:00:00 2001
From: rabi
Date: Wed, 11 Mar 2026 11:10:43 +0530
Subject: [PATCH] Retry endpoint cert fingerprint check in tls-cert-rotation kuttl test
The ctlplane-tls-cert-rotation kuttl test can fail because it collects endpoint TLS fingerprints before service pods have restarted with the new certificates. Replace the one-shot fingerprint check with a retry loop that polls until all endpoint certs have rotated.
Change-Id: I50bd0cd57b05cbf88bcf77b7835d7c23f06694b4
Signed-off-by: rabi
---
 .../04-assert-service-cert-rotation.yaml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml b/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml
index 6525e4e14..bee83c34e 100644
--- a/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml
+++ b/test/kuttl/tests/ctlplane-tls-cert-rotation/04-assert-service-cert-rotation.yaml
@@ -7,9 +7,16 @@ commands:
 NAMESPACE=$NAMESPACE bash ../../common/osp_check_noapi_service_certs.sh
 - script: |
- echo "Get fingerprints of all service certs"
+ echo "Checking endpoint cert rotation..."
+ for i in $(seq 1 30); do
+ oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after
+ if bash ../../common/osp_check_fingerprints.sh 2>/dev/null; then
+ echo "All endpoint certs rotated successfully."
+ exit 0
+ fi
+ echo "Attempt $i/30: Not all certs rotated yet, waiting 20s..."
+ sleep 20
+ done
+ echo "Collecting final fingerprints for failure diagnostics..."
 oc exec -i openstackclient -n $NAMESPACE -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after
-
- - script: |
- echo "Check if all services from before are present in after and have valid fingerprints"
 bash -s < ../../common/osp_check_fingerprints.sh
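Review bot: Inside the retry loop the exit status of `oc exec ... > /tmp/endpoint_fingerprints_after` is never checked and the check script's stderr is sent to `/dev/null`, so a failed collection (for example while the openstackclient pod is unavailable) is reported as "Not all certs rotated yet", and whether an empty or truncated after-file can satisfy `osp_check_fingerprints.sh` cannot be seen from this hunk. For a test that asserts TLS rotation, chain the two steps so the check only runs on a collection that succeeded: `if oc exec -i openstackclient -n "$NAMESPACE" -- bash -s < ../../common/osp_endpoint_fingerprints.sh > /tmp/endpoint_fingerprints_after && bash ../../common/osp_check_fingerprints.sh 2>/dev/null; then`. The fixed `/tmp/endpoint_fingerprints_after` name is also predictable on a shared runner; a `mktemp` path would be safer, but that presumably requires the check script to accept the path, which is outside this hunk.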