CI: Fix CAPO misc failure on flux-webui and gitea
What does this MR do and why?
We noticed multiple failures in capo CI misc pipelines (in particular we have seen errors related to flux-webui & gitea). Looking into flux pod logs I've found some inconsistencies in the SSO integration due to a wrong CA certificate:
Get "https://keycloak.sylva/realms/sylva/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
As you probably know, the misc CI is the only place where we are testing the usage of an external certificate into our stack. The bottleneck in this case is related to changes introduced into MR !1577 (merged), which modified the variable name from CA_CERT to CA_CHAIN (91e4a4db), but the secret related to extraCA (https://gitlab.com/sylva-projects/sylva-core/-/blob/main/kustomize-units/sylva-ca/extra-cert.yaml?ref_type=heads#L8) has not been updated.
This affects the sylva-ca.crt secret created by external secret operator, which was not properly configured and did not contain both certificates (the internal one, generated by certificate manager, and the external one). To validate the SSL communication between components, this secret should have both certificates in order to be trusted in terms of certificate authority.
Changing the variable name fixes the CI and now it's working as expected (see: https://gitlab.com/sylva-projects/sylva-core/-/jobs/8676112253)
Related reference(s)
Closes #1943 (closed)
Test coverage
CI configuration
CI pipelines perform an update for both management and workload clusters. By default, this update will NOT perform a ClusterAPI rolling update (deletion and creation of new K8s nodes).
For some cases, it may be relevant to perform more complex tests.
These features can be activated in an MR by adding one of these labels to the MR and will apply to the next pipelines.
- adding the label ci-featuretest-rolling-update: pipelines will perform a node rolling update in the -update jobs (without version upgrades)
- adding the label ci-featuretest-upgrade-from-1.2.1: pipelines will perform an upgrade from Sylva 1.2.1 to your dev branch (including a k8s version upgrade resulting in a node rolling update)
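The root cause described in this MR, a manifest still referencing CA_CERT after the variable was renamed to CA_CHAIN, is the kind of drift a pre-merge lint can catch. The following is an added example, not code from this MR or from sylva-core: it assumes manifests use `${NAME}`-style placeholders filled from a known set of substitution variables, and the manifest text, the secret name `example-extra-ca` and the function name are constructed for illustration.

```python
import re

# Matches ${NAME}, ${NAME:-default} and ${NAME:=default}; "$${NAME}" is an escape.
PLACEHOLDER = re.compile(
    r"(?<!\$)\$\{([A-Za-z_][A-Za-z0-9_]*)((?::?[-=])[^}]*)?\}"
)

# Constructed sample, NOT the project's extra-cert.yaml: a Secret that still
# uses the old variable name after the rename to CA_CHAIN.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: example-extra-ca
stringData:
  ca.crt: |
    ${CA_CERT}
  note: ${OPTIONAL_NOTE:-none}
"""


def undefined_placeholders(manifest: str, defined: set) -> list:
    """Return (line_number, name) for every placeholder that has neither a
    defined substitution variable nor an inline default. Such a placeholder
    ends up empty or literal, which here would leave the external CA out of
    the trust bundle."""
    findings = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # skip YAML comment lines
            continue
        for match in PLACEHOLDER.finditer(line):
            name, default = match.group(1), match.group(2)
            if name not in defined and default is None:
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    # Variables available after the rename (assumed set for this example).
    for lineno, name in undefined_placeholders(SAMPLE_MANIFEST, {"CA_CHAIN"}):
        print(f"line {lineno}: ${{{name}}} has no value and no default")
```

Run against rendered or source manifests in CI, a non-empty result would fail the job before the TLS "unknown authority" error surfaces at runtime.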