Skip to content

Cleanup orphan certificates when nodes are removed from NodeSet #1792

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rabi wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Cleanup orphan certificates when nodes are removed from NodeSet #1792

rabi wants to merge 1 commit into from

Conversation

@rabi
Copy link
Contributor

@rabi rabi commented Feb 3, 2026
edited by openshift-ci bot
Loading

When a node is removed from a DataPlane NodeSet, the TLS certificates created for that node were not being cleaned up, leaving orphan Certificate resources in the cluster.

This adds a cleanupStaleCertificates function that runs at the beginning of EnsureTLSCerts to delete certificates for nodes that no longer exist in the NodeSet. It uses the allHostnames map (which reflects current nodes) to identify stale certificates by comparing against the hostname label on existing Certificate CRs.

Jira: OSPRH-26077

@openshift-ci openshift-ci bot requested review from slagle and stuggi February 3, 2026 06:02
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rabi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Feb 3, 2026
stuggi
stuggi reviewed Feb 3, 2026
View reviewed changes
internal/dataplane/cert.go
}
if _, exists := allHostnames[hostname]; !exists {
util.LogForObject(helper, fmt.Sprintf("Deleting stale certificate %s for removed node %s", cert.Name, hostname), instance)
if err := helper.GetClient().Delete(ctx, &cert); client.IgnoreNotFound(err) != nil {
Copy link
Contributor

@stuggi stuggi Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also delete the secret holding the certs after the cert CR was removed. In cert-manager there is only a global switch to cleanup the secrets holding the cert when the cert CR gets deleted, which is per default false and not happening. If we'd leave the cert secret and you add a node with the same hostname it would re-use the older certs, instead of replacing them this new ones.

Copy link
Contributor Author

@rabi rabi Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, let me add that. Thanks.

@rabi @cursoragent
Cleanup orphan certificates when nodes are removed from NodeSet
8bcb489 
When a node is removed from a DataPlane NodeSet, the TLS certificates
created for that node were not being cleaned up, leaving orphan
Certificate resources in the cluster.

This adds a cleanupStaleCertificates function that runs at the beginning
of EnsureTLSCerts to delete certificates for nodes that no longer exist
in the NodeSet. It uses the allHostnames map (which reflects current
nodes) to identify stale certificates by comparing against the hostname
label on existing Certificate CRs.

Jira: OSPRH-26077
Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: rabi <ramishra@redhat.com>
@rabi
Copy link
Contributor Author

rabi commented Feb 3, 2026

/test functional

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 3, 2026

@rabi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/openstack-operator-build-deploy-kuttl 8bcb489 link true /test openstack-operator-build-deploy-kuttl
ci/prow/openstack-operator-build-deploy-kuttl-4-18 8bcb489 link true /test openstack-operator-build-deploy-kuttl-4-18

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@softwarefactory-project-zuul
Copy link

softwarefactory-project-zuul bot commented Feb 3, 2026

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/a92c233d21144e86ad9d6b51329980ab

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 19m 38s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 21m 23s
cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 31m 51s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 43m 57s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stuggi stuggi stuggi left review comments

@slagle slagle Awaiting requested review from slagle

Assignees

No one assigned

Labels

approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rabi @stuggi