[TC-516] Deleting a DS thru the TO API should also delete all SSL keys (if applicable) about trafficcontrol HOT 6 CLOSED

I don't believe this will be backported to 2.1. Moving to 2.2

from trafficcontrol.

During some of my testing, I've had a few issues with the API call related to getting certificate for a CDN. I have a few questions here.

• The API GET /api/1.2/cdns/name/:name/sslkeys brings up all certificates from Riak for a CDN no matter if the delivery service is configured or not in Traffic Ops. I believe this impacts both ORT and Traffic Router and can lead to some issues hard to resolve. If this is implemented, this might help with this situation.

• On delete, should we keep the version of certificates around and only remove -latest? This way there is a recovery path, but what would happen if we recreate the delivery service?

• Is the wanted behavior to delete certs for both API and UI? (This issue is only for API).

from trafficcontrol.

"On delete, should we keep the version of certificates around and only remove -latest? This way there is a recovery path, but what would happen if we recreate the delivery service?"

IMO, on DS delete thru the API all related SSL keys in riak should just go away. No recovery path. Too messy to think about recovery paths. I like to keep it simple if possible. If you end up recreating the DS, you're going to have to regenerate or enter the keys. Thoughts?

from trafficcontrol.

"Is the wanted behavior to delete certs for both API and UI? (This issue is only for API)."

in the old UI, this bug has been around for quite sometime i guess so IMO it stays there.

Our time is better served IMO tightening up the future (the API) but if you disagree @smalenfant maybe another issue would make sense for the "UI side".

after thinking about this more, you're probably right...if you delete thru api or UI then riak ssl keys should be deleted...

from trafficcontrol.

"The API GET /api/1.2/cdns/name/:name/sslkeys brings up all certificates from Riak for a CDN no matter if the delivery service is configured or not in Traffic Ops. I believe this impacts both ORT and Traffic Router and can lead to some issues hard to resolve. If this is implemented, this might help with this situation."

maybe that warrents a different issue @smalenfant. if you agree, you want to create one? I kinda feel like this issue should just stick to deleting riak ssl keys when a ds is deleted...

from trafficcontrol.

This should happen on the CRConfig Snapshot, rather than the DS deletion. Because it's valid for an operator to delete a DS still receiving traffic, and not expect the "live" change to apply, and at some point the future to Snapshot the CRConfig to actually deploy the deletion.

from trafficcontrol.