Note
Before proceeding with the manual steps below, verify that you have performed the steps described in Apply maintenance updates.
Fixed the issue with the aptly endpoint being enabled in HAProxy on the CI/CD
nodes even if the cluster has no aptly node (in online deployments) and causing
HAProxy to report that the aptly-public endpoint is in the DOWN state.
To apply the issue resolution:
Log in to the Salt Master node.
In classes/cluster/<cluster_name>/cicd/control/init.yml,
remove or comment out the following class:
classes:
...
- system.haproxy.proxy.listen.cicd.aptly
...
Refresh pillars:
salt -C 'I@jenkins:client and I@haproxy:proxy' saltutil.refresh_pillar
Apply the changes to HAProxy on the CI/CD nodes:
salt -C 'I@jenkins:client and I@haproxy:proxy' state.apply haproxy.proxy
Added a helper to update the time stamp of the last password change to avoid
issues with lost access to the Salt Master node.
Due to CIS 5.4.1.1, the Salt Master node password expiration is set to maximum
90 days with a subsequent access lock if the password is not updated. As a
result, if the user does not update the password, even if
PasswordAuthentication is disabled, access to the Salt Master node may be
lost.
To apply the issue resolution, perform the steps described in
MCP Deployment Guide: Modify Salt Master password expiration.