[tlse] tls for ManilaAPI pod configuration #212

Deydra71 · 2024-01-18T14:34:22Z

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-3883

softwarefactory-project-zuul · 2024-01-19T14:51:51Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/28f2cca960ee425dbc9f0ec968359b4c

❌ openstack-k8s-operators-content-provider FAILURE in 8m 14s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

config/samples/manila_v1beta1_manila_tls.yaml

controllers/manila_controller.go

controllers/manilaapi_controller.go

pkg/manilaapi/statefulset.go

templates/manila/config/10-manila_wsgi.conf

softwarefactory-project-zuul · 2024-02-05T16:03:28Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/98e14a2cad31445a9de819cca60573af

❌ openstack-k8s-operators-content-provider FAILURE in 8m 02s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

softwarefactory-project-zuul · 2024-02-06T13:42:44Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/751b060f9ed343f7bd7f223b7298086f

❌ openstack-k8s-operators-content-provider FAILURE in 7m 59s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

softwarefactory-project-zuul · 2024-02-06T15:51:33Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/28566864fb9941f9bcd3f767d693d652

❌ openstack-k8s-operators-content-provider FAILURE in 8m 47s
⚠️ manila-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

Deydra71 · 2024-02-07T10:01:03Z

/retest

config/samples/manila_v1beta1_manilaapi.yaml

controllers/manila_controller.go

pkg/manilaapi/statefulset.go

stuggi

looks good to me, just could extend the tests as we did in other operators as mentioned inline

test/functional/manila_controller_test.go

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/manila-operator#212 Signed-off-by: Veronika Fisarova <[email protected]>

stuggi · 2024-02-09T08:35:02Z

/test manila-operator-build-deploy-kuttl

stuggi · 2024-02-09T11:08:46Z

looks good to me. @fmount if you are happy with it, we could merge it

fmount

/lgtm

test/functional/manila_controller_test.go

fmount · 2024-02-09T11:18:04Z

Thank you @Deydra71 for this work and @stuggi for the many reviews!

openshift-ci · 2024-02-09T11:18:24Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, fmount

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [fmount]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured. Depends-On: openstack-k8s-operators/lib-common#428 Signed-off-by: Veronika Fisarova <[email protected]>

openshift-ci · 2024-02-09T11:20:08Z

New changes are detected. LGTM label has been removed.

fmount · 2024-02-09T12:28:21Z

/test manila-operator-build-deploy-tempest

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/manila-operator#212 Signed-off-by: Veronika Fisarova <[email protected]>

Deydra71 requested review from olliewalsh, fmount and stuggi January 18, 2024 14:34

openshift-ci bot requested a review from viroel January 18, 2024 14:34

Deydra71 added the do-not-merge/hold label Jan 18, 2024

Deydra71 force-pushed the tls-support branch from 190efba to 6daa87f Compare January 19, 2024 14:42

Deydra71 force-pushed the tls-support branch from 6daa87f to 568a757 Compare January 24, 2024 09:30

openshift-merge-robot added the needs-rebase label Jan 26, 2024

Deydra71 force-pushed the tls-support branch from 568a757 to 16f3b9a Compare January 26, 2024 14:01

openshift-merge-robot removed the needs-rebase label Jan 26, 2024

Deydra71 force-pushed the tls-support branch 2 times, most recently from bb41e5b to 8cd8a39 Compare January 29, 2024 08:24

openshift-merge-robot added the needs-rebase label Jan 30, 2024

Deydra71 force-pushed the tls-support branch from 8cd8a39 to 05d6cc0 Compare January 31, 2024 15:01

openshift-merge-robot removed the needs-rebase label Jan 31, 2024

Deydra71 force-pushed the tls-support branch 2 times, most recently from c4f37a2 to cda2809 Compare February 1, 2024 15:24

stuggi reviewed Feb 2, 2024

View reviewed changes

Deydra71 force-pushed the tls-support branch 3 times, most recently from 57e0012 to 843ec84 Compare February 5, 2024 15:53

Deydra71 force-pushed the tls-support branch from 843ec84 to b3b09e8 Compare February 6, 2024 13:34

Deydra71 force-pushed the tls-support branch from b3b09e8 to a032134 Compare February 6, 2024 15:41

Deydra71 force-pushed the tls-support branch 2 times, most recently from 01a4605 to 3864f7f Compare February 7, 2024 08:54

Deydra71 removed the do-not-merge/hold label Feb 7, 2024

stuggi reviewed Feb 7, 2024

View reviewed changes

config/samples/manila_v1beta1_manilaapi.yaml Outdated Show resolved Hide resolved

controllers/manila_controller.go Outdated Show resolved Hide resolved

pkg/manilaapi/statefulset.go Outdated Show resolved Hide resolved

pkg/manilaapi/statefulset.go Outdated Show resolved Hide resolved

Deydra71 force-pushed the tls-support branch from 3864f7f to b391a2a Compare February 7, 2024 13:38

stuggi reviewed Feb 8, 2024

View reviewed changes

test/functional/manila_controller_test.go Show resolved Hide resolved

Deydra71 mentioned this pull request Feb 9, 2024

[tlse] internal TLS support for manila openstack-k8s-operators/openstack-operator#662

Merged

Deydra71 force-pushed the tls-support branch from b391a2a to a93edef Compare February 9, 2024 07:34

stuggi added the lgtm label Feb 9, 2024

fmount approved these changes Feb 9, 2024

View reviewed changes

test/functional/manila_controller_test.go Outdated Show resolved Hide resolved

openshift-ci bot assigned fmount Feb 9, 2024

openshift-ci bot added the approved label Feb 9, 2024

Deydra71 force-pushed the tls-support branch from a93edef to fd9f3ec Compare February 9, 2024 11:20

openshift-ci bot removed the lgtm label Feb 9, 2024

stuggi added the lgtm label Feb 12, 2024

openshift-merge-bot bot merged commit 91c953f into openstack-k8s-operators:main Feb 12, 2024
9 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[tlse] tls for ManilaAPI pod configuration #212

[tlse] tls for ManilaAPI pod configuration #212

Deydra71 commented Jan 18, 2024 •

edited

Loading

softwarefactory-project-zuul bot commented Jan 19, 2024

softwarefactory-project-zuul bot commented Feb 5, 2024

softwarefactory-project-zuul bot commented Feb 6, 2024

softwarefactory-project-zuul bot commented Feb 6, 2024

Deydra71 commented Feb 7, 2024 via email •

edited

Loading

stuggi left a comment

stuggi commented Feb 9, 2024

stuggi commented Feb 9, 2024

fmount left a comment

fmount commented Feb 9, 2024

openshift-ci bot commented Feb 9, 2024

openshift-ci bot commented Feb 9, 2024

fmount commented Feb 9, 2024

[tlse] tls for ManilaAPI pod configuration #212

[tlse] tls for ManilaAPI pod configuration #212

Conversation

Deydra71 commented Jan 18, 2024 • edited Loading

softwarefactory-project-zuul bot commented Jan 19, 2024

softwarefactory-project-zuul bot commented Feb 5, 2024

softwarefactory-project-zuul bot commented Feb 6, 2024

softwarefactory-project-zuul bot commented Feb 6, 2024

Deydra71 commented Feb 7, 2024 via email • edited Loading

stuggi left a comment

Choose a reason for hiding this comment

stuggi commented Feb 9, 2024

stuggi commented Feb 9, 2024

fmount left a comment

Choose a reason for hiding this comment

fmount commented Feb 9, 2024

openshift-ci bot commented Feb 9, 2024

openshift-ci bot commented Feb 9, 2024

fmount commented Feb 9, 2024

Deydra71 commented Jan 18, 2024 •

edited

Loading

Deydra71 commented Feb 7, 2024 via email •

edited

Loading