Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[tlse] internal TLS support for keystone #621

Merged
merged 1 commit into from
Jan 30, 2024
Merged

[tlse] internal TLS support for keystone #621

merged 1 commit into from
Jan 30, 2024

Conversation

stuggi
Copy link
Contributor

@stuggi stuggi commented Jan 11, 2024
edited by openshift-ci bot
Loading

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true

For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.:

  customServiceConfig: |
    [keystone_authtoken]
    insecure = true

For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:

  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: #620
Depends-On: openstack-k8s-operators/keystone-operator#348

Jira: OSPRH-2183

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/lib-common for 384,7629711060c894e11a1d5dff6feed8e3d6a731ae

@stuggi
Copy link
Contributor Author

stuggi commented Jan 11, 2024
edited
Loading

needs to be rebased when #620 landed. only last commit is relevant for this PR

@stuggi stuggi marked this pull request as draft January 11, 2024 11:29
@stuggi stuggi requested review from olliewalsh and Deydra71 and removed request for lewisdenny and frenzyfriday January 11, 2024 11:31
@stuggi stuggi mentioned this pull request Jan 11, 2024
Closed
@stuggi stuggi force-pushed the tlse_keystone branch 2 times, most recently from b3c577d to c7b408b Compare January 12, 2024 16:06
@stuggi stuggi marked this pull request as ready for review January 12, 2024 16:11
@openshift-ci openshift-ci bot requested a review from viroel January 12, 2024 16:11
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/1e073cc361644f658996a1e0222fe8e1

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 02m 44s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 37m 27s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 24m 34s
cifmw-data-plane-adoption-OSP-17-to-extracted-crc FAILURE in 1h 34m 25s
openstack-operator-tempest-multinode FAILURE in 1h 40m 48s

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/0f294f07044c48c49e95dc67f9b076df

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 19m 34s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 11m 34s
cifmw-crc-podified-edpm-baremetal FAILURE in 16m 43s
✔️ cifmw-data-plane-adoption-osp-17-to-extracted-crc SUCCESS in 2h 01m 31s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 38m 43s

@stuggi
Copy link
Contributor Author

stuggi commented Jan 26, 2024

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/c28a0bf8b41a4164a1830080dcd7fa7d

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 02m 07s
podified-multinode-edpm-deployment-crc RETRY_LIMIT in 42m 29s
cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 38m 10s
cifmw-data-plane-adoption-osp-17-to-extracted-crc RETRY_LIMIT in 46m 02s
openstack-operator-tempest-multinode RETRY_LIMIT in 11m 30s

@stuggi
[tlse] internal TLS support for keystone
8cee472 
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true

For services which at this point don't support TLS, cert validation
could be disabled using customService config like e.g.:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
~~~

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/keystone-operator#348

Jira: OSPRH-2183
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/28f966dac9944fef90a0efb126eedeac

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 40m 32s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 06m 55s
cifmw-crc-podified-edpm-baremetal FAILURE in 13m 57s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 25m 55s

@stuggi
Copy link
Contributor Author

stuggi commented Jan 29, 2024

/retest

@stuggi
Copy link
Contributor Author

stuggi commented Jan 30, 2024

/retest

@stuggi
Copy link
Contributor Author

stuggi commented Jan 30, 2024

recheck

olliewalsh
olliewalsh approved these changes Jan 30, 2024
View reviewed changes
Copy link
Contributor

@olliewalsh olliewalsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 30, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit dc24492 into openstack-k8s-operators:main Jan 30, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olliewalsh olliewalsh olliewalsh approved these changes

@Deydra71 Deydra71 Awaiting requested review from Deydra71

@viroel viroel Awaiting requested review from viroel

Assignees

@olliewalsh olliewalsh

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stuggi @olliewalsh @openshift-merge-robot