[tlse] tls for PlacementAPI pod configuration #92
Conversation
|
Skipping CI for Draft Pull Request. |
| "optional": true | ||
| }, | ||
| { | ||
| "source": "/var/lib/config-data/ca-trust", |
There was a problem hiding this comment.
@stuggi
Since we will be using one CA bundle file created by openstack-operator, we can specify the individual file instead the general folder (?)
|
this PR should contian updates to the samples and kuttl and even tests to test it |
SeanMooney
added
requires-envtest
It's in the draft state still ^^ |
|
yes i know just wanted to call that out |
I had added envtest coverage in serviceoverride PR https://github.com/openstack-k8s-operators/placement-operator/blob/main/tests/functional/placementapi_controller_test.go#L452 / https://github.com/openstack-k8s-operators/placement-operator/blob/main/tests/functional/placementapi_controller_test.go#L537 |
Deydra71
force-pushed
the
tls-support
branch
7 times, most recently
from
030e9ef to
2cc67b3
Compare
|
@gibizer Could you please review, and give ok to test label if sufficient? I still need to make updates to kuttl and functional test, but otherwise the general TLS support is set from major part. |
| properties: | ||
| disableNonTLSListeners: | ||
| type: boolean | ||
| secretName: |
There was a problem hiding this comment.
I just realized that this is probably not enough. we create two services per api, public and internal to allow to use different service types (also LoadBalancer types if you do not use routes for public). With the current tls struct here, we only allow passing in one secret for the service operator.
There was a problem hiding this comment.
I mean this is not a blocker for this PR since its main focus is to get the cacert bundle in so that it can validate e.g. tls connection to db/rabbit. the second step would be to enable the tls for placement itself. just something we have to enhance.
There was a problem hiding this comment.
I see, updating the Service struct could bring more mess as it's already being used in other's implementations. I suggest keeping this PR focused on CA bundle support and then in next implement the support for the public and internal service type.
Deydra71
force-pushed
the
tls-support
branch
3 times, most recently
from
7157889 to
0e75c13
Compare
|
On hold until the agreed changes of the TLS structure are implemented in the lib-common. |
Deydra71
force-pushed
the
tls-support
branch
from
0e75c13 to
7e98cb3
Compare
Deydra71
changed the title
Deydra71
force-pushed
the
tls-support
branch
from
7e98cb3 to
28dfcf4
Compare
| metadata: | ||
| name: cert-public-svc | ||
| labels: | ||
| service: placement |
Deydra71
force-pushed
the
tls-support
branch
3 times, most recently
from
d578b11 to
6779da3
Compare
|
/test placement-operator-build-deploy-kuttl |
Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs are mounted to in var/lib/config-data/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Server cert and key are intended to be moved by kolla to /etc/pki/tls/certs|private. Depends-On: openstack-k8s-operators/lib-common#428 Signed-off-by: Veronika Fisarova <[email protected]>
There was a problem hiding this comment.
Looks good to me. I assume it was tested together with openstack-k8s-operators/openstack-operator#625 and works.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Deydra71, gibizer The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 72883dc
into
openstack-k8s-operators:main
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/placement-operator#92
Jira: OSPRH-2368
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/placement-operator#92
Jira: OSPRH-2368
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/placement-operator#92
Jira: OSPRH-2368
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/placement-operator#92
Jira: OSPRH-2368
Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured.
Depends-On: openstack-k8s-operators/lib-common#428
Jira: OSPRH-2368