[tlse] tls for KeystoneAPI pod configuration #348

stuggi · 2023-12-08T15:05:55Z

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The CA cert get direct mounted as the environment bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . The service certificates like config files and copied via kolla to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key .
Job deployments for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle, and endpoint secrets to be able to watch them for a change and reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2183

stuggi · 2023-12-08T15:06:19Z

/hold

- creates internal CA when internal TLS enabled - creates TLS certs via cert-manager and passes the cert secret information to the services, right now keystone, glance, cinder and neutron For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#384 Depends-On: openstack-k8s-operators/keystone-operator#348 Depends-On: openstack-k8s-operators/neutron-operator#263 Depends-On: openstack-k8s-operators/glance-operator#386 Depends-On: openstack-k8s-operators/cinder-operator#306 Jira: OSPRH-2183 Jira: OSPRH-1233 Jira: OSPRH-1592 Jira: OSPRH-2197

- creates internal CA when internal TLS enabled - creates TLS certs via cert-manager and passes the cert secret information to the services, right now keystone, glance, cinder and neutron For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators/keystone-operator#348 Depends-On: openstack-k8s-operators/neutron-operator#263 Depends-On: openstack-k8s-operators/glance-operator#386 Depends-On: openstack-k8s-operators/cinder-operator#306 Jira: OSPRH-2183 Jira: OSPRH-1233 Jira: OSPRH-1592 Jira: OSPRH-2197

stuggi · 2024-01-10T16:54:17Z

/test keystone-operator-build-deploy-kuttl

olliewalsh · 2024-01-10T18:14:50Z

/test keystone-operator-build-deploy-kuttl

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/keystone-operator#348 Jira: OSPRH-2183

stuggi · 2024-01-16T11:37:41Z

/test keystone-operator-build-deploy-kuttl

olliewalsh · 2024-01-25T18:52:03Z

controllers/keystoneapi_controller.go

+	httpdVhostConfig := map[string]interface{}{}
+	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+		endptConfig := map[string]interface{}{}
+		endptConfig["ServerName"] = fmt.Sprintf("keystone-%s.%s.svc", endpt.String(), instance.Namespace)


keystone.ServiceName might be better than hard-coding 'keystone'

olliewalsh · 2024-01-25T18:53:54Z

templates/keystoneapi/config/httpd.conf


  ## WSGI configuration
  WSGIApplicationGroup %{GLOBAL}
-  WSGIDaemonProcess keystone display-name=keystone group=keystone processes=3 threads=1 user=keystone
-  WSGIProcessGroup keystone
+  WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=keystone processes=6 threads=1 user=keystone


why are number processes changing?

done, was not intended

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The CA cert get direct mounted as the environment bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . The service certificates like config files and copied via kolla to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key . Job deployments for bootstrap/cron get the CA bundle added if configured. Also indexes the named input resources for password, CA bundle, and endpoint secrets to be able to watch them for a change and reconcile. Depends-On: openstack-k8s-operators/lib-common#428 Jira: OSPRH-2183

Adds kuttl test for tls using pre-created CA bundle and certificate secrets to not have a dependency on cert manager for testing. Jira: OSPRH-2183

olliewalsh

/lgtm

openshift-ci · 2024-01-25T19:11:58Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [olliewalsh,stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/keystone-operator#348 Jira: OSPRH-2183

openshift-ci bot requested review from abays and lewisdenny December 8, 2023 15:06

openshift-ci bot added the approved label Dec 8, 2023

openshift-ci bot added the do-not-merge/hold label Dec 8, 2023

stuggi requested review from olliewalsh, Deydra71 and vakwetu and removed request for lewisdenny December 8, 2023 15:07

stuggi mentioned this pull request Dec 8, 2023

[tlse] initial internal API TLS support for keystone, glance, cinder and neutron openstack-k8s-operators/openstack-operator#592

Closed

stuggi force-pushed the tlse_secret_update branch from 38a3686 to 4c75247 Compare December 11, 2023 10:02

stuggi force-pushed the tlse_secret_update branch from 4c75247 to 133b879 Compare December 11, 2023 12:57

stuggi force-pushed the tlse_secret_update branch 3 times, most recently from 76f5a59 to 9c7133e Compare December 13, 2023 13:47

stuggi force-pushed the tlse_secret_update branch from 9c7133e to aefcbd4 Compare December 21, 2023 13:28

stuggi force-pushed the tlse_secret_update branch from aefcbd4 to f5302ae Compare January 3, 2024 15:17

openshift-merge-robot added the needs-rebase label Jan 3, 2024

stuggi force-pushed the tlse_secret_update branch from f5302ae to 94f2f71 Compare January 3, 2024 15:22

openshift-merge-robot removed the needs-rebase label Jan 3, 2024

stuggi force-pushed the tlse_secret_update branch 2 times, most recently from 42f9477 to 802bef5 Compare January 5, 2024 13:29

stuggi mentioned this pull request Jan 11, 2024

[tlse] internal TLS support for keystone openstack-k8s-operators/openstack-operator#621

Merged

stuggi force-pushed the tlse_secret_update branch from 643df32 to a9279e3 Compare January 12, 2024 13:07

stuggi force-pushed the tlse_secret_update branch from 66c8614 to 533d69a Compare January 16, 2024 10:56

stuggi force-pushed the tlse_secret_update branch from 533d69a to 0d16f04 Compare January 19, 2024 13:09

stuggi removed the do-not-merge/hold label Jan 19, 2024

stuggi force-pushed the tlse_secret_update branch 2 times, most recently from 0b46372 to 019fa98 Compare January 25, 2024 18:40

olliewalsh reviewed Jan 25, 2024

View reviewed changes

stuggi added 3 commits January 25, 2024 20:01

[tls] Add tls kuttl test

8c0d63d

Adds kuttl test for tls using pre-created CA bundle and certificate secrets to not have a dependency on cert manager for testing. Jira: OSPRH-2183

[tls] add CA cert reconfigure envtest

c3f716c

stuggi force-pushed the tlse_secret_update branch from 019fa98 to c3f716c Compare January 25, 2024 19:01

olliewalsh approved these changes Jan 25, 2024

View reviewed changes

openshift-ci bot assigned olliewalsh Jan 25, 2024

openshift-ci bot added the lgtm label Jan 25, 2024

openshift-merge-bot bot merged commit a18a1e7 into openstack-k8s-operators:main Jan 25, 2024
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[tlse] tls for KeystoneAPI pod configuration #348

[tlse] tls for KeystoneAPI pod configuration #348

stuggi commented Dec 8, 2023 •

edited

Loading

stuggi commented Dec 8, 2023

stuggi commented Jan 10, 2024

olliewalsh commented Jan 10, 2024

stuggi commented Jan 16, 2024

olliewalsh Jan 25, 2024

stuggi Jan 25, 2024

olliewalsh Jan 25, 2024

stuggi Jan 25, 2024

olliewalsh left a comment

openshift-ci bot commented Jan 25, 2024

[tlse] tls for KeystoneAPI pod configuration #348

[tlse] tls for KeystoneAPI pod configuration #348

Conversation

stuggi commented Dec 8, 2023 • edited Loading

stuggi commented Dec 8, 2023

stuggi commented Jan 10, 2024

olliewalsh commented Jan 10, 2024

stuggi commented Jan 16, 2024

olliewalsh Jan 25, 2024

Choose a reason for hiding this comment

stuggi Jan 25, 2024

Choose a reason for hiding this comment

olliewalsh Jan 25, 2024

Choose a reason for hiding this comment

stuggi Jan 25, 2024

Choose a reason for hiding this comment

olliewalsh left a comment

Choose a reason for hiding this comment

openshift-ci bot commented Jan 25, 2024

stuggi commented Dec 8, 2023 •

edited

Loading