[tlse] tls for NeutronAPI pod configuration #263

stuggi · 2023-12-08T15:06:33Z

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle, and endpoint secrets to be able to watch them for any changes and reconcile if needed.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2197

stuggi · 2023-12-08T15:06:41Z

/hold

- creates internal CA when internal TLS enabled - creates TLS certs via cert-manager and passes the cert secret information to the services, right now keystone, glance, cinder and neutron For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#384 Depends-On: openstack-k8s-operators/keystone-operator#348 Depends-On: openstack-k8s-operators/neutron-operator#263 Depends-On: openstack-k8s-operators/glance-operator#386 Depends-On: openstack-k8s-operators/cinder-operator#306 Jira: OSPRH-2183 Jira: OSPRH-1233 Jira: OSPRH-1592 Jira: OSPRH-2197

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/neutron-operator#263 Jira: OSPRH-2197

softwarefactory-project-zuul · 2024-01-24T19:58:31Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/3eb27bfb6f504ef4bc8c1d58e325db03

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 41m 01s
❌ neutron-operator-tempest-multinode FAILURE in 1h 21m 19s

softwarefactory-project-zuul · 2024-01-24T23:07:13Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/f91074d342024eea8e7d76a4e8082f0c

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 41m 25s
❌ neutron-operator-tempest-multinode FAILURE in 1h 20m 03s

stuggi · 2024-01-25T20:31:39Z

/unhold

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured. Also indexes the named input resources for password, CA bundle, and endpoint secrets to be able to watch them for any changes and reconcile if needed. Depends-On: openstack-k8s-operators/lib-common#428 Jira: OSPRH-2197

Adds kuttl test for tls using pre-created CA bundle and certificate secrets to not have a dependency on cert manager for testing. Jira: OSPRH-2197

stuggi · 2024-01-26T01:48:49Z

@slawqo I have added some more tests and rebased it. can you please restore the approval?

openshift-ci · 2024-01-29T12:45:26Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: karelyatin, slawqo, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [karelyatin,slawqo,stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/neutron-operator#263 Jira: OSPRH-2197

openshift-ci bot requested review from karelyatin and viroel December 8, 2023 15:06

openshift-ci bot added do-not-merge/hold approved labels Dec 8, 2023

stuggi requested review from olliewalsh, Deydra71, vakwetu and slawqo and removed request for viroel December 8, 2023 15:07

stuggi mentioned this pull request Dec 8, 2023

[tlse] initial internal API TLS support for keystone, glance, cinder and neutron openstack-k8s-operators/openstack-operator#592

Closed

stuggi force-pushed the tlse_secret_update branch from 6667e40 to dd3f9e1 Compare December 11, 2023 13:01

openshift-merge-robot added the needs-rebase label Dec 13, 2023

stuggi force-pushed the tlse_secret_update branch from dd3f9e1 to 54cefc4 Compare December 21, 2023 14:40

openshift-merge-robot removed the needs-rebase label Dec 21, 2023

stuggi force-pushed the tlse_secret_update branch from 54cefc4 to 618dc27 Compare December 21, 2023 15:18

openshift-merge-robot added the needs-rebase label Dec 24, 2023

stuggi force-pushed the tlse_secret_update branch 2 times, most recently from fcd7230 to 5d0d826 Compare January 3, 2024 15:23

openshift-merge-robot removed the needs-rebase label Jan 3, 2024

stuggi force-pushed the tlse_secret_update branch from 5d0d826 to fe01077 Compare January 5, 2024 13:07

stuggi force-pushed the tlse_secret_update branch 2 times, most recently from d28bc1d to 4ec3b41 Compare January 16, 2024 12:16

slawqo approved these changes Jan 18, 2024

View reviewed changes

openshift-ci bot assigned slawqo Jan 18, 2024

openshift-ci bot added the lgtm label Jan 18, 2024

stuggi force-pushed the tlse_secret_update branch from 4ec3b41 to 156cb5d Compare January 24, 2024 18:15

openshift-ci bot removed the lgtm label Jan 24, 2024

stuggi force-pushed the tlse_secret_update branch from 156cb5d to 2cd34c1 Compare January 24, 2024 21:24

stuggi force-pushed the tlse_secret_update branch 3 times, most recently from 627b7b7 to 0ff07ea Compare January 25, 2024 20:04

openshift-ci bot removed the do-not-merge/hold label Jan 25, 2024

stuggi force-pushed the tlse_secret_update branch from 0ff07ea to 9c0a2be Compare January 25, 2024 21:04

stuggi added 3 commits January 25, 2024 23:15

[tls] Add tls kuttl test

ab0a744

Adds kuttl test for tls using pre-created CA bundle and certificate secrets to not have a dependency on cert manager for testing. Jira: OSPRH-2197

[tls] add CA cert reconfigure envtest

db92830

stuggi force-pushed the tlse_secret_update branch from 9c0a2be to db92830 Compare January 25, 2024 22:15

karelyatin approved these changes Jan 29, 2024

View reviewed changes

openshift-ci bot assigned karelyatin Jan 29, 2024

openshift-ci bot added the lgtm label Jan 29, 2024

openshift-merge-bot bot merged commit ae87be7 into openstack-k8s-operators:main Jan 29, 2024
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[tlse] tls for NeutronAPI pod configuration #263

[tlse] tls for NeutronAPI pod configuration #263

stuggi commented Dec 8, 2023 •

edited

Loading

stuggi commented Dec 8, 2023

softwarefactory-project-zuul bot commented Jan 24, 2024

softwarefactory-project-zuul bot commented Jan 24, 2024

stuggi commented Jan 25, 2024

stuggi commented Jan 26, 2024

openshift-ci bot commented Jan 29, 2024

[tlse] tls for NeutronAPI pod configuration #263

[tlse] tls for NeutronAPI pod configuration #263

Conversation

stuggi commented Dec 8, 2023 • edited Loading

stuggi commented Dec 8, 2023

softwarefactory-project-zuul bot commented Jan 24, 2024

softwarefactory-project-zuul bot commented Jan 24, 2024

stuggi commented Jan 25, 2024

stuggi commented Jan 26, 2024

openshift-ci bot commented Jan 29, 2024

stuggi commented Dec 8, 2023 •

edited

Loading