[TLS] TLS for public endpoints terminated at a route #502
Conversation
/hold
openstack-k8s-operators/ci-framework#639 to ignore ca validation for that task as it is only used to check if keystone is up
recheck
/test openstack-operator-build-deploy-kuttl
Enabling TLS for public endpoints fails right now in the kuttl test with cert validation on these commands:
submitted openshift/release#44757
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Issuer - cert-manager issuer to be used for the endpoint type. If not specified a self signed will be created.
Issuer *string `json:"issuer,omitempty"`
@olliewalsh @vakwetu @Deydra71 should we change this to be just a secret name the user should provide, instead of an issuer to be used? I think that's what we discussed in one of our meetings.
as discussed with @olliewalsh @Deydra71 on slack, I'll change the PR to not have a named issuer as parameter and instead a named secret which must contain public/private key
This is now changed in the latest version. Per service, in the apiOverride you can specify apiOverride.tls.secretName,
the secret which must hold the tls.key, tls.crt and ca.crt. If the secret does not exist, or does not have those entries in its data, the operator logs an error.
keystone:
  apiOverride:
    route: {}
    tls:
      secretName: mycustomkeystonecerts
recheck
It is all good and clear for me. Let's wait for reviews of others.
Changes openstacklient
* CRD to allow passing in a CA secret
* mounts the ca bundle under /etc/pki

Adds CRD parameters to configure TLS for public and internal TLS.
* per default a self-signed root CA + issuer get created for public and internal certs
* via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self-signed one
* user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient
* refactors the current route creation, for a follow-up on TLS-E, to create certs for each service endpoint
* when TLS for the public endpoint is enabled (default), a cert for the route gets automatically created and added to the route CR
* the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user-provided CAs to it. This allows mounting a full tls-ca-bundle.pem into the deployment pod without having to rely on kolla to run update-ca-trust, which requires the container to run as root.

Jira: OSP-26299
Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
/unhold TLS could be disabled using
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Deydra71, stuggi
757a626 into openstack-k8s-operators:main
This reverts commit 00e8d24.

We've seen constant failures in a CI job, linked to certificate validation:
https://review.rdoproject.org/zuul/builds?job_name=podified-multinode-edpm-e2e-nobuild-tagged-crc&project=openstack-k8s-operators/ci-framework

An example:
FAILED - RETRYING: [localhost]: Wait for keystone endpoint to exist in DNS (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300, 301, 302, 401, 402, 403]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)>", "redirected": false, "status": -1, "url": "https://keystone-public-openstack.apps-crc.testing"}

Reverting the CA verification toggle patch seems the safest way to get back to a green CI.

Note: the new failure may be related to a recent patch: openstack-k8s-operators/openstack-operator#502
This is a *partial* revert of 00e8d24.

We've seen constant failures in a CI job, linked to certificate validation:
https://review.rdoproject.org/zuul/builds?job_name=podified-multinode-edpm-e2e-nobuild-tagged-crc&project=openstack-k8s-operators/ci-framework

An example:
FAILED - RETRYING: [localhost]: Wait for keystone endpoint to exist in DNS (1 retries left).
fatal: [localhost]: FAILED! => {"attempts": 20, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300, 301, 302, 401, 402, 403]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)>", "redirected": false, "status": -1, "url": "https://keystone-public-openstack.apps-crc.testing"}

Reverting the CA verification toggle patch seems the safest way to get back to a green CI.
It's still supposed to fetch and install the CA at this point. We're seeing tempest failures when we do a complete reverse.

Note: the new failure may be related to a recent patch: openstack-k8s-operators/openstack-operator#502
Changes openstacklient
Adds CRD parameters to configure TLS for public and internal TLS.
TODO:
Jira: OSP-26299
Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82