Introduce kolla_copy_cacerts #82
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stuggi
requested review from
olliewalsh and
Deydra71
and removed request for
rabi and
rlandy
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/6512e94bcbff401d957f2fdc375e36c0 ❌ tcib-build-containers FAILURE in 20m 34s |
|
recheck |
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/6bb81f604f9141e3b09c566cd5daf656 ❌ tcib-build-containers FAILURE in 20m 37s |
stuggi
force-pushed
the
tls_public_endpoint
branch
from
d902789 to
3ad8781
Compare
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/7365c01aacc04b74a9dc78fb04af772e ❌ tcib-build-containers FAILURE in 21m 19s |
stuggi
commented
Sep 29, 2023
container-images/kolla/base/start.sh
Outdated
| @@ -9,6 +9,9 @@ sudo -E kolla_set_configs | |||
| CMD=$(cat /run_command) | |||
| ARGS="" | |||
|
|
|||
| # Install custom CA certificates | |||
| sudo kolla_update_cacerts | |||
There was a problem hiding this comment.
not all users are in kolla group and can run this right now via sudo
There was a problem hiding this comment.
well sudo -E kolla_set_configs above is also good, so we can expect this to work
There was a problem hiding this comment.
it's kolla_copy_cacerts in kolla, should we try to keep it consistent?
There was a problem hiding this comment.
we could, thought we are now disconnected from kolla.
There was a problem hiding this comment.
yeah but likely to hit similar issues in both, with similar fixes, so good to stay as consistent as possible I expect
|
not sure why cinder fails: |
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 2, 2023
Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * refactors the current route create for followup on TLS-E to create certs for each service endpoint. TODO: adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 2, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 2, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
It appears to be missing package issue. |
|
recheck |
|
Build failed (check pipeline). Post https://review.rdoproject.org/zuul/buildset/8cfb9fafc53c45b2a1a96410fbf1b600 ✔️ tcib-build-containers SUCCESS in 39m 38s |
|
recheck |
olliewalsh
pushed a commit
to olliewalsh/openstack-operator
that referenced
this pull request
Oct 3, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
This adds a script to run at container start via kolla_start to update the container environment for trusted CAs (TLS-E). Also adds the cloud-admin user to the kolla group to be allowed to run kolla* commands as root. This is required to get the openstackclient CA trust updated for tls endpoints. Jira: OSP-26299 Jira: OSP-26849
stuggi
force-pushed
the
tls_public_endpoint
branch
from
3ad8781 to
9f1a562
Compare
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 4, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 4, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 4, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
raukadah
approved these changes
Oct 4, 2023
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olliewalsh, raukadah, stuggi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 4, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 5, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 6, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 9, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 9, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 10, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 10, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 12, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 12, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 17, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 20, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 20, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 20, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 23, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled a Cert for the route gets automatically created and added to the route CR. TODO: * adding envtest coverage Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 23, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 23, 2023
Changes openstacklient * CRD to allows to pass in CA secret * use kolla to run the openstackclient and update the environment CA on start with passed in CA secret to validate endpoint certs. Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * public issuer can be provided by the user by referencing a named issuer in the namespace. Then this one is used. * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 24, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 24, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 25, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 25, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Oct 25, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
fmount
pushed a commit
to fmount/openstack-operator
that referenced
this pull request
Nov 2, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
stuggi
added a commit
to stuggi/openstack-operator
that referenced
this pull request
Nov 7, 2023
Changes openstacklient * CRD to allows to pass in CA secret * mounts the ca bundle under /etc/pki Adds CRD parameters to configure TLS for public and internal TLS. * per default self signed root CA + issuer get created for public and internal certs * via the apiOverride.TLS of a service, a secret with cert, key and CA cert can be provided to use instead of the default self signed * user can provide a CA secret for certs to be added to the combined CA secret the openstack-operator creates to pass into services / openstackclient * refactors the current route create for followup on TLS-E to create certs for each service endpoint. * when TLS for public endpoint is enabled (default) a Cert for the route gets automatically created and added to the route CR. * the openstack-operator creates a full tls-ca-bundle.pem using the operator image ca-bundle as base and adds the public, internal and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem into the deployment pod and don't have to rely on kolla to run update-ca-trust which requires container to run as root. Jira: OSP-26299 Depends-On: openstack-k8s-operators/lib-common#351 Depends-On: openstack-k8s-operators/keystone-operator#318 Depends-On: openstack-k8s-operators/tcib#82
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a script to run at container start via kolla_start to update the container environment for trusted CAs (TLS-E).
Also adds the cloud-admin user to the kolla group to be allowed to run kolla* commands as root. This is required to get the openstackclient CA trust updated for tls endpoints.
Jira: OSP-26299
Jira: OSP-26849