Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS Support to barbican operator #55

Merged
merged 3 commits into from
Feb 9, 2024
Merged

Add TLS Support to barbican operator #55

merged 3 commits into from
Feb 9, 2024

Conversation

vakwetu
Copy link
Contributor

@vakwetu vakwetu commented Dec 13, 2023

This adds the changes needed to enable TLS-E in barbican.

@vakwetu vakwetu self-assigned this Dec 13, 2023
@vakwetu vakwetu force-pushed the add_tls branch 3 times, most recently from d58b268 to 8416f11 Compare January 5, 2024 22:49
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vakwetu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

d34dh0r53 added a commit to d34dh0r53/openstack-operator that referenced this pull request Jan 16, 2024
@d34dh0r53
[tlse] internal TLS support for barbican
67b52c7 
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/barbican-operator#55

Jira: OSPRH-2349
@d34dh0r53 d34dh0r53 mentioned this pull request Jan 16, 2024
Merged
stuggi
stuggi reviewed Jan 29, 2024
View reviewed changes
Copy link
Contributor

@stuggi stuggi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in general looks good. might want to add envTest and kuttl tests, like we added to the other operators. Can you also add a sample for tls

controllers/barbicanapi_controller.go
}
}

// TODO(alee) should this validation occur in an if statement? what happens when tls is not enabled?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

certsHash would be calculated for the empty certHashes https://github.com/openstack-k8s-operators/lib-common/blob/main/modules/common/tls/tls.go#L166 as both endpoints are not enabled for tls

controllers/barbicanapi_controller.go
instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)

// TODO(alee) Figure out how serviceLabels are used and what must be in them
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

serviceLabels is basically the base labels to be set on all resources created by the controller to easy query/identify them. depending on which resource is created they get extended with additional, e.g. k8s svc will have the serviceLabels + the endpoint identifier.

controllers/barbicanapi_controller.go
@@ -634,9 +696,38 @@ func (r *BarbicanAPIReconciler) reconcileNormal(ctx context.Context, instance *b
return ctrlResult, nil
}

Log.Info(fmt.Sprintf("[API] Getting input hash '%s'", instance.Name))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we keep this log?

controllers/barbicanapi_controller.go Outdated Show resolved Hide resolved
@d34dh0r53
Copy link
Contributor

d34dh0r53 commented Feb 5, 2024
edited
Loading

/wip

@openshift-ci openshift-ci bot added the approved label Feb 9, 2024
@d34dh0r53
Add TLSe Testing
1166c41 
These tests will determine the functionality of TLSe within the
barbican-operator.
@d34dh0r53
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Feb 9, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 3b43913 into openstack-k8s-operators:main Feb 9, 2024
6 checks passed
d34dh0r53 added a commit to d34dh0r53/openstack-operator that referenced this pull request Feb 12, 2024
@d34dh0r53
Creates certs for k8s service of the service operator when
b35bda0 
spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/barbican-operator#55

Jira: OSPRH-2349
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stuggi stuggi stuggi left review comments

@d34dh0r53 d34dh0r53 d34dh0r53 left review comments

@xek xek Awaiting requested review from xek

@olliewalsh olliewalsh Awaiting requested review from olliewalsh

@dmendiza dmendiza Awaiting requested review from dmendiza

@Deydra71 Deydra71 Awaiting requested review from Deydra71

Assignees

@d34dh0r53 d34dh0r53

@vakwetu vakwetu

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@vakwetu @d34dh0r53 @stuggi @openshift-merge-robot