This repository has been archived by the owner on Jun 25, 2024. It is now read-only.

Add infrastructure for edpm certs #553

Merged
merged 2 commits into from
Dec 1, 2023

Conversation

vakwetu
Contributor

@vakwetu vakwetu commented Dec 1, 2023

This PR adds the ability to generate and mount TLS certs in the ansibleEE
pod for each service.

The basic idea is as follows:

There is a top level parameter on the nodeset (TLSEnabled) that determines whether
TLS-E is enabled.  This is analogous to a similar parameter on the control plane.

Each service has a boolean parameter HasTLSCerts which determines
whether or not certs are expected for this service.  The certs will be issued for each
node in the nodeset and then concatenated into a secret that contains the tls certs and keys
for all the nodes in the node set.  They are referenced as <nodeName>-tls.key, <nodeName>-tls.crt.
The secret is named <nodeSet.Name>-<service.Name>-certs.

This secret will be mounted in the openstackAnsibleEE pod at /var/lib/openstack/certs.  It will be up to the ansible
playbook to move the appropriate certs, keys etc. for each node to the node, and do
any reconfiguration of the service.

This PR adds the ability to generate and mount TLS certs in the ansibleEE
pod for each service.

The basic idea is as follows:

Each service has a boolean parameter HasTLSCerts which determines
whether or not certs are expected for this service.  If so, then we
expect that a secret with the name <nodeSet.Name>-<service.Name>-certs will
be created.

This secret contains the TLS certs, keys and cacerts for every node in
the nodeset.  They are referenced as <nodeName>-tls.key, <nodeName>-tls.crt, <nodeName>-ca.crt

This secret will be mounted in the openstackAnsibleEE pod at
/var/lib/openstack/certs.  It will be up to the ansible playbook to
move the appropriate certs, keys etc. for each node to the node, and do
any reconfiguration of the service.

More details are below:
1. After the DNS data is created in the openstackdataplanenodeset_controller,
   a call is made to GenerateTLSCerts for each service that has HasTLSCerts: True.
2. GenerateTLSCerts right now only generates a single cert for each node in the
   nodeset using the DNSNames for that node.  As the cert contains the
   DNSNames for all the node's interfaces, it should be usable on all
   interfaces.  This cert is stored in the secret "nodeName-cert".  This
   is the default cert - and it should only be created once - i.e. the
   first time this code is run.
3. It's likely that most services will be able to use this cert.  If a
   service needs a different kind of cert (maybe using IPs - for ovn
   for instance, or a different issuer), then code needs to be added to
   the switch statement for that particular service.
4. The secret containing the cert will need to have an ownership
   reference updated so that we can trigger a reconcile when the cert
   changes or is renewed.

Also specifies a cert for libvirt and nova that contains the ip and
hostname of the control plane.

Add top level flag for TLSEnabled

Just like the control plane, we need a flag to indicate whether the
dataplane has TLS enabled.  This is because - per adoption requirements,
internal TLS may not be enabled.

The hasTLSCerts parameter at the service level is simply for developers
to specify whether or not TLS certs are needed/supported when TLS is
enabled at the top level.
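The secret layout described above (one `<nodeSet.Name>-<service.Name>-certs` secret carrying `<nodeName>-tls.key`, `<nodeName>-tls.crt` and `<nodeName>-ca.crt` for every node) can be assembled and sanity-checked with plain Go before anything is mounted into the ansibleEE pod. The following is an added example and not the dataplane-operator's own code: it assumes PEM-encoded material, uses a `map[string][]byte` in place of `corev1.Secret.Data`, and stands in a self-signed certificate for the cert-manager issuer. The `CheckNodeCert` step goes beyond the PR text: it verifies that each node's cert actually carries the DNS names the node is reachable on (step 2 above relies on this), so a cert issued against stale DNS data is rejected before the playbook ships it to the node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NodeCert is the per-node material that would come from the "<nodeName>-cert"
// secret. Assumption for this example: all three fields are PEM-encoded.
type NodeCert struct {
	Key, Cert, CA []byte
}

// certsSecretName applies the naming rule from the PR: <nodeSet>-<service>-certs.
func certsSecretName(nodeSet, service string) string {
	return fmt.Sprintf("%s-%s-certs", nodeSet, service)
}

// BuildCertsSecretData concatenates per-node certs into the key layout the
// ansibleEE pod sees under /var/lib/openstack/certs (stand-in for Secret.Data).
func BuildCertsSecretData(nodes map[string]NodeCert) map[string][]byte {
	data := make(map[string][]byte, 3*len(nodes))
	for name, nc := range nodes {
		data[name+"-tls.key"] = nc.Key
		data[name+"-tls.crt"] = nc.Cert
		data[name+"-ca.crt"] = nc.CA
	}
	return data
}

// CheckNodeCert parses <nodeName>-tls.crt from the secret and confirms every
// DNS name the node is reachable on is covered by the certificate's SANs.
func CheckNodeCert(data map[string][]byte, nodeName string, dnsNames []string) error {
	block, _ := pem.Decode(data[nodeName+"-tls.crt"])
	if block == nil {
		return fmt.Errorf("%s-tls.crt: missing or not PEM", nodeName)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("%s-tls.crt: %w", nodeName, err)
	}
	for _, n := range dnsNames {
		if err := cert.VerifyHostname(n); err != nil {
			return fmt.Errorf("%s: %w", nodeName, err)
		}
	}
	return nil
}

// selfSignedNodeCert stands in for the issuer; constructed test data only.
func selfSignedNodeCert(nodeName string, dnsNames []string) (NodeCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return NodeCert{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nodeName},
		DNSNames:     dnsNames, // one SAN per node interface, as in step 2
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return NodeCert{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return NodeCert{}, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return NodeCert{
		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		Cert: certPEM,
		CA:   certPEM, // self-signed, so the cert doubles as its own CA here
	}, nil
}

func main() {
	// Constructed sample: one node with two interface FQDNs (example.com names).
	names := []string{"edpm-compute-0.ctlplane.example.com", "edpm-compute-0.internalapi.example.com"}
	nc, err := selfSignedNodeCert("edpm-compute-0", names)
	if err != nil {
		panic(err)
	}
	data := BuildCertsSecretData(map[string]NodeCert{"edpm-compute-0": nc})
	fmt.Println(certsSecretName("edpm-compute", "nova"), "keys:", len(data))
	fmt.Println("SAN check:", CheckNodeCert(data, "edpm-compute-0", names))
}
```

Because the check runs against the assembled secret rather than the issuer's own record, it also catches the mismatch the PR's step 4 worries about: a renewed cert whose SANs were issued from an out-of-date nodeset will fail here and should trigger a reconcile rather than a silent overwrite on the node.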
@vakwetu vakwetu requested review from rabi and slagle December 1, 2023 12:53
@openshift-ci openshift-ci bot requested review from bshephar and dprince December 1, 2023 12:53
@slagle
Collaborator

slagle commented Dec 1, 2023

This is the same PR as #442. For some reason, github won't allow re-opening the old PR, even though there are new commits.

The plan is to go ahead with this as-is once it passes CI and then fix the review comments in a follow up.

@vakwetu
Contributor Author

vakwetu commented Dec 1, 2023

Note: this is identical to a previous PR that got accidentally closed. I'm working on a follow-on PR to address @slagle comments

Contributor

openshift-ci bot commented Dec 1, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: slagle, vakwetu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Dec 1, 2023
@openshift-merge-bot openshift-merge-bot bot merged commit 90627b7 into openstack-k8s-operators:main Dec 1, 2023
8 checks passed
katarimanojk added a commit to katarimanojk/dataplane-operator that referenced this pull request Jan 10, 2024
By using the feature [1] to generate certs, this PR will enable
tlsCertsEnabled for ceph_hci_pre service which should generate
certs for the service on each node in the nodeset.

[1] openstack-k8s-operators#553