use internal endpoint for admin client #318

Merged

@stuggi stuggi commented Sep 29, 2023

Jira: OSP-26299

@stuggi stuggi force-pushed the tls_public_endpoint branch from 59b8ec8 to 6a3a240 Compare October 2, 2023 06:46
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.

TODO: adding envtest coverage

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
Changes openstackclient
* CRD to allow passing in a CA secret
* use kolla to run the openstackclient and update the environment
  CA on start with the passed-in CA secret to validate endpoint certs.

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled a Cert for the route gets
  automatically created and added to the route CR.

TODO:
* adding envtest coverage

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
olliewalsh pushed a commit to olliewalsh/openstack-operator that referenced this pull request Oct 3, 2023
@olliewalsh
/retest

@olliewalsh olliewalsh left a comment

/lgtm

@openshift-ci
openshift-ci bot commented Oct 3, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, stuggi


@openshift-ci openshift-ci bot merged commit 508b207 into openstack-k8s-operators:main Oct 3, 2023
1 check passed
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 5, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 6, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 9, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 9, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 10, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 10, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 12, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 12, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 17, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
Changes openstackclient
* CRD to allow passing in a CA secret
* use kolla to run the openstackclient and update the environment
  CA on start with the passed-in CA secret to validate endpoint certs.

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled (default) a Cert for the
  route gets automatically created and added to the route CR.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 24, 2023
Changes openstackclient
* CRD to allow passing in a CA secret
* mounts the ca bundle under /etc/pki

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* via the apiOverride.TLS of a service, a secret with cert, key and
  CA cert can be provided to use instead of the default self signed
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled (default) a Cert for the
  route gets automatically created and added to the route CR.
* the openstack-operator creates a full tls-ca-bundle.pem using
  the operator image ca-bundle as base and adds the public, internal
  and user-provided CAs to it. This allows mounting a full tls-ca-bundle.pem
  into the deployment pod without having to rely on kolla to run
  update-ca-trust, which requires the container to run as root.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
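
The combined bundle described in the commit message above (image ca-bundle as base, plus the public, internal and user-provided CAs), as an added Go example; it is not code from openstack-operator. `MergeCABundle`, `Source`, `Rejected`, `vet` and the policy of refusing non-CA, out-of-validity and non-certificate PEM blocks are assumptions of this example, and every certificate is constructed at run time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Source is one named bundle input; Rejected records a refused PEM block (hypothetical types).
type Source struct{ Name string; PEM []byte }
type Rejected struct{ Source, Subject, Reason string }

// MergeCABundle appends the CA certificates found in extras to those in base, in order.
// Only currently valid CA certificates are kept; exact duplicates are dropped silently.
func MergeCABundle(now time.Time, base []byte, extras []Source) ([]byte, []Rejected) {
	var out bytes.Buffer
	var rejected []Rejected
	seen := map[[32]byte]bool{}
	for _, src := range append([]Source{{Name: "base", PEM: base}}, extras...) {
		for blk, rest := pem.Decode(src.PEM); blk != nil; blk, rest = pem.Decode(rest) {
			der, subject, reason := vet(blk, now)
			if reason != "" {
				rejected = append(rejected, Rejected{src.Name, subject, reason})
				continue
			}
			if fp := sha256.Sum256(der); !seen[fp] {
				seen[fp] = true
				pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: der})
			}
		}
	}
	return out.Bytes(), rejected
}

// vet returns the DER bytes to keep, or the reason the block is refused.
func vet(blk *pem.Block, now time.Time) (der []byte, subject, reason string) {
	if blk.Type != "CERTIFICATE" { // e.g. a private key stored beside the CA cert in a secret
		return nil, "", "non-certificate block: " + blk.Type
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	switch {
	case err != nil:
		return nil, "", "unparsable certificate"
	case !cert.BasicConstraintsValid || !cert.IsCA:
		return nil, cert.Subject.CommonName, "not a CA certificate"
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return nil, cert.Subject.CommonName, "outside validity period"
	}
	return cert.Raw, cert.Subject.CommonName, ""
}

// makeCert returns a constructed self-signed certificate in PEM form (sample input only).
func makeCert(cn string, isCA bool, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// demo merges constructed inputs and returns the certificate count plus the rejections.
func demo() (int, []Rejected) {
	now := time.Now()
	ok, old := now.Add(24*time.Hour), now.Add(-time.Hour)
	public := makeCert("constructed public CA", true, ok)
	user := bytes.Join([][]byte{
		public, // same CA supplied twice: must not be duplicated in the bundle
		makeCert("constructed expired CA", true, old),
		makeCert("leaf.example.test", false, ok),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: []byte("constructed, not a key")}),
	}, nil)
	bundle, rejected := MergeCABundle(now, makeCert("constructed image root", true, ok), []Source{
		{"public", public}, {"internal", makeCert("constructed internal CA", true, ok)}, {"user", user},
	})
	return bytes.Count(bundle, []byte("-----BEGIN CERTIFICATE-----")), rejected
}

func main() {
	n, rejected := demo()
	fmt.Printf("bundle holds %d certificates; rejected: %+v\n", n, rejected)
}
```

Because the resulting file is mounted into pods as their trust store, filtering at merge time keeps a key or leaf certificate that sits in a user-supplied secret out of every consumer.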
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 24, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
Changes openstacklient
* CRD to allows to pass in CA secret
* mounts the ca bundle under /etc/pki

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* via the apiOverride.TLS of a service, a secret with cert, key and
  CA cert can be provided to use instead of the default self signed
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled (default) a Cert for the
  route gets automatically created and added to the route CR.
* the openstack-operator creates a full tls-ca-bundle.pem using
  the operator image ca-bundle as base and adds the public, internal
  and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem
  into the deployment pod and don't have to rely on kolla to run
  update-ca-trust which requires container to run as root.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
fmount pushed a commit to fmount/openstack-operator that referenced this pull request Nov 2, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Nov 7, 2023