Add TLS support for multiple service endpoints #384

@Deydra71 Deydra71 commented Nov 6, 2023

Some services create multiple endpoints; therefore each endpoint needs to support TLS.

@Deydra71 Deydra71 requested review from olliewalsh and stuggi November 6, 2023 10:30
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 3 times, most recently from aae9cda to c01c0e2 Compare November 6, 2023 13:40
@stuggi stuggi left a comment

@Deydra71 @olliewalsh wondering if this would be a more generic definition of the certs we need, also with the possibility to customize the mount paths. This might be useful for the EDPM side, where the default cert location for libvirt/qemu is /etc/pki/libvirt/ and /etc/pki/libvirt/private/, but could also use the config params cert_file and key_file for this. https://wiki.libvirt.org/TLSCreateServerCerts.html#overriding-the-default-locations

package tls

import (
	// service.Endpoint is the lib-common type that names an API endpoint
	// (e.g. public, internal) and keys the per-endpoint cert config below.
	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
)

// Service contains server-specific TLS secret
type Service struct {
	// +kubebuilder:validation:Optional
	// SecretName - name of the secret holding the tls.crt and tls.key for the service
	SecretName string `json:"secretName,omitempty"`
	// +kubebuilder:validation:Optional
	// CertMount - dst location to mount the service tls.crt cert. Can be used to override the default location which is /etc/tls/<service key>/tls.crt
	CertMount *string `json:"certMount,omitempty"`
	// +kubebuilder:validation:Optional
	// KeyMount - dst location to mount the service tls.key key. Can be used to override the default location which is /etc/tls/<service key>/tls.key
	KeyMount *string `json:"keyMount,omitempty"`
	// +kubebuilder:validation:Optional
	// CaMount - dst location to mount this cert's CA ca.crt to. Can be used if the service CA cert should be mounted specifically, e.g. to be set in a service config for validation, instead of the env wide bundle.
	CaMount *string `json:"caMount,omitempty"`
	// +kubebuilder:validation:Optional
	// DisableNonTLSListeners - disable non TLS listeners of the service (if supported)
	DisableNonTLSListeners bool `json:"disableNonTLSListeners,omitempty"`
}

// Ca contains CA-specific settings, which could be used both by services (to define their own CA certificates)
// and by clients (to verify the server's certificate)
type Ca struct {
	// +kubebuilder:validation:Optional
	// CaBundleSecretName - name of the secret holding the CA cert bundle to mount
	CaBundleSecretName string `json:"caBundleSecretName,omitempty"`

	// +kubebuilder:validation:Optional
	// +kubebuilder:default="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
	// CaBundleMount - dst location to mount the CA cert bundle
	CaBundleMount *string `json:"caBundleMount,omitempty"`
}

// TLS - a generic type, which encapsulates both the service and CA configurations
type TLS struct {
	// certificate configuration for API service certs, keyed by endpoint (e.g. public, internal)
	APIService map[service.Endpoint]Service `json:"APIService"`
	// certificate configuration for additional arbitrary certs, keyed by a free-form service name
	Service map[string]Service `json:"service"`
	// CA bundle configuration
	Ca *Ca `json:"ca"`
}
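One way to turn the proposed structs into per-endpoint volume mounts, as an added example rather than code from lib-common or this PR: it keys the mounts by endpoint, applies the /etc/tls/<service key>/tls.{crt,key} defaults with the CertMount/KeyMount/CaMount overrides, mounts the CA bundle at the Ca default, and rejects two things worth catching before a Pod spec is rendered: a TLS entry with no secretName, and two overrides landing on the same path. The Endpoint type, the Mount struct and the tls-ca-bundle.pem key name are stand-ins assumed for this example; real operators would emit corev1 Volume/VolumeMount objects.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Endpoint stands in for lib-common's service.Endpoint (assumed here: a string type).
type Endpoint string

const EndpointInternal, EndpointPublic Endpoint = "internal", "public"

// Service, Ca and TLS mirror the structs proposed in the review comment, minus
// kubebuilder markers, json tags, DisableNonTLSListeners and the arbitrary Service map.
type Service struct {
	SecretName                   string
	CertMount, KeyMount, CaMount *string
}

type Ca struct {
	CaBundleSecretName string
	CaBundleMount      *string
}

type TLS struct {
	APIService map[Endpoint]Service
	Ca         *Ca
}

// Mount is a stand-in for a read-only corev1.VolumeMount of one secret key to one path.
type Mount struct {
	SecretName, SecretKey, MountPath string
}

// DefaultCaBundleMount is the proposed Ca default; caBundleKey (key inside the bundle secret) is assumed.
const DefaultCaBundleMount = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
const caBundleKey = "tls-ca-bundle.pem"

func orDefault(override *string, def string) string {
	if override != nil && *override != "" {
		return *override
	}
	return def
}

// serviceMounts renders the cert/key (and optional CA) mounts for one service key,
// defaulting to /etc/tls/<key>/tls.{crt,key}; an entry without a secret name is rejected.
func serviceMounts(key string, svc Service) ([]Mount, error) {
	if svc.SecretName == "" {
		return nil, fmt.Errorf("service %q: TLS requested but secretName is empty", key)
	}
	dir := path.Join("/etc/tls", key)
	mounts := []Mount{
		{svc.SecretName, "tls.crt", orDefault(svc.CertMount, path.Join(dir, "tls.crt"))},
		{svc.SecretName, "tls.key", orDefault(svc.KeyMount, path.Join(dir, "tls.key"))},
	}
	if ca := orDefault(svc.CaMount, ""); ca != "" {
		mounts = append(mounts, Mount{svc.SecretName, "ca.crt", ca})
	}
	return mounts, nil
}

// Mounts renders every mount of a TLS config in sorted endpoint order and fails if two
// files would land on the same path (e.g. public and internal both overridden to
// /etc/pki/tls/certs/api.crt, which would silently serve one endpoint's key as the other's).
func Mounts(cfg TLS) ([]Mount, error) {
	keys := make([]string, 0, len(cfg.APIService))
	for ep := range cfg.APIService {
		keys = append(keys, string(ep))
	}
	sort.Strings(keys)
	var all []Mount
	for _, k := range keys {
		m, err := serviceMounts(k, cfg.APIService[Endpoint(k)])
		if err != nil {
			return nil, err
		}
		all = append(all, m...)
	}
	if cfg.Ca != nil && cfg.Ca.CaBundleSecretName != "" {
		all = append(all, Mount{cfg.Ca.CaBundleSecretName, caBundleKey, orDefault(cfg.Ca.CaBundleMount, DefaultCaBundleMount)})
	}
	owner := map[string]string{} // path -> secret/key that claimed it first
	for _, m := range all {
		src := m.SecretName + "/" + m.SecretKey
		if prev, clash := owner[m.MountPath]; clash {
			return nil, fmt.Errorf("path %s claimed by both %s and %s", m.MountPath, prev, src)
		}
		owner[m.MountPath] = src
	}
	return all, nil
}

func main() { // constructed sample: public cert path overridden, internal on defaults
	pub := "/etc/pki/tls/certs/keystone-public.crt"
	fmt.Println(Mounts(TLS{Ca: &Ca{CaBundleSecretName: "combined-ca-bundle"}, APIService: map[Endpoint]Service{
		EndpointPublic: {SecretName: "cert-keystone-public", CertMount: &pub}, EndpointInternal: {SecretName: "cert-keystone-internal"}}}))
}
```

Running the file prints the five mounts for the constructed keystone sample. Since the map key is the endpoint name, a key cannot repeat, so the clash check only fires on explicit path overrides; that is exactly the door the mount-path customisation in the comment above opens, and the reason the check belongs next to it.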

@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 3 times, most recently from ef327b5 to b1bf498 Compare November 9, 2023 13:27
Deydra71 commented Nov 9, 2023

I've implemented the changes to the structs and their fields as suggested by @stuggi ^^ Following these updates, the functions and tests were revised within the tls package, so it should now be in place for operator testing.

@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch from 4946d90 to cad50be Compare November 10, 2023 14:33
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 4 times, most recently from 1bfaa38 to 2e43709 Compare November 22, 2023 08:46
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 2 times, most recently from 17d5dad to 3719cbd Compare December 4, 2023 14:08
@Deydra71 Deydra71 requested a review from stuggi December 4, 2023 14:12
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Dec 5, 2023
Adds watches for named secret and configmap resources from the
OpenStackClient CRD. This allows watching the specific resources
when they change.

Also adds EnvTest for OpenstackClient being created by the
OpenstackControlPlane controller.

Depends-On: openstack-k8s-operators/lib-common#384
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 3 times, most recently from 9acfa6d to e973d73 Compare December 6, 2023 14:43
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Dec 6, 2023
(commit message identical to the Dec 5, 2023 openstack-operator entry above)
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Dec 6, 2023
(commit message identical to the Dec 5, 2023 openstack-operator entry above)
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch 2 times, most recently from 5a5f5d3 to bb6aad2 Compare December 8, 2023 09:03
stuggi added a commit to stuggi/keystone-operator that referenced this pull request Dec 8, 2023
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for any changes and
reconcile if needed.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-2183
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support branch from bb6aad2 to 62070e5 Compare December 8, 2023 09:50
stuggi added a commit to stuggi/glance-operator that referenced this pull request Jan 5, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-1233
stuggi added a commit to stuggi/keystone-operator that referenced this pull request Jan 5, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-2183
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 5, 2024
(commit message identical to the Dec 5, 2023 openstack-operator entry above)
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 5, 2024
- creates internal CA when internal TLS enabled
- creates TLS certs via cert-manager and passes the cert secret
  information to the services, right now keystone, glance, cinder and
  neutron

For services which at this point don't support TLS, cert validation
could be disabled using customServiceConfig like e.g.:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
~~~

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#384
Depends-On: openstack-k8s-operators/keystone-operator#348
Depends-On: openstack-k8s-operators/neutron-operator#263
Depends-On: openstack-k8s-operators/glance-operator#386
Depends-On: openstack-k8s-operators/cinder-operator#306

Jira: OSPRH-2183
Jira: OSPRH-1233
Jira: OSPRH-1592
Jira: OSPRH-2197
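The commit message above lists insecure = true per section as a stopgap for peers that do not yet serve TLS. Such lines are easy to leave behind once a peer does get a certificate, after which the client silently skips validation for good. What follows is an added audit check, not code from openstack-operator or any of the linked operators: it parses a constructed customServiceConfig (the same shape as the snippet above), lists every section that disables certificate validation using oslo.config's boolean spellings, and produces a hardened copy with those lines flipped to insecure = false. The sample config, the DEFAULT handling for keys before the first header and the "skip non key=value lines" behaviour are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleCustomServiceConfig is a constructed customServiceConfig in the shape
// the commit message shows; it is not taken from any real control plane.
const sampleCustomServiceConfig = `[keystone_authtoken]
insecure = true
cafile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
[placement]
insecure = false
[neutron]
insecure = True
[glance]
# nothing set here: the oslo.config default for insecure is false
[cinder]
insecure=1
`

// parseINI reads the oslo-style INI carried in customServiceConfig into
// section -> key -> value. Keys are lowercased; '#' and ';' lines are comments;
// keys before the first header are filed under DEFAULT (an assumption of this
// example; lines that are not key=value are skipped rather than rejected).
func parseINI(cfg string) map[string]map[string]string {
	out := map[string]map[string]string{}
	section := "DEFAULT"
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if out[section] == nil {
			out[section] = map[string]string{}
		}
		out[section][strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	return out
}

// osloTrue applies oslo.config's Boolean type: true, 1, on, yes, y (case-insensitive).
func osloTrue(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "true", "1", "on", "yes", "y":
		return true
	}
	return false
}

// InsecureSections lists, sorted, every section that disables server
// certificate validation with insecure = true.
func InsecureSections(cfg string) []string {
	var hits []string
	for section, kv := range parseINI(cfg) {
		if osloTrue(kv["insecure"]) {
			hits = append(hits, section)
		}
	}
	sort.Strings(hits)
	return hits
}

// Hardened rewrites the config so that no section disables validation: each
// insecure line that evaluates true becomes insecure = false, everything else
// passes through unchanged, so the result is a drop-in customServiceConfig once
// every peer endpoint actually serves a certificate chained to the CA bundle.
func Hardened(cfg string) string {
	lines := strings.Split(cfg, "\n")
	for i, raw := range lines {
		k, v, ok := strings.Cut(strings.TrimSpace(raw), "=")
		if ok && strings.ToLower(strings.TrimSpace(k)) == "insecure" && osloTrue(v) {
			lines[i] = "insecure = false"
		}
	}
	return strings.Join(lines, "\n")
}

func main() {
	fmt.Println("validation disabled in:", InsecureSections(sampleCustomServiceConfig))
	fmt.Println("after hardening:", InsecureSections(Hardened(sampleCustomServiceConfig)))
}
```

Run the file to see cinder, keystone_authtoken and neutron flagged (placement sets insecure = false and glance sets nothing, so neither is reported). Flipping the value rather than deleting the line keeps the section visible in the rendered config, which is the simpler thing to diff when checking a control plane after the peer services gain TLS.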
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 5, 2024
Creates TLS certs via cert-manager for placement.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-2368
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 5, 2024
Creates TLS certs via cert-manager for NovaAPI, NovaMetadata and
NovaNoVNCProxy.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: TODO
Deydra71 added a commit to Deydra71/placement-operator that referenced this pull request Jan 8, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

Depends-On: openstack-k8s-operators/lib-common#384

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 added a commit to Deydra71/placement-operator that referenced this pull request Jan 8, 2024
(commit message identical to the Jan 8, 2024 placement-operator entry above)
@Deydra71 Deydra71 closed this Jan 8, 2024
@Deydra71
Copy link
Contributor Author

Deydra71 commented Jan 8, 2024

With the changes, TLS support is moved here ---> #428

stuggi added a commit to stuggi/keystone-operator that referenced this pull request Jan 8, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The CA cert gets directly mounted as the environment bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
The service certificates, like config files, are copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.
Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-2183

[wip] use kolla to get service certs in place
d34dh0r53 pushed a commit to d34dh0r53/neutron-operator that referenced this pull request Jan 8, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for any changes and
reconcile if needed.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-2197
d34dh0r53 pushed a commit to d34dh0r53/nova-operator that referenced this pull request Jan 8, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron and NovaConductor, NovaScheduler and NovaCompute
get the CA bundle added if configured.

Also indexes the named input resources for CA bundle and TLS secrets
to be able to watch them for a change and reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: TODO
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 9, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/neutron-operator entry above)
stuggi added a commit to stuggi/cinder-operator that referenced this pull request Jan 9, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The certs get directly mounted to the appropriate place in
/etc/pki/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

Job deployments for bootstrap/cron, CinderScheduler and CinderVolume
get the CA bundle added.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-1592
stuggi added a commit to stuggi/glance-operator that referenced this pull request Jan 9, 2024
(commit message identical to the Jan 5, 2024 glance-operator entry above)
stuggi added a commit to stuggi/nova-operator that referenced this pull request Jan 9, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/nova-operator entry above)
stuggi added a commit to stuggi/keystone-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 8, 2024 keystone-operator entry above, minus its trailing [wip] line)
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/neutron-operator entry above)
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/neutron-operator entry above)
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/neutron-operator entry above)
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 8, 2024 d34dh0r53/neutron-operator entry above)
stuggi added a commit to stuggi/cinder-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The CA cert gets directly mounted as the environment bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
The service certificates, like config files, are copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.

Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: OSPRH-1592
stuggi added a commit to stuggi/glance-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 5, 2024 glance-operator entry above)
stuggi added a commit to stuggi/nova-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for TLS termination.
The CA cert gets directly mounted as the environment bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

The service certificates, like config files, are copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.

Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for CA bundle and TLS secrets
to be able to watch them for a change and reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: TODO
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Dec 5, 2023 openstack-operator entry above)
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 5, 2024 openstack-operator entry above that creates the internal CA)
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 5, 2024 placement cert entry above)
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
(commit message identical to the Jan 5, 2024 NovaAPI/NovaMetadata/NovaNoVNCProxy cert entry above)