TLS support for multiple endpoints #428

Contributor
@Deydra71 Deydra71 commented Jan 5, 2024

This change adds TLS support for multiple endpoints, and adds default mount paths for the CA certificate bundle file as well as for the service certs and keys.
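An added example, not part of this PR or of lib-common, showing the check a deployer can run against what this change mounts: for each endpoint's cert secret, confirm that the key matches the certificate, that the chain verifies against the mounted CA bundle, and that the certificate is valid for the hostname that endpoint is reached on. The code is Go with only the standard library; it generates throwaway CA and leaf certificates (constructed data, cert-manager issues the real ones) in a temporary directory laid out like the PR's certs/<name>.crt, private/<name>.key and tls-ca-bundle.pem, and the hostnames and secret names in main are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// checkEndpointTLS validates the material one endpoint's httpd vhost will serve:
// the key pair loads and the key matches the certificate (tls.LoadX509KeyPair
// checks that), the chain verifies against the CA bundle, and the certificate
// is valid for the hostname clients use for this endpoint.
func checkEndpointTLS(certPath, keyPath, bundlePath, host string) error {
	pair, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return fmt.Errorf("load %s: %w", certPath, err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	bundle, err := os.ReadFile(bundlePath)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("%s contains no PEM certificates", bundlePath)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func must[T any](v T, err error) T {
	check(err)
	return v
}

func writePEM(path, typ string, der []byte, mode os.FileMode) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), mode)
}

// demoMaterial writes a throwaway CA bundle and a leaf certificate for hosts
// into dir, in the layout the PR describes (certs/<name>.crt, private/<name>.key
// and tls-ca-bundle.pem). Constructed test data only; cert-manager issues the real ones.
func demoMaterial(dir, name string, hosts []string) (certPath, keyPath, bundlePath string) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
	for _, sub := range []string{"certs", "private"} {
		check(os.MkdirAll(filepath.Join(dir, sub), 0o700))
	}
	certPath, keyPath = filepath.Join(dir, "certs", name+".crt"), filepath.Join(dir, "private", name+".key")
	bundlePath = filepath.Join(dir, "tls-ca-bundle.pem")
	check(writePEM(certPath, "CERTIFICATE", leafDER, 0o440)) // same modes the PR uses for cert and key
	check(writePEM(keyPath, "EC PRIVATE KEY", must(x509.MarshalECPrivateKey(leafKey)), 0o400))
	check(writePEM(bundlePath, "CERTIFICATE", caDER, 0o444))
	return
}

func main() {
	dir := must(os.MkdirTemp("", "tls-demo"))
	defer os.RemoveAll(dir)
	// One cert secret per endpoint, as in the PR: public and internal differ in name and hostname.
	for name, host := range map[string]string{
		"cert-keystone-public":   "keystone-public-openstack.apps.example.com",
		"cert-keystone-internal": "keystone-internal.openstack.svc",
	} {
		crt, key, ca := demoMaterial(filepath.Join(dir, name), name, []string{host})
		fmt.Printf("%s for %s: %v\n", name, host, checkEndpointTLS(crt, key, ca, host))
	}
}
```

Against a real pod, point checkEndpointTLS at /etc/pki/tls/certs/<name>.crt, /etc/pki/tls/private/<name>.key and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem once kolla has copied the files; a hostname missing from the SANs or an issuer missing from the bundle fails the check before a client would fail the handshake.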

@Deydra71 Deydra71 requested review from stuggi and olliewalsh January 5, 2024 11:07
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support-kolla branch from 24d9736 to 4abe2fd Compare January 5, 2024 12:59
@Deydra71 Deydra71 requested a review from vakwetu January 8, 2024 06:28
@Deydra71 Deydra71 changed the title Update the service cert and key mount path to /var/lib/ TLS support for multiple endpoints Jan 8, 2024
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support-kolla branch 2 times, most recently from 607328f to e7962ed Compare January 8, 2024 15:05
Deydra71 added a commit to Deydra71/placement-operator that referenced this pull request Jan 9, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The certs are mounted in
/var/lib/config-data/tls/certs/%s.crt|key and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
Server cert and key are intended to be moved by kolla to
/etc/pki/tls/certs|private.

Depends-On: openstack-k8s-operators/lib-common#428

Signed-off-by: Veronika Fisarova <[email protected]>
…m Issuer

Some services create multiple endpoints; therefore each needs to support TLS. Also add TLS support for DB and Messaging services.
Set default mount paths for service certs and keys, as well as for the CA certs bundle file.

Signed-off-by: Veronika Fisarova <[email protected]>
Co-authored-by: Martin Schuppert <[email protected]>
@Deydra71 Deydra71 force-pushed the tls-multiple-service-endpoints-support-kolla branch from e7962ed to 21db145 Compare January 10, 2024 11:16
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
Adds watches for named secret and configmap resources from the
OpenStackClient CRD. This allows watching the specific resources
when they change.

Also adds EnvTest for OpenstackClient being created by the
OpenstackControlPlane controller.

Depends-On: openstack-k8s-operators/lib-common#428
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
- creates internal CA when internal TLS enabled
- creates TLS certs via cert-manager and passes the cert secret
  information to the services, right now keystone, glance, cinder and
  neutron

For services which at this point don't support TLS, cert validation
could be disabled using customServiceConfig, e.g.:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
~~~

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators/keystone-operator#348
Depends-On: openstack-k8s-operators/neutron-operator#263
Depends-On: openstack-k8s-operators/glance-operator#386
Depends-On: openstack-k8s-operators/cinder-operator#306

Jira: OSPRH-2183
Jira: OSPRH-1233
Jira: OSPRH-1592
Jira: OSPRH-2197
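The workaround in the commit message above trades certificate verification for connectivity, section by section, so it is worth being able to find every place it was applied once the services gain TLS support. As an added example (not code from the commit or from openstack-operator), here is a small Go audit over a customServiceConfig fragment: it parses the oslo.config-style INI and lists the sections that set insecure = true. The sample fragment is a constructed copy of the nova one from the commit message.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleNovaConfig is a constructed copy of the workaround fragment from the
// commit message: every client section has certificate validation switched off.
const sampleNovaConfig = `
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
`

// parseOsloConfig reads an oslo.config-style INI fragment (the body of
// customServiceConfig) into section -> key -> value. Blank lines and # or ;
// comments are skipped; keys are lower-cased, values are trimmed.
func parseOsloConfig(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := "DEFAULT"
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue // not a "key = value" line
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.ToLower(strings.TrimSpace(key))] = strings.TrimSpace(value)
	}
	return cfg
}

// isTrue accepts the spellings oslo.config's boolean options treat as true.
func isTrue(v string) bool {
	switch strings.ToLower(v) {
	case "true", "1", "yes", "on":
		return true
	}
	return false
}

// insecureSections lists, sorted, every section that disables server
// certificate verification with "insecure = true". Each entry is an endpoint
// the service talks to without checking who it is talking to, so the list
// should shrink to empty as the service operators gain TLS support.
func insecureSections(cfg map[string]map[string]string) []string {
	var out []string
	for name, kv := range cfg {
		if isTrue(kv["insecure"]) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, s := range insecureSections(parseOsloConfig(sampleNovaConfig)) {
		fmt.Printf("[%s] skips certificate verification\n", s)
	}
}
```

Each section the audit returns names an endpoint the service reaches without verifying the server's identity; as the corresponding operator gets TLS support, the entry should be removed rather than left in place.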
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
Creates TLS certs via cert-manager for placement.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2368
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Jan 10, 2024
Creates TLS certs via cert-manager for NovaAPI, NovaMetadata and
NovaNoVNCProxy.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: TODO
Contributor

@stuggi stuggi left a comment


/lgtm

~~~
SecretName: t.Service.SecretName,
DefaultMode: ptr.To[int32](0440),
SecretName: s.SecretName,
DefaultMode: ptr.To[int32](0400),
~~~
Contributor


If we want to use this without root (using FSGroup), does this need to be 0440?

Contributor


Yes, maybe. For the services we did so far, none uses non-root without kolla. We can introduce a *DefaultMode to the Service type so that it could be customized if needed.

Contributor


Ack, will leave this for a follow-up patch if/when it's required.
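The question in this thread is whether a 0400 defaultMode still works when the container does not run as root but relies on fsGroup. As an added example, not part of lib-common, this Go snippet models the rule the kubelet and kernel apply: projected Secret files are owned by uid 0, their group is fsGroup when one is set, and fsGroup is added to the container's supplementary groups, so a non-root process can only read the file through the group bits. The secret name, uid and gid values are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// secretVolume is the part of a Secret volume that decides who can read the
// projected files: the defaultMode requested for them. The kubelet writes the
// files as uid 0; their gid is the pod's fsGroup when one is set, else 0.
type secretVolume struct {
	SecretName  string
	DefaultMode int32 // 0440 for the service certs, 0400 for the keys in this PR
}

// podSecurity is the subset of a PodSecurityContext that matters here.
// Kubernetes adds fsGroup to every container process's supplementary groups.
type podSecurity struct {
	RunAsUser    int64
	RunAsGroup   int64
	Supplemental []int64
	FSGroup      *int64
}

// groups returns every gid the container process holds.
func (ps podSecurity) groups() []int64 {
	g := append([]int64{ps.RunAsGroup}, ps.Supplemental...)
	if ps.FSGroup != nil {
		g = append(g, *ps.FSGroup)
	}
	return g
}

// canRead applies the POSIX owner/group/other rule to a projected secret file.
// Root (uid 0) owns the file and is assumed to keep CAP_DAC_READ_SEARCH, so the
// kolla copy step running as root is never blocked by the mode.
func canRead(v secretVolume, ps podSecurity) bool {
	if ps.RunAsUser == 0 {
		return true
	}
	fileGID := int64(0)
	if ps.FSGroup != nil {
		fileGID = *ps.FSGroup
	}
	for _, g := range ps.groups() {
		if g == fileGID {
			return v.DefaultMode&0o040 != 0 // member of the file's group: only the group bits count
		}
	}
	return v.DefaultMode&0o004 != 0
}

// recommendedMode returns the tightest defaultMode that still lets the
// container read the file: 0400 for root, 0440 for non-root with fsGroup.
// Non-root without fsGroup would need world-readable 0444, which is refused.
func recommendedMode(ps podSecurity) (int32, error) {
	switch {
	case ps.RunAsUser == 0:
		return 0o400, nil
	case ps.FSGroup != nil:
		return 0o440, nil
	default:
		return 0, errors.New("non-root container without fsGroup: set fsGroup instead of widening the mode to 0444")
	}
}

func main() {
	fsGroup := int64(42436) // made-up gid for the demonstration
	kolla := podSecurity{RunAsUser: 0}
	nonRoot := podSecurity{RunAsUser: 42436, RunAsGroup: 42436, FSGroup: &fsGroup}
	for _, mode := range []int32{0o400, 0o440} {
		v := secretVolume{SecretName: "cert-keystone-internal-svc", DefaultMode: mode}
		fmt.Printf("mode %04o: root=%v non-root+fsGroup=%v\n", mode, canRead(v, kolla), canRead(v, nonRoot))
	}
}
```

With these rules 0400 is only usable when the reading process is root, which is the kolla case described in the thread; a non-root container needs 0440 plus fsGroup, and widening to 0444 would hand the key to every uid in the container. The kubelet also applies its own ownership and mode handling to projected volumes when fsGroup is set, so confirm the effective bits with ls -l inside the running container rather than relying on the requested defaultMode alone.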

Contributor

@olliewalsh olliewalsh left a comment


/lgtm

@olliewalsh olliewalsh merged commit e70e1de into openstack-k8s-operators:main Jan 10, 2024
2 checks passed
stuggi added a commit to stuggi/keystone-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The CA cert gets mounted directly as the environment bundle at
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
The service certificates are, like config files, copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.
Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2183
stuggi added a commit to stuggi/neutron-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The certs get mounted directly to the appropriate place in
/etc/pki/tls/certs/%s.crt|key, and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for any changes and
reconcile if needed.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2197
stuggi added a commit to stuggi/cinder-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The CA cert gets mounted directly as the environment bundle at
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
The service certificates are, like config files, copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.

Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-1592
stuggi added a commit to stuggi/glance-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The certs get mounted directly to the appropriate place in
/etc/pki/tls/certs/%s.crt|key, and a CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments
for bootstrap/cron get the CA bundle added if configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-1233
stuggi added a commit to stuggi/nova-operator that referenced this pull request Jan 10, 2024
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The CA cert gets mounted directly as the environment bundle at
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

The service certificates are, like config files, copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key.

Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for CA bundle, and tls secrets
to be able to watch them for a change and reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: TODO
Deydra71 added a commit to Deydra71/openstack-operator that referenced this pull request Mar 12, 2024
Creates the telemetry aodh route and svc overrides.

Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/telemetry-operator#310
Depends-On: openstack-k8s-operators/telemetry-operator#327
Depends-On: openstack-k8s-operators/telemetry-operator#330

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 added a commit to Deydra71/octavia-operator that referenced this pull request Mar 13, 2024
… database connection

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for TLS termination. The certs get mounted directly to the appropriate place in /etc/pki/tls/certs/%s.crt|key, and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments for bootstrap/cron get the CA bundle added if configured.

Depends-On: openstack-k8s-operators/lib-common#428

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 added a commit to Deydra71/openstack-operator that referenced this pull request Mar 20, 2024
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 added a commit to Deydra71/openstack-operator that referenced this pull request Mar 27, 2024
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265
Co-authored-by: [email protected]

Signed-off-by: Veronika Fisarova <[email protected]>