[tlse] tls support for octaviaAPI, amphora pod configuration, add TLS… #265
Conversation
|
/retest |
|
/test octavia-operator-build-deploy-kuttl |
|
/retest |
Deydra71
force-pushed
the
tlse-support
branch
4 times, most recently
from
19ee0f7 to
acbb5da
Compare
| {{- end }} | ||
|
|
||
| ## WSGI configuration | ||
| WSGIProcessGroup octavia-wsgi |
There was a problem hiding this comment.
WSGIProcessGroup {{ $endpt }}
| WSGIProcessGroup octavia-wsgi | ||
| WSGIApplicationGroup %{GLOBAL} | ||
| WSGIPassAuthorization On | ||
| WSGIDaemonProcess octavia-wsgi processes=5 threads=1 user=octavia group=octavia display-name=%{GROUP} |
There was a problem hiding this comment.
WSGIDaemonProcess {{ $endpt }} processes=5 threads=1 user=octavia group=octavia display-name={{ $endpt }}
Deydra71
force-pushed
the
tlse-support
branch
2 times, most recently
from
83dedff to
6df4739
Compare
|
/retest |
|
/retest Failed due to the ovn ImagePullBackOff |
|
/retest |
|
Still failing:
|
|
/retest |
|
Failed because of missing volumes and volumeMounts in the TLS assertion file, but CI is working finally ^^ |
|
/retest |
|
/retest Error generating bundle manifests: error resolving image: GET https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?scope=repository%3Arhel8%2Fhttpd-24%3Apull&service=docker-registry: unexpected status code 503 Service Unavailable |
Deydra71
force-pushed
the
tlse-support
branch
3 times, most recently
from
44f7784 to
1f4da83
Compare
|
/retest neutron-db-sync-wp55t image error: |
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265
Signed-off-by: Veronika Fisarova <[email protected]>
… databse connection Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured. Depends-On: openstack-k8s-operators/lib-common#428 Signed-off-by: Veronika Fisarova <[email protected]>
|
/retest Kuttl tests themselves passed, connection issue at the end |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Deydra71, weinimo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 7fd1a4f
into
openstack-k8s-operators:main
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265
Signed-off-by: Veronika Fisarova <[email protected]>
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265
Co-authored-by: [email protected]
Signed-off-by: Veronika Fisarova <[email protected]>
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/octavia-operator#265
Co-authored-by: [email protected]
Signed-off-by: Veronika Fisarova <[email protected]>
… databse connection
Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured.
Depends-On: openstack-k8s-operators/lib-common#428