
Introduce kolla_copy_cacerts #82

Merged

Conversation

Contributor

@stuggi stuggi commented Sep 28, 2023

This adds a script to run at container start via kolla_start to update the container environment for trusted CAs (TLS-E).

Also adds the cloud-admin user to the kolla group to be allowed to run kolla* commands as root. This is required to get the openstackclient CA trust updated for TLS endpoints.

Jira: OSP-26299
Jira: OSP-26849
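The container-start step the PR describes, as an added POSIX sh example that is not the tcib or kolla kolla_copy_cacerts script: it copies PEM certificates from a drop-in directory into the trust anchors directory, refuses files carrying private key material, skips anything openssl cannot parse, and rebuilds the bundle once. The default drop-in path, anchors path and the update-ca-trust command are assumptions, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the tcib or kolla script. Assumed (not from the PR): the
# drop-in directory, the anchors directory and the update-ca-trust command are
# the RHEL-family defaults used below; all three can be overridden by the caller.
set -eu

# copy_cacerts SRC_DIR ANCHORS_DIR [UPDATE_CMD]
# Copies every file in SRC_DIR that parses as a PEM X.509 certificate into
# ANCHORS_DIR with mode 0644, refuses anything containing private key material
# (the anchors directory is world-readable, so a key dropped there would leak),
# warns on expired certificates, and runs UPDATE_CMD once if anything was
# copied. Prints the number of certificates copied on stdout.
copy_cacerts() {
    src="$1"
    dst="$2"
    update_cmd="${3:-update-ca-trust}"

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }

    if [ ! -d "$src" ]; then
        echo "no CA drop-in directory at $src, nothing to do" >&2
        echo 0
        return 0
    fi
    mkdir -p "$dst"

    copied=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")

        # Never copy key material into the trust store, even when it sits next
        # to a certificate in the same PEM file.
        if grep -q -- "-----BEGIN.*PRIVATE KEY-----" "$f"; then
            echo "refusing $name: contains private key material" >&2
            continue
        fi
        # Only accept files openssl can parse as an X.509 certificate; this
        # drops stray README files, empty files and binary garbage.
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "skipping $name: not a parseable PEM X.509 certificate" >&2
            continue
        fi
        # An expired anchor is useless but harmless; flag it rather than fail
        # the container start over it.
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "warning: $name has expired" >&2
        fi

        install -m 0644 "$f" "$dst/$name"
        copied=$((copied + 1))
    done

    # Rebuild the system bundle only when something was added; UPDATE_CMD needs
    # root, which is why the PR adds cloud-admin to the kolla sudo group.
    if [ "$copied" -gt 0 ]; then
        $update_cmd
    fi
    echo "$copied"
}

# Run as the real startup step only when asked to, so the file can also be
# sourced for testing:  sh kolla_copy_cacerts.sh --run
if [ "${1:-}" = "--run" ]; then
    copy_cacerts /var/lib/kolla/config_files/ca-certificates /etc/pki/ca-trust/source/anchors
fi
```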

@openshift-ci openshift-ci bot requested review from rabi and rlandy September 28, 2023 15:28
@stuggi stuggi requested review from olliewalsh and Deydra71 and removed request for rabi and rlandy September 28, 2023 15:28
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/6512e94bcbff401d957f2fdc375e36c0

tcib-build-containers FAILURE in 20m 34s
⚠️ tcib-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job tcib-build-containers
⚠️ tcib-podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job tcib-build-containers

@stuggi
Contributor Author

stuggi commented Sep 28, 2023

recheck

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/6bb81f604f9141e3b09c566cd5daf656

tcib-build-containers FAILURE in 20m 37s
⚠️ tcib-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job tcib-build-containers
⚠️ tcib-podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job tcib-build-containers

@stuggi stuggi force-pushed the tls_public_endpoint branch from d902789 to 3ad8781 September 29, 2023 07:53
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/7365c01aacc04b74a9dc78fb04af772e

tcib-build-containers FAILURE in 21m 19s
⚠️ tcib-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job tcib-build-containers
⚠️ tcib-podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job tcib-build-containers

@@ -9,6 +9,9 @@ sudo -E kolla_set_configs
CMD=$(cat /run_command)
ARGS=""

# Install custom CA certificates
sudo kolla_update_cacerts
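Review bot: the new `sudo kolla_update_cacerts` line at the end of this hunk runs unconditionally with no check that the command exists or that the calling user is permitted to sudo it, so an absent script or a denied sudo surfaces only as the raw sudo error at container start; the context line `sudo -E kolla_set_configs` relies on the same kolla-group sudo rule, so at minimum a `command -v kolla_update_cacerts` guard, or a comment stating that membership in the kolla group is required, would make that dependency explicit. The name also diverges from kolla's `kolla_copy_cacerts`; keeping kolla's name (the PR was later retitled to it) avoids the two scripts drifting apart when the same fix lands in both.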
Contributor Author

@stuggi stuggi Sep 29, 2023


not all users are in kolla group and can run this right now via sudo

Contributor Author


well sudo -E kolla_set_configs above is also good, so we can expect this to work

Contributor


it's kolla_copy_cacerts in kolla, should we try to keep it consistent?

Contributor Author


we could, though we are now disconnected from kolla.

Contributor


yeah but likely to hit similar issues in both, with similar fixes, so good to stay as consistent as possible I expect

@stuggi
Contributor Author

stuggi commented Sep 29, 2023

not sure why cinder fails:

2023-09-29 04:16:01 | Stderr: 'Error: building at STEP "RUN dnf -y install ceph-common openstack-cinder && dnf clean all && rm -rf /var/cache/dnf": while running runtime: exit status 1\n': RuntimeError:

stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.

TODO: adding envtest coverage

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
Changes openstacklient
* CRD to allows to pass in CA secret
* use kolla to run the openstackclient and update the environment
  CA on start with passed in CA secret to validate endpoint certs.

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled a Cert for the route gets
  automatically created and added to the route CR.

TODO:
* adding envtest coverage

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 2, 2023
@raukadah
Collaborator

raukadah commented Oct 3, 2023

https://logserver.rdoproject.org/82/82/3ad878147c64a0f50e17977ae3dda609d989f349/github-check/tcib-build-containers/08121fb/ci-framework-data/logs/750e6bb7-bc67-42d9-af49-4cd6d7ca3ac8/base/os/cinder-base/cinder-base-build.log

Extra Packages for Enterprise Linux 9 - x86_64   51 MB/s |  19 MB     00:00    
Error: 
 Problem: package python3-grpcio-1.41.1-6.el9s.x86_64 from delorean-antelope-testing requires libre2.so.0a()(64bit), but none of the providers can be installed
  - package python3-google-api-core-2.10.2-1.el9s.noarch from delorean-antelope-testing requires python3dist(grpcio), but none of the providers can be installed
  - cannot install both re2-1:20211101-3.el9.x86_64 from epel-low-priority and re2-1:20190801-9.el9s.x86_64 from delorean-antelope-testing
  - cannot install both re2-1:20211101-3.el9.x86_64 from epel-low-priority and re2-1:20190801-9.el9s.x86_64 from centos9-storage
  - package python3-google-api-client-2:2.58.0-1.el9s.noarch from delorean-antelope-testing requires ((python3.9dist(google-api-core) < 2 or python3.9dist(google-api-core) > 2.1) with (python3.9dist(google-api-core) < 2.1 or python3.9dist(google-api-core) > 2.2) with (python3.9dist(google-api-core) < 2.2 or python3.9dist(google-api-core) > 2.3) with (python3.9dist(google-api-core) < 2.3 or python3.9dist(google-api-core) > 2.3) with python3.9dist(google-api-core) < 3~~dev0 with python3.9dist(google-api-core) >= 1.31.5), but none of the providers can be installed
  - package libarrow-9.0.0-9.el9.x86_64 from epel-low-priority requires libre2.so.9()(64bit), but none of the providers can be installed
  - package python3-cinder-1:22.1.1-0.20230914070759.bdf0a3d.el9.noarch from delorean-component-cinder requires python3-google-api-client >= 1.11.0, but none of the providers can be installed
  - package parquet-libs-9.0.0-9.el9.x86_64 from epel-low-priority requires libarrow(x86-64) = 9.0.0-9.el9, but none of the providers can be installed
  - package openstack-cinder-1:22.1.1-0.20230914070759.bdf0a3d.el9.noarch from delorean-component-cinder requires python3-cinder = 1:22.1.1-0.20230914070759.bdf0a3d.el9, but none of the providers can be installed
  - package ceph-common-2:18.2.0-1.el9s.x86_64 from centos9-storage requires libparquet.so.900()(64bit), but none of the providers can be installed
  - conflicting requests
  - nothing provides libthrift-0.14.0.so()(64bit) needed by parquet-libs-9.0.0-1.el9s.x86_64 from centos9-storage
  - package python3-grpcio-1.46.7-10.el9.x86_64 from epel-low-priority is filtered out by exclude filtering
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)

It appears to be a missing package issue.

@raukadah
Collaborator

raukadah commented Oct 3, 2023

recheck

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/8cfb9fafc53c45b2a1a96410fbf1b600

✔️ tcib-build-containers SUCCESS in 39m 38s
tcib-crc-podified-edpm-baremetal RETRY_LIMIT in 4s
tcib-podified-multinode-edpm-deployment-crc RETRY_LIMIT in 4s

@Deydra71

Deydra71 commented Oct 3, 2023

recheck

olliewalsh pushed a commit to olliewalsh/openstack-operator that referenced this pull request Oct 3, 2023
This adds a script to run at container start via kolla_start to
update the container environment for trusted CAs (TLS-E).

Also adds the cloud-admin user to the kolla group to be allowed
to run kolla* commands as root. This is required to get the
openstackclient CA trust updated for TLS endpoints.

Jira: OSP-26299
Jira: OSP-26849
@stuggi stuggi force-pushed the tls_public_endpoint branch from 3ad8781 to 9f1a562 October 4, 2023 06:32
@stuggi stuggi changed the title from Introduce kolla_update_cacerts to Introduce kolla_copy_cacerts Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
Contributor

@olliewalsh olliewalsh left a comment


/lgtm

@raukadah
Collaborator

raukadah commented Oct 4, 2023

/approve

@openshift-ci
Contributor

openshift-ci bot commented Oct 4, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, raukadah, stuggi


@openshift-ci openshift-ci bot merged commit ed5ebd4 into openstack-k8s-operators:main Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 4, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 5, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 6, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 9, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 9, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 10, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 10, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 12, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 12, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 17, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 20, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
Changes openstackclient
* CRD to allow passing in a CA secret
* use kolla to run the openstackclient and update the environment
  CA on start with the passed-in CA secret to validate endpoint certs.

Adds CRD parameters to configure TLS for public and internal TLS.
* by default a self-signed root CA + issuer get created for
  public and internal certs
* the public issuer can be provided by the user by referencing a named
  issuer in the namespace; then that one is used.
* the user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route creation for a follow-up on TLS-E to create
  certs for each service endpoint.
* when TLS for the public endpoint is enabled (default), a Cert for the
  route gets automatically created and added to the route CR.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 23, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 24, 2023
Changes openstackclient
* CRD to allow passing in a CA secret
* mounts the CA bundle under /etc/pki

Adds CRD parameters to configure TLS for public and internal TLS.
* by default a self-signed root CA + issuer get created for
  public and internal certs
* via the apiOverride.TLS of a service, a secret with cert, key and
  CA cert can be provided to use instead of the default self-signed one
* the user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route creation for a follow-up on TLS-E to create
  certs for each service endpoint.
* when TLS for the public endpoint is enabled (default), a Cert for the
  route gets automatically created and added to the route CR.
* the openstack-operator creates a full tls-ca-bundle.pem using
  the operator image ca-bundle as base and adds the public, internal
  and user-provided CAs to it. This allows mounting a full tls-ca-bundle.pem
  into the deployment pod without having to rely on kolla to run
  update-ca-trust, which requires the container to run as root.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
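The CA-bundle merge that the commit message above describes (operator image ca-bundle as base, public, internal and user-provided CAs appended, the result mounted as tls-ca-bundle.pem so the pod never needs root for update-ca-trust) as an added Go example. This is not the openstack-operator's own code and assumes nothing about its API: the function names (MergeCABundle, VerifyWithBundle, NewTestCA, NewTestLeaf), the hostname and the CA names are illustrative, and the CAs are constructed in-process as throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MergeCABundle builds one trust bundle from a base bundle (the operator image
// ca-bundle in the commit message) plus extra CA sources (public, internal and
// user-provided secrets). Only CERTIFICATE PEM blocks that parse as x509 are
// kept, byte-identical duplicates are dropped, and any other block type (e.g. a
// private key pasted into a CA secret by mistake) is rejected rather than
// written into a world-readable trust file. Returns the bundle and the count.
func MergeCABundle(base []byte, extras ...[]byte) ([]byte, int, error) {
	seen := map[string]bool{}
	var out []byte
	for i, src := range append([][]byte{base}, extras...) {
		for {
			var block *pem.Block
			block, src = pem.Decode(src)
			if block == nil {
				break
			}
			if block.Type != "CERTIFICATE" {
				return nil, 0, fmt.Errorf("source %d: refusing PEM block of type %q", i, block.Type)
			}
			if _, err := x509.ParseCertificate(block.Bytes); err != nil {
				return nil, 0, fmt.Errorf("source %d: bad certificate: %w", i, err)
			}
			if seen[string(block.Bytes)] {
				continue // same DER already present, e.g. a CA listed twice
			}
			seen[string(block.Bytes)] = true
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})...)
		}
	}
	if len(seen) == 0 {
		return nil, 0, errors.New("no certificates found in any source")
	}
	return out, len(seen), nil
}

// VerifyWithBundle performs the check a client such as openstackclient does once
// the bundle is its trust store: the leaf must chain to a CA in the bundle and
// carry dnsName as a SAN (server-auth usage is Go's default here).
func VerifyWithBundle(bundlePEM, leafPEM []byte, dnsName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) { return errors.New("no parsable certificates in bundle") }
	block, _ := pem.Decode(leafPEM)
	if block == nil { return errors.New("leaf is not PEM") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// NewTestCA creates a throwaway self-signed CA (constructed test data, not a
// deployment CA) and returns its PEM plus the parsed cert and key for issuing.
func NewTestCA(cn string) (caPEM []byte, ca *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { return }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return }
	if ca, err = x509.ParseCertificate(der); err != nil { return }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), ca, key, nil
}

// NewTestLeaf issues a server certificate for dnsName signed by the given CA (constructed test data).
func NewTestLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// main shows the stand-alone flow with the constructed CAs; hostname is illustrative.
func main() {
	basePEM, _, _, err := NewTestCA("operator-image-root")
	pubPEM, pubCA, pubKey, err2 := NewTestCA("rootca-public")
	if err != nil || err2 != nil { panic("constructing test CAs failed") }
	bundle, n, err := MergeCABundle(basePEM, pubPEM, pubPEM) // public CA listed twice on purpose
	if err != nil { panic(err) }
	leaf, _ := NewTestLeaf(pubCA, pubKey, "keystone-public.example.test")
	fmt.Println("unique CAs:", n, "verify error:", VerifyWithBundle(bundle, leaf, "keystone-public.example.test"))
}
```

The two checks worth keeping from this when building such a bundle in an operator are the dedup (so re-reconciling with the same CA listed in several secrets does not grow the file) and the block-type filter: a user-provided CA secret is free-form input, and anything other than a certificate, a private key in particular, must never be copied into a trust file that every process in the pod can read.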
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 24, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Oct 25, 2023
fmount pushed a commit to fmount/openstack-operator that referenced this pull request Nov 2, 2023
stuggi added a commit to stuggi/openstack-operator that referenced this pull request Nov 7, 2023
4 participants