@@ -46,7 +46,7 @@ spec:
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: cacert,config-cinderplugin,secret-cinderplugin,socket-dir
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: config-cinderplugin,cloud-credentials,legacy-cacert,socket-dir
openshift.io/required-scc: restricted-v2
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
@@ -132,16 +132,17 @@ spec:
memory: 50Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: cacert
- mountPath: /csi
name: socket-dir
- mountPath: /etc/kubernetes/config
name: config-cinderplugin
readOnly: true
- mountPath: /etc/kubernetes/secret
name: secret-cinderplugin
- mountPath: /etc/openstack
name: cloud-credentials
readOnly: true
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: legacy-cacert
readOnly: true
- mountPath: /csi
name: socket-dir
- args:
- --secure-listen-address=0.0.0.0:9202
- --upstream=http://127.0.0.1:8202/
@@ -404,12 +405,20 @@ spec:
- name: metrics-serving-cert
secret:
secretName: openstack-cinder-csi-driver-controller-metrics-serving-cert
- name: secret-cinderplugin
secret:
items:
- key: clouds.yaml
path: clouds.yaml
secretName: openstack-cloud-credentials
- name: cloud-credentials
projected:
sources:
- secret:
items:
- key: cacert
path: ca.crt
name: openstack-cloud-credentials
optional: true
- secret:
items:
- key: clouds.yaml
path: clouds.yaml
name: openstack-cloud-credentials
- configMap:
items:
- key: cloud.conf
@@ -422,7 +431,7 @@ spec:
path: ca-bundle.pem
name: cloud-conf
optional: true
name: cacert
name: legacy-cacert
- name: hosted-kubeconfig
secret:
defaultMode: 420
41 changes: 25 additions & 16 deletions assets/overlays/openstack-cinder/generated/hypershift/node.yaml
@@ -90,13 +90,14 @@ spec:
name: etc-selinux
- mountPath: /sys/fs
name: sys-fs
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: cacert
- mountPath: /etc/kubernetes/config
name: config-cinderplugin
readOnly: true
- mountPath: /etc/kubernetes/secret
name: secret-cinderplugin
- mountPath: /etc/openstack
name: cloud-credentials
readOnly: true
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: legacy-cacert
readOnly: true
- args:
- --csi-address=/csi/csi.sock
@@ -191,25 +192,33 @@ spec:
- name: metrics-serving-cert
secret:
secretName: openstack-cinder-csi-driver-node-metrics-serving-cert
- configMap:
items:
- key: ca-bundle.pem
path: ca-bundle.pem
name: cloud-conf
optional: true
name: cacert
- name: cloud-credentials
projected:
sources:
- secret:
items:
- key: cacert
path: ca.crt
name: openstack-cloud-credentials
optional: true
- secret:
items:
- key: clouds.yaml
path: clouds.yaml
name: openstack-cloud-credentials
- configMap:
items:
- key: cloud.conf
path: cloud.conf
name: cloud-conf
name: config-cinderplugin
- name: secret-cinderplugin
secret:
- configMap:
items:
- key: clouds.yaml
path: clouds.yaml
secretName: openstack-cloud-credentials
- key: ca-bundle.pem
path: ca-bundle.pem
name: cloud-conf
optional: true
name: legacy-cacert
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
@@ -40,7 +40,7 @@ spec:
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: cacert,config-cinderplugin,secret-cinderplugin,socket-dir
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: config-cinderplugin,cloud-credentials,legacy-cacert,socket-dir
openshift.io/required-scc: restricted-v2
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
labels:
@@ -101,16 +101,17 @@ spec:
memory: 50Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: cacert
- mountPath: /csi
name: socket-dir
- mountPath: /etc/kubernetes/config
name: config-cinderplugin
readOnly: true
- mountPath: /etc/kubernetes/secret
name: secret-cinderplugin
- mountPath: /etc/openstack
name: cloud-credentials
readOnly: true
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: legacy-cacert
readOnly: true
- mountPath: /csi
name: socket-dir
- args:
- --secure-listen-address=0.0.0.0:9202
- --upstream=http://127.0.0.1:8202/
@@ -346,12 +347,20 @@ spec:
- name: metrics-serving-cert
secret:
secretName: openstack-cinder-csi-driver-controller-metrics-serving-cert
- name: secret-cinderplugin
secret:
items:
- key: clouds.yaml
path: clouds.yaml
secretName: openstack-cloud-credentials
- name: cloud-credentials
projected:
sources:
- secret:
items:
- key: cacert
path: ca.crt
name: openstack-cloud-credentials
optional: true
- secret:
items:
- key: clouds.yaml
path: clouds.yaml
name: openstack-cloud-credentials
- configMap:
items:
- key: cloud.conf
@@ -364,4 +373,4 @@ spec:
path: ca-bundle.pem
name: cloud-conf
optional: true
name: cacert
name: legacy-cacert
41 changes: 25 additions & 16 deletions assets/overlays/openstack-cinder/generated/standalone/node.yaml
@@ -90,13 +90,14 @@ spec:
name: etc-selinux
- mountPath: /sys/fs
name: sys-fs
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: cacert
- mountPath: /etc/kubernetes/config
name: config-cinderplugin
readOnly: true
- mountPath: /etc/kubernetes/secret
name: secret-cinderplugin
- mountPath: /etc/openstack
name: cloud-credentials
readOnly: true
- mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
name: legacy-cacert
readOnly: true
- args:
- --csi-address=/csi/csi.sock
@@ -191,25 +192,33 @@ spec:
- name: metrics-serving-cert
secret:
secretName: openstack-cinder-csi-driver-node-metrics-serving-cert
- configMap:
items:
- key: ca-bundle.pem
path: ca-bundle.pem
name: cloud-conf
optional: true
name: cacert
- name: cloud-credentials
projected:
sources:
- secret:
items:
- key: cacert
path: ca.crt
name: openstack-cloud-credentials
optional: true
- secret:
items:
- key: clouds.yaml
path: clouds.yaml
name: openstack-cloud-credentials
- configMap:
items:
- key: cloud.conf
path: cloud.conf
name: cloud-conf
name: config-cinderplugin
- name: secret-cinderplugin
secret:
- configMap:
items:
- key: clouds.yaml
path: clouds.yaml
secretName: openstack-cloud-credentials
- key: ca-bundle.pem
path: ca-bundle.pem
name: cloud-conf
optional: true
name: legacy-cacert
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
49 changes: 28 additions & 21 deletions assets/overlays/openstack-cinder/patches/controller_add_driver.yaml
@@ -8,7 +8,7 @@ spec:
template:
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: "cacert,config-cinderplugin,secret-cinderplugin,socket-dir"
cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: "config-cinderplugin,cloud-credentials,legacy-cacert,socket-dir"
openshift.io/required-scc: restricted-v2
labels:
openshift.storage.network-policy.all-egress: allow
@@ -71,43 +71,50 @@ spec:
periodSeconds: 30
failureThreshold: 5
volumeMounts:
- name: cacert
mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
- name: socket-dir
mountPath: /csi
# credentials and configuration
- name: config-cinderplugin
mountPath: /etc/kubernetes/config
readOnly: true
- name: secret-cinderplugin
mountPath: /etc/kubernetes/secret
- name: cloud-credentials
mountPath: /etc/openstack
readOnly: true
# TODO(stephenfin): Remove in 4.22
- name: legacy-cacert
mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
readOnly: true
- name: socket-dir
mountPath: /csi
resources:
requests:
memory: 50Mi
cpu: 10m
terminationMessagePolicy: FallbackToLogsOnError
volumes:
- name: secret-cinderplugin
secret:
secretName: openstack-cloud-credentials
items:
- key: clouds.yaml
path: clouds.yaml
- name: cloud-credentials
projected:
sources:
- secret:
name: openstack-cloud-credentials
items:
- key: cacert
path: ca.crt
optional: true
- secret:
name: openstack-cloud-credentials
items:
- key: clouds.yaml
path: clouds.yaml
- name: config-cinderplugin
configMap:
name: cloud-conf
items:
- key: cloud.conf
path: cloud.conf
- name: cacert
# If present, extract ca-bundle.pem to
# /etc/kubernetes/static-pod-resources/configmaps/cloud-config
# Let the pod start when the ConfigMap does not exist or the certificate
# is not preset there. The certificate file will be created once the
# ConfigMap is created / the certificate is added to it.
# TODO(stephenfin): Remove in 4.22
- name: legacy-cacert
configMap:
name: cloud-conf
items:
- key: ca-bundle.pem
path: ca-bundle.pem
- key: ca-bundle.pem
path: ca-bundle.pem
optional: true
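Review bot: The new `cloud-credentials` projected volume under `volumes:` sets no `defaultMode`, so Kubernetes falls back to 0644 and `clouds.yaml` is world-readable inside any container that mounts `/etc/openstack`. That file presumably carries the OpenStack credentials, so I would add an explicit mode alongside `sources:`, for example `defaultMode: 0440`, after confirming the driver can still read it with the UID and fsGroup it gets under `restricted-v2`. The generated controller and node manifests shown in this commit carry the same volume and would need regenerating to pick the value up. Separately, the comment that explained why `optional: true` lets the pod start without the certificate appears to have been removed; a short replacement such as `# cacert is optional, clouds.yaml is required, hence two sources for the same Secret` would keep the split in the projected volume understandable.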