OSASINFRA-3730: Add support for storing OpenStack CA bundles #9194
Conversation
|
@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
|
@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold Will wait for 4.19 for this. |
openshift-ci
bot
added
the
do-not-merge/hold
|
/retest |
stephenfin
force-pushed
the
OSASINFRA-3657
branch
from
5e359c0 to
2cd9c80
Compare
stephenfin
changed the title
stephenfin
changed the title
|
@stephenfin: This pull request references OSASINFRA-3730 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
nice cleanup |
|
@stephenfin: This pull request references OSASINFRA-3730 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
stephenfin
force-pushed
the
OSASINFRA-3657
branch
from
2cd9c80 to
943219f
Compare
|
/retest |
1 similar comment
|
/retest |
We are storing a cloud configuration file, not a cloud credentials file. Signed-off-by: Stephen Finucane <[email protected]>
If a CA cert is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said cert. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA cert from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary. Continue the resolution of the issue by storing the CA cert, if any, in the root secret on OpenStack. When coupled with the changes introduced in openshift/cloud-credential-operator#780 [1], this allows us to dole out the cert to anyone who asks for it via a 'CredentialsRequest'. [1] openshift/cloud-credential-operator#780 Signed-off-by: Stephen Finucane <[email protected]>
stephenfin
force-pushed
the
OSASINFRA-3657
branch
from
943219f to
6db3887
Compare
|
@stephenfin: This pull request references OSASINFRA-3730 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/unhold The CCO change has merged. |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/retest |
|
/test e2e-openstack-proxy |
|
@stephenfin: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/test e2e-openstack-proxy |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mandre, patrickdillon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/label acknowledge-critical-fixes-only This is low risk since it's purely additive. |
openshift-ci
bot
added
the
acknowledge-critical-fixes-only
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-altinfra |
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-terraform-providers |
|
[ART PR BUILD NOTIFIER] Distgit: ose-baremetal-installer |
|
[ART PR BUILD NOTIFIER] Distgit: ose-installer-artifacts |
6 participants
If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.
Continue the resolution of the issue by storing the CA bundle, if any, in the root secret on OpenStack. When coupled with the changes introduced in openshift/cloud-credential-operator#780, this allows us to dole out the bundle to anyone who asks for it via a
CredentialsRequest.While we're here, we also tweak the configuration for the cloud provider to (a) start generating the configuration file in the new format expected bycluster-cloud-controller-manager-operatorand (b) stop generating an old secret that only the old, now-removed in-tree OpenStack cloud provider needed and used.EDIT: I have deferred the above changes to a different PR.