OSASINFRA-3657: Add support for storing OpenStack CA bundles #780
Conversation
If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary. Begin the resolution of the issue by allowing users (i.e. the Installer) to store the CA bundle in their root secret and dole this out to anyone who asks for it via a CredentialsRequest. Follow-up changes will be needed in places like the Installer and csi-operator to start setting/consuming this. Signed-off-by: Stephen Finucane <[email protected]>
|
@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
|
/cc @mandre |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: stephenfin The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #780 +/- ##
==========================================
- Coverage 47.03% 47.01% -0.03%
==========================================
Files 97 97
Lines 11835 11838 +3
==========================================
- Hits 5567 5566 -1
- Misses 5655 5658 +3
- Partials 613 614 +1
|
|
@stephenfin: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary. Continue the resolution of the issue by storing the CA bundle, if any, in the root secret on OpenStack. When coupled with the changes introduced in openshift/cloud-credential-operator#780 [1], this allows us to dole out the bundle to anyone who asks for it via a 'CredentialsRequest'. [1] openshift/cloud-credential-operator#780 Signed-off-by: Stephen Finucane <[email protected]>
|
/hold Will wait for 4.19 for this. |
openshift-ci
bot
added
the
do-not-merge/hold
If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.
Begin the resolution of the issue by allowing users (i.e. the Installer) to store the CA bundle in their root secret and dole this out to anyone who asks for it via a
CredentialsRequest. Follow-up changes will be needed in places like the Installer and csi-operator to start setting/consuming this.