commit 3b7e518a940cffbaab1aa52f5a3166175ee3dd6c
Author: Michał Dulko <email address hidden>
Date: Thu Mar 22 18:28:28 2018 +0100
Add CA certificates Secret and mount it
Our containerized gates started failing recently. Turns out some default
configuration was changed and `tls-proxy` service was added. This option
makes all OpenStack endpoints use HTTPS. This includes creation of a
DevStack CA certificates bundle that then will be configured to be
verified when connecting to OpenStack APIs. This works well with
non-containerized deployment as the bundle is available locally in
/opt/stack/data and our `[neutron]` section sets `cafile` option to
point there.
Things are different in containerized deployment use case as we need a
way to pass those certificates into the container. Effectively - we had
no CA certificates support for containerized deployments either in
DevStack or production.
This commit adds that support by including new Kuryr Kubernetes resource
definition - `kuryr-certificates` Secret. It is supposed to hold CA
certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet
definition was modified to mount the certificate into /etc/ssl/certs.
Changes also include implementing support for that in DevStack plugin
(placing the certificate in the secret and setting the `[neutron]cafile`
config option to point to that certificate).
Reviewed: https://review.openstack.org/555502
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=3b7e518a940cffbaab1aa52f5a3166175ee3dd6c
Submitter: Zuul
Branch: master
Closes-Bug: 1758061
Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8
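
The wiring the commit message describes, as an added illustration that is not the manifests from the kuryr-kubernetes change: a `kuryr-certificates` Secret holding the CA under the `kuryr-ca-bundle.crt` key, mounted into the controller container so that `[neutron]cafile` can point at it. The namespace, labels, image, volume names, ConfigMap name, the `kuryr.conf` path and the use of `subPath` are assumptions.

```yaml
# Added illustration; not the kuryr-kubernetes project's own manifests.
# Assumed (hypothetical): namespace, labels, image, volume/ConfigMap names, conf path.
apiVersion: v1
kind: Secret
metadata: {name: kuryr-certificates, namespace: kube-system}
type: Opaque
stringData:
  kuryr-ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: PEM-encoded CA certificate(s) go here
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: ConfigMap
metadata: {name: kuryr-config, namespace: kube-system}
data:
  kuryr.conf: |
    [neutron]
    cafile = /etc/ssl/certs/kuryr-ca-bundle.crt
---
apiVersion: apps/v1
kind: DaemonSet
metadata: {name: kuryr-controller, namespace: kube-system}
spec:
  selector:
    matchLabels: {name: kuryr-controller}
  template:
    metadata:
      labels: {name: kuryr-controller}
    spec:
      containers:
      - name: controller
        image: example.invalid/kuryr/controller:placeholder
        volumeMounts:
        - name: certificates-volume
          # subPath mounts only this one file; mounting the whole volume at
          # /etc/ssl/certs would hide the CA files shipped in the image.
          mountPath: /etc/ssl/certs/kuryr-ca-bundle.crt
          subPath: kuryr-ca-bundle.crt
          readOnly: true
        - name: config-volume
          mountPath: /etc/kuryr/kuryr.conf
          subPath: kuryr.conf
      volumes:
      - name: certificates-volume
        secret: {secretName: kuryr-certificates}
      - name: config-volume
        configMap: {name: kuryr-config}
```

A `subPath` mount is not refreshed when the Secret is updated, so the pod has to be restarted after the CA bundle is rotated.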