enable certificate management in kubernetes clusters

Bug #1734318 reported by Ricardo Rocha
Affects   Status         Importance   Assigned to       Milestone
Magnum    Fix Released   Undecided    Spyros Trigazis
Queens    Fix Released   Undecided    Unassigned

Bug Description

Kubernetes has built-in functionality to manage TLS certificates:
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/

Requests for certificate request signing are done via the kubernetes API, and the resulting certificates can be used to enable TLS communication between services and tools running inside the cluster.

To enable this in Magnum we need to generate a new cluster CA for this purpose, which will be used for internal cluster connections only and is not expected to be recognized by anything outside the cluster.

The alternative would be to reuse the cluster CA we already have to generate the client TLS certificates, but as the CA key is stored in barbican we cannot use it to get kubernetes to generate new certificates.

Revision history for this message
Ricardo Rocha (rocha-porto) wrote :

The second part of this implementation is to make the new CA public certificate available to all pods in the cluster, the same way the svc account is also exposed.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/529818

Changed in magnum:
assignee: nobody → Ricardo Rocha (rocha-porto)
status: New → In Progress
Changed in magnum:
assignee: Ricardo Rocha (rocha-porto) → Spyros Trigazis (strigazi)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/529818
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=faa9e90402bcf78acdd166198fff9612fa8be81c
Submitter: Zuul
Branch: master

commit faa9e90402bcf78acdd166198fff9612fa8be81c
Author: Ricardo Rocha <email address hidden>
Date: Fri Dec 22 11:07:51 2017 +0000

    [k8s] allow enabling kubernetes cert manager api

    Add a new label 'cert_manager_api' to kubernetes clusters controlling the
    enable/disable of the kubernetes certificate manager api.

    The same cluster cert/key pair is used by this api. The heat agent is used
    to install the key in the master node(s), as this is required for kubernetes
    to later sign new certificate requests.

    The master template init order is changed so the heat agent is launched
    previous to enabling the services - the controller manager requires the CA key
    to be locally available before being launched.

    Change-Id: Ibf85147316e3a194d8a3f92cbb4ae9ce8e16c98f
    Partial-Bug: #1734318

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/545772

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to magnum (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/545779

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to magnum (master)

Reviewed: https://review.openstack.org/545779
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=5a34d7d830ad4b6a714f079d4575e1705df434f3
Submitter: Zuul
Branch: master

commit 5a34d7d830ad4b6a714f079d4575e1705df434f3
Author: Costin Gamenț <email address hidden>
Date: Mon Feb 19 10:30:42 2018 +0100

    Check CERT_MANAGER_API if True or False

    Follow-up on "Change 529818" to check variable value "True" or "False".

    Change-Id: Id01ff344320983653672c9f8df12ae4038953352
    Related-bug: 1734318

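The merged change above installs the cluster CA key on the master node(s) so the controller manager can sign certificate requests, and the follow-up commit narrows the 'cert_manager_api' label to an explicit True/False check. The script below is an added example written for this page, not Magnum's heat-template code: it normalises the label value case-insensitively, refuses to enable signing when the on-disk CA key is readable by group or others (the key is the cluster CA, so that permission check is the caveat added here), and emits the real kube-controller-manager signing flags. The argument order, the ca.crt/ca.key file layout under the certificate directory, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Magnum's own template code.
# Decide whether kube-controller-manager may be given the cluster CA key
# for CSR signing, based on the 'cert_manager_api' label.
#
# cert_manager_args LABEL_VALUE CERT_DIR   (argument order is assumed)
#   prints the controller-manager flags and returns 0 when signing is enabled,
#   returns 1 when the label disables it,
#   returns 2 when the label enables it but the CA key is not safe to use.

# Accept only "true" in any letter case, as the follow-up commit intends;
# anything else ("", "yes", "1") leaves signing disabled.
cert_manager_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# The CA key is the trust root for every certificate the cluster will sign:
# it must exist and carry no group/other permission bits (e.g. mode 0600).
# Parsed from the portable 10-character mode field of ls -l.
key_is_private() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;   # positions 5-10 are group/other bits
        *)          return 1 ;;
    esac
}

cert_manager_args() {
    label="$1"
    cert_dir="$2"
    cert_manager_enabled "$label" || return 1
    key_is_private "$cert_dir/ca.key" || return 2
    # Real kube-controller-manager flags: with these set, the controller
    # manager signs approved CSRs using the cluster CA.
    printf '%s %s\n' \
        "--cluster-signing-cert-file=$cert_dir/ca.crt" \
        "--cluster-signing-key-file=$cert_dir/ca.key"
}
```

The script deliberately fails closed: a mistyped label value or a world-readable key both leave the CSR API disabled, which is the safer outcome when the key that was previously held only in Barbican now lives on the master's filesystem.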
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/545772
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=6f762b3d52bbb522ed829821858428bbe6c9e4cc
Submitter: Zuul
Branch: stable/queens

commit 6f762b3d52bbb522ed829821858428bbe6c9e4cc
Author: Ricardo Rocha <email address hidden>
Date: Fri Dec 22 11:07:51 2017 +0000

    [k8s] allow enabling kubernetes cert manager api

    Add a new label 'cert_manager_api' to kubernetes clusters controlling the
    enable/disable of the kubernetes certificate manager api.

    The same cluster cert/key pair is used by this api. The heat agent is used
    to install the key in the master node(s), as this is required for kubernetes
    to later sign new certificate requests.

    The master template init order is changed so the heat agent is launched
    previous to enabling the services - the controller manager requires the CA key
    to be locally available before being launched.

    Change-Id: Ibf85147316e3a194d8a3f92cbb4ae9ce8e16c98f
    Partial-Bug: #1734318
    (cherry picked from commit faa9e90402bcf78acdd166198fff9612fa8be81c)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to magnum (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/550525

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/550525
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=058d982258baa900326d434b3a0e459900cdf8a7
Submitter: Zuul
Branch: stable/queens

commit 058d982258baa900326d434b3a0e459900cdf8a7
Author: Costin Gamenț <email address hidden>
Date: Mon Feb 19 10:30:42 2018 +0100

    Check CERT_MANAGER_API if True or False

    Follow-up on "Change 529818" to check variable value "True" or "False".

    Change-Id: Id01ff344320983653672c9f8df12ae4038953352
    Related-bug: 1734318
    (cherry picked from commit 5a34d7d830ad4b6a714f079d4575e1705df434f3)

Changed in magnum:
status: In Progress → Fix Released