Need ability to add customer-specified certificates for kubernetes api-server at bootstrap time
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | David Sullivan |
Bug Description
Brief Description
-----------------
Need the ability to update the Kubernetes ApiServer RootCA at ansible-
As use of self-signed certificate will not be acceptable in some use cases.
NOTE: needs to include the ability of being able to specify the apiServerCertSANs such that user can specify additional DNS:<FQDN> and/or IP Records for the auto-generated apiServerCertif
So overall we’ll add 3x ansible bootstrap variables
apiServerRootCaCert == public certificate for the apiServerRootCa
apiServerRootCaKey == private key for the apiServerRootCA
apiServerCertSANs == DNS and/or IP records for the SAN field of the auto-generated apiServer certificate
(the bootstrap will automatically add the OAM IP Records (floating and 2x unit IPs) to this)
Severity
--------
Provide the severity of the defect.
<Major: System/Feature is usable but degraded>
Steps to Reproduce
------------------
Not applicable.
Expected Behavior
------------------
Use of specified root ca for kube ApiServer
Actual Behavior
----------------
Uses internally generated self-signed root ca
Reproducibility
---------------
<Reproducible>
State if the issue is 100% reproducible, intermittent or seen once. If it is intermittent, state the frequency of occurrence
System Configuration
-------
All configs
Branch/Pull Time/Commit
-------
Latest branch
Last Pass
---------
Not applicable
Timestamp/Logs
--------------
Not applicable
Test Activity
-------------
[Evaluation]
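
An added sketch (not StarlingX code) of the SAN handling described above: user-supplied apiServerCertSANs records are validated, normalised and merged with the OAM IPs. The function names, the list-of-strings `DNS:`/`IP:` input format and the sample values are assumptions.

```python
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits, hyphen; no edge hyphens.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _check_dns(name):
    """Return the normalised FQDN, or raise ValueError (wildcards rejected)."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if not name or len(name) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"bad DNS name: {name!r}")
    return name


def build_api_server_sans(user_sans, oam_ips):
    """Merge user 'DNS:<FQDN>' / 'IP:<addr>' records with the OAM IPs."""
    merged = []

    def add(kind, value):
        entry = f"{kind}:{value}"
        if entry not in merged:  # keep order, drop duplicates
            merged.append(entry)

    for record in user_sans:
        kind, sep, value = record.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if not sep or not value:
            raise ValueError(f"expected DNS:<FQDN> or IP:<addr>, got {record!r}")
        if kind == "IP":
            add("IP", ipaddress.ip_address(value))  # normalises IPv4/IPv6 text
        elif kind == "DNS":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                add("DNS", _check_dns(value))
            else:
                raise ValueError(f"{value!r} is an IP address; use an IP: record")
        else:
            raise ValueError(f"unsupported SAN type in {record!r}")
    for ip in oam_ips:  # floating + 2x unit OAM addresses, added automatically
        add("IP", ipaddress.ip_address(ip))
    return merged


if __name__ == "__main__":
    user = ["DNS:k8s.example.com", "IP:192.0.2.10", "dns:K8S.example.com."]  # constructed
    print(",".join(build_api_server_sans(user, ["192.0.2.10", "192.0.2.11", "192.0.2.12"])))
```

An address placed in a `DNS:` record is rejected because clients that connect by IP verify against IP SAN entries, not DNS ones.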
Changed in starlingx:
assignee: nobody → David Sullivan (dsullivanwr)
Changed in starlingx:
status: New → In Progress
Fix proposed to branch: master
Review: https://review.opendev.org/671561