Need ability to add customer-specified certificates for kubernetes api-server at bootstrap time

Bug #1837079 reported by Greg Waines
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: David Sullivan
Milestone: (none set)

Bug Description

Brief Description
-----------------
Need the ability to update the Kubernetes ApiServer RootCA at ansible-bootstrap-time, as the use of a self-signed certificate will not be acceptable in some use cases.

NOTE: this needs to include the ability to specify the apiServerCertSANs, so that the user can specify additional DNS:<FQDN> and/or IP records for the auto-generated apiServerCertificate, AND we’ll automatically update this parameter to also include IP records for the OAM floating IP and both OAM unit IPs.

So overall we’ll add 3x ansible bootstrap variables:
- apiServerRootCaCert == public certificate for the apiServerRootCa
- apiServerRootCaKey == private key for the apiServerRootCA
- apiServerCertSANs == DNS and/or IP records for the SAN field of the auto-generated apiServer certificate
  (the bootstrap will automatically add the OAM IP records (floating and 2x unit IPs) to this)

Severity
--------
<Major: System/Feature is usable but degraded>

Steps to Reproduce
------------------
Not applicable.

Expected Behavior
------------------
Use of specified root ca for kube ApiServer

Actual Behavior
----------------
Uses internally generated self-signed root ca

Reproducibility
---------------
<Reproducible>

System Configuration
--------------------
All configs

Branch/Pull Time/Commit
-----------------------
Latest branch

Last Pass
---------
Not applicable

Timestamp/Logs
--------------
Not applicable

Test Activity
-------------
[Evaluation]
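The bug description above proposes three bootstrap variables and says the bootstrap will add the OAM floating and unit IPs to whatever the user puts in apiServerCertSANs. The following Python is an added example, not StarlingX's bootstrap, puppet or sysinv code: it shows one way to validate each SAN entry (accepting the DNS:/IP: prefixes used in the description), merge the user list with the OAM addresses without duplicates, and render the result as the `apiServer.certSANs` stanza of a kubeadm ClusterConfiguration. The variable names come from the description; the sample SAN entries and OAM addresses are constructed, and the assumption that the merged list is what ends up in kubeadm's `certSANs` field (which takes bare hostnames and IP literals) is mine, not something the page states. Strict validation matters here because every SAN that lands in the API server certificate is a name clients will trust that certificate for.

```python
import ipaddress
import re

# Constructed sample values standing in for the three bootstrap variables proposed
# in the bug description and for the OAM addresses the bootstrap already knows.
# They are not real deployment values.
USER_APISERVER_CERT_SANS = [
    "DNS:kube.example.com",   # explicit DNS: prefix, as in the description
    "IP:10.10.10.3",          # explicit IP: prefix; duplicates an OAM unit IP
    "kube-api.internal",      # bare entry, classified by its syntax
    "10.10.10.3",             # bare duplicate, must be dropped
]
OAM_FLOATING_IP = "10.10.10.2"
OAM_UNIT_IPS = ["10.10.10.3", "10.10.10.4"]

# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen.
# A wildcard label ("*") does not match, so wildcard SANs are rejected on purpose.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _parse_ip(value):
    """Return an ip_address object, or None if value is not an IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_valid_dns_name(name):
    """RFC 1123-style hostname check: total length <= 253 and every label valid."""
    if not name or len(name) > 253:
        return False
    return all(_DNS_LABEL.match(label) for label in name.split("."))


def classify_san(entry):
    """Normalise one SAN entry to ("IP", addr) or ("DNS", name).

    Accepts an optional "DNS:" or "IP:" prefix as written in the bug description.
    Raises ValueError when the entry is malformed or its prefix contradicts its
    syntax, so a typo cannot silently land in the API server certificate.
    """
    raw = entry.strip()
    upper = raw.upper()
    if upper.startswith("IP:"):
        declared, value = "IP", raw[3:]
    elif upper.startswith("DNS:"):
        declared, value = "DNS", raw[4:]
    else:
        declared, value = None, raw

    ip = _parse_ip(value)
    if ip is not None:
        if declared == "DNS":
            raise ValueError(f"{entry!r}: declared DNS but is an IP address")
        return "IP", str(ip)          # canonical form, e.g. compressed IPv6
    if declared == "IP":
        raise ValueError(f"{entry!r}: declared IP but is not a valid address")

    name = value.rstrip(".")          # drop a trailing FQDN dot before validation
    if not is_valid_dns_name(name):
        raise ValueError(f"{entry!r}: not a valid DNS name")
    return "DNS", name.lower()


def build_apiserver_cert_sans(user_sans, oam_floating_ip, oam_unit_ips):
    """Merge user SANs with the OAM floating and unit IPs, keeping order, dropping duplicates.

    Returns the bare names/addresses kubeadm expects in apiServer.certSANs.
    """
    merged = []
    seen = set()
    candidates = list(user_sans) + [oam_floating_ip] + list(oam_unit_ips)
    for entry in candidates:
        kind, value = classify_san(entry)
        if (kind, value) not in seen:
            seen.add((kind, value))
            merged.append(value)
    return merged


def render_kubeadm_apiserver_stanza(sans):
    """Render the SAN list as the apiServer stanza of a kubeadm ClusterConfiguration."""
    lines = ["apiServer:", "  certSANs:"] + [f"  - {san}" for san in sans]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sans = build_apiserver_cert_sans(USER_APISERVER_CERT_SANS, OAM_FLOATING_IP, OAM_UNIT_IPS)
    print(render_kubeadm_apiserver_stanza(sans))
```

Running the block prints a stanza whose list contains the two user DNS names, the user-supplied unit IP once, and the OAM floating and second unit IP appended after the user entries. Rejecting wildcard labels and contradictory prefixes is a deliberate choice: a SAN the operator did not intend widens the set of names the API server certificate is valid for, and that is cheaper to catch at bootstrap than after the certificate has been issued.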

Changed in starlingx:
assignee: nobody → David Sullivan (dsullivanwr)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/671561

Ghada Khalil (gkhalil) wrote :

Marking as stx.2.0 as this would be important for real life deployments of stx.

Changed in starlingx:
importance: Undecided → High
tags: added: stx.2.0 stx.containers
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/671559
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=e6aec4890ddd162cb0b415e213c593d798151841
Submitter: Zuul
Branch: master

commit e6aec4890ddd162cb0b415e213c593d798151841
Author: David Sullivan <email address hidden>
Date: Tue Jul 16 16:21:28 2019 -0400

    Add customer-specified certificates for kubernetes

    We need the ability to update the Kubernetes ApiServer RootCA at
    ansible-bootstrap-time. This includes the ability of being able to
    specify the apiServerCertSANs such that user can specify additional
    DNS:<FQDN> and/or IP Records for the auto-generated
    apiServerCertificate.

    This adds support for storing the apiServerCertSANs in the sysinv
    database and modifies the puppet manifest to support user supplied SAN
    records.

    Partial-Bug: 1837079
    Change-Id: I4d23828b31ced55d55b1c6932d0cfd6b59727288
    Signed-off-by: David Sullivan <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/671561
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=cbe96fb0da435aa9fa5b750ca4e9629f8bd9cabf
Submitter: Zuul
Branch: master

commit cbe96fb0da435aa9fa5b750ca4e9629f8bd9cabf
Author: David Sullivan <email address hidden>
Date: Tue Jul 16 16:21:56 2019 -0400

    Add customer-specified certificates for kubernetes

    We need the ability to update the Kubernetes ApiServer RootCA at
    ansible-bootstrap-time. This includes the ability of being able to
    specify the apiServerCertSANs such that user can specify additional
    DNS:<FQDN> and/or IP Records for the auto-generated
    apiServerCertificate.

    This change adds support for specifying the kubernetes certificates and
    apiserver certificate SANs in ansible.

    Depends-On: https://review.opendev.org/#/c/671559/
    Closes-Bug: 1837079
    Change-Id: I5528c8ddcdd3203dfdae8c63a944957d424e4158
    Signed-off-by: David Sullivan <email address hidden>
