[octavia-ingress-controller] Support TLS in Ingress

[lingxiankong]

The binaries affected:

• openstack-cloud-controller-manager
• cinder-csi-plugin
• k8s-keystone-auth
• client-keystone-auth
• octavia-ingress-controller
• manila-csi-plugin
• manila-provisioner
• magnum-auto-healer
• barbican-kms-plugin

What this PR does / why we need it:
Support to create TLS Ingress.

This implementation for octavia-ingress-controller requires the TLS secret must exist when creating the Ingress. In the future, we could consider to create the secret on the fly with integration of e.g. cert-manager.

The TLS support requires OpenStack Barbican deployed in the cloud, TLS Ingress creation will fail if Barbican is not available.

Which issue this PR fixes:
fixes #287

Special notes for reviewers:
Steps to test:

1. Preprae for the TLS secret, make sure to specify the server name in the CN field of the certificate, in this example, we use www.example.com as the server name.

   $ ll
   total 32
   -rw-rw-r-- 1 ubuntu ubuntu 1346 Feb  7 11:01 ca.crt
   -rw-rw-r-- 1 ubuntu ubuntu 1038 Feb  4 21:39 www.example.com.crt
   -rw-rw-r-- 1 ubuntu ubuntu  887 Feb  4 21:39 www.example.com.key
   $ openssl x509 -noout -text -in www.example.com.crt
   Certificate:
   ...
           Subject: C = NZ, ST = Wellington, L = Wellington, O = Catalyst, OU = Lingxian, CN = www.example.com
   ...
   $ kubectl create secret tls tls-secret --cert www.example.com.crt --key www.example.com.key
   $ kubectl describe secret tls-secret
   Name:         tls-secret
   Namespace:    default
   Labels:       <none>
   Annotations:  <none>
   
   Type:  kubernetes.io/tls
   
   Data
   ====
   tls.key:  887 bytes
   tls.crt:  1038 bytes
   

2. Create the Ingress

   cat <<EOF | kubectl apply -f -
   ---
   apiVersion: networking.k8s.io/v1beta1
   kind: Ingress
   metadata:
     name: test-octavia-ingress
     annotations:
       kubernetes.io/ingress.class: "openstack"
       octavia.ingress.kubernetes.io/internal: "false"
   spec:
     backend:
       serviceName: default-http-backend
       servicePort: 80
     tls:
       - secretName: tls-secret
     rules:
     - host: www.example.com
       http:
         paths:
         - path: /hostname
           backend:
             serviceName: hostname
             servicePort: 8080
   EOF
   

3. Check a secret created in OpenStack Barbican.

   $ openstack secret list
   +------------------------------------------------------------------------------------+------------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
   | Secret href                                                                        | Name                                                             | Created                   | Status | Content types                           | Algorithm | Bit length | Secret type | Mode | Expiration |
   +------------------------------------------------------------------------------------+------------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
   | http://128.110.154.166/key-manager/v1/secrets/c1b1ac4c-eced-4dee-8d61-efaaf13c4639 | kube_ingress_lingxiank8s_default_test-octavia-ingress_tls-secret | 2020-02-09T10:11:12+00:00 | ACTIVE | {'default': 'application/octet-stream'} | aes       |        256 | opaque      | cbc  | None       |
   +------------------------------------------------------------------------------------+------------------------------------------------------------------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
   

4. Verify https connection

   $ kubectl get ing
   NAME                   HOSTS             ADDRESS        PORTS     AGE
   test-octavia-ingress   www.example.com   172.24.5.218   80, 443   102s
   $ ip=172.24.5.218
   $ curl --cacert ca.crt --resolve www.example.com:443:$ip https://www.example.com/hostname
   hostname-544845f9c6-t9tnv
   

Here is a live demo.

Release note:

octavia-ingress-controller: Support to create TLS Ingress. The TLS support requires OpenStack Barbican deployed in the cloud, TLS Ingress creation will fail if Barbican is not available.

---

This change is 

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-format : SUCCESS in 3m 13s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-unittest : SUCCESS in 5m 41s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-k8s-cinder : SUCCESS in 11m 42s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-csi-cinder : SUCCESS in 13m 00s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-keystone-authentication-authorization : SUCCESS in 32m 32s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-e2e-test-csi-cinder : FAILURE in 41m 56s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-flexvolume-cinder : SUCCESS in 43m 38s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-format : SUCCESS in 2m 35s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-unittest : SUCCESS in 6m 19s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-k8s-cinder : SUCCESS in 9m 23s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-csi-cinder : SUCCESS in 11m 25s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-csi-manila : SUCCESS in 26m 45s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-keystone-authentication-authorization : SUCCESS in 31m 22s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-e2e-test-csi-cinder : FAILURE in 36m 37s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-flexvolume-cinder : SUCCESS in 42m 37s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-e2e-conformance : SUCCESS in 1h 30m 59s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-e2e-conformance-stable-branch-v1.15 : SUCCESS in 1h 46m 17s

[lingxiankong]

/test cloud-provider-openstack-e2e-test-csi-cinder

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-e2e-test-csi-cinder : POST_FAILURE in 8m 00s

[lingxiankong]

/test cloud-provider-openstack-e2e-test-csi-cinder

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-e2e-test-csi-cinder : SUCCESS in 25m 44s

[lingxiankong]

cc @ramineni @chrigl

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-format : SUCCESS in 2m 54s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-unittest : SUCCESS in 6m 26s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-k8s-cinder : SUCCESS in 9m 48s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-csi-cinder : SUCCESS in 10m 35s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-acceptance-test-csi-manila : POST_FAILURE in 11m 30s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-acceptance-test-flexvolume-cinder : FAILURE in 11m 43s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-keystone-authentication-authorization : SUCCESS in 18m 54s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-e2e-test-csi-cinder : SUCCESS in 26m 12s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-acceptance-test-e2e-conformance : POST_FAILURE in 1h 35m 58s

[lingxiankong]

/test cloud-provider-openstack-acceptance-test-e2e-conformance

[lingxiankong]

/test cloud-provider-openstack-acceptance-test-flexvolume-cinder

[lingxiankong]

/test cloud-provider-openstack-acceptance-test-csi-manila

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-e2e-conformance-stable-branch-v1.15 : SUCCESS in 1h 49m 39s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-acceptance-test-flexvolume-cinder : FAILURE in 12m 41s

[theopenlab-ci]

Build failed.

• cloud-provider-openstack-acceptance-test-csi-manila : POST_FAILURE in 12m 34s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-e2e-conformance : SUCCESS in 1h 36m 22s

[lingxiankong]

/test cloud-provider-openstack-acceptance-test-flexvolume-cinder

[lingxiankong]

/test cloud-provider-openstack-acceptance-test-csi-manila

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-flexvolume-cinder : SUCCESS in 29m 23s

[theopenlab-ci]

Build succeeded.

• cloud-provider-openstack-acceptance-test-csi-manila : SUCCESS in 46m 19s

[chrigl]

/lgtm

[lingxiankong]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lingxiankong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [lingxiankong]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment