Support CA certificate provided by user #448
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
openshift-ci-robot
requested review from
alexanderConstantinescu and
celebdor
|
Looks good. Just a question, should we mount the configmap even if the cert is not provided? |
openshift-ci-robot
added
the
needs-rebase
dulek
force-pushed
the
kuryr-user-ca-cert
branch
from
692922b
to
d627a5c
Compare
openshift-ci-robot
removed
the
needs-rebase
Yup, I was actually forced to make it not mount it in that case, so this is handled now. |
dulek
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/retest |
|
/lgtm |
|
/lgtm |
|
/retest |
|
|
||
| // We need to fetch user-provided OpenStack cloud CA certificate and make gophercloud use it. | ||
| // Also it'll get injected into a ConfigMap mounted into kuryr-controller later on. | ||
| userCACert, err := getUserCACert(kubeClient) |
There was a problem hiding this comment.
do you need here : if err != nil?
There was a problem hiding this comment.
Not necessarily, the idea is that when error happens this just proceeds as the cert was not set. And indeed that's the case as the ConfigMap will not exist when user had not set the certificates in install-config.yaml.
| # There's no good way to just "append" user-provided certs to system ones, | ||
| # so just configure openstacksdk to use it. | ||
| cafile = /etc/ssl/certs/user-ca-bundle.crt | ||
| {{ end }} |
There was a problem hiding this comment.
pro tip: if you put a - after the {{ on the ``{{ if ... }}and{{ end }}` lines, it will delete the extra blank lines you'd otherwise get
There was a problem hiding this comment.
Thanks, I fixed all the places.
openshift-ci-robot
added
the
approved
dulek
force-pushed
the
kuryr-user-ca-cert
branch
from
d627a5c
to
5e6e1e7
Compare
|
/retest |
|
/hold Seems like the name of the ConfgMap might change, I'll try updating this once I know the new one. |
openshift-ci-robot
added
the
do-not-merge/hold
In order to allow users to use self-signed certificates when authenticating into OpenStack cloud, we need to make sure CA certificate provided to the installer by the user is actually used by CNO and Kuryr. In case of CNO this commit makes sure to configure gophercloud's HTTP client to use the user CA when provided. In case of Kuryr the CA certificate is injected into kuryr-controller's /etc/ssl/certs.
dulek
force-pushed
the
kuryr-user-ca-cert
branch
from
5e6e1e7
to
108398a
Compare
|
/lgtm |
1 similar comment
|
/lgtm |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, dulek, gryf, luis5tb, MaysaMacedo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
7 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
6 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
In order to allow users to use self-signed certificates when
authenticating into OpenStack cloud, we need to make sure CA certificate
provided to the installer by the user is actually used by CNO and Kuryr.
In case of CNO this commit makes sure to configure gophercloud's HTTP
client to use the user CA when provided.
In case of Kuryr the CA certificate is injected into kuryr-controller's
/etc/ssl/certs.