Support CA certificate provided by user #448
Looks good. Just a question, should we mount the configmap even if the cert is not provided?
692922b to d627a5c
Yup, I was actually forced to make it not mount it in that case, so this is handled now.
/retest
/lgtm
/lgtm
/retest
// We need to fetch user-provided OpenStack cloud CA certificate and make gophercloud use it. | ||
// Also it'll get injected into a ConfigMap mounted into kuryr-controller later on. | ||
userCACert, err := getUserCACert(kubeClient) |
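Review bot: The `err` assigned from `getUserCACert(kubeClient)` on the last line shown covers every kind of failure, not only a missing ConfigMap. If any error is treated as "no CA set", a transient API failure or a permissions problem leaves gophercloud on the system roots and shows up later as an unexplained x509 error against a self-signed endpoint. Suggest treating only a not-found result as "not set" and logging or returning anything else.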
do you need here: `if err != nil`?
Not necessarily, the idea is that when an error happens this just proceeds as if the cert was not set. And indeed that's the case, as the ConfigMap will not exist when the user has not set the certificates in install-config.yaml.
awesome! thanks!
# There's no good way to just "append" user-provided certs to system ones, | ||
# so just configure openstacksdk to use it. | ||
cafile = /etc/ssl/certs/user-ca-bundle.crt | ||
{{ end }} |
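Review bot: `cafile = /etc/ssl/certs/user-ca-bundle.crt` makes openstacksdk trust this one file instead of extending the system store, as the comment above it concedes, so the user bundle has to carry every CA needed for the OpenStack endpoints kuryr-controller talks to. Suggest stating that requirement in the comment, and noting that this hard-coded path must stay in step with where the ConfigMap is mounted.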
pro tip: if you put a `-` after the `{{` on the `{{ if ... }}` and `{{ end }}` lines, it will delete the extra blank lines you'd otherwise get
Thanks, I fixed all the places.
d627a5c to 5e6e1e7
/retest
/hold Seems like the name of the ConfigMap might change, I'll try updating this once I know the new one.
5e6e1e7 to 108398a
/lgtm
/lgtm
/hold cancel
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: danwinship, dulek, gryf, luis5tb, MaysaMacedo
/retest Please review the full test history for this PR and help us cut down flakes.
/retest
In order to allow users to use self-signed certificates when
authenticating into OpenStack cloud, we need to make sure CA certificate
provided to the installer by the user is actually used by CNO and Kuryr.
In case of CNO this commit makes sure to configure gophercloud's HTTP
client to use the user CA when provided.
In case of Kuryr the CA certificate is injected into kuryr-controller's
/etc/ssl/certs.
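
The commit message above describes making gophercloud's HTTP client use the user CA when one is provided. A sketch of that trust-store handling in Go, added here as an example and not the PR's own code: `userCATLSConfig` and `constructedCAPEM` are hypothetical names, and the CA is generated in-process so the block runs offline. It extends the system roots, treats an empty bundle as "not set", and rejects a bundle with no parsable certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// userCATLSConfig (hypothetical helper) trusts the system roots plus the user CA bundle.
func userCATLSConfig(userCAPEM []byte) (*tls.Config, error) {
	if len(userCAPEM) == 0 {
		return nil, nil // CA not set: caller keeps the default trust store
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system pool available: user CA only
	}
	if !pool.AppendCertsFromPEM(userCAPEM) {
		return nil, fmt.Errorf("user CA bundle holds no parsable certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// constructedCAPEM builds a throwaway self-signed CA (constructed sample input).
func constructedCAPEM() []byte {
	pub, key, kerr := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if kerr != nil || err != nil {
		panic("constructing the sample CA failed")
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	cfg, err := userCATLSConfig(constructedCAPEM())
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	fmt.Println("client ready:", client.Transport != nil, "err:", err)
}
```

A malformed bundle returns an error here instead of silently falling back to the system roots, so a broken certificate is reported where it is loaded rather than as a later TLS handshake failure.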