3b7e518a94
Our containerized gates started failing recently. Turns out some default configuration was changed and `tls-proxy` service was added. This option makes all OpenStack endpoints use HTTPS. This includes creation of a DevStack CA certificates bundle that then will be configured to be verified when connecting to OpenStack APIs.

This works well with non-containerized deployment as the bundle is available locally in /opt/stack/data and our `[neutron]` section sets `cafile` option to point there. Things are different in containerized deployment use case as we need a way to pass those certificates into the container. Effectively - we had no CA certificates support for containerized deployments either in DevStack or production.

This commit adds that support by including new Kuryr Kubernetes resource definition - `kuryr-certificates` Secret. It is supposed to hold CA certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet definition was modified to mount the certificate into /etc/ssl/certs. Changes also include implementing support for that in DevStack plugin (placing the certificate in the secret and setting the `[neutron]cafile` config option to point to that certificate).

Closes-Bug: 1758061
Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8
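The resource layout the commit message describes, as an added sketch that is not taken from the kuryr-kubernetes tree. The Secret name, key and mount path come from the message; the namespace, container name, volume name and the base64 placeholder are assumptions.

```yaml
# Added example, not the project's own manifest.
apiVersion: v1
kind: Secret
metadata:
  name: kuryr-certificates            # name given in the commit message
  namespace: kube-system              # assumption: namespace is not stated on the page
type: Opaque
data:
  # Key given in the commit message. The value is the base64-encoded PEM
  # CA bundle; placeholder only, substitute your own CA certificate(s).
  kuryr-ca-bundle.crt: <BASE64_ENCODED_PEM_CA_BUNDLE>
---
# Pod template fragment (not a complete object) showing the mount.
spec:
  containers:
  - name: controller                  # assumption: container name
    volumeMounts:
    - name: certificates-volume       # assumption: volume name
      mountPath: /etc/ssl/certs       # mount path given in the commit message
      readOnly: true
  volumes:
  - name: certificates-volume
    secret:
      secretName: kuryr-certificates
# With this mount the bundle appears in the container as
#   /etc/ssl/certs/kuryr-ca-bundle.crt
# which is the path the [neutron] cafile option would point to
# (assumption: derived from the mount path plus the Secret key).
```

A Secret volume mounted at a directory replaces that directory's contents inside the container, so with this layout only the bundle is visible under /etc/ssl/certs and the image's stock system CA files are hidden. Any client in the container that relies on the default trust store will then trust exactly what the Secret holds.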