3b7e518a94
Our containerized gates started failing recently. Turns out some default configuation was changed and `tls-proxy` service was added. This option makes all OpenStack endpoints use HTTPS. This includes creation of a DevStack CA certificates bundle that then will be configured to be verified when connecting to OpenStack APIs. This works well with non-containerized deployment as the bundle is available locally in /opt/stack/data and our `[neutron]` section sets `cafile` option to point there. Things are different in containerized deployment use case as we need a way to pass those certificates into the container. Effectively - we had no CA certificates support for containerized deployments either in DevStack or production. This commit adds that support by including new Kuryr Kubernetes resource definition - `kuryr-certificates` Secret. It is supposed to hold CA certificate under `kuryr-ca-bundle.crt` key. kuryr-controller DaemonSet definition was modified to mount the certificate into /etc/ssl/certs. Changes also include implementing support for that in DevStack plugin (placing the certificate in the secret and setting the `[neutron]cafile` config option to point to that certificate). Closes-Bug: 1758061 Change-Id: I7ac9d05868994cfc2a1aef4a8cd6c2148895e9c8 |
||
|---|---|---|
| .. | ||
| devstack | ||
| containerized.rst | ||
| default_configuration.rst | ||
| https_kubernetes.rst | ||
| index.rst | ||
| ipv6.rst | ||
| manual.rst | ||
| ports-pool.rst | ||
| services.rst | ||
| testing_connectivity.rst | ||
| testing_nested_connectivity.rst | ||
| trunk_ports.rst | ||