starlingx/config
Code Issues Proposed changes
3,904 Commits 27 Branches 15 Tags
144f6fc9c5
Go to file
Kaustubh Dhokte 144f6fc9c5 Update certs spec to work with version v1 
The change https://review.opendev.org/c/starlingx/config/+/838594
updated certificate api-version from cert-manager.io/v1alpha2 to
cert-manager.io/v1. But did not make necessary changes to certificates
specs to work with the new version.
This change makes only the required changes to certificates specs to
work with the new version: cert-manager.io/v1

The spec organization[] should now be subject:organizations[]
See the difference here,
https://cert-manager.io/v0.13-docs/reference/api-docs/#cert-manager.io/v1alpha2.Certificate
 and https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec

The organization 'system:masters' in the admin.conf certificate is
required to authorize the access for kubernetes-admin to cluster objects.
This authorization is specified in the 'cluster-admin'
clusterrolebinding. Without this change, all kubectl commands fail.

In v1, unlike in v1alpha2, CN is ignored by TLS clients during
authorization (https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec)
if any subject alt name is set. My initial understanding here was that
the CN field value is being ignored due to
subject:organizations:['system:masters'] (in v1), as all the deployment
and daemonset pods were failing after "system kube-rootca-pods-update
--phase=trust-new-ca" (during rootCA update) with an authorization error
for the user 'kube-apiserver-kubelet-client'.
This forces the removal of organizations from the apiserver kubelet
client certificate as all deployments and daemonset pods authenticate
and authorize with the 'kube-apiserver-kubelet-client' user.

Without 'system:nodes' in the kubelet client certificate,
kube-scheduler and kube-controller-manager fail to authorize.
More Info: https://kubernetes.io/docs/reference/access-authn-authz/node/

Test Plan:
On CentOS AIO-SX:
PASS: Manual kubernetes RootCA update successful
PASS: Orchestrated kubernetes RootCA update successful.
PASS: All deployments, daemonsets and pods running as expected after
      RootCA update.

Closes-Bug: 1978365

Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Change-Id: I767a70a07ab540510e4eb734cb4e282c9918840c
2022-06-14 18:02:24 +00:00
api-ref/source
[PTP dual NIC config] Update REST API for PTP
2022-04-20 17:33:15 -03:00
config-gate
debian: Fix config-gate packaging
2022-03-08 20:19:15 +00:00
controllerconfig
Merge "Enable FluxCD controllers over platform upgrade"
2022-06-09 15:50:58 +00:00
devstack
Remove host hardware sysinv profile
2021-10-18 18:01:40 -03:00
doc
Fix tox-docs failing sphinx
2022-05-31 13:56:30 +00:00
releasenotes
Remove host hardware sysinv profile
2021-10-18 18:01:40 -03:00
storageconfig
Add debian packaging directory for storageconfig
2021-10-18 10:05:38 -03:00
sysinv
Update certs spec to work with version v1
2022-06-14 18:02:24 +00:00
tmp/patch-scripts/EXAMPLE_SYSINV/scripts
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
tools/docker/images
Enable kubernetes SCTPSupport feature
2019-09-03 19:23:05 +00:00
tsconfig
Adjust pxeboot config files path in an upgrade
2022-05-19 21:29:00 -04:00
workerconfig
Add debian packaging directory for workerconfig
2021-09-28 09:51:54 -04:00
.gitignore
Minor zuul and tox file cleanup after manifest re-org
2019-09-06 15:40:37 -05:00
.gitreview
OpenDev Migration Patch
2019-04-19 19:52:42 +00:00
.yamllint
clear yamllint errors under stx-config
2018-09-12 21:11:57 +08:00
.zuul.yaml
Cleanup tox for python3.9 jobs
2022-03-25 20:32:09 +00:00
bindep.txt
py3: Add py39 gate for sysinv
2021-08-27 08:39:06 -04:00
centos_build_layer.cfg
Build layering, add layer build config file
2019-10-15 12:29:05 +08:00
centos_dev_wheels.inc
Config file changes to add 'tsconfig' after relocation from 'update'
2019-09-05 11:51:05 -04:00
centos_helm.inc
Infrastructure and Cluster Monitoring
2019-08-21 17:19:54 -04:00
centos_iso_image.inc
Add cert-alarm service
2021-07-22 08:29:23 -04:00
centos_pkg_dirs
Add cert-alarm service
2021-07-22 08:29:23 -04:00
centos_pkg_dirs_containers
Config file changes for packages relocated to repo 'openstack-armada-app'
2019-09-05 10:42:00 -04:00
centos_stable_wheels.inc
Config file changes to add 'tsconfig' after relocation from 'update'
2019-09-05 11:51:05 -04:00
CONTRIBUTORS.wrs
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
debian_build_layer.cfg
Add debian_build_layer.cfg file
2021-10-05 14:50:08 -04:00
debian_iso_image.inc
Add debian_iso_image.inc file
2021-11-04 09:07:23 -04:00
debian_pkg_dirs
Add missing packages that have debian directories.
2021-11-01 19:20:40 -04:00
debian_stable_wheels.inc
debian: add tsconfig wheel to the build
2022-04-27 10:42:36 -04:00
LICENSE
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
README.rst
StarlingX open source release updates
2018-05-31 07:35:52 -07:00
test-requirements.txt
Calling an additional shell lint command from zuul
2021-06-03 17:35:50 -05:00
tox.ini
Calling an additional shell lint command from zuul
2021-06-03 17:35:50 -05:00

README.rst

stx-config

StarlingX Configuration Management

Description
StarlingX System Configuration Management
Readme 89 MiB
Languages
Python 97.6%
Shell 2%
CSS 0.2%