stephenfin
Contributor

@stephenfin stephenfin commented Feb 19, 2025

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include it in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.
In openshift/cluster-storage-operator/pull/557, we modified cluster-storage-operator to pass this CA cert through to the csi-operator when present.

Adapt the assets and controllers for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This needs to wait for the CCO change to be approved before we merge this. It also needs the CSO change to merge first.

Dependencies:

/hold

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 19, 2025
@openshift-ci-robot

openshift-ci-robot commented Feb 19, 2025

@stephenfin: This pull request references OSASINFRA-3731 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include it in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.
In openshift/cluster-storage-operator/pull/557, we modified cluster-storage-operator to pass this CA cert through to the csi-operator when present.

Adapt the assets and controllers for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This ideally will wait for the CCO change to be approved before we merge this. It also needs the CSO change to merge first.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 19, 2025

@stephenfin stephenfin force-pushed the OSASINFRA-3731 branch 3 times, most recently from e11d83d to 7aa9bc9 Compare March 13, 2025 11:26
@EmilienM
Member

/retest

@stephenfin
Contributor Author

/unhold

openshift/cloud-credential-operator#780 is merged

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 27, 2025

@stephenfin
Contributor Author

/retest

openshift/cluster-storage-operator#557 has merged

@stephenfin
Contributor Author

I will investigate these failures tomorrow. Hopefully just a case of the payload not pulling in the CSO change yet 🤞

@stephenfin
Contributor Author

This is failing because the manila-cloud-credentials secret we now rely on is created in the wrong namespace, openshift-cluster-csi-drivers. Another patch is needed against cluster-storage-operator. Fortunately, @dkokkino has this done separately in openshift/cluster-storage-operator#573 🥳

Contributor

openshift-ci bot commented Jun 24, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stephenfin

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 24, 2025
@stephenfin
Contributor Author

/retest-required

This at least tells you what the secret is for.

Signed-off-by: Stephen Finucane <[email protected]>

Put it in a more usual place.

Signed-off-by: Stephen Finucane <[email protected]>

This is going to be superseded in a coming change. Rename it in
preparation.

Signed-off-by: Stephen Finucane <[email protected]>

In this change, we modify the assets to start (optionally) mounting the
CA cert from the secret in the containers. We leave a fallback in place
for the old config map source to allow time for the
cloud-credential-operator to update things in an upgrade scenario.
This fallback can be removed in 4.20, as noted by the copious TODOs.

Signed-off-by: Stephen Finucane <[email protected]>

cloud-credential-operator and hypershift-operator now support deploying
the CA cert to the credentials secrets they generate, which means we can
start consuming them from there rather than from configuration.

In this change, we modify the controller to start (optionally) consuming
the CA cert from the secret. We leave a fallback in place for the old
config map source to allow time for the cloud-credential-operator to
update things in an upgrade scenario. This fallback can be removed in
4.22, as noted by the copious TODOs.

Signed-off-by: Stephen Finucane <[email protected]>

This is going to be superseded in a coming change. Rename it in
preparation.

Signed-off-by: Stephen Finucane <[email protected]>

Again, do what we already did for openstack-cinder but for
openstack-manila. Like the openstack-cinder change, we continue to allow
consuming from the old location to ease upgrades.

It's worth highlighting that this is a nice little step towards having
the Manila CSI driver and controller source their credentials from a
'clouds.yaml' rather than a 'cloud.conf' file, which would let us remove
a lot of logic currently found in the operator. Completing that effort
is a job best left to another day though so a TODO is included for now.

Signed-off-by: Stephen Finucane <[email protected]>

Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
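
The controller commits above describe preferring the CA cert from the credentials secret, falling back to the old config map source, and detecting absence with `os.ReadFile` and `errors.Is(err, fs.ErrNotExist)`. The following Go sketch of that lookup order is an added example, not code from this PR. The helper names (`loadCABundle`, `constructedCAPEM`), the file names, and the choice to fail closed on a mounted but unparsable bundle are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io/fs"
	"math/big"
	"os"
	"time"
)

func loadCABundle(paths ...string) (*x509.CertPool, string, error) {
	for _, p := range paths { // callers list the secret mount first, the legacy mount second
		data, err := os.ReadFile(p)
		switch {
		case errors.Is(err, fs.ErrNotExist):
			continue // this source is not mounted; try the next one
		case err != nil:
			return nil, "", fmt.Errorf("read CA bundle %s: %w", p, err)
		}
		if pool := x509.NewCertPool(); pool.AppendCertsFromPEM(data) {
			return pool, p, nil
		}
		return nil, "", fmt.Errorf("CA bundle %s has no valid certificates", p) // fail closed
	}
	return nil, "", nil // nothing mounted; the caller keeps the system roots
}

func constructedCAPEM() []byte { // throwaway self-signed CA, constructed sample input
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	dir, _ := os.MkdirTemp("", "ca")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(dir+"/legacy.pem", constructedCAPEM(), 0o600) // hypothetical file names
	_, src, err := loadCABundle(dir+"/secret.pem", dir+"/legacy.pem")
	fmt.Println("CA loaded from:", src, "err:", err)
}
```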
@stephenfin
Contributor Author

/hold I am investigating the failures

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 8, 2025
Contributor

openshift-ci bot commented Sep 8, 2025

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/hypershift-e2e-openstack-aws-csi-manila | 0b2d16a | link | true | /test hypershift-e2e-openstack-aws-csi-manila |
| ci/prow/hypershift-e2e-openstack-aws-csi-cinder | 0b2d16a | link | true | /test hypershift-e2e-openstack-aws-csi-cinder |
| ci/prow/hypershift-aws-e2e-external | 0b2d16a | link | true | /test hypershift-aws-e2e-external |
| ci/prow/hypershift-e2e-aks | 0b2d16a | link | true | /test hypershift-e2e-aks |
| ci/prow/okd-scos-e2e-aws-ovn | 0b2d16a | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-openstack-cinder-csi | 0b2d16a | link | true | /test e2e-openstack-cinder-csi |
| ci/prow/e2e-openstack | 0b2d16a | link | false | /test e2e-openstack |

