TLS Everywhere adoption #331
Merged
30 commits
63c70b4 Update node hostname (fao89)
7d75d3e TLS Everywhere adoption documentation (xek)
f0190a8 Add information on how to migrate IPA CA cert
72c4822 Update the documentation to be less verbose (xek)
a5e1a54 Add TLS adoption tests (xek)
8416f61 Update documentation with disabling certmonger on computes
7be769c Add enable_tlse variable in tests (xek)
41c9d70 Enable TLS-E on EDPM (xek)
82dbed9 Set the private key length from IPA (xek)
7d3a7f5 Add the issuer label used by EDPM (xek)
db33a9b Apply new openstack-operator config (xek)
abab4a3 Use TLS for OVN adoption if it is enabled (xek)
6566b6e Adjust standalone fqdn (xek)
27ea5f1 Add tlsCert conf to osdpd (xek)
7f81770 Further EDPM adjustments for TLS-E (xek)
6aebc14 Update OVN user documentation with TLS-e (afaranha)
2087076 Reapply review comment changes (vakwetu)
10653e1 Update OVN user documentation with TLS-e (xek)
695f665 Test stopping certmonger (xek)
c13cb2a Disable TLS-E by default (xek)
700f0df Add note about the need to restart (xek)
0d720d9 Fix failure when enable_tlse is not defined (xek)
b5be0c1 Fall back to standalone.localdomain (xek)
339602e Update doc to run env with TLS enabled (afaranha)
41c8f9e Add missing variable computes (xek)
4ace621 Add customIssuer to documentation (xek)
f45d2d9 Update the ToC and TLS section (xek)
b6ac7fb Add dataplane tls configuration (xek)
0c64ab6 Update 'Stop and disable certmonger' script (afaranha)
9244ea3 Minor documentation wording adjustments (xek)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
[id="con_tlse-description_{context}"] | ||
|
||
= TLS Everywhere | ||
|
||
Note: The assumption is, that the new deployment will adopt the settings from the | ||
old deployment, so in case TLS Everywhere is disabled, it won't be enabled on | ||
the new deployment. | ||
|
||
If the Director deployment was deployed with TLS Everywhere, FreeIPA (IdM) is used | ||
to issue certificates for the OpenStack services. Certmonger, a client process which | ||
is installed on all hosts, interacts with FreeIPA (IdM) to request, install, track | ||
and renew these certificates. | ||
|
||
The new Operator based deployment uses the cert-manager operator to issue, track | ||
and renew the certificates. | ||
|
||
Because the same root CA is used to generate new certificates, the currently used chain | ||
of trust doesn't have to be modified. |
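Review bot: the closing paragraph, "Because the same root CA is used to generate new certificates, the currently used chain of trust doesn't have to be modified", asserts the outcome but does not say how cert-manager comes to issue under the IPA root CA; the PR's commit list carries "Add information on how to migrate IPA CA cert" and "Add customIssuer to documentation", so this description should point at that procedure instead of leaving a reader to assume the chain of trust is preserved on its own. Two related gaps: the certmonger paragraph should state that certmonger is stopped and disabled on the hosts as part of adoption (the PR has "Update documentation with disabling certmonger on computes"), since a certmonger that is still running would keep tracking and renewing the old certificates alongside cert-manager; and "uses the cert-manager operator to issue, track and renew the certificates" should be qualified for data plane nodes, where, per the review thread on this PR, a renewed certificate only reaches the node when the user runs a deployment. Style: use the AsciiDoc admonition `NOTE:` rather than the literal "Note:" and drop the comma in "The assumption is, that".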
This raises a question in my mind: how does cert renewal work on the data plane, as no Operator acts on the data plane nodes directly? (Again, not a blocker.)
There is an ansible playbook that runs when the secret changes, which deploys the certificate from the control plane into the data plane. That's covered under the dataplane-operator TLS-E implementation.
Nope, user must run a deployment.
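The caveat in this thread (cert-manager renews the certificate in the control plane, but the copy on an EDPM node only changes when a deployment is run) is a drift a practitioner wants to detect rather than discover at expiry. The script below is an added example, not code from this PR or from the data-plane-adoption project. It stands up a throwaway CA in place of the IPA root CA, issues service certificates the way certmonger or cert-manager would obtain them, and then checks three things about the certificate found on a node: that it chains to the expected CA (the "same root CA" point of the new description), that it is the one the control plane currently holds, and that it is not about to expire. The CA, the certificates, the hostnames, the file names, the `check_node_cert` and `report` helpers and the 30-day window are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the PR or the data-plane-adoption project.
# Assumption: the renewed certificate lives in a control-plane TLS secret and a
# copy is written to each EDPM node by a dataplane deployment. The CA, the
# certificates and the file names below are constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: throwaway self-signed CA standing in for the IPA root CA,
# written to PREFIX.key / PREFIX.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# issue_leaf CAPREFIX CN DAYS OUT: service certificate signed by CAPREFIX,
# the way certmonger (old deployment) or cert-manager (new one) would obtain it.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$4.key" -out "$4.csr" >/dev/null 2>&1
  openssl x509 -req -in "$4.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days "$3" -out "$4" >/dev/null 2>&1
}

# fingerprint FILE: SHA-256 fingerprint of the certificate in FILE.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_node_cert CONTROL_PLANE_PEM NODE_PEM CA_PEM
# Exit status:
#   0  the node holds the certificate the control plane currently has, it
#      chains to CA_PEM and it is not expiring within 30 days
#   2  the node copy is stale (fingerprints differ): a dataplane deployment is due
#   3  the node certificate does not verify against CA_PEM
#   4  the node certificate expires within 30 days
check_node_cert() {
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] || return 2
  openssl x509 -in "$2" -noout -checkend $((30 * 24 * 3600)) >/dev/null || return 4
  return 0
}

# report LABEL CONTROL_PLANE_PEM NODE_PEM CA_PEM: human-readable verdict.
report() {
  rc=0
  check_node_cert "$2" "$3" "$4" || rc=$?
  case $rc in
    0) echo "$1: OK, node holds the current certificate" ;;
    2) echo "$1: STALE, node still has an older certificate; run a dataplane deployment" ;;
    3) echo "$1: node certificate does not chain to the expected CA" ;;
    4) echo "$1: node certificate expires within 30 days" ;;
  esac
}

# Constructed scenario: the node received one certificate at the last
# deployment; cert-manager has since renewed it in the control plane.
make_ca "$WORK/ipa" "Example IPA CA"
issue_leaf "$WORK/ipa" compute-0.example.test 365 "$WORK/node.pem"
issue_leaf "$WORK/ipa" compute-0.example.test 365 "$WORK/secret.pem"
report "after renewal" "$WORK/secret.pem" "$WORK/node.pem" "$WORK/ipa.crt"
cp "$WORK/secret.pem" "$WORK/node.pem"   # what running a dataplane deployment does
report "after deployment" "$WORK/secret.pem" "$WORK/node.pem" "$WORK/ipa.crt"
issue_leaf "$WORK/ipa" compute-0.example.test 10 "$WORK/short.pem"
report "expiring" "$WORK/short.pem" "$WORK/short.pem" "$WORK/ipa.crt"
```

On a real deployment the inputs would be the PEM extracted from the control-plane TLS secret, the certificate file on the node and the IPA CA certificate (an assumption about where those live, not something this PR specifies); exit status 2 is the signal that a dataplane deployment has to be run before the old certificate expires, and status 3 means the node is trusting something other than the CA the adoption was supposed to preserve.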