Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-1092

UI support custom CA for OpenStack cluster deployments

XMLWordPrintable

    • UI support custom CA for OpenStack cluster deployments
    • False
    • False
    • Green
    • To Do
    • ACM-637 - Self-managed IPI provider support
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • Support configuring a custom CA when creating an OpenShift cluster on OpenStack

      Why is this important?

      • Customers want to bring their own CA as part of regulatory/security/policy standards
      • Deployments can fail without the custom CA configured

      Scenarios

      1. In Credentials wizard for OpenStack, user can input their custom CA
        1. If a CA is provided, then clouds.yaml must contain a reference to the CA, and this should be validated
      2. During cluster creation for OpenStack, when the users selects the credential, the UI will conditionally create a CA Secret with the contents and add the `certificatesSecretRef` to the ClusterDeployment spec.

       

      ClusterDeployment
      ...
spec:
  platform: 
    openstack:
      certificatesSecretRef:
        name: <cluster name>-openstack-certs
      CA secret
      apiVersion: v1
stringData:
  ca.crt: // REDACTED CA contents
kind: Secret
metadata:
  name: <clustername>-openstack-certs
  namespace: <clustername>
type: Opaque
      clouds.yaml
      clouds:
  openstack:
    auth:
      cacert: /etc/openstack-ca/ca.crt // OR /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • Must be able to deploy clusters to OpenStack environments that use a custom CA
      • Credential creation for OpenStack should validate certificate and clouds.yaml appropriately

      Previous Work (Optional):

      1. Current article describing manual method: https://access.redhat.com/articles/6495941
      2. Hive documentation: https://github.com/openshift/hive/blob/95ad9f7/config/crds/hive.openshift.io_clusterdeployments.yaml#L635

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      ACM Epic Done Checklist

      See presentation and details.

      Update with "Y" if Epic meets the requirement, "N" if it does not,  or "N/A" if not applicable.

      • Y FIPS Readiness
      • Y Works in Disconnected
      • Y Global Proxy Support
      • N/A Installable to Infrastructure Nodes
      • Y No impacts to Performance and Scalability
      • Y Backup and Restorable

        1. screenshot-1.png
          screenshot-1.png
          209 kB
        2. screenshot-2.png
          screenshot-2.png
          206 kB

              bweidenb@redhat.com Bradd Weidenbenner
              showeimer Sho Weimer
              Nelson Jean Nelson Jean
              Kevin Cormier Kevin Cormier
              Atif Shafi Atif Shafi
              Joy Jean Joy Jean
              Bradd Weidenbenner Bradd Weidenbenner
              Votes:
              5 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: