XML

Word

Printable

Details

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: MCE 2.3.0
Affects Version/s: None
Component/s: Console
Labels:
- CustomerFocus1H23
- RFE
- Train-02
- acm-qe
- cluster-lifecycle
- doc-required
- ga
- openstack
- pm-slack
- ready

Epic Name:
UI support custom CA for OpenStack cluster deployments
Blocked:
False
Ready:
False
Color Status:
Green
Epic Status:
To Do
Feature Link:
ACM-637 - Self-managed IPI provider support
Hierarchy Progress:
100
Hierarchy Progress Bar:

100% 100%

SFDC Cases Links:
SFDC Cases Counter:

Description

Epic Goal

Support configuring a custom CA when creating an OpenShift cluster on OpenStack

Why is this important?

Customers want to bring their own CA as part of regulatory/security/policy standards
Deployments can fail without the custom CA configured

Scenarios

In Credentials wizard for OpenStack, user can input their custom CA
1. If a CA is provided, then clouds.yaml must contain a reference to the CA, and this should be validated
During cluster creation for OpenStack, when the users selects the credential, the UI will conditionally create a CA Secret with the contents and add the `certificatesSecretRef` to the ClusterDeployment spec.

ClusterDeployment

...
spec:
  platform: 
    openstack:
      certificatesSecretRef:
        name: <cluster name>-openstack-certs

CA secret

apiVersion: v1
stringData:
  ca.crt: // REDACTED CA contents
kind: Secret
metadata:
  name: <clustername>-openstack-certs
  namespace: <clustername>
type: Opaque

clouds.yaml

clouds:
  openstack:
    auth:
      cacert: /etc/openstack-ca/ca.crt // OR /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
Must be able to deploy clusters to OpenStack environments that use a custom CA
Credential creation for OpenStack should validate certificate and clouds.yaml appropriately

Previous Work (Optional):

Current article describing manual method: https://access.redhat.com/articles/6495941
Hive documentation: https://github.com/openshift/hive/blob/95ad9f7/config/crds/hive.openshift.io_clusterdeployments.yaml#L635

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

ACM Epic Done Checklist

See presentation and details.

Update with "Y" if Epic meets the requirement, "N" if it does not, or "N/A" if not applicable.

Y FIPS Readiness
Y Works in Disconnected
Y Global Proxy Support
N/A Installable to Infrastructure Nodes
Y No impacts to Performance and Scalability
Y Backup and Restorable

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

screenshot-1.png
209 kB
2022/09/14 7:32 PM
screenshot-2.png
206 kB
2022/09/14 7:32 PM

Activity

People

Assignee:: Bradd Weidenbenner

Reporter:: Sho Weimer

Manager:: Nelson Jean

Technical Lead:: Kevin Cormier

QA Contact:: Atif Shafi

Designer:: Joy Jean

Product Manager:: Bradd Weidenbenner

Votes:: 5 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2021/11/09 4:28 PM

Updated:: 2023/06/16 1:10 PM

Resolved:: 2023/06/16 1:10 PM