Red Hat Advanced Cluster Management / ACM-1092

UI support custom CA for OpenStack cluster deployments

    • False
    • False
    • Green
    • To Do
    • ACM-637 - Self-managed IPI provider support
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • Support configuring a custom CA when creating an OpenShift cluster on OpenStack

      Why is this important?

      • Customers want to bring their own CA as part of regulatory/security/policy standards
      • Deployments can fail without the custom CA configured

      Scenarios

      1. In the Credentials wizard for OpenStack, the user can input their custom CA
        1. If a CA is provided, then clouds.yaml must contain a reference to the CA, and this should be validated
      2. During cluster creation for OpenStack, when the user selects the credential, the UI will conditionally create a CA Secret with the contents and add the `certificatesSecretRef` to the ClusterDeployment spec.

       

      ClusterDeployment
      ...
      spec:
        platform:
          openstack:
            certificatesSecretRef:
              name: <clustername>-openstack-certs

      CA secret
      apiVersion: v1
      stringData:
        ca.crt: <REDACTED CA contents>
      kind: Secret
      metadata:
        name: <clustername>-openstack-certs
        namespace: <clustername>
      type: Opaque

      clouds.yaml
      clouds:
        openstack:
          auth:
            cacert: /etc/openstack-ca/ca.crt # OR /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
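
One way the credential check in Scenario 1 could work, as an added example that is not code from the ACM console: the JavaScript below cross-checks a supplied CA bundle against the `cacert` entry in clouds.yaml. The function names, the sample input, and treating the two paths shown above as the only accepted values are assumptions.

```javascript
// Added example, not ACM console code; all names are hypothetical.
// Assumed accepted cacert values, taken from the page's clouds.yaml snippet.
const CA_PATHS = ['/etc/openstack-ca/ca.crt', '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem'];

// Walks block-style YAML mappings only (no lists, flow syntax or multi-line
// scalars); a real UI would use a full YAML parser. Accepts cacert under the
// cloud entry or under its auth block (the page shows it under auth).
function findCacert(cloudsYaml, cloud) {
  const path = []; // stack of { indent, key } for the current nesting
  for (const raw of cloudsYaml.split(/\r?\n/)) {
    const m = /^(\s*)([^\s:#][^:]*):\s*(.*)$/.exec(raw.replace(/\s+#.*$/, ''));
    if (!m) continue;
    while (path.length && path[path.length - 1].indent >= m[1].length) path.pop();
    path.push({ indent: m[1].length, key: m[2].trim() });
    const keys = path.map((p) => p.key).join('/');
    const hit = keys === `clouds/${cloud}/cacert` || keys === `clouds/${cloud}/auth/cacert`;
    if (hit && m[3].trim()) return m[3].trim().replace(/^["']|["']$/g, '');
  }
  return undefined;
}

// Structural check only: counts PEM CERTIFICATE blocks whose body decodes to
// a DER SEQUENCE (first byte 0x30). It does not parse or verify the X.509 data.
function pemCertCount(bundle) {
  const re = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+?)-----END CERTIFICATE-----/g;
  let count = 0;
  for (const m of bundle.matchAll(re)) {
    const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
    if (der.length < 4 || der[0] !== 0x30) return 0;
    count++;
  }
  return count;
}

// Returns a list of problems; an empty list means the credential is consistent.
function validateCredential({ cloudsYaml, cloud, caBundle }) {
  const errors = [];
  if (!caBundle) return errors; // no custom CA supplied: nothing to cross-check
  if (/PRIVATE KEY-----/.test(caBundle)) errors.push('CA bundle contains a private key');
  else if (pemCertCount(caBundle) === 0) errors.push('CA bundle is not PEM certificate data');
  const cacert = findCacert(cloudsYaml, cloud);
  if (!cacert) errors.push(`clouds.${cloud} has no cacert reference`);
  else if (!CA_PATHS.includes(cacert)) errors.push(`unexpected cacert path: ${cacert}`);
  return errors;
}

// Constructed sample input; the CA is a 4-byte stub, not a real certificate.
const SAMPLE_CLOUDS = ['clouds:', '  openstack:', '    auth:',
  '      cacert: /etc/openstack-ca/ca.crt # custom CA'].join('\n');
const SAMPLE_CA = `-----BEGIN CERTIFICATE-----\n${Buffer.from([0x30, 0x82, 0x01, 0x00]).toString('base64')}\n-----END CERTIFICATE-----\n`;
```

Rejecting a pasted private key before the bundle is written to the `ca.crt` Secret keeps key material out of an object that is only meant to hold public trust anchors.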
      

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • Must be able to deploy clusters to OpenStack environments that use a custom CA
      • Credential creation for OpenStack should validate certificate and clouds.yaml appropriately

      Previous Work (Optional):

      1. Current article describing manual method: https://access.redhat.com/articles/6495941
      2. Hive documentation: https://github.com/openshift/hive/blob/95ad9f7/config/crds/hive.openshift.io_clusterdeployments.yaml#L635

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      ACM Epic Done Checklist

      See presentation and details.

      Update with "Y" if Epic meets the requirement, "N" if it does not, or "N/A" if not applicable.

      • Y FIPS Readiness
      • Y Works in Disconnected
      • Y Global Proxy Support
      • N/A Installable to Infrastructure Nodes
      • Y No impacts to Performance and Scalability
      • Y Backup and Restorable

        1. screenshot-1.png
          209 kB
          Kevin Cormier
        2. screenshot-2.png
          206 kB
          Kevin Cormier

              bweidenb@redhat.com Bradd Weidenbenner
              showeimer Sho Weimer
              Nelson Jean Nelson Jean
              Kevin Cormier Kevin Cormier
              Atif Shafi Atif Shafi
              Joy Jean Joy Jean
              Bradd Weidenbenner Bradd Weidenbenner