Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: openshift-4.19
Affects Version/s: openshift-4.19
Component/s: Shift Stack Installer
Labels:

Work Type:
Improvement
Story Points:
1
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
CA Bundle Sync
Release Note Text:

Hide
When an OpenStack cloud uses self-signed certificates, it is necessary to provide a CA cert alongside the {{cloud.yaml}} file for components that require communication with the cloud. Previously, this was managed on a per-component basis. Starting in OpenShift 4.19, the {{cloud-credential-operator}} (CCO) is now capable of consuming a CA cert provided in the root credentials secret and providing this to all components. This will allows users to easily rotate their CA cert alongside their credentials.

Show
When an OpenStack cloud uses self-signed certificates, it is necessary to provide a CA cert alongside the {{cloud.yaml}} file for components that require communication with the cloud. Previously, this was managed on a per-component basis. Starting in OpenShift 4.19, the {{cloud-credential-operator}} (CCO) is now capable of consuming a CA cert provided in the root credentials secret and providing this to all components. This will allows users to easily rotate their CA cert alongside their credentials.
Release Note Type:
Enhancement
Intelligence Requested:
Market:

Sprint:
ShiftStack Sprint 267, ShiftStack Sprint 269

Target Version:

openshift-4.19

Test Coverage:

+

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

The cloud-credential-operator (CCO) consumes a root credential secret from kube-system / openstack-credentials and rolls it out to secrets in different namespaces, in response to CredentialsRequests CRs. We should modify CCO to start looking for a cacert field in this root credential secret and copying it to the generated secrets. This key name is chosen since it aligns with the expected secret key name used by components like CAPO and ORC.

is depended on by

OSASINFRA-3730 Add CA bundle to root credential secret created by installer

Code Review

OSASINFRA-3731 Consume CA bundle from CCO-provisioned credential secret in csi-operator, cluster-storage-operator

Code Review

OSASINFRA-3732 Publish CA cert to well-known location in hypershift

Code Review

OCPBUGS-50659 CAPO deployed by CAPI operator doesn't work with OpenStack self signed CA cert

MODIFIED

links to

openshift/cloud-credential-operator#780: OSASINFRA-3657: Add support for storing OpenStack CA bundles

Assignee:: Stephen Finucane

Reporter:: Stephen Finucane

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/11/08 5:55 PM

Updated:: 2025/03/10 3:33 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates