Epic
Resolution: Unresolved
Major
Adoption: Enable and configure TLS-everywhere in OSP 17 source environment
To Do
RHOSSTRAT-931 - Adoption: Enable and configure TLS-everywhere in OSP 17 source environment
100% To Do, 0% In Progress, 0% Done
Request
To support the testing of Adoption using CI-Framework:
- Implement the required infrastructure changes for TLS-e in https://github.com/openstack-k8s-operators/ci-framework/tree/main/scenarios/adoption
- Implement the required configuration for TLS-e in https://github.com/openstack-k8s-operators/data-plane-adoption/tree/main/scenarios
Acceptance criteria
- (minimum) The unigamma (hci) topology has TLS-e enabled and the adoption process works end-to-end as validated by the adoption test suite.
- (ideal) All existing topologies implemented have TLS-e enabled and the adoption process works end-to-end as validated by the adoption test suite.
Note
Tempest testing and a fully working Tempest result are out of scope for this Epic. Keeping them out of scope is crucial to keep this Epic's work at a manageable size.
Background
When doing adoption for the uni-gamma topology per this process: https://docs.google.com/document/d/1xXEmhwdVh7a2t0yB6Th_3gYZIp3XkcsV330eb7M5xCk/edit?tab=t.0#heading=h.8oigbikkuakj
TLS-everywhere is not enabled on the deployed OSP 17.1 environment, as the attached snippet from an environment deployed with the unigamma topology shows:
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                                   |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------+
| 0463495b78144ed7bf791673e3143943 | regionOne | keystone     | identity       | True    | admin     | http://192.168.122.99:35357                           |
| 04b6454a0b754cc6b5c9fda94b7b724d | regionOne | manilav2     | sharev2        | True    | internal  | http://172.17.0.163:8786/v2                           |
| 15d2ee5e9145493795dfc8f6ecc1a4d1 | regionOne | manilav2     | sharev2        | True    | public    | http://172.21.0.167:8786/v2                           |
| 206eea22ef634b26ac479e626f9298fb | regionOne | nova         | compute        | True    | internal  | http://172.17.0.163:8774/v2.1                         |
| 21b4463b077e4995a3b76b07f36de940 | regionOne | swift        | object-store   | True    | admin     | http://172.18.0.174:8080/swift/v1/AUTH_%(project_id)s |
| 30ad81df19f74ac585351883a05a1e80 | regionOne | gnocchi      | metric         | True    | internal  | http://172.17.0.163:8041                              |
| 31c6c712814b484dac9e4078da0827fb | regionOne | cinderv3     | volumev3       | True    | admin     | http://172.17.0.163:8776/v3/%(tenant_id)s             |
| 3243c6999ba147d28e02a193a5a07b8e | regionOne | cinderv3     | volumev3       | True    | internal  | http://172.17.0.163:8776/v3/%(tenant_id)s             |
| 34a7ce992acc40a0b522f645ddb8fb7e | regionOne | heat         | orchestration  | True    | public    | http://172.21.0.167:8004/v1/%(tenant_id)s             |
| 42d4bed11b51449081dc2a75414a8826 | regionOne | manilav2     | sharev2        | True    | admin     | http://172.17.0.163:8786/v2                           |
| 550345058d6045fea9df3766a3b50229 | regionOne | heat-cfn     | cloudformation | True    | internal  | http://172.17.0.163:8000/v1                           |
| 6c567575f18d431dbbe9b8c6ea52da74 | regionOne | aodh         | alarming       | True    | public    | http://172.21.0.167:8042                              |
| 742611dd07ac4bfab33d52e3626c8fe4 | regionOne | glance       | image          | True    | admin     | http://172.17.0.163:9293                              |
| 76ac76c5e6794397bbceda87f960bccf | regionOne | nova         | compute        | True    | public    | http://172.21.0.167:8774/v2.1                         |
| 781ff4fb16d04b6a9e0b6182f417fcaf | regionOne | gnocchi      | metric         | True    | public    | http://172.21.0.167:8041                              |
| 95742a4b0dea4ef19fc52fdc39dd686a | regionOne | cinderv3     | volumev3       | True    | public    | http://172.21.0.167:8776/v3/%(tenant_id)s             |
| 96464fc76ba24a7b80247f2a3989f444 | regionOne | aodh         | alarming       | True    | admin     | http://172.17.0.163:8042                              |
| 99621ec53e4b468c9cea0be6fd11f8fc | regionOne | heat         | orchestration  | True    | admin     | http://172.17.0.163:8004/v1/%(tenant_id)s             |
| 99f7870bfdd54819bcf3cf7c1f796432 | regionOne | gnocchi      | metric         | True    | admin     | http://172.17.0.163:8041                              |
| 9a00ae8e170d41748a81c34fb429e78f | regionOne | neutron      | network        | True    | admin     | http://172.17.0.163:9696                              |
| 9d79fc6d3e964a199616221fe24dd845 | regionOne | placement    | placement      | True    | public    | http://172.21.0.167:8778/placement                    |
| a3934dbffe954a288f279032d9521cee | regionOne | swift        | object-store   | True    | internal  | http://172.18.0.174:8080/swift/v1/AUTH_%(project_id)s |
| a499752943aa48438be20c1cc6c0d06f | regionOne | keystone     | identity       | True    | internal  | http://172.17.0.163:5000                              |
| ae11b6e6816b4a858d7fa0c76764bed4 | regionOne | heat         | orchestration  | True    | internal  | http://172.17.0.163:8004/v1/%(tenant_id)s             |
| b5af50481cc24aaea0805ba835a24e78 | regionOne | manila       | share          | True    | admin     | http://172.17.0.163:8786/v1/%(tenant_id)s             |
| bddeebc6a40f4e4da0b8d9471c8aac2a | regionOne | nova         | compute        | True    | admin     | http://172.17.0.163:8774/v2.1                         |
| c22c6e023d2c432197adc41ea5913d8d | regionOne | aodh         | alarming       | True    | internal  | http://172.17.0.163:8042                              |
| c6286b743e624dd68c09af572fb397a1 | regionOne | heat-cfn     | cloudformation | True    | admin     | http://172.17.0.163:8000/v1                           |
| d15e750612d14db390b11b95845cdebd | regionOne | glance       | image          | True    | public    | http://172.21.0.167:9292                              |
| d459f954532d4d54b99e153814e70352 | regionOne | placement    | placement      | True    | internal  | http://172.17.0.163:8778/placement                    |
| d9fe5f8959764a67b2e5c4a1789169ca | regionOne | neutron      | network        | True    | internal  | http://172.17.0.163:9696                              |
| de2787dc66cd45b48cd3fce54e3dba40 | regionOne | glance       | image          | True    | internal  | http://172.17.0.163:9293                              |
| e39eff765b9f4d0591461bee1525d383 | regionOne | manila       | share          | True    | internal  | http://172.17.0.163:8786/v1/%(tenant_id)s             |
| e8c5b17a6d4b401bb4191e0d7d413ad1 | regionOne | neutron      | network        | True    | public    | http://172.21.0.167:9696                              |
| e923a80153c9411ab16079ea759fbbeb | regionOne | swift        | object-store   | True    | public    | http://172.21.0.167:8080/swift/v1/AUTH_%(project_id)s |
| ec8dcbc9c9cb4f118371edb0b1108e1d | regionOne | keystone     | identity       | True    | public    | http://172.21.0.167:5000                              |
| f28c7f843883498da99bbfded1853e42 | regionOne | heat-cfn     | cloudformation | True    | public    | http://172.21.0.167:8000/v1                           |
| fd17ecbe985246e6bf3f16bf138220c2 | regionOne | placement    | placement      | True    | admin     | http://172.17.0.163:8778/placement                    |
| ffa89afd734c400a918df44764c953d7 | regionOne | manila       | share          | True    | public    | http://172.21.0.167:8786/v1/%(tenant_id)s             |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------------+
According to https://docs.google.com/spreadsheets/d/1PaiuGI7CfsEg9Go6AZ76K9UcGLo3rBIkue-MXR5qfnQ/edit?gid=781861419#gid=781861419, all Uni jobs should have TLSe enabled.
TLSe is enabled in the 18.0 Greenfield unigamma job, but it should be enabled across all uni adoption jobs too.
All OSP 17.1 deployment configs in https://github.com/openstack-k8s-operators/data-plane-adoption/tree/main/scenarios should have TLS enabled by default, including unigamma.
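A check for the condition described in the Background, as an added example that is not part of this issue or of the CI-Framework code: it parses endpoint-list table output like the snippet above and reports every enabled endpoint whose URL is not https. The function names are assumptions; three sample rows are copied from the snippet and the https row is constructed with a hypothetical hostname.

```python
"""Flag Keystone catalog endpoints that are not served over TLS."""

# Three rows copied from the endpoint listing in this issue, plus one
# constructed https row (hypothetical hostname) to show a passing endpoint.
SAMPLE = """\
+----+--------+--------------+--------------+---------+-----------+-----+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----+--------+--------------+--------------+---------+-----------+-----+
| 0463495b78144ed7bf791673e3143943 | regionOne | keystone | identity | True | admin | http://192.168.122.99:35357 |
| a3934dbffe954a288f279032d9521cee | regionOne | swift | object-store | True | internal | http://172.18.0.174:8080/swift/v1/AUTH_%(project_id)s |
| 95742a4b0dea4ef19fc52fdc39dd686a | regionOne | cinderv3 | volumev3 | True | public | http://172.21.0.167:8776/v3/%(tenant_id)s |
| 00000000000000000000000000000000 | regionOne | keystone | identity | True | public | https://overcloud.example.test:13000 |
+----+--------+--------------+--------------+---------+-----------+-----+
"""


def parse_endpoint_table(text):
    """Parse ASCII-table endpoint output into a list of dicts keyed by header."""
    rows, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip border lines and blanks
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = cells  # first data line is the column header
            continue
        if len(cells) != len(header):
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def non_tls_endpoints(rows):
    """Return (service, interface, url) for enabled endpoints not using https."""
    bad = []
    for row in rows:
        if row["Enabled"] != "True":
            continue
        # URLs carry %(tenant_id)s templates, so only the scheme is inspected.
        scheme = row["URL"].split("://", 1)[0].lower()
        if scheme != "https":
            bad.append((row["Service Name"], row["Interface"], row["URL"]))
    return sorted(bad)


if __name__ == "__main__":
    for name, iface, url in non_tls_endpoints(parse_endpoint_table(SAMPLE)):
        print(f"NOT TLS: {name:<10} {iface:<8} {url}")
```

An empty result across the admin, internal and public interfaces is the condition the acceptance criteria ask for on the OSP 17.1 source environment.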
- blocks: OSPRH-14376 Support RGW tls in unigamma adoption job