Red Hat OpenStack Services on OpenShift
OSPRH-9451

When environment gets deployed with only TLS for public endpoints, the CA bundle is not configured on the dataplane nodes

    • DFG Security: UC Sprint 101
    • Important
    • Security

      When environment gets deployed with only TLS for public endpoints, the CA bundle is not configured on the dataplane nodes

      $ OPENSTACK_CTLPLANE=config/samples/core_v1beta1_openstackcontrolplane_network_isolation_tls_public_endpoint.yaml make openstack_deploy

      Validate PodLevel/internal TLS is not enabled:

      $ oc get openstackcontrolplane -n openstack -l core.openstack.org/openstackcontrolplane -o yaml | yq .items[0].spec.tls.podLevel.enabled
      false

      Deploy dataplane:

      $ DATAPLANE_TLS_ENABLED=false DATAPLANE_TOTAL_NODES=2 make edpm_deploy

      Validate TLS is not enabled:

      $ oc get openstackdataplanenodeset -n openstack -o yaml | yq .items[0].spec.tlsEnabled
      false

      No cacert was deployed on the edpm nodes:

      [root@edpm-compute-0 ~]# ls -la /var/lib/openstack/
      total 4
      drwxr-xr-x.  3 root root   20 Aug 13 07:02 .
      drwxr-xr-x. 48 root root 4096 Aug 13 07:04 ..
      drwxr-xr-x.  6 root root   65 Aug 13 07:05 config

      The CA bundle created by the ctlplane will also have 3rd-party CA certs the user wants to be added to deployments. They should also be installed on the edpm nodes even if internal TLS is not enabled.

            rhn-gps-alee Ade Lee
            rhn-support-mschuppe Martin Schuppert
            rhos-dfg-security