Commit Graph

23 Commits

Author SHA1 Message Date
Michal Nasiadka 5c0c27807a Drop k8s_coreos_v1 driver
Change-Id: I64884677cf05c59c64988dfbee9bf22e97a3466b
2024-02-05 07:04:05 +00:00
ricolin eca79453c0 Fix Trust token scope for drivers
This fixes the driver token scope to make sure we use the correct token
scope from Trust.

Change-Id: If5b31951959c7a141dc1cae5fefcabe4ebf438b3
2023-07-25 17:00:40 +08:00
Kirsten G b07b6f34d5 Add verify_ca configuration parameter
Added configuration parameter, verify_ca, to magnum.conf with default
value of True. This parameter is passed to the heat templates to
indicate whether the cluster nodes validate the Certificate Authority
when making requests to the OpenStack APIs (Keystone, Magnum, Heat).
This configuration parameter can be set to False to disable CA
validation.

Co-Authored-By: Vijendar Komalla <vijendar.komalla@rackspace.com>

Change-Id: Iab02cb1338b811dac0c147378dbd0e63c83f0413
Partial-Bug: #1663757
2017-11-21 10:25:32 -08:00
Jenkins 68f0a6c6d2 Merge "[k8s_coreos] Avoid regenerating certs on reboot" 2017-05-14 21:12:25 +00:00
ArchiFleKs 2b8e9859cd [k8s_coreos] Avoid regenerating certs on reboot
Change-Id: I2f37891e24abcf2c7f9022722663171aa9277fcc
Closes-Bug: #1687903
2017-05-03 19:16:22 +02:00
Kevin Lefevre 4c241a683f Enable custom keystone endpoint_type in templates
Allow specifying a custom AUTH_URL for the templates in case instances
cannot reach internalURL, which is the case in most deployments.

A new variable in the trust section, trustee_keystone_interface, which
defaults to public, is introduced.

Change-Id: I2a908c0752387e4ff4ad2b0fdf0c1025a73ce806
Closes-Bug: #1643197
2017-05-01 18:15:58 +02:00
ArchiFleKs ecfe6ac183 Fix CoreOS multi master with LB cluster creation
Clusters that use ETCD, like Swarm and K8s, failed with LB and TLS enabled
because the ETCD LB protocol is HTTP but SSL termination is on the ETCD
node. The ETCD LB protocol should be the same as K8s with TLS enabled.

Partial-Bug: #1679724

Change-Id: Ie8c8a7e4609c0e2e63095d4c18af84cc653654e1
2017-04-11 11:10:58 +02:00
Jenkins ed173776ca Merge "Fix CVE-2016-7404" 2017-02-22 20:58:44 +00:00
ArchiFleKs 288bb34fe3 Add Kubernetes API Service IP to x509 certificates
By default, the API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to the SANs
when generating the certs.

Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
2017-02-20 16:36:21 +01:00
Jenkins 40df2f1886 Merge "Remove heat-params sourcing" 2017-02-10 09:29:57 +00:00
Jenkins 1c5569f735 Merge "Improve consistency for SSL PATH across template" 2017-02-10 00:20:33 +00:00
Johannes Grassler e93d82e8b3 Fix CVE-2016-7404
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
  for a Keystone trust.
* The cluster's Keystone trust id is only passed into
  instances for clusters where that is actually needed. This
  prevents the trustee user from consuming the trust in cases
  where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
  default) is introduced. It needs to be explicitly enabled
  by the cloud operator to allow clusters that need the
  trust_id to be passed into instances to work. Without this
  setting, attempts to create such clusters will fail.

Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

Change-Id: I643d408cde0d6e30812cf6429fb7118184793400
2017-02-09 16:44:27 +01:00
ArchiFleKs bd2f578a69 Remove heat-params sourcing
Since commit 220675d42a heat-params are
used by systemd and are unnecessary.

Implements: blueprint coreos-best-pratice
Change-Id: Iaf88219db2d3aaa452ff07a146acb3fbef323eb1
2017-02-09 13:48:21 +01:00
Kevin Lefevre fb0aa7d3e1 Improve consistency for SSL PATH across template
Multiple variable names were used in different fragments. This commit
makes KUBE_CERTS_PATH and HOST_CERTS_PATH hardcoded values in the heat-params
fragment and uses them inside fragments instead of hardcoded values and
different variable names.

Implements: blueprint coreos-best-pratice
Change-Id: I8c7856601096672890ab5a1318db0177d582e53d
2017-02-09 13:33:28 +01:00
ArchiFleKs e154970558 Remove carriage return when getting user token
make-cert failed because keystone returns a '\r' at the end of the token.

Change-Id: I2f65756e53bf7d5b3ac407c7b2a6c5bcba02454f
2017-02-07 17:17:42 +01:00
Kevin Lefevre 220675d42a Use heat-params in systemd unit
Instead of sourcing heat-params in script, we can use it as a systemd
unit EnvironmentFile directive and not inline in sh scripts.

Change-Id: I3ebf23dee6785febdc87bc5ce4212c30ef24806e
2017-02-01 09:18:19 +01:00
Jason Dunsmore fbfdbec60d Pass OpenStack-API-Version header in make-cert scripts
Otherwise, the magnum certificates API will return a 406 Not
Acceptable error.

Change-Id: I0d59bf71b62bdd4204cd32d26ef3f2fc30f8f180
Closes-Bug: #1659423
2017-01-26 20:27:22 +00:00
yatin 03e7aee236 [k8s_coreos] Enable TLS in Etcd cluster
With this patch the following are done:
- Configure Etcd with TLS support

Configure the following to communicate with TLS-enabled Etcd:
- Flannel

Etcd also listens at http://127.0.0.1:2379, so on master nodes
etcdctl can communicate without using certificates.

If TLS_DISABLED="True", then TLS is not enabled for etcd.

Change-Id: I7691ca328c4e1bc0738937b62cd813b5ad7df959
Implements: blueprint secure-etcd-cluster-coe
2016-12-26 14:00:37 +05:30
Abhishek Chanda 4c0850731d Disable cert checks while talking to endpoints
A lot of deployments use self-signed certs. Curl breaks in those
cases trying to validate certs against the known set of CAs.

Change-Id: Ib36f9a99a91ce2c4d2141421ab7295303ead716f
2016-10-06 19:31:45 -07:00
Jaycen Grant 729c2d0ab4 Rename Bay DB, Object, and internal usage to Cluster
This is patch 3 of 3 to change the internal usage of the terms
Bay and BayModel. This patch updates Bay to Cluster in DB and
Object as well as all the usages. No functionality should be
changed by this patch, just naming and db updates.

Change-Id: Ife04b0f944ded03ca932d70e09e6766d09cf5d9f
Implements: blueprint rename-bay-to-cluster
2016-09-08 13:01:12 -07:00
Spyros Trigazis 1dff798914 Fix indentation and if expressions in make-cert
Followup to [1], to fix long lines and if expressions.

[1] I0c320ef392fb424755730d4572e744f9c3852c87

Change-Id: I0a29def2b6511f1d8f6190c2e07974ac8d235b46
Related-Bug: #1599680
2016-08-11 14:28:22 +02:00
OTSUKA, Yuanying d5616dc6fe Re: Remove dependency of metadata service
These changes were merged into upstream once [1], but are lost now.
So I added these changes again.
And this fixes issues which occur if "KUBE_API_PUBLIC_ADDRESS"
or "KUBE_API_PRIVATE_ADDRESS" are blank.

[1]: Idb30971e205e8fd94a478ef7d0bc6a30f5cab534

Change-Id: I0c320ef392fb424755730d4572e744f9c3852c87
Closes-Bug: #1599680
2016-08-09 10:07:25 +02:00
Eli Qiao f081cf18e5 k8s_coreos_driver: cleanup file naming
Since we have separate template files in different driver directories, we
can clean up the -coreos suffix from the templates.

1. Remove unused shell scripts.
2. Remove kube-examples.yaml and kube-user.yaml, which are never used.

Closes-bug: #1606655
Change-Id: I6ac93ad23e7ae30ad1eb9be1c79c2cf36af8db0c
2016-07-27 17:41:44 +08:00