Use RBAC while connecting ovn-controllers to SB database #541
slawqo wants to merge 3 commits into openstack-k8s-operators:main from
This new secret is created by the ovn-operator with patch [1] and contains the OVN SB DB certificate, which is then used to sign the certificates used by the ovn-controller on each of the edpm nodes. This is required to use OVN RBAC for the connection between ovn-controllers and the OVN southbound DB.

[1] openstack-k8s-operators/ovn-operator#541

Related: #OSPRH-1921
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
This cert will then be used to sign "per chassis" certificates used by the ovn-controllers to connect to the DB with OVN RBAC enabled [1].

[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html

Related: #OSPRH-1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>

With this patch, instead of the same SSL certificate being used by each of the ovn-controller PODs in the environment, a separate certificate is generated for each, with a unique CN that matches the system-id set on that chassis, signed with the certificate from the SB. That way OVN RBAC can be used for the connections from ovn-controller PODs to the OVN SB database.

Related: #1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>

This patch configures RBAC to access OVN SB databases so that ovn-controllers now have limited access to this DB and will only be able to modify their own data. On the other hand Northd requires "full access" to the SB DB, and to achieve that there is another DB listener created on port 16642 to be used by northd. More info about OVN RBAC can be found in its documentation at [1].

[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html

Related: #1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Yes, they need it too. I proposed to mount the secret with that SB Cert to the ansibleee pod and then generate an SSL cert for each node in that Ansibleee POD and copy it to the edpm node. PRs for that part are openstack-k8s-operators/openstack-operator#1895 and openstack-k8s-operators/edpm-ansible#1158

Are you saying that I should generate all certs by openstack-operator, or that I should do that only for the SB Cert which is later used to sign certificates for the OVN controller (PODs and services running on edpm nodes)? The problem with the latter is that certificates used by ovn-controller have to have a CN field which matches the "system-id" from that node and have to be signed with the cert generated on the SB DB POD. So how could it all be handled by openstack-operator? Should we generate uuids for ovn-controller PODs there too?

I didn't test backup/restore really, but I'm not sure what problem we could have with it. Isn't backup/restore already doing backup of certificates on the nodes?
This patch configures RBAC to access OVN SB databases so that ovn-controllers now have limited access to this DB and will only be able to modify its own data.
On the other hand Northd requires "full access" to the SB DB, and to achieve that there is another DB listener created on port 16642 to be used by northd.
More info about OVN RBAC can be found in its documentation at [1].
[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html
Depends-On: openstack-k8s-operators/install_yamls#1145
Related: #OSPRH-1921
Closes: #OSPRH-1922
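The description above explains the mechanism (per-chassis certificates whose CN equals the chassis system-id, RBAC on the ovn-controller listener, an unrestricted listener for northd) but not the check that mechanism enables. The Python model below is an added example, not code from this PR or from the ovn-operator: it simulates how the OVN SB RBAC permission evaluation described in the OVN RBAC tutorial decides whether a client may touch a row, and shows why a shared certificate cannot work with RBAC. The role subset, column names and rows are constructed for illustration and are not the real RBAC_Permission table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One RBAC_Permission row of the SB DB (simplified, constructed model)."""
    table: str
    authorization: tuple   # columns that must equal the client cert CN; () = any row
    insert_delete: bool    # may the client insert/delete rows of this table?
    update: frozenset      # columns the client may modify


# Constructed subset of the "ovn-controller" role from the OVN RBAC tutorial.
OVN_CONTROLLER_ROLE = {
    "Chassis": Permission("Chassis", ("name",), True,
                          frozenset({"nb_cfg", "external_ids", "encaps", "other_config"})),
    "Encap": Permission("Encap", ("chassis_name",), True,
                        frozenset({"type", "options", "ip"})),
    "Port_Binding": Permission("Port_Binding", (), False,
                               frozenset({"chassis", "encap", "up"})),
}


def row_authorized(perm, row, client_cn):
    """A row is authorized when one of the 'authorization' columns equals the client CN."""
    return not perm.authorization or any(row.get(c) == client_cn for c in perm.authorization)


def check(role, client_cn, op, table, row, columns=()):
    """Return (allowed, reason) for op in {"insert", "delete", "update"} on one row."""
    perm = role.get(table)
    if perm is None:
        return False, f"table {table} is not granted to this role"
    if not row_authorized(perm, row, client_cn):
        return False, f"row is not owned by CN {client_cn!r}"
    if op in ("insert", "delete"):
        return perm.insert_delete, f"{op} {'allowed' if perm.insert_delete else 'denied'}"
    denied = set(columns) - perm.update
    if denied:
        return False, f"columns not updatable by this role: {sorted(denied)}"
    return True, "update allowed"


if __name__ == "__main__":
    # Per-chassis cert: CN equals the chassis system-id, so only its own row is writable.
    print(check(OVN_CONTROLLER_ROLE, "chassis-a", "update", "Chassis", {"name": "chassis-a"}, ["nb_cfg"]))
    print(check(OVN_CONTROLLER_ROLE, "chassis-a", "update", "Chassis", {"name": "chassis-b"}, ["nb_cfg"]))
    # Shared cert: a CN matching no chassis name cannot update any Chassis row at all.
    print(check(OVN_CONTROLLER_ROLE, "ovn-controller", "update", "Chassis", {"name": "chassis-a"}, ["nb_cfg"]))
```

A northd process needs to write rows it does not "own" (for example every Port_Binding's logical_port), which is why the description gives it a separate listener without this role.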