starlingx/openstack-armada-app
Code Issues Proposed changes
master
openstack-armada-app/openstack-helm
History
Lucas de Ataides 4c79b9bc53 Improve STX-O HTTPs decoupling from the platform 
This commit improves and addresses issues introduced by [1] and other
FQDN / TLS issues.

The change [1] only addressed a portion of the certificate management
requirements. Initially, it was assumed that only one certificate
(openstack-helm.crt) was needed. However, further inspection revealed
that three files are necessary: the certificate file, the certificate
key, and the CA certificate (though the CA certificate is optional).

This update improves the approach by allowing users to customize the
paths of these certificate files. Users can either utilize the default
system commands (os-certificate-install, ca-certificate-install) to
install the certificates or specify their own custom certificates and
paths. This provides flexibility while maintaining compatibility with
existing system commands.

This by itself was not sufficiente to solve the [2] issue. For that,
the patch 0005 for openstack-helm [3] had to be udpated to include
the HTTPS endpoint configuration for the Keystone Admin endpoint. The
way this patch was written, this endpoint would remain as HTTP even if
the certificates were configured, which can be considered a security
flaw, as someone with bad intentions could have access to Keystone
services in plain HTTP, or even spoof the traffic between the services.

[1] https://review.opendev.org/c/starlingx/openstack-armada-app/+/926641
[2] https://bugs.launchpad.net/starlingx/+bug/2080979
[3] https://opendev.org/starlingx/openstack-armada-app/src/branch/master/openstack-helm/debian/deb_folder/patches/0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
[4] https://review.opendev.org/c/starlingx/docs/+/930392

Test Plan:
  Base:
  - PASS: Build STX-Openstack tarball
  - PASS: Apply STX-Openstack
  - PASS: Verify all app communications is being done via HTTP

  Applying the TLS / FQDN configuration before the first apply:
    Using system commands:
    - PASS: Using the `system os-certificate-install` and
            `system ca-certificate-install` commands, apply HTTPS and
            reapply the STX-Openstack application. Verify all
            communications are done via HTTPS
    - PASS: Check the Helm overrides for various charts and make sure
            that all "cacert", "crt" and "key" fields are present.
    - PASS: Verify that all Openstack endpoints are with FQDN and HTTPS
    - PASS: Make sure commands are reaching the HTTPS endpoints

    Using a custom path for the certificates:
    - PASS: Make Helm overrides to the `openstackCertificateFile`,
            `openstackCertificateKeyFile` and
            `openstackCertificateCAFile` fields. Verify that the app
            applies normally
    - PASS: Check the Helm overrides for various charts and make sure
            that all "cacert", "crt" and "key" fields are present.
    - PASS: Verify that all Openstack endpoints are with FQDN and HTTPS
    - PASS: Make sure commands are reaching the HTTPS endpoints

  Applying the TLS / FQDN configuration after the first apply:
    Using system commands:
    - PASS*: Using the `system os-certificate-install` and
            `system ca-certificate-install` commands, apply HTTPS and
            reapply the STX-Openstack application. Verify all
            communications are done via HTTPS

    Using a custom path for the certificates:
    - PASS: Make Helm overrides to the `openstackCertificateFile`,
            `openstackCertificateKeyFile` and
            `openstackCertificateCAFile` fields. Verify that the app
            applies normally
    - PASS: Check the Helm overrides for various charts and make sure
            that all "cacert", "crt" and "key" fields are present.
    - PASS: Verify that all Openstack endpoints are with FQDN and HTTPS
    - PASS: Make sure commands are reaching the HTTPS endpoints

*: This test case has a doc input on [4]. This method (using system
commands to install the STX-Openstack certificates after the application
is already applied) involves waiting for the endpoints to be
reconfigured.

Closes-Bug: 2080979

Change-Id: I57221bcadbed28dd9c00689cfeb6e11219a05de6
Signed-off-by: Lucas de Ataides <lucas.deataidesbarreto@windriver.com>
2024-09-26 13:27:33 -03:00
..
debian Improve STX-O HTTPs decoupling from the platform 2024-09-26 13:27:33 -03:00
files Recreating required files for files folder 2024-02-08 13:10:02 -03:00
Readme.rst Adding openstack-helm and openstack-helm-infra to the build 2018-11-06 09:38:06 -06:00

Readme.rst

This repo is for https://github.com/openstack/openstack-helm

Changes to this repo are needed for StarlingX and those changes are not yet merged. Rather than clone and diverge the repo, the repo is extracted at a particular git SHA, and patches are applied on top.

As those patches are merged, the SHA can be updated and the local patches removed.