Use RBAC while connecting ovn-controllers to SB database #541
slawqo wants to merge 3 commits into openstack-k8s-operators:main from
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: slawqo. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8881a8dd8a39461b9ead8d3463084988 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 44m 44s
Merge Failed. This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/488938ee0adc4b9487ec13c9295691f0 ✔️ openstack-k8s-operators-content-provider SUCCESS in 45m 25s
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/654e83d776ca4981a32478cb381b8b58 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 26m 19s
/retest
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3ea8ac21e62a4d3687373043b2aac30c ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 35m 08s
@slawqo: The following tests failed, say
This cert will then be used to sign "per chassis" certificates used by the ovn-controllers to connect to the DB with OVN RBAC enabled [1].
[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html
Related: #OSPRH-1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
With this patch, instead of using the same SSL certificate for each of the ovn-controller PODs in the environment, a separate certificate is generated, with a unique CN name which matches the system-id set in that chassis, and signed with the certificate from SB. That way OVN RBAC can be used for the connections from ovn-controller PODs to the OVS SB database.
Related: #1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
This patch configures RBAC to access OVN SB databases so that ovn-controllers now have limited access to this DB and will only be able to modify their own data. On the other hand, northd requires "full access" to the SB DB, and to achieve that there is another DB listener created on port 16642 to be used by northd. More info about OVN RBAC can be found in its documentation at [1].
[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html
Related: #1922
Assisted-by: claude-opus-4.6
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3020f70e344a4bf2a149888db9ae7484 ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 50m 20s
This patch configures RBAC to access OVN SB databases so that ovn-controllers now have limited access to this DB and will only be able to modify their own data.
On the other hand, northd requires "full access" to the SB DB, and to achieve that there is another DB listener created on port 16642 to be used by northd.
More info about OVN RBAC can be found in its documentation at [1].
[1] https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html
Related: #OSPRH-1921
Closes: #OSPRH-1922
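The per-chassis certificate model described in the commit messages and the PR description above, as an added Go example that is not part of ovn-operator's code: a constructed local signing cert stands in for the SB cert, each chassis gets a client cert whose CN is its system-id, and AuthorizeChassisWrite mirrors the check the ovn-controller RBAC role performs (the cert must chain to the signer and its CN must equal the name of the Chassis being written). The signer name, serial numbers and validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a P-256 key for tmpl and signs it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(24*time.Hour) // validity is an assumption
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewSigner builds a constructed signing cert that stands in for the SB cert of the commit message.
func NewSigner() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ovn-sb-signer"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}
// ChassisCert issues the per-chassis client cert; its CN is exactly the chassis system-id, the value the RBAC role compares with the Chassis name.
func ChassisCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, systemID string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: systemID}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert, err
}
// AuthorizeChassisWrite mirrors the SB-side check: the cert must chain to the signer and its CN must equal the Chassis name being written.
func AuthorizeChassisWrite(ca, client *x509.Certificate, chassisName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // not issued by the SB signer: the TLS handshake itself would fail
	}
	if client.Subject.CommonName != chassisName {
		return errors.New("RBAC: cert CN " + client.Subject.CommonName + " may not write chassis " + chassisName)
	}
	return nil
}
```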