Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

object: also use system certs for validating RGW cert #772

Open
wants to merge 1 commit into
base: release-4.16
Choose a base branch
from

Conversation

BlaineEXE
Copy link

@BlaineEXE BlaineEXE commented Nov 11, 2024

Backport of rook#14911 (rook#14835) to release-4.16

When generating the HTTP client used for RGW admin ops, use both system certs as well as the user-given cert.

As a real world example, admins may use ACME to rotate Letsencrypt certs every 2 months. For an external CephObjectStore, the cert used by Rook and RGW may not be rotated at the same time. This can cause the Rook operator to fail CephObjectStore reconciliation until both certs agree.

When Rook also relies on system certs in the container, Rook's reconciliation will not have reconciliation failures because Letsencrypt's well-known and trusted root certificates can be loaded from the system to validate the RGW's newly-rotated cert.

Signed-off-by: Blaine Gardner [email protected]
(cherry picked from commit 7bb72a0)
(cherry picked from commit 92267b5)

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Reviewed the developer guide on Submitting a Pull Request
  • Pending release notes updated with breaking and/or notable changes for the next minor release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.

When generating the HTTP client used for RGW admin ops, use both system
certs as well as the user-given cert.

As a real world example, admins may use ACME to rotate Letsencrypt certs
every 2 months. For an external CephObjectStore, the cert used by Rook
and RGW may not be rotated at the same time. This can cause the Rook
operator to fail CephObjectStore reconciliation until both certs agree.

When Rook also relies on system certs in the container, Rook's
reconciliation will not have reconciliation failures because
Letsencrypt's well-known and trusted root certificates can be loaded
from the system to validate the RGW's newly-rotated cert.

Signed-off-by: Blaine Gardner <[email protected]>
(cherry picked from commit 7bb72a0)

# Conflicts:
#	Documentation/CRDs/Cluster/external-cluster/provider-export.md
(cherry picked from commit 92267b5)
Copy link

openshift-ci bot commented Nov 11, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BlaineEXE

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant