keystone insecure certificate override/ca specification #24984
Comments
/cc @uruddarraju |
@kfox1111 what kind of OpenStack/Kubernetes deployment are you speaking about? Please provide us with a more detailed use case. |
Ok, Say I deploy an OpenStack DevStack to do OpenStack development. I now have a Keystone running on a VM that I can test against. I then want to install Kubernetes on the same VM and point it at that development system with --experimental-keystone-url. There's no reason to create a properly secured SSL Keystone endpoint in this environment since it takes a lot of effort, and traffic won't ever leave the VM. We'd like to make it very easy to deploy both OpenStack & Kubernetes for developers. Ideally, we'd even write a DevStack plugin (shell script) to deploy Kubernetes along with the rest of the OpenStack bits all at once in this mode. Kubernetes will then get easy access to a bunch more developers. |
Right now I don't see a way to establish an insecure connection via the gophercloud package; instead we can add a keystone ca.pem to the trusted directory (see the instructions mentioned here for more information). IMO with this we can close this issue. |
I have added it to the proposed keystone token authentication docs. |
Automatic merge from submit-queue: specify custom ca file to verify the keystone server

**What this PR does / why we need it**: Sometimes the keystone server's certificate is self-signed, mainly for internal development, testing, etc. For this kind of ca, we need a way to verify the keystone server. Otherwise, the error below will occur.

> x509: certificate signed by unknown authority

This patch provides a way to pass in a ca file to verify the keystone server when starting `kube-apiserver`.

**Which issue this PR fixes**: fixes #22695, #24984
If you are deploying test OpenStack systems with self signed certs and want to test kubernetes/keystone authentication against it, it currently fails due to cert validation.
There need to be two options for the apiserver:
--keystone-insecure=true - Ignore certificate issues. Only for testing
--certificate-authority=/path/to/ca.pem - Specify the certificate authority used to issue the keystone cert.
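The two apiserver options requested above, and the `x509: certificate signed by unknown authority` failure the merged PR quotes, come down to which root CAs the apiserver's HTTP client trusts when it connects to Keystone. The Go program below is an added example (not Kubernetes or gophercloud code) that shows the three trust policies side by side: system roots only, an operator-supplied CA bundle (the `--certificate-authority=/path/to/ca.pem` case), and verification disabled (the `--keystone-insecure=true` case). It stands up a stub Keystone with `httptest.NewTLSServer`, whose built-in self-signed certificate plays the role of a DevStack self-signed cert; the `/v3` JSON body, the `TLSMode` type and all function names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// TLSMode is the client-side trust policy for the Keystone endpoint. The three
// values mirror the options discussed in the issue: trust only the host's
// system roots (the default, which fails against a self-signed Keystone), trust
// an operator-supplied CA bundle, or skip verification entirely.
type TLSMode int

const (
	SystemRoots TLSMode = iota
	CustomCA
	Insecure
)

// ClientTLSConfig builds the tls.Config an apiserver would hand to its Keystone
// HTTP client. caPEM is only read in CustomCA mode (the --certificate-authority file).
func ClientTLSConfig(mode TLSMode, caPEM []byte) (*tls.Config, error) {
	switch mode {
	case SystemRoots:
		pool, err := x509.SystemCertPool() // the OS trust store, nothing else
		if err != nil {
			return nil, err
		}
		return &tls.Config{RootCAs: pool}, nil
	case CustomCA:
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("ca bundle contains no parseable certificates")
		}
		return &tls.Config{RootCAs: pool}, nil
	case Insecure:
		// Deliberate: this is the "only for testing" --keystone-insecure option.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	return nil, fmt.Errorf("unknown tls mode %d", mode)
}

// ProbeKeystone performs one GET against url with the given trust policy and
// returns the transport or HTTP error, if any.
func ProbeKeystone(url string, cfg *tls.Config) error {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: cfg},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// IsUnknownAuthority reports whether err is the "x509: certificate signed by
// unknown authority" failure quoted in the PR description, regardless of how
// net/http and crypto/tls have wrapped it.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo starts a stub Keystone (constructed here; httptest's self-signed
// certificate stands in for the DevStack cert) and probes it under all three
// policies, returning the error observed for each mode.
func Demo() map[TLSMode]error {
	keystone := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"version":{"id":"v3.0","status":"stable"}}`) // constructed stub of GET /v3
	}))
	defer keystone.Close()

	// This is what an operator would write to the file named by --certificate-authority.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: keystone.Certificate().Raw})

	results := map[TLSMode]error{}
	for _, mode := range []TLSMode{SystemRoots, CustomCA, Insecure} {
		cfg, err := ClientTLSConfig(mode, caPEM)
		if err != nil {
			results[mode] = err
			continue
		}
		results[mode] = ProbeKeystone(keystone.URL+"/v3", cfg)
	}
	return results
}

func main() {
	for mode, err := range Demo() {
		fmt.Printf("mode %d: err=%v unknownAuthority=%v\n", mode, err, IsUnknownAuthority(err))
	}
}
```

Running it shows the system-roots probe failing with the unknown-authority error while the other two succeed. The difference between them is the point of the issue: the CA-file mode still authenticates the endpoint (a certificate from any other issuer would be rejected), whereas `InsecureSkipVerify` accepts any certificate at all, which is why the reporter scoped that option to testing only.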