[tls] nova novncproxy to support vencrypt

[stuggi]

Restructures the tls section of the novncproxy API to support passing a secret name which holds the cert/key to be used for vencrypt. The CA to validate the vnc server is part of the global bundle.

Jira: OSPRH-6552

[gibizer]

Looks good to me. Thanks for adding the env test coverage too.

[gibizer]

so "none" here allows the proxy to fall back to not encrypted connection if the qemu side of the connection does not support encryption. I'm wondering if we need to allow this.

First I thought that in greendfield we don't need this as either TLS is enabled in the whole deployment or not. But I guess we need to support deploying without TLS, booting instances, and then enabling TLS in the deployment. At that point the existing qemu instances will not support TLS. So we need the fallback.

[stuggi]

yes correct thats the use case we'd need this for. and since the computes config is controlling if the vencrypt is used I think its not a big issue.

[gibizer]

yepp fine by me.

[SeanMooney]

for what its worth i believe that we are not currently planning to support enabling tls after the fact as a documented procedure but I'm fine with making the code capable of that so that we can actually do it when a customer or PM asks.

i was wondering the same as gibi but I'm fine with that answer.

[stuggi]

We already got that request. E.g. for adoption if someone has not tlse on the current env, it should stay the same, but possible to be enabled as a day 2 thing after adoption. the procedure is on our list to be tested/document.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/598eea0b7aaf4b49868ef7309df5bd27

❌ openstack-k8s-operators-content-provider FAILURE in 13m 15s
⚠️ nova-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ nova-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ nova-operator-tempest-multinode-ceph SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[gibizer]

build failure seems to be due to non backward compatible change in the CRD

    go vet ./...
    # github.com/openstack-k8s-operators/openstack-operator/pkg/openstack
    pkg/openstack/nova.go:243:64: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    pkg/openstack/nova.go:257:48: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    make: *** [Makefile:113: vet] Error 1
  stdout_lines: <omitted>

[stuggi]

build failure seems to be due to non backward compatible change in the CRD

    go vet ./...
    # github.com/openstack-k8s-operators/openstack-operator/pkg/openstack
    pkg/openstack/nova.go:243:64: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    pkg/openstack/nova.go:257:48: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    make: *** [Makefile:113: vet] Error 1
  stdout_lines: <omitted>

yes it is a breaking change. what I could do is

• keep the old param,
• land this PR
• get the openstack-operator patch landed to use the new params
• update nova to remove the old
• update openstack-operator

[gibizer]

build failure seems to be due to non backward compatible change in the CRD

    go vet ./...
    # github.com/openstack-k8s-operators/openstack-operator/pkg/openstack
    pkg/openstack/nova.go:243:64: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    pkg/openstack/nova.go:257:48: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName undefined (type "github.com/openstack-k8s-operators/nova-operator/api/v1beta1".TLSSection has no field or method SecretName)
    make: *** [Makefile:113: vet] Error 1
  stdout_lines: <omitted>

yes it is a breaking change. what I could do is

• keep the old param,
• land this PR
• get the openstack-operator patch landed to use the new params
• update nova to remove the old
• update openstack-operator

Yeah that is the way forward I guess. Unfortunately the tempest coverage on openstack-operator does not include the vnc tests so we cannot use the test result there to force merge this PR.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/926df67f1d9b4ab991932521bb69d253

❌ openstack-k8s-operators-content-provider FAILURE in 13m 30s
⚠️ nova-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ nova-operator-tempest-multinode SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ nova-operator-tempest-multinode-ceph SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider

[SeanMooney]

this looks good to me too
just one thing to note is this might conflict with the work kamil is doing on observed generations but there is no way to really avoid that.

[SeanMooney]

for what its worth i believe that we are not currently planning to support enabling tls after the fact as a documented procedure but I'm fine with making the code capable of that so that we can actually do it when a customer or PM asks.

i was wondering the same as gibi but I'm fine with that answer.

[gibizer]

thanks for doing the extra dance with the deprecation

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gibizer, SeanMooney, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [SeanMooney,gibizer,stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stuggi]

Note, tempest vnc tests will fail. that is expected with the current openstack-operator version. we should override it. basically with moving the params, but still have the deprecated one, the openstack-operator expects that from the route -> vnc proxy it is possible to use tls while it isn't right now.

[stuggi]

Note, tempest vnc tests will fail. that is expected with the current openstack-operator version. we should override it. basically with moving the params, but still have the deprecated one, the openstack-operator expects that from the route -> vnc proxy it is possible to use tls while it isn't right now.

or we temporary disable tempest.api.compute.servers.test_novnc.NoVNCConsoleTestJSON if you prefer

[gibizer]

Note, tempest vnc tests will fail. that is expected with the current openstack-operator version. we should override it. basically with moving the params, but still have the deprecated one, the openstack-operator expects that from the route -> vnc proxy it is possible to use tls while it isn't right now.

or we temporary disable tempest.api.compute.servers.test_novnc.NoVNCConsoleTestJSON if you prefer

I will override the job if this test fail. I will expect a clean result in the follow up where the deprecated field is dropped.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://review.rdoproject.org/zuul/buildset/5dcf4df7ffe4465a8ac634d3ba09f106

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 02m 47s
✔️ nova-operator-kuttl SUCCESS in 40m 53s
❌ nova-operator-tempest-multinode FAILURE in 2h 00m 02s
❌ nova-operator-tempest-multinode-ceph FAILURE in 2h 30m 21s

[stuggi]

Note, tempest vnc tests will fail. that is expected with the current openstack-operator version. we should override it. basically with moving the params, but still have the deprecated one, the openstack-operator expects that from the route -> vnc proxy it is possible to use tls while it isn't right now.

or we temporary disable tempest.api.compute.servers.test_novnc.NoVNCConsoleTestJSON if you prefer

I will override the job if this test fail. I will expect a clean result in the follow up where the deprecated field is dropped.

yes those failed https://logserver.rdoproject.org/48/748/b06b9bcdc8c76faa85bb8cc643a699babde9f41f/github-check/nova-operator-tempest-multinode-ceph/1e623d3/controller/ci-framework-data/tests/test_operator/tempest-tests/stestr_results.html

[gibizer]

The rest of the tempest is green so I'm merging this.