Add OVN RBAC support with per-node ovn-controller certificates
Enable OVN role-based access control (RBAC) on the Southbound database
so that ovn-controller nodes can only modify their own chassis rows.
When the openstack-operator provides an RBAC issuer name (from a
dedicated rootca-ovn-rbac CA, see patch [1]), this patch:
* Creates per-node cert-manager Certificate CRs for each ovn-controller
pod, with CN set to a deterministic UUID5 system-id derived from the
node name (ComputeSystemID). This CN must match the chassis
system-id for RBAC to authorize operations.
* Copies the RBAC client cert/key into /etc/openvswitch/ on each node
via the config job, and switches ovn-controller to use these dedicated
paths instead of the shared OVN DB cert.
* Mounts the RBAC CA certificate into ovsdbserver-sb pods and builds a
combined CA bundle (regular CA + RBAC CA) so the SB database can
verify ovn-controller client certificates.
* Sets role=ovn-controller on the SB DB connection (port 6642) to enforce RBAC.
* Creates a second SB DB listener on port 16642 with full (unrestricted)
access, used by ovn-northd.
* Updates inactivity probe handling in setup.sh and runtime-config.sh to
iterate over all connections, since SB now has two listeners.
* The ovn-controller POD now waits for Northd to be ready before starting.
  This avoids a race condition in which the ovn-controller POD could be
  started before Northd had populated the RBAC rules in the SB DB, which
  could cause issues with the ovn-controller's connection to the SB DB.
[1] openstack-k8s-operators/openstack-operator#1906
Related: #OSPRH-1921
Closes: #OSPRH-1922
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
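As an added worked example (not code from this commit or from the ovn-operator project), the following Python simulates two points of the message above: the per-node system-id that must equal the certificate CN for the `ovn-controller` RBAC role to authorize a Chassis update, and the setup.sh/runtime-config.sh change that applies the inactivity probe to every SB connection row now that there are two listeners. The UUID5 namespace, the function names and the `ovn-sbctl list connection` sample output are all constructed assumptions for illustration; the real `ComputeSystemID` helper is not shown on the page.

```python
"""Offline simulation of the RBAC and inactivity-probe points in the commit message.

Example code added to the page; not from the ovn-operator project.
"""
import re
import uuid

# ASSUMPTION: namespace chosen for this example only. The actual namespace
# used by the project's ComputeSystemID helper is not shown on the page.
EXAMPLE_SYSTEM_ID_NAMESPACE = uuid.NAMESPACE_DNS


def compute_system_id(node_name: str) -> str:
    """Deterministic UUID5 system-id derived from the node name.

    Re-deriving for the same node yields the same id, so a re-issued
    per-node certificate keeps matching the chassis row it is allowed to edit.
    """
    return str(uuid.uuid5(EXAMPLE_SYSTEM_ID_NAMESPACE, node_name))


def rbac_allows_chassis_update(client_cn: str, chassis_name: str) -> bool:
    """Simulates the ovn-controller role's rule for the Chassis table:
    a client may only modify the row whose name equals its certificate CN.
    Any mismatch (a node presenting another node's id) is refused."""
    return client_cn == chassis_name


# Constructed sample of `ovn-sbctl list connection` after this change:
# the 6642 listener carries the restricted role, 16642 is unrestricted.
SAMPLE_LIST_CONNECTION = """\
_uuid               : 0f2d2b7e-9a6c-4c1e-8e4f-1c2d3e4f5a6b
external_ids        : {}
inactivity_probe    : 60000
is_connected        : false
max_backoff         : []
other_config        : {}
role                : "ovn-controller"
status              : {}
target              : "pssl:6642"

_uuid               : 7c8d9e0f-1a2b-4c3d-9e8f-0a1b2c3d4e5f
external_ids        : {}
inactivity_probe    : []
is_connected        : false
max_backoff         : []
other_config        : {}
role                : ""
status              : {}
target              : "pssl:16642"
"""

_FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def parse_connections(list_output: str) -> list:
    """Parse the record-per-block output of `ovn-sbctl list connection`.

    `[]` (unset optional column) becomes None; quoted strings are unquoted.
    """
    connections = []
    for block in re.split(r"\n\s*\n", list_output.strip()):
        row = {}
        for line in block.splitlines():
            match = _FIELD_RE.match(line.strip())
            if not match:
                continue
            key, value = match.groups()
            if value == "[]":
                value = None
            elif value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            row[key] = value
        if "_uuid" in row:
            connections.append(row)
    return connections


def inactivity_probe_commands(connections: list, probe_ms: int) -> list:
    """One `ovn-sbctl set` per connection row.

    Updating only the first row (the old single-listener logic) would leave
    the other listener at its default probe, so every row is iterated.
    """
    return [
        f"ovn-sbctl set connection {conn['_uuid']} inactivity_probe={probe_ms}"
        for conn in connections
    ]


def listener_roles(connections: list) -> dict:
    """Map each listener target to its role; '' means unrestricted access."""
    return {conn["target"]: (conn["role"] or "") for conn in connections}


def check_rbac_layout(connections: list) -> bool:
    """True when 6642 enforces the ovn-controller role and 16642 is open
    for ovn-northd, as the commit message describes."""
    roles = listener_roles(connections)
    return roles.get("pssl:6642") == "ovn-controller" and roles.get("pssl:16642") == ""


if __name__ == "__main__":
    node_cn = compute_system_id("compute-0")
    print("system-id for compute-0:", node_cn)
    print("own chassis:", rbac_allows_chassis_update(node_cn, node_cn))
    print("other chassis:", rbac_allows_chassis_update(node_cn, compute_system_id("compute-1")))
    rows = parse_connections(SAMPLE_LIST_CONNECTION)
    print("\n".join(inactivity_probe_commands(rows, 60000)))
    print("RBAC layout ok:", check_rbac_layout(rows))
```

The `check_rbac_layout` function is the check a defender would run after rollout: a 6642 listener that has lost its `role` silently reverts every ovn-controller to unrestricted write access, while a 16642 listener that gained one would break ovn-northd.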