[tc][all] Test support for TLS default

Michał Dulko mdulko at redhat.com
Mon Jun 21 14:17:48 UTC 2021


On Fri, 2021-06-11 at 01:35 +0800, Rico Lin wrote:
> 
> Dear all
> In short,
> can you help to enable tls-proxy for your test jobs and fix/report
> the issue in [4]? Or does it make no sense for you?
> Here are all the repositories that contain jobs with tls-proxy disabled:
>  * neutron
>  * neutron-tempest-plugin
>  * cinder-tempest-plugin
>  * cyborg-tempest-plugin
>  * ec2api-tempest-plugin
>  * freezer-tempest-plugin
>  * grenade
>  * heat
>  * js-openstack-lib
>  * keystone
>  * kuryr-kubernetes
>  * masakari
>  * murano
>  * networking-odl
>  * networking-sfc
>  * python-brick-cinderclient-ext
>  * python-neutronclient
>  * python-zaqarclient
>  * sahara
>  * sahara-dashboard
>  * sahara-tests
>  * solum
>  * tacker
>  * telemetry-tempest-plugin
>  * trove
>  * trove-tempest-plugin
>  * vitrage-tempest-plugin
>  * watcher
> As I'm looking for y-cycle potential goals, I found the tls-proxy
> support is not actually ready OpenStack wide (you can find some
> discussion in [3]). We have multiple projects that disable tls-proxy
> in test jobs [1] (and stay that way for a long time).
> For security concerns, I'm currently collecting the missing part for
> this. And try to figure out if there is any infra issue for current
> jobs.
> I attempted to enable tls-proxy for some projects to check the
> status, and the test results ([2]) show that we might have bugs/test
> infra issues in projects.
> So I invite projects who still have not switched to TLS default.
> Please do, and help to fix/report the issue you're facing.
> As we definitely need some more help on figuring out the actual
> situation on each project.
> So I created an etherpad [4] to track actions or related information.
> 
> Meanwhile, I will attempt to enable tls-proxy on more test jobs (and
> you will be able to find it in [2]). Which gives us a good chance to
> review the logs and see how we might get chances to fix it and enable
> TLS by default.

Hi,

In kuryr-kubernetes we deliberately disable tls-proxy on multinode gate
as I'm not sure how the certificates are shared between the controller
and the subnode. Can you elaborate on that?

> [1]
> https://codesearch.opendev.org/?q=tls-proxy%3A%20false&i=nope&files=&excludeFiles=&repos=
> [2] 
> https://review.opendev.org/q/topic:%22exame-tls-proxy%22+(status:open%20OR%20status:merged)
> [3] https://etherpad.opendev.org/p/community-goals
> [4] https://etherpad.opendev.org/p/support-tls-default
> 
> Rico Lin
> OIF Board director, OpenStack TC, Multi-arch SIG chair, Heat PTL,
> Senior Software Engineer at EasyStack
