Contributor

@MoteHue MoteHue commented Nov 18, 2025

No description provided.

@MoteHue MoteHue requested a review from a team as a code owner November 18, 2025 15:18
Contributor Author

MoteHue commented Nov 18, 2025

This would be good to backport too :)

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces valuable documentation and scripts for managing Octavia TLS certificates. The documentation is comprehensive but could be improved with some corrections to numbering and formatting for better clarity. The accompanying shell scripts are functional but contain some issues, such as using non-standard exit codes and suppressing error outputs, which could hinder debugging. I have provided specific suggestions to address these points and enhance the overall quality and robustness of the changes.

@MoteHue MoteHue force-pushed the support-persisting-octavia-ca branch 2 times, most recently from be8e59e to 8aa76ba Compare November 18, 2025 15:49
@MoteHue MoteHue added the documentation, enhancement, Caracal, and backport labels Nov 18, 2025
@MoteHue MoteHue force-pushed the support-persisting-octavia-ca branch from 8aa76ba to 9958a80 Compare November 18, 2025 16:26
Comment on lines 71 to 74
Octavia uses mutual TLS to secure communication between the amphorae and
Octavia services. It uses a private CA to sign both client and server
certificates. We use the kolla-ansible built-in support for generating these
certificates:
Member

This should be a bit clearer about if you should do this to refresh certificates or if it's only needed for an initial deployment. It just kinda jumps into commands without saying what they're going to do and why we run them.

Contributor Author

I've added more context

Member

For the record, I'd prefer these to be ansible playbooks, but I don't really want to hold this PR up to change it.

Contributor Author

I do agree playbooks would be nice, but I don't really have the time right now to rewrite these, this is just me extracting existing scripts from a customer site.
