Skip to content

Generate OVN RBAC PKI#1906

Open
slawqo wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
slawqo:issue_osprh_1922_v2
Open

Generate OVN RBAC PKI#1906
slawqo wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
slawqo:issue_osprh_1922_v2

Conversation

@slawqo
Copy link
Copy Markdown
Contributor

@slawqo slawqo commented Apr 29, 2026
edited by openshift-ci Bot
Loading

This patch adds generation of the rootca-ovn-rbac issuer which is used by the ovn-operator to sign per-node ovn-controller RBAC certificates. This CA is intentionally not added to the combined CA bundle as it is only used between the SB database and ovn-controller nodes.

When TLS is enabled, the reconciler passes the RBAC CA cert secret name to the SB DB cluster and the RBAC issuer name to OVNController so the ovn-operator can create cert-manager Certificate resources and verify client connections.

Related: #OSPRH-1921

Related: #OSPRH-1922

@openshift-ci openshift-ci Bot requested review from abays and rebtoor April 29, 2026 14:40
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: slawqo
Once this PR has been reviewed and has the lgtm label, please assign abays for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 29, 2026
edited
Loading

OpenStackControlPlane CRD Size Report

Metric Value
CRD JSON size 322540 bytes (315KB)
Base branch size 322464 bytes
Change +0.02%
Status yellow — growing
Threshold reference
Color Range Meaning
🟢 green < 300KB Comfortable
🟡 yellow 300–400KB Growing
🟠 orange 400–750KB Concerning
🔴 red > 750KB Approaching 1.5MB etcd limit (cut in half to allow space for update)

@slawqo
Generate OVN RBAC PKI
873083b 
This patch adds generation of the rootca-ovn-rbac issuer which is
used by the ovn-operator to sign per-node ovn-controller RBAC
certificates. This CA is intentionally not added to the combined
CA bundle as it is only used between the SB database and
ovn-controller nodes.

When TLS is enabled, the reconciler passes the RBAC CA cert secret
name to the SB DB cluster and the RBAC issuer name to OVNController
so the ovn-operator can create cert-manager Certificate resources
and verify client connections.

Related: #OSPRH-1921
Related: #OSPRH-1922

Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
@slawqo slawqo force-pushed the issue_osprh_1922_v2 branch from 507f58b to 873083b Compare April 29, 2026 14:42
slawqo added a commit to slawqo/ovn-operator that referenced this pull request Apr 29, 2026
@slawqo
Add OVN RBAC support with per-node ovn-controller certificates
7ec7d97 
Enable OVN role-based access control (RBAC) on the Southbound database
so that ovn-controller nodes can only modify their own chassis rows.

When the openstack-operator provides an RBAC issuer name (from a
dedicated rootca-ovn-rbac CA, see patch [1]), this patch:

* Creates per-node cert-manager Certificate CRs for each ovn-controller
  pod, with CN set to a deterministic UUID5 system-id derived from the
  node name (ComputeSystemID). This CN must match the chassis
  system-id for RBAC to authorize operations.

* Copies the RBAC client cert/key into /etc/openvswitch/ on each node
  via the config job, and switches ovn-controller to use these dedicated
  paths instead of the shared OVN DB cert.

* Mounts the RBAC CA certificate into ovsdbserver-sb pods and builds a
  combined CA bundle (regular CA + RBAC CA) so the SB database can
  verify ovn-controller client certificates.

- Sets role=ovn-controller on the SB DB connection (port 6642) to enforce RBAC.

* Creates a second SB DB listener on port 16642 with full (unrestricted)
  access, used by ovn-northd.

* Updates inactivity probe handling in setup.sh and runtime-config.sh to
  iterate over all connections, since SB now has two listeners.

[1] openstack-k8s-operators/openstack-operator#1906

Related: #OSPRH-1921
Closes: #OSPRH-1922

Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
@slawqo slawqo mentioned this pull request Apr 29, 2026
Open
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 29, 2026

@slawqo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/functional 873083b link true /test functional
ci/prow/precommit-check 873083b link true /test precommit-check
ci/prow/openstack-operator-build-deploy-kuttl-4-18 873083b link true /test openstack-operator-build-deploy-kuttl-4-18

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abays abays Awaiting requested review from abays

@rebtoor rebtoor Awaiting requested review from rebtoor

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@slawqo