OSASINFRA-3657: Add support for storing OpenStack CA bundles

[stephenfin]

If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.

Begin the resolution of the issue by allowing users (i.e. the Installer) to store the CA bundle in their root secret and dole this out to anyone who asks for it via a CredentialsRequest. Follow-up changes will be needed in places like the Installer and csi-operator to start setting/consuming this.

[openshift-ci-robot]

@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue.

In response to this:

If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.

Begin the resolution of the issue by allowing users (i.e. the Installer) to store the CA bundle in their root secret and dole this out to anyone who asks for it via a CredentialsRequest. Follow-up changes will be needed in places like the Installer and csi-operator to start setting/consuming this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stephenfin]

/cc @mandre

[codecov]

Codecov Report

Attention: Patch coverage is 46.66667% with 8 lines in your changes missing coverage. Please review.

Project coverage is 46.99%. Comparing base (db5f253) to head (d4d1748).

Files with missing lines	Patch %	Lines
pkg/openstack/actuator.go	0.00%	5 Missing ⚠️
pkg/openstack/utils.go	62.50%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #780      +/-   ##
==========================================
- Coverage   47.01%   46.99%   -0.03%     
==========================================
  Files          97       97              
  Lines       11874    11877       +3     
==========================================
- Hits         5583     5582       -1     
- Misses       5676     5679       +3     
- Partials      615      616       +1     

Files with missing lines	Coverage Δ
...g/operator/secretannotator/openstack/reconciler.go	55.11% <100.00%> (ø)
pkg/openstack/utils.go	53.84% <62.50%> (-12.83%)	⬇️
pkg/openstack/actuator.go	0.00% <0.00%> (ø)

[stephenfin]

/hold

Will wait for 4.19 for this.

[EmilienM]

/lgtm
thanks!

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: EmilienM, stephenfin
Once this PR has been reviewed and has the lgtm label, please assign dlom for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stephenfin]

/hold cancel

[openshift-ci-robot]

@stephenfin: This pull request references OSASINFRA-3657 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "4.18.0" instead.

In response to this:

If a CA bundle is required to talk to your OpenStack then obviously all services that talk to the cloud need to have both credentials and said bundle. Currently, these users can get their credentials via cloud credential operator, but they need to source their CA bundle from elsewhere (typically by extracting it from the cloud controller manager's configuration). This makes configuration of services more complicated than necessary.

Begin the resolution of the issue by allowing users (i.e. the Installer) to store the CA bundle in their root secret and dole this out to anyone who asks for it via a CredentialsRequest. Follow-up changes will be needed in places like the Installer and csi-operator to start setting/consuming this.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	d4d1748	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/security	d4d1748	link	true	/test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[EmilienM]

/test e2e-hypershift