Allow ssvm agent certs to contain host IP for NAT situations #6864
Conversation
SonarCloud Quality Gate failed.
Codecov Report
@@ Coverage Diff @@
## main #6864 +/- ##
============================================
- Coverage 10.84% 10.84% -0.01%
Complexity 7104 7104
============================================
Files 2485 2485
Lines 245417 245421 +4
Branches 38326 38326
============================================
Hits 26627 26627
- Misses 215521 215525 +4
Partials 3269 3269
@blueorangutan package

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan package

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. LL-JID 183

(rekick pkging in Sofia lab manually)

Trillian test result (tid-5243)

Tests LGTM - the failure is a known intermittent issue not caused by this PR.

@blueorangutan package

@DaanHoogland a Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. LL-JID 197

@blueorangutan test

@DaanHoogland a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

Trillian test result (tid-39)

@blueorangutan test

@mlsorensen a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

@blueorangutan package

@rohityadavcloud a Jenkins job has been kicked to build packages. It will be bundled with SystemVM template(s). I'll keep you posted as I make progress.

Packaging result: ✔️ el7 ✔️ el8 ✔️ debian ✔️ suse15. SL-JID 4821

@blueorangutan test

@rohityadavcloud a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests

Trillian test result (tid-5465)

Description
There are some networking setups where system VM communications are proxied off of the hypervisor host on which the system VM is running. For example, if the KVM management network is a NAT bridge, or the network plugin employs user mode network for system VM management interfaces, then system VM agent comms look as though they come from the hypervisor host. Admittedly, these configurations are bespoke, which is why a configuration is provided and it's disabled by default.
In such a setup, the certificate authentication for agents fails because the source IP is that of the host of the system VM, rather than the system VM itself, and this IP is not in the connecting certificate presented. This PR adds a configuration value that allows the system VM cert to contain the host IP that the system VM is scheduled on. This allows such setups to maintain auth strictness on agent auth.
Types of changes
Feature/Enhancement Scale or Bug Severity
How Has This Been Tested?
Tested this via unit tests, and in our private integration environment. When ca.framework.cert.systemvm.allow.host.ip is set, agent auth succeeds from system VMs; when unset, it fails as it did prior to this change.
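To make the failure mode and the fix concrete, here is an added example (not CloudStack's code, and not from this PR) that reproduces the check described above with Go's standard x509 library. It assumes the agent certificate carries the system VM's addresses as IP SANs, that the management server validates the observed source address against those SANs, and that ca.framework.cert.systemvm.allow.host.ip behaves as a boolean that appends the scheduled host's IP to the SAN list. The certificate is self-signed here instead of being issued by the management server CA, and the addresses are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// agentSANs builds the IP SAN list for a system VM agent certificate.
// vmIPs are the system VM's own addresses; hostIP is the hypervisor host
// the VM is scheduled on. allowHostIP models the
// ca.framework.cert.systemvm.allow.host.ip setting (assumed boolean).
func agentSANs(vmIPs []string, hostIP string, allowHostIP bool) []net.IP {
	var sans []net.IP
	for _, s := range vmIPs {
		if ip := net.ParseIP(s); ip != nil {
			sans = append(sans, ip)
		}
	}
	if allowHostIP {
		if ip := net.ParseIP(hostIP); ip != nil {
			sans = append(sans, ip)
		}
	}
	return sans
}

// issueAgentCert self-signs a certificate carrying the given IP SANs.
// A real deployment signs with the management server CA; self-signing
// keeps this example offline.
func issueAgentCert(sans []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "s-1-VM"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// peerAllowed is the check applied to an incoming agent connection: the
// observed source address must match an IP SAN in the presented certificate.
func peerAllowed(cert *x509.Certificate, sourceIP string) bool {
	return cert.VerifyHostname(sourceIP) == nil
}

// simulate reports whether the agent connection is accepted when the VM's
// traffic is NATed so that the management server sees hostIP as the source.
func simulate(allowHostIP bool) (bool, error) {
	vmIPs := []string{"169.254.10.21", "10.1.1.50"} // constructed sample addresses
	hostIP := "10.1.1.5"                             // constructed sample address
	cert, err := issueAgentCert(agentSANs(vmIPs, hostIP, allowHostIP))
	if err != nil {
		return false, err
	}
	return peerAllowed(cert, hostIP), nil
}

func main() {
	for _, allow := range []bool{false, true} {
		ok, err := simulate(allow)
		if err != nil {
			panic(err)
		}
		fmt.Printf("allow.host.ip=%v -> agent auth from NATed source accepted: %v\n", allow, ok)
	}
}
```

With the flag off the connection from the NATed source is rejected because the host address is not among the SANs; with it on, the same check passes. The trade-off is that the certificate now also asserts the host's address, so it is valid for connections that genuinely originate on the host, which is why keeping the setting disabled unless the topology requires it is the right default.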