diff --git a/api/bases/manila.openstack.org_manilaapis.yaml b/api/bases/manila.openstack.org_manilaapis.yaml
index 4eb0bded..7171ef84 100644
--- a/api/bases/manila.openstack.org_manilaapis.yaml
+++ b/api/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/api/bases/manila.openstack.org_manilas.yaml b/api/bases/manila.openstack.org_manilas.yaml
index 7f2d7045..d4f52ee0 100644
--- a/api/bases/manila.openstack.org_manilas.yaml
+++ b/api/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
required:
- containerImage
type: object
diff --git a/api/bases/manila.openstack.org_manilaschedulers.yaml b/api/bases/manila.openstack.org_manilaschedulers.yaml
index 217330a9..37ba87a6 100644
--- a/api/bases/manila.openstack.org_manilaschedulers.yaml
+++ b/api/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/api/bases/manila.openstack.org_manilashares.yaml b/api/bases/manila.openstack.org_manilashares.yaml
index 887a4a28..c5dd12f0 100644
--- a/api/bases/manila.openstack.org_manilashares.yaml
+++ b/api/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/api/v1beta1/manilaapi_types.go b/api/v1beta1/manilaapi_types.go
index efb82126..b766fa78 100644
--- a/api/v1beta1/manilaapi_types.go
+++ b/api/v1beta1/manilaapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@@ -38,6 +39,11 @@ type ManilaAPITemplate struct {
// +kubebuilder:validation:Optional
// Override, provides the ability to override the generated manifest of several child resources.
Override APIOverrideSpec `json:"override,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // TLS - Parameters related to the TLS
+ TLS tls.API `json:"tls,omitempty"`
}
// APIOverrideSpec to override the generated manifest of several child resources.
diff --git a/api/v1beta1/manilascheduler_types.go b/api/v1beta1/manilascheduler_types.go
index 6e61a9d1..91ed3c9d 100644
--- a/api/v1beta1/manilascheduler_types.go
+++ b/api/v1beta1/manilascheduler_types.go
@@ -18,6 +18,7 @@ package v1beta1
import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@@ -61,6 +62,11 @@ type ManilaSchedulerSpec struct {
// +kubebuilder:validation:Required
// ServiceAccount - service account name used internally to provide the default SA name
ServiceAccount string `json:"serviceAccount"`
+
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // TLS - Parameters related to the TLS
+ TLS tls.Ca `json:"tls,omitempty"`
}
// ManilaSchedulerStatus defines the observed state of ManilaScheduler
diff --git a/api/v1beta1/manilashare_types.go b/api/v1beta1/manilashare_types.go
index b46fedb6..a5478566 100644
--- a/api/v1beta1/manilashare_types.go
+++ b/api/v1beta1/manilashare_types.go
@@ -18,6 +18,7 @@ package v1beta1
import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@@ -61,6 +62,11 @@ type ManilaShareSpec struct {
// +kubebuilder:validation:Required
// ServiceAccount - service account name used internally to provide the default SA name
ServiceAccount string `json:"serviceAccount"`
+
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // TLS - Parameters related to the TLS
+ TLS tls.Ca `json:"tls,omitempty"`
}
// ManilaShareStatus defines the observed state of ManilaShare
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index b25479e4..584ca4a2 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -229,6 +229,7 @@ func (in *ManilaAPITemplate) DeepCopyInto(out *ManilaAPITemplate) {
**out = **in
}
in.Override.DeepCopyInto(&out.Override)
+ in.TLS.DeepCopyInto(&out.TLS)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManilaAPITemplate.
@@ -396,6 +397,7 @@ func (in *ManilaSchedulerSpec) DeepCopyInto(out *ManilaSchedulerSpec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ out.TLS = in.TLS
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManilaSchedulerSpec.
@@ -577,6 +579,7 @@ func (in *ManilaShareSpec) DeepCopyInto(out *ManilaShareSpec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ out.TLS = in.TLS
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManilaShareSpec.
diff --git a/config/crd/bases/manila.openstack.org_manilaapis.yaml b/config/crd/bases/manila.openstack.org_manilaapis.yaml
index 4eb0bded..7171ef84 100644
--- a/config/crd/bases/manila.openstack.org_manilaapis.yaml
+++ b/config/crd/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/config/crd/bases/manila.openstack.org_manilas.yaml b/config/crd/bases/manila.openstack.org_manilas.yaml
index 7f2d7045..d4f52ee0 100644
--- a/config/crd/bases/manila.openstack.org_manilas.yaml
+++ b/config/crd/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
required:
- containerImage
type: object
diff --git a/config/crd/bases/manila.openstack.org_manilaschedulers.yaml b/config/crd/bases/manila.openstack.org_manilaschedulers.yaml
index 217330a9..37ba87a6 100644
--- a/config/crd/bases/manila.openstack.org_manilaschedulers.yaml
+++ b/config/crd/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/config/crd/bases/manila.openstack.org_manilashares.yaml b/config/crd/bases/manila.openstack.org_manilashares.yaml
index 887a4a28..c5dd12f0 100644
--- a/config/crd/bases/manila.openstack.org_manilashares.yaml
+++ b/config/crd/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
serviceUser:
default: manila
type: string
+ tls:
+ properties:
+ caBundleSecretName:
+ type: string
+ type: object
transportURLSecret:
type: string
required:
diff --git a/config/samples/layout/tls/kustomization.yaml b/config/samples/layout/tls/kustomization.yaml
new file mode 100644
index 00000000..8e678fb3
--- /dev/null
+++ b/config/samples/layout/tls/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../bases/manila
+patches:
+- patch: |-
+ - op: replace
+ path: /spec/secret
+ value: osp-secret
+ - op: replace
+ path: /metadata/namespace
+ value: manila-kuttl-tests
+ target:
+ kind: Manila
+- path: tls.yaml
diff --git a/config/samples/layout/tls/tls.yaml b/config/samples/layout/tls/tls.yaml
new file mode 100644
index 00000000..fb76717a
--- /dev/null
+++ b/config/samples/layout/tls/tls.yaml
@@ -0,0 +1,47 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+ name: manila
+ namespace: openstack
+spec:
+ manilaAPI:
+ tls:
+ api:
+ internal:
+ secretName: cert-manila-internal-svc
+ public:
+ secretName: cert-manila-public-svc
+ caBundleSecretName: combined-ca-bundle
+ customServiceConfig: |
+ [DEFAULT]
+ enabled_share_protocols = cephfs
+ manilaShares:
+ share0:
+ customServiceConfig: |
+ [DEFAULT]
+ enabled_share_backends = cephfs
+ [cephfs]
+ driver_handles_share_servers=False
+ share_backend_name=cephfs
+ share_driver=manila.share.drivers.cephfs.driver.CephFSDriver
+ cephfs_conf_path=/etc/ceph/ceph.conf
+ cephfs_auth_id=openstack
+ cephfs_cluster_name=ceph
+ cephfs_protocol_helper_type=CEPHFS
+ extraMounts:
+ - name: v1
+ region: r1
+ extraVol:
+ - propagation:
+ - share0
+ extraVolType: Ceph
+ volumes:
+ - name: ceph
+ projected:
+ sources:
+ - secret:
+ name: ceph-conf-files
+ mounts:
+ - name: ceph
+ mountPath: "/etc/ceph"
+ readOnly: true
diff --git a/config/samples/manila_v1beta1_manila_tls.yaml b/config/samples/manila_v1beta1_manila_tls.yaml
new file mode 100644
index 00000000..fdc2bbec
--- /dev/null
+++ b/config/samples/manila_v1beta1_manila_tls.yaml
@@ -0,0 +1,22 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+ name: manila
+ namespace: openstack
+spec:
+ serviceUser: manila
+ customServiceConfig: |
+ [DEFAULT]
+ debug = true
+ databaseInstance: openstack
+ secret: osp-secret
+ databaseUser: manila
+ rabbitMqClusterName: rabbitmq
+ manilaAPI:
+ tls:
+ api:
+ internal:
+ secretName: cert-manila-internal-svc
+ public:
+ secretName: cert-manila-public-svc
+ caBundleSecretName: combined-ca-bundle
diff --git a/controllers/manila_controller.go b/controllers/manila_controller.go
index 2a9111f3..291c04ca 100644
--- a/controllers/manila_controller.go
+++ b/controllers/manila_controller.go
@@ -37,6 +37,7 @@ import (
nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -210,6 +211,27 @@ func (r *ManilaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
return r.reconcileNormal(ctx, instance, helper)
}
+// fields to index to reconcile when change
+const (
+ passwordSecretField = ".spec.secret"
+ caBundleSecretNameField = ".spec.tls.caBundleSecretName"
+ tlsAPIInternalField = ".spec.tls.api.internal.secretName"
+ tlsAPIPublicField = ".spec.tls.api.public.secretName"
+)
+
+var (
+ commonWatchFields = []string{
+ passwordSecretField,
+ caBundleSecretNameField,
+ }
+ manilaAPIWatchFields = []string{
+ passwordSecretField,
+ caBundleSecretNameField,
+ tlsAPIInternalField,
+ tlsAPIPublicField,
+ }
+)
+
// SetupWithManager sets up the controller with the Manager.
func (r *ManilaReconciler) SetupWithManager(mgr ctrl.Manager) error {
// transportURLSecretFn - Watch for changes made to the secret associated with the RabbitMQ
@@ -874,6 +896,21 @@ func (r *ManilaReconciler) generateServiceConfig(
"MemcachedServersWithInet": strings.Join(memcached.Status.ServerListWithInet, ","),
}
+ // create httpd vhost template parameters
+ httpdVhostConfig := map[string]interface{}{}
+ for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+ endptConfig := map[string]interface{}{}
+ endptConfig["ServerName"] = fmt.Sprintf("%s-%s.%s.svc", manila.ServiceName, endpt.String(), instance.Namespace)
+ endptConfig["TLS"] = false // default TLS to false, and set it bellow to true if enabled
+ if instance.Spec.ManilaAPI.TLS.API.Enabled(endpt) {
+ endptConfig["TLS"] = true
+ endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
+ endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
+ }
+ httpdVhostConfig[endpt.String()] = endptConfig
+ }
+ templateParameters["VHosts"] = httpdVhostConfig
+
configTemplates := []util.Template{
// ScriptsConfigMap
{
@@ -973,6 +1010,7 @@ func (r *ManilaReconciler) schedulerDeploymentCreateOrUpdate(ctx context.Context
DatabaseHostname: instance.Status.DatabaseHostname,
TransportURLSecret: instance.Status.TransportURLSecret,
ServiceAccount: instance.RbacResourceName(),
+ TLS: instance.Spec.ManilaAPI.TLS.Ca,
}
op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
@@ -1009,6 +1047,7 @@ func (r *ManilaReconciler) shareDeploymentCreateOrUpdate(ctx context.Context, in
DatabaseHostname: instance.Status.DatabaseHostname,
TransportURLSecret: instance.Status.TransportURLSecret,
ServiceAccount: instance.RbacResourceName(),
+ TLS: instance.Spec.ManilaAPI.TLS.Ca,
}
op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
diff --git a/controllers/manilaapi_controller.go b/controllers/manilaapi_controller.go
index 8f637060..7d5338f5 100644
--- a/controllers/manilaapi_controller.go
+++ b/controllers/manilaapi_controller.go
@@ -21,11 +21,16 @@ import (
"fmt"
"time"
+ "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
+ "k8s.io/utils/ptr"
ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
"github.com/go-logr/logr"
@@ -40,6 +45,7 @@ import (
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -178,6 +184,7 @@ func (r *ManilaAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
condition.UnknownCondition(condition.KeystoneServiceReadyCondition, condition.InitReason, ""),
condition.UnknownCondition(condition.KeystoneEndpointReadyCondition, condition.InitReason, ""),
condition.UnknownCondition(condition.NetworkAttachmentsReadyCondition, condition.InitReason, condition.NetworkAttachmentsReadyInitMessage),
+ condition.UnknownCondition(condition.TLSInputReadyCondition, condition.InitReason, condition.InputReadyInitMessage),
)
instance.Status.Conditions.Init(&cl)
@@ -256,6 +263,54 @@ func (r *ManilaAPIReconciler) SetupWithManager(mgr ctrl.Manager) error {
return nil
}
+ // index passwordSecretField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaAPI{}, passwordSecretField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaAPI)
+ if cr.Spec.Secret == "" {
+ return nil
+ }
+ return []string{cr.Spec.Secret}
+ }); err != nil {
+ return err
+ }
+
+ // index caBundleSecretNameField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaAPI{}, caBundleSecretNameField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaAPI)
+ if cr.Spec.TLS.CaBundleSecretName == "" {
+ return nil
+ }
+ return []string{cr.Spec.TLS.CaBundleSecretName}
+ }); err != nil {
+ return err
+ }
+
+ // index tlsAPIInternalField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaAPI{}, tlsAPIInternalField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaAPI)
+ if cr.Spec.TLS.API.Internal.SecretName == nil {
+ return nil
+ }
+ return []string{*cr.Spec.TLS.API.Internal.SecretName}
+ }); err != nil {
+ return err
+ }
+
+ // index tlsAPIPublicField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaAPI{}, tlsAPIPublicField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaAPI)
+ if cr.Spec.TLS.API.Public.SecretName == nil {
+ return nil
+ }
+ return []string{*cr.Spec.TLS.API.Public.SecretName}
+ }); err != nil {
+ return err
+ }
+
return ctrl.NewControllerManagedBy(mgr).
For(&manilav1beta1.ManilaAPI{}).
Owns(&keystonev1.KeystoneService{}).
@@ -266,9 +321,47 @@ func (r *ManilaAPIReconciler) SetupWithManager(mgr ctrl.Manager) error {
// watch the secrets we don't own
Watches(&source.Kind{Type: &corev1.Secret{}},
handler.EnqueueRequestsFromMapFunc(secretFn)).
+ Watches(
+ &source.Kind{Type: &corev1.Secret{}},
+ handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+ builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+ ).
Complete(r)
}
+func (r *ManilaAPIReconciler) findObjectsForSrc(src client.Object) []reconcile.Request {
+ requests := []reconcile.Request{}
+
+ l := log.FromContext(context.Background()).WithName("Controllers").WithName("ManilaAPI")
+
+ for _, field := range manilaAPIWatchFields {
+ crList := &manilav1beta1.ManilaAPIList{}
+ listOps := &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(field, src.GetName()),
+ Namespace: src.GetNamespace(),
+ }
+ err := r.List(context.TODO(), crList, listOps)
+ if err != nil {
+ return []reconcile.Request{}
+ }
+
+ for _, item := range crList.Items {
+ l.Info(fmt.Sprintf("input source %s changed, reconcile: %s - %s", src.GetName(), item.GetName(), item.GetNamespace()))
+
+ requests = append(requests,
+ reconcile.Request{
+ NamespacedName: types.NamespacedName{
+ Name: item.GetName(),
+ Namespace: item.GetNamespace(),
+ },
+ },
+ )
+ }
+ }
+
+ return requests
+}
+
func (r *ManilaAPIReconciler) reconcileDelete(ctx context.Context, instance *manilav1beta1.ManilaAPI, helper *helper.Helper) (ctrl.Result, error) {
r.Log.Info(fmt.Sprintf("Reconciling Service '%s' delete", instance.Name))
@@ -422,7 +515,12 @@ func (r *ManilaAPIReconciler) reconcileInit(
}
// create service - end
- // TODO: TLS, pass in https as protocol
+ // if TLS is enabled
+ if instance.Spec.TLS.API.Enabled(endpointType) {
+ // set endpoint protocol to https
+ data.Protocol = ptr.To(service.ProtocolHTTPS)
+ }
+
apiEndpointsV2[string(endpointType)], err = svc.GetAPIEndpoint(
svcOverride.EndpointURL, data.Protocol, data.Path)
if err != nil {
@@ -540,9 +638,6 @@ func (r *ManilaAPIReconciler) reconcileNormal(ctx context.Context, instance *man
fmt.Sprintf("%s-config-data", parentManilaName), //ConfigSecret
}
- //
- // Create Secrets required as input for the Service and calculate an overall hash of hashes
- //
for _, parentSecret := range parentSecrets {
ctrlResult, err = r.getSecret(ctx, helper, instance, parentSecret, &configVars)
if err != nil {
@@ -551,13 +646,64 @@ func (r *ManilaAPIReconciler) reconcileNormal(ctx context.Context, instance *man
}
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+ //
+ // TLS input validation
+ //
+ // Validate the CA cert secret if provided
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ hash, ctrlResult, err := tls.ValidateCACertSecret(
+ ctx,
+ helper.GetClient(),
+ types.NamespacedName{
+ Name: instance.Spec.TLS.CaBundleSecretName,
+ Namespace: instance.Namespace,
+ },
+ )
+ if err != nil {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.TLSInputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.TLSInputErrorMessage,
+ err.Error()))
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+
+ if hash != "" {
+ configVars[tls.CABundleKey] = env.SetValue(hash)
+ }
+
+ // Validate API service certs secrets
+ certsHash, ctrlResult, err := instance.Spec.TLS.API.ValidateCertSecrets(ctx, helper, instance.Namespace)
+ if err != nil {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.TLSInputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.TLSInputErrorMessage,
+ err.Error()))
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+
+ configVars[tls.TLSHashName] = env.SetValue(certsHash)
+ }
+
+ // all cert input checks out so report InputReady
+ instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
+ //
+ // Create secrets required as input for the Service and calculate an overall hash of hashes
+ //
serviceLabels := map[string]string{
common.AppSelector: manila.ServiceName,
common.ComponentSelector: manilaapi.Component,
}
-
//
- // create Secrets for manila-api service
+ // create custom config for this manila service
//
err = r.generateServiceConfig(ctx, helper, instance, &configVars, serviceLabels)
if err != nil {
@@ -569,8 +715,6 @@ func (r *ManilaAPIReconciler) reconcileNormal(ctx context.Context, instance *man
err.Error()))
return ctrl.Result{}, err
}
-
- //
// create hash over all the different input resources to identify if any those changed
// and a restart/recreate is required.
//
@@ -652,12 +796,20 @@ func (r *ManilaAPIReconciler) reconcileNormal(ctx context.Context, instance *man
//
// Define a new Statefulset
- ssDef := statefulset.NewStatefulSet(
- manilaapi.StatefulSet(instance, inputHash, serviceLabels, serviceAnnotations),
- time.Duration(5)*time.Second,
- )
+ ssDef, err := manilaapi.StatefulSet(instance, inputHash, serviceLabels, serviceAnnotations)
+ if err != nil {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.DeploymentReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.DeploymentReadyErrorMessage,
+ err.Error()))
+ return ctrl.Result{}, err
+ }
+
+ ss := statefulset.NewStatefulSet(ssDef, time.Duration(5)*time.Second)
- ctrlResult, err = ssDef.CreateOrPatch(ctx, helper)
+ ctrlResult, err = ss.CreateOrPatch(ctx, helper)
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.DeploymentReadyCondition,
@@ -674,7 +826,7 @@ func (r *ManilaAPIReconciler) reconcileNormal(ctx context.Context, instance *man
condition.DeploymentReadyRunningMessage))
return ctrlResult, nil
}
- instance.Status.ReadyCount = ssDef.GetStatefulSet().Status.ReadyReplicas
+ instance.Status.ReadyCount = ss.GetStatefulSet().Status.ReadyReplicas
networkReady := false
networkAttachmentStatus := map[string][]string{}
diff --git a/controllers/manilascheduler_controller.go b/controllers/manilascheduler_controller.go
index 18108536..7e62d076 100644
--- a/controllers/manilascheduler_controller.go
+++ b/controllers/manilascheduler_controller.go
@@ -24,13 +24,17 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/source"
@@ -43,6 +47,7 @@ import (
nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -151,6 +156,7 @@ func (r *ManilaSchedulerReconciler) Reconcile(ctx context.Context, req ctrl.Requ
condition.UnknownCondition(condition.ServiceConfigReadyCondition, condition.InitReason, condition.ServiceConfigReadyInitMessage),
condition.UnknownCondition(condition.DeploymentReadyCondition, condition.InitReason, condition.DeploymentReadyInitMessage),
condition.UnknownCondition(condition.NetworkAttachmentsReadyCondition, condition.InitReason, condition.NetworkAttachmentsReadyInitMessage),
+ condition.UnknownCondition(condition.TLSInputReadyCondition, condition.InitReason, condition.InputReadyInitMessage),
)
instance.Status.Conditions.Init(&cl)
@@ -227,6 +233,30 @@ func (r *ManilaSchedulerReconciler) SetupWithManager(mgr ctrl.Manager) error {
return nil
}
+ // index passwordSecretField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaScheduler{}, passwordSecretField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaScheduler)
+ if cr.Spec.Secret == "" {
+ return nil
+ }
+ return []string{cr.Spec.Secret}
+ }); err != nil {
+ return err
+ }
+
+ // index caBundleSecretNameField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaScheduler{}, caBundleSecretNameField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaScheduler)
+ if cr.Spec.TLS.CaBundleSecretName == "" {
+ return nil
+ }
+ return []string{cr.Spec.TLS.CaBundleSecretName}
+ }); err != nil {
+ return err
+ }
+
return ctrl.NewControllerManagedBy(mgr).
For(&manilav1beta1.ManilaScheduler{}).
Owns(&appsv1.StatefulSet{}).
@@ -234,9 +264,47 @@ func (r *ManilaSchedulerReconciler) SetupWithManager(mgr ctrl.Manager) error {
// watch the secrets we don't own
Watches(&source.Kind{Type: &corev1.Secret{}},
handler.EnqueueRequestsFromMapFunc(secretFn)).
+ Watches(
+ &source.Kind{Type: &corev1.Secret{}},
+ handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+ builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+ ).
Complete(r)
}
+func (r *ManilaSchedulerReconciler) findObjectsForSrc(src client.Object) []reconcile.Request {
+ requests := []reconcile.Request{}
+
+ l := log.FromContext(context.Background()).WithName("Controllers").WithName("ManilaScheduler")
+
+ for _, field := range commonWatchFields {
+ crList := &manilav1beta1.ManilaSchedulerList{}
+ listOps := &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(field, src.GetName()),
+ Namespace: src.GetNamespace(),
+ }
+ err := r.List(context.TODO(), crList, listOps)
+ if err != nil {
+ return []reconcile.Request{}
+ }
+
+ for _, item := range crList.Items {
+ l.Info(fmt.Sprintf("input source %s changed, reconcile: %s - %s", src.GetName(), item.GetName(), item.GetNamespace()))
+
+ requests = append(requests,
+ reconcile.Request{
+ NamespacedName: types.NamespacedName{
+ Name: item.GetName(),
+ Namespace: item.GetNamespace(),
+ },
+ },
+ )
+ }
+ }
+
+ return requests
+}
+
func (r *ManilaSchedulerReconciler) reconcileDelete(ctx context.Context, instance *manilav1beta1.ManilaScheduler, helper *helper.Helper) (ctrl.Result, error) {
r.Log.Info(fmt.Sprintf("Reconciling Service '%s' delete", instance.Name))
@@ -304,6 +372,38 @@ func (r *ManilaSchedulerReconciler) reconcileNormal(ctx context.Context, instanc
}
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+ //
+ // TLS input validation
+ //
+ // Validate the CA cert secret if provided
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ hash, ctrlResult, err := tls.ValidateCACertSecret(
+ ctx,
+ helper.GetClient(),
+ types.NamespacedName{
+ Name: instance.Spec.TLS.CaBundleSecretName,
+ Namespace: instance.Namespace,
+ },
+ )
+ if err != nil {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.TLSInputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.TLSInputErrorMessage,
+ err.Error()))
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+
+ if hash != "" {
+ configVars[tls.CABundleKey] = env.SetValue(hash)
+ }
+ }
+ // all cert input checks out so report InputReady
+ instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
//
// Create Secrets required as input for the Service and calculate an overall hash of hashes
//
diff --git a/controllers/manilashare_controller.go b/controllers/manilashare_controller.go
index 734b7f8f..0da833d0 100644
--- a/controllers/manilashare_controller.go
+++ b/controllers/manilashare_controller.go
@@ -24,13 +24,17 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
"sigs.k8s.io/controller-runtime/pkg/handler"
"sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"sigs.k8s.io/controller-runtime/pkg/source"
@@ -43,6 +47,7 @@ import (
nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -152,6 +157,7 @@ func (r *ManilaShareReconciler) Reconcile(ctx context.Context, req ctrl.Request)
condition.UnknownCondition(condition.ServiceConfigReadyCondition, condition.InitReason, condition.ServiceConfigReadyInitMessage),
condition.UnknownCondition(condition.DeploymentReadyCondition, condition.InitReason, condition.DeploymentReadyInitMessage),
condition.UnknownCondition(condition.NetworkAttachmentsReadyCondition, condition.InitReason, condition.NetworkAttachmentsReadyInitMessage),
+ condition.UnknownCondition(condition.TLSInputReadyCondition, condition.InitReason, condition.InputReadyInitMessage),
)
instance.Status.Conditions.Init(&cl)
@@ -225,6 +231,30 @@ func (r *ManilaShareReconciler) SetupWithManager(mgr ctrl.Manager) error {
return nil
}
+ // index passwordSecretField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaShare{}, passwordSecretField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaShare)
+ if cr.Spec.Secret == "" {
+ return nil
+ }
+ return []string{cr.Spec.Secret}
+ }); err != nil {
+ return err
+ }
+
+ // index caBundleSecretNameField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &manilav1beta1.ManilaShare{}, caBundleSecretNameField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*manilav1beta1.ManilaShare)
+ if cr.Spec.TLS.CaBundleSecretName == "" {
+ return nil
+ }
+ return []string{cr.Spec.TLS.CaBundleSecretName}
+ }); err != nil {
+ return err
+ }
+
return ctrl.NewControllerManagedBy(mgr).
For(&manilav1beta1.ManilaShare{}).
Owns(&appsv1.StatefulSet{}).
@@ -232,9 +262,47 @@ func (r *ManilaShareReconciler) SetupWithManager(mgr ctrl.Manager) error {
// watch the secrets we don't own
Watches(&source.Kind{Type: &corev1.Secret{}},
handler.EnqueueRequestsFromMapFunc(secretFn)).
+ Watches(
+ &source.Kind{Type: &corev1.Secret{}},
+ handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
+ builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+ ).
Complete(r)
}
+func (r *ManilaShareReconciler) findObjectsForSrc(src client.Object) []reconcile.Request {
+ requests := []reconcile.Request{}
+
+ l := log.FromContext(context.Background()).WithName("Controllers").WithName("ManilaShare")
+
+ for _, field := range commonWatchFields {
+ crList := &manilav1beta1.ManilaShareList{}
+ listOps := &client.ListOptions{
+ FieldSelector: fields.OneTermEqualSelector(field, src.GetName()),
+ Namespace: src.GetNamespace(),
+ }
+ err := r.List(context.TODO(), crList, listOps)
+ if err != nil {
+ return []reconcile.Request{}
+ }
+
+ for _, item := range crList.Items {
+ l.Info(fmt.Sprintf("input source %s changed, reconcile: %s - %s", src.GetName(), item.GetName(), item.GetNamespace()))
+
+ requests = append(requests,
+ reconcile.Request{
+ NamespacedName: types.NamespacedName{
+ Name: item.GetName(),
+ Namespace: item.GetNamespace(),
+ },
+ },
+ )
+ }
+ }
+
+ return requests
+}
+
func (r *ManilaShareReconciler) reconcileDelete(ctx context.Context, instance *manilav1beta1.ManilaShare, helper *helper.Helper) (ctrl.Result, error) {
r.Log.Info(fmt.Sprintf("Reconciling Service '%s' delete", instance.Name))
@@ -303,6 +371,38 @@ func (r *ManilaShareReconciler) reconcileNormal(ctx context.Context, instance *m
}
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+ //
+ // TLS input validation
+ //
+ // Validate the CA cert secret if provided
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ hash, ctrlResult, err := tls.ValidateCACertSecret(
+ ctx,
+ helper.GetClient(),
+ types.NamespacedName{
+ Name: instance.Spec.TLS.CaBundleSecretName,
+ Namespace: instance.Namespace,
+ },
+ )
+ if err != nil {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.TLSInputReadyCondition,
+ condition.ErrorReason,
+ condition.SeverityWarning,
+ condition.TLSInputErrorMessage,
+ err.Error()))
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+
+ if hash != "" {
+ configVars[tls.CABundleKey] = env.SetValue(hash)
+ }
+ }
+ // all cert input checks out so report InputReady
+ instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
serviceLabels := map[string]string{
common.AppSelector: manila.ServiceName,
common.ComponentSelector: manilashare.Component,
diff --git a/go.mod b/go.mod
index 76ff5eba..eb354ae1 100644
--- a/go.mod
+++ b/go.mod
@@ -59,7 +59,7 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
go.uber.org/multierr v1.10.0 // indirect
go.uber.org/zap v1.26.0 // indirect
- golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
+ golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
diff --git a/pkg/manila/cronjob.go b/pkg/manila/cronjob.go
index 0b158897..1c4a54f9 100644
--- a/pkg/manila/cronjob.go
+++ b/pkg/manila/cronjob.go
@@ -17,6 +17,7 @@ package manila
import (
"fmt"
+
manilav1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
batchv1 "k8s.io/api/batch/v1"
@@ -73,6 +74,12 @@ func CronJob(
},
}
+ // add CA cert if defined
+ if instance.Spec.ManilaAPI.TLS.CaBundleSecretName != "" {
+ cronJobVolume = append(cronJobVolume, instance.Spec.ManilaAPI.TLS.CreateVolume())
+ cronJobVolumeMounts = append(cronJobVolumeMounts, instance.Spec.ManilaAPI.TLS.CreateVolumeMounts(nil)...)
+ }
+
cronjob := &batchv1.CronJob{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("%s-db-purge", ServiceName),
diff --git a/pkg/manila/dbsync.go b/pkg/manila/dbsync.go
index f8292245..3000311e 100644
--- a/pkg/manila/dbsync.go
+++ b/pkg/manila/dbsync.go
@@ -34,6 +34,10 @@ func DbSyncJob(instance *manilav1.Manila, labels map[string]string, annotations
Key: DefaultsConfigFileName,
Path: DefaultsConfigFileName,
},
+ {
+ Key: CustomConfigFileName,
+ Path: CustomConfigFileName,
+ },
},
},
},
@@ -64,6 +68,13 @@ func DbSyncJob(instance *manilav1.Manila, labels map[string]string, annotations
}
args := []string{"-c", DBSyncCommand}
+
+ // add CA cert if defined
+ if instance.Spec.ManilaAPI.TLS.CaBundleSecretName != "" {
+ dbSyncVolume = append(dbSyncVolume, instance.Spec.ManilaAPI.TLS.CreateVolume())
+ dbSyncMounts = append(dbSyncMounts, instance.Spec.ManilaAPI.TLS.CreateVolumeMounts(nil)...)
+ }
+
runAsUser := int64(0)
envVars := map[string]env.Setter{}
envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
diff --git a/pkg/manilaapi/statefulset.go b/pkg/manilaapi/statefulset.go
index fde2bff1..7a40de4f 100644
--- a/pkg/manilaapi/statefulset.go
+++ b/pkg/manilaapi/statefulset.go
@@ -16,6 +16,8 @@ import (
common "github.com/openstack-k8s-operators/lib-common/modules/common"
"github.com/openstack-k8s-operators/lib-common/modules/common/affinity"
"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/service"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/tls"
manilav1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
manila "github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -36,7 +38,7 @@ func StatefulSet(
configHash string,
labels map[string]string,
annotations map[string]string,
-) *appsv1.StatefulSet {
+) (*appsv1.StatefulSet, error) {
runAsUser := int64(0)
livenessProbe := &corev1.Probe{
@@ -54,12 +56,47 @@ func StatefulSet(
//
// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
//
+
livenessProbe.HTTPGet = &corev1.HTTPGetAction{
Path: "/healthcheck",
Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(manila.ManilaPublicPort)},
}
readinessProbe.HTTPGet = livenessProbe.HTTPGet
+ if instance.Spec.TLS.API.Enabled(service.EndpointPublic) {
+ livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
+ readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
+ }
+
+ // create Volume and VolumeMounts
+ volumes := append(GetVolumes(manila.GetOwningManilaName(instance), instance.Name, instance.Spec.ExtraMounts), GetLogVolume())
+ volumeMounts := append(GetVolumeMounts(instance.Spec.ExtraMounts), GetLogVolumeMount())
+
+ // add CA cert if defined
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ volumes = append(volumes, instance.Spec.TLS.CreateVolume())
+ volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+ }
+
+ for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+ if instance.Spec.TLS.API.Enabled(endpt) {
+ var tlsEndptCfg tls.GenericService
+ switch endpt {
+ case service.EndpointPublic:
+ tlsEndptCfg = instance.Spec.TLS.API.Public
+ case service.EndpointInternal:
+ tlsEndptCfg = instance.Spec.TLS.API.Internal
+ }
+
+ svc, err := tlsEndptCfg.ToService()
+ if err != nil {
+ return nil, err
+ }
+ volumes = append(volumes, svc.CreateVolume(endpt.String()))
+ volumeMounts = append(volumeMounts, svc.CreateVolumeMounts(endpt.String())...)
+ }
+ }
+
envVars := map[string]env.Setter{}
envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
envVars["CONFIG_HASH"] = env.SetValue(configHash)
@@ -116,23 +153,20 @@ func StatefulSet(
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
},
- Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
- VolumeMounts: append(GetVolumeMounts(instance.Spec.ExtraMounts),
- []corev1.VolumeMount{GetLogVolumeMount()}...),
+ Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
+ VolumeMounts: volumeMounts,
Resources: instance.Spec.Resources,
ReadinessProbe: readinessProbe,
LivenessProbe: livenessProbe,
},
},
NodeSelector: instance.Spec.NodeSelector,
+ Volumes: volumes,
},
},
},
}
- statefulset.Spec.Template.Spec.Volumes = append(GetVolumes(
- manila.GetOwningManilaName(instance),
- instance.Name,
- instance.Spec.ExtraMounts), GetLogVolume())
+
// If possible two pods of the same service should not
// run on the same worker node. If this is not possible
// the get still created on the same worker node.
@@ -147,5 +181,5 @@ func StatefulSet(
statefulset.Spec.Template.Spec.NodeSelector = instance.Spec.NodeSelector
}
- return statefulset
+ return statefulset, nil
}
diff --git a/pkg/manilascheduler/statefulset.go b/pkg/manilascheduler/statefulset.go
index 2818018a..3d27387a 100644
--- a/pkg/manilascheduler/statefulset.go
+++ b/pkg/manilascheduler/statefulset.go
@@ -73,8 +73,18 @@ func StatefulSet(
envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
envVars["CONFIG_HASH"] = env.SetValue(configHash)
+ volumes := GetVolumes(
+ manila.GetOwningManilaName(instance),
+ instance.Name,
+ instance.Spec.ExtraMounts)
+
volumeMounts := GetVolumeMounts(instance.Spec.ExtraMounts)
+ // Add the CA bundle
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ volumes = append(volumes, instance.Spec.TLS.CreateVolume())
+ volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+ }
statefulset := &appsv1.StatefulSet{
ObjectMeta: metav1.ObjectMeta{
Name: instance.Name,
@@ -122,15 +132,12 @@ func StatefulSet(
},
},
NodeSelector: instance.Spec.NodeSelector,
+ Volumes: volumes,
},
},
},
}
- statefulset.Spec.Template.Spec.Volumes = GetVolumes(
- manila.GetOwningManilaName(instance),
- instance.Name,
- instance.Spec.ExtraMounts,
- )
+
// If possible two pods of the same service should not
// run on the same worker node. If this is not possible
// the get still created on the same worker node.
diff --git a/pkg/manilashare/statefulset.go b/pkg/manilashare/statefulset.go
index 0f455157..713eb826 100644
--- a/pkg/manilashare/statefulset.go
+++ b/pkg/manilashare/statefulset.go
@@ -83,11 +83,22 @@ func StatefulSet(
envVars["MALLOC_MMAP_THRESHOLD_"] = env.SetValue("131072")
envVars["MALLOC_TRIM_THRESHOLD_"] = env.SetValue("262144")
+ volumes := GetVolumes(
+ manila.GetOwningManilaName(instance),
+ instance.Name,
+ instance.Spec.ExtraMounts)
+
volumeMounts := GetVolumeMounts(
instance.Name,
instance.Spec.ExtraMounts,
)
+ // Add the CA bundle
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ volumes = append(volumes, instance.Spec.TLS.CreateVolume())
+ volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+ }
+
statefulset := &appsv1.StatefulSet{
ObjectMeta: metav1.ObjectMeta{
Name: instance.Name,
@@ -136,15 +147,12 @@ func StatefulSet(
},
},
NodeSelector: instance.Spec.NodeSelector,
+ Volumes: volumes,
},
},
},
}
- statefulset.Spec.Template.Spec.Volumes = GetVolumes(
- manila.GetOwningManilaName(instance),
- instance.Name,
- instance.Spec.ExtraMounts,
- )
+
// If possible two pods of the same service should not
// run on the same worker node. If this is not possible
// the get still created on the same worker node.
diff --git a/templates/manila/config/10-manila_wsgi.conf b/templates/manila/config/10-manila_wsgi.conf
index 7c170151..81a4d0a9 100644
--- a/templates/manila/config/10-manila_wsgi.conf
+++ b/templates/manila/config/10-manila_wsgi.conf
@@ -1,5 +1,7 @@
+{{ range $endpt, $vhost := .VHosts }}
+# {{ $endpt }} vhost {{ $vhost.ServerName }} configuration
- ServerName manilaapi.openstack.svc
+ ServerName {{ $vhost.ServerName }}
## Vhost docroot
DocumentRoot "/var/www/cgi-bin/manila"
@@ -16,11 +18,21 @@
ErrorLog /dev/stdout
ServerSignature Off
CustomLog /dev/stdout combined
+
+{{- if $vhost.TLS }}
SetEnvIf X-Forwarded-Proto https HTTPS=1
+ ## SSL directives
+ SSLEngine on
+ SSLCertificateFile "{{ $vhost.SSLCertificateFile }}"
+ SSLCertificateKeyFile "{{ $vhost.SSLCertificateKeyFile }}"
+{{- end }}
+
## WSGI configuration
WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess manila-api display-name=manila_wsgi group=manila processes=4 threads=1 user=manila
- WSGIProcessGroup manila-api
+ WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=manila processes=4 threads=1 user=manila
+ WSGIProcessGroup {{ $endpt }}
WSGIScriptAlias / "/var/www/cgi-bin/manila/manila-wsgi"
+ WSGIPassAuthorization On
+{{ end }}
diff --git a/templates/manila/config/manila-api-config.json b/templates/manila/config/manila-api-config.json
index f58c45b0..6c33a8b3 100644
--- a/templates/manila/config/manila-api-config.json
+++ b/templates/manila/config/manila-api-config.json
@@ -12,6 +12,28 @@
"dest": "/etc/httpd/conf.d/10-manila_wsgi.conf",
"owner": "root",
"perm": "0644"
+ },
+ {
+ "source": "/var/lib/config-data/default/ssl.conf",
+ "dest": "/etc/httpd/conf.d/ssl.conf",
+ "owner": "root",
+ "perm": "0644"
+ },
+ {
+ "source": "/var/lib/config-data/tls/certs/*",
+ "dest": "/etc/pki/tls/certs/",
+ "owner": "root",
+ "perm": "0640",
+ "optional": true,
+ "merge": true
+ },
+ {
+ "source": "/var/lib/config-data/tls/private/*",
+ "dest": "/etc/pki/tls/private/",
+ "owner": "root",
+ "perm": "0600",
+ "optional": true,
+ "merge": true
}
],
"permissions": [
diff --git a/templates/manila/config/ssl.conf b/templates/manila/config/ssl.conf
new file mode 100644
index 00000000..e3da4ecb
--- /dev/null
+++ b/templates/manila/config/ssl.conf
@@ -0,0 +1,21 @@
+
+ SSLRandomSeed startup builtin
+ SSLRandomSeed startup file:/dev/urandom 512
+ SSLRandomSeed connect builtin
+ SSLRandomSeed connect file:/dev/urandom 512
+
+ AddType application/x-x509-ca-cert .crt
+ AddType application/x-pkcs7-crl .crl
+
+ SSLPassPhraseDialog builtin
+ SSLSessionCache "shmcb:/var/cache/mod_ssl/scache(512000)"
+ SSLSessionCacheTimeout 300
+ Mutex default
+ SSLCryptoDevice builtin
+ SSLHonorCipherOrder On
+ SSLUseStapling Off
+ SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+ SSLOptions StdEnvVars
+
diff --git a/test/functional/base_test.go b/test/functional/base_test.go
index e5f67a6e..bfd3104c 100644
--- a/test/functional/base_test.go
+++ b/test/functional/base_test.go
@@ -15,7 +15,9 @@ package functional
import (
"fmt"
+
. "github.com/onsi/gomega"
+ "golang.org/x/exp/maps"
corev1 "k8s.io/api/core/v1"
k8s_errors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -103,6 +105,15 @@ func GetManilaCommonSpec(spec map[string]interface{}) map[string]interface{} {
return defaultSpec
}
+func GetTLSManilaSpec() map[string]interface{} {
+ return map[string]interface{}{
+ "databaseInstance": "openstack",
+ "secret": SecretName,
+ "manilaAPI": GetTLSManilaAPISpec(),
+ "manilaScheduler": GetDefaultManilaSchedulerSpec(),
+ }
+}
+
func GetDefaultManilaAPISpec() map[string]interface{} {
return map[string]interface{}{
"secret": SecretName,
@@ -234,6 +245,25 @@ func GetManilaShare(name types.NamespacedName) *manilav1.ManilaShare {
return instance
}
+func GetTLSManilaAPISpec() map[string]interface{} {
+ spec := GetDefaultManilaAPISpec()
+ maps.Copy(spec, map[string]interface{}{
+ "tls": map[string]interface{}{
+ "api": map[string]interface{}{
+ "internal": map[string]interface{}{
+ "secretName": InternalCertSecretName,
+ },
+ "public": map[string]interface{}{
+ "secretName": PublicCertSecretName,
+ },
+ },
+ "caBundleSecretName": CABundleSecretName,
+ },
+ })
+
+ return spec
+}
+
func ManilaAPIConditionGetter(name types.NamespacedName) condition.Conditions {
instance := GetManilaAPI(name)
return instance.Status.Conditions
diff --git a/test/functional/manila_controller_test.go b/test/functional/manila_controller_test.go
index c2b65c4d..91dec208 100644
--- a/test/functional/manila_controller_test.go
+++ b/test/functional/manila_controller_test.go
@@ -445,4 +445,159 @@ var _ = Describe("Manila controller", func() {
Expect(endpoints).To(HaveKeyWithValue("internal", "http://manila-internal."+manila.Namespace+".svc:8786/v2"))
})
})
+ When("A Manila with TLS is created", func() {
+ BeforeEach(func() {
+ DeferCleanup(th.DeleteInstance, CreateManila(manilaTest.Instance, GetTLSManilaSpec()))
+ DeferCleanup(k8sClient.Delete, ctx, CreateManilaMessageBusSecret(manilaTest.Instance.Namespace, manilaTest.RabbitmqSecretName))
+ DeferCleanup(th.DeleteInstance, CreateManilaAPI(manilaTest.Instance, GetDefaultManilaAPISpec()))
+ DeferCleanup(th.DeleteInstance, CreateManilaScheduler(manilaTest.Instance, GetDefaultManilaSchedulerSpec()))
+ DeferCleanup(th.DeleteInstance, CreateManilaShare(manilaTest.Instance, GetDefaultManilaShareSpec()))
+ DeferCleanup(
+ mariadb.DeleteDBService,
+ mariadb.CreateDBService(
+ manilaTest.Instance.Namespace,
+ GetManila(manilaName).Spec.DatabaseInstance,
+ corev1.ServiceSpec{
+ Ports: []corev1.ServicePort{{Port: 3306}},
+ },
+ ),
+ )
+ infra.SimulateTransportURLReady(manilaTest.ManilaTransportURL)
+ DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, manilaTest.MemcachedInstance, memcachedSpec))
+ infra.SimulateMemcachedReady(manilaTest.ManilaMemcached)
+ DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(manilaTest.Instance.Namespace))
+ mariadb.SimulateMariaDBDatabaseCompleted(manilaTest.Instance)
+ mariadb.SimulateMariaDBAccountCompleted(manilaTest.Instance)
+ th.SimulateJobSuccess(manilaTest.ManilaDBSync)
+ })
+
+ It("reports that the CA secret is missing", func() {
+ th.ExpectConditionWithDetails(
+ manilaTest.ManilaAPI,
+ ConditionGetterFunc(ManilaAPIConditionGetter),
+ condition.TLSInputReadyCondition,
+ corev1.ConditionFalse,
+ condition.ErrorReason,
+ fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/combined-ca-bundle not found", namespace),
+ )
+
+ th.ExpectConditionWithDetails(
+ manilaTest.ManilaScheduler,
+ ConditionGetterFunc(ManilaSchedulerConditionGetter),
+ condition.TLSInputReadyCondition,
+ corev1.ConditionFalse,
+ condition.ErrorReason,
+ fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/combined-ca-bundle not found", namespace),
+ )
+ })
+
+ It("reports that the internal cert secret is missing", func() {
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(manilaTest.CABundleSecret))
+ th.ExpectConditionWithDetails(
+ manilaTest.ManilaAPI,
+ ConditionGetterFunc(ManilaAPIConditionGetter),
+ condition.TLSInputReadyCondition,
+ corev1.ConditionFalse,
+ condition.ErrorReason,
+ fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/internal-tls-certs not found", namespace),
+ )
+ })
+
+ It("reports that the public cert secret is missing", func() {
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(manilaTest.CABundleSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.InternalCertSecret))
+ th.ExpectConditionWithDetails(
+ manilaTest.ManilaAPI,
+ ConditionGetterFunc(ManilaAPIConditionGetter),
+ condition.TLSInputReadyCondition,
+ corev1.ConditionFalse,
+ condition.ErrorReason,
+ fmt.Sprintf("TLSInput error occured in TLS sources Secret %s/public-tls-certs not found", namespace),
+ )
+ })
+
+ It("Creates ManilaAPI", func() {
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(manilaTest.CABundleSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.InternalCertSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.PublicCertSecret))
+ keystone.SimulateKeystoneEndpointReady(manilaTest.ManilaKeystoneEndpoint)
+
+ ManilaAPIExists(manilaTest.Instance)
+
+ d := th.GetStatefulSet(manilaTest.ManilaAPI)
+ // Check the resulting deployment fields
+ Expect(int(*d.Spec.Replicas)).To(Equal(1))
+
+ Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(9))
+ Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2))
+
+ // cert deployment volumes
+ th.AssertVolumeExists(manilaTest.CABundleSecret.Name, d.Spec.Template.Spec.Volumes)
+ th.AssertVolumeExists(manilaTest.InternalCertSecret.Name, d.Spec.Template.Spec.Volumes)
+ th.AssertVolumeExists(manilaTest.PublicCertSecret.Name, d.Spec.Template.Spec.Volumes)
+
+ // cert volumeMounts
+ container := d.Spec.Template.Spec.Containers[1]
+ th.AssertVolumeMountExists(manilaTest.InternalCertSecret.Name, "tls.key", container.VolumeMounts)
+ th.AssertVolumeMountExists(manilaTest.InternalCertSecret.Name, "tls.crt", container.VolumeMounts)
+ th.AssertVolumeMountExists(manilaTest.PublicCertSecret.Name, "tls.key", container.VolumeMounts)
+ th.AssertVolumeMountExists(manilaTest.PublicCertSecret.Name, "tls.crt", container.VolumeMounts)
+ th.AssertVolumeMountExists(manilaTest.CABundleSecret.Name, "tls-ca-bundle.pem", container.VolumeMounts)
+
+ Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))
+ Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))
+ })
+
+ It("reconfigures the manila pods when CA changes", func() {
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(manilaTest.CABundleSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.InternalCertSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.PublicCertSecret))
+ //keystone.SimulateKeystoneServiceReady(manilaTest.ManilaKeystoneService)
+ keystone.SimulateKeystoneEndpointReady(manilaTest.ManilaKeystoneEndpoint)
+
+ ManilaAPIExists(manilaTest.Instance)
+ ManilaSchedulerExists(manilaTest.Instance)
+
+ // Grab the current config hash
+ apiOriginalHash := GetEnvVarValue(
+ th.GetStatefulSet(manilaTest.ManilaAPI).Spec.Template.Spec.Containers[0].Env, "CONFIG_HASH", "")
+ Expect(apiOriginalHash).NotTo(BeEmpty())
+ schedulerOriginalHash := GetEnvVarValue(
+ th.GetStatefulSet(manilaTest.ManilaScheduler).Spec.Template.Spec.Containers[0].Env, "CONFIG_HASH", "")
+ Expect(schedulerOriginalHash).NotTo(BeEmpty())
+
+ // Change the content of the CA secret
+ th.UpdateSecret(manilaTest.CABundleSecret, "tls-ca-bundle.pem", []byte("DifferentCAData"))
+
+ // Assert that the deployment is updated
+ Eventually(func(g Gomega) {
+ newHash := GetEnvVarValue(
+ th.GetStatefulSet(manilaTest.ManilaAPI).Spec.Template.Spec.Containers[0].Env, "CONFIG_HASH", "")
+ g.Expect(newHash).NotTo(BeEmpty())
+ g.Expect(newHash).NotTo(Equal(apiOriginalHash))
+ }, timeout, interval).Should(Succeed())
+ Eventually(func(g Gomega) {
+ newHash := GetEnvVarValue(
+ th.GetStatefulSet(manilaTest.ManilaScheduler).Spec.Template.Spec.Containers[0].Env, "CONFIG_HASH", "")
+ g.Expect(newHash).NotTo(BeEmpty())
+ g.Expect(newHash).NotTo(Equal(schedulerOriginalHash))
+ }, timeout, interval).Should(Succeed())
+ })
+
+ It("Assert Services are created", func() {
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(manilaTest.CABundleSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.InternalCertSecret))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(manilaTest.PublicCertSecret))
+ keystone.SimulateKeystoneEndpointReady(manilaTest.ManilaKeystoneEndpoint)
+
+ th.AssertServiceExists(manilaTest.ManilaServicePublic)
+ th.AssertServiceExists(manilaTest.ManilaServiceInternal)
+
+ // check keystone endpoints
+ keystoneEndpoint := keystone.GetKeystoneEndpoint(manilaTest.ManilaKeystoneEndpoint)
+ endpoints := keystoneEndpoint.Spec.Endpoints
+ Expect(endpoints).To(HaveKeyWithValue("public", "https://manila-public."+namespace+".svc:8786/v2"))
+ Expect(endpoints).To(HaveKeyWithValue("internal", "https://manila-internal."+namespace+".svc:8786/v2"))
+ })
+ })
})
diff --git a/test/functional/manila_test_data.go b/test/functional/manila_test_data.go
index 13b90e34..479d7db6 100644
--- a/test/functional/manila_test_data.go
+++ b/test/functional/manila_test_data.go
@@ -19,12 +19,19 @@ package functional
import (
"fmt"
+
"k8s.io/apimachinery/pkg/types"
)
const (
// MemcachedInstance - name of the memcached instance
MemcachedInstance = "memcached"
+ //PublicCertSecretName -
+ PublicCertSecretName = "public-tls-certs"
+ //InternalCertSecretName -
+ InternalCertSecretName = "internal-tls-certs"
+ //CABundleSecretName -
+ CABundleSecretName = "combined-ca-bundle"
)
// ManilaTestData is the data structure used to provide input data to envTest
@@ -57,6 +64,9 @@ type ManilaTestData struct {
ManilaDefaultShare types.NamespacedName
InternalAPINAD types.NamespacedName
ContainerImage string
+ CABundleSecret types.NamespacedName
+ InternalCertSecret types.NamespacedName
+ PublicCertSecret types.NamespacedName
}
// GetManilaTestData is a function that initialize the ManilaTestData
@@ -159,5 +169,18 @@ func GetManilaTestData(manilaName types.NamespacedName) ManilaTestData {
ManilaPassword: "12345678",
ManilaServiceUser: "manila",
ContainerImage: "test://manila",
+ CABundleSecret: types.NamespacedName{
+ Namespace: manilaName.Namespace,
+ Name: CABundleSecretName,
+ },
+
+ InternalCertSecret: types.NamespacedName{
+ Namespace: manilaName.Namespace,
+ Name: InternalCertSecretName,
+ },
+ PublicCertSecret: types.NamespacedName{
+ Namespace: manilaName.Namespace,
+ Name: PublicCertSecretName,
+ },
}
}
diff --git a/test/kuttl/tests/manila-multibackend/01-assert.yaml b/test/kuttl/tests/manila-multibackend/01-assert.yaml
index d3af2ed2..a777270d 100644
--- a/test/kuttl/tests/manila-multibackend/01-assert.yaml
+++ b/test/kuttl/tests/manila-multibackend/01-assert.yaml
@@ -205,6 +205,10 @@ status:
reason: Ready
status: "True"
type: ServiceConfigReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: TLSInputReady
readyCount: 1
---
# when using image digests the containerImage URLs are SHA's so we verify them with a script
diff --git a/test/kuttl/tests/manila-multibackend/02-assert.yaml b/test/kuttl/tests/manila-multibackend/02-assert.yaml
index bd28a69a..9fbc8693 100644
--- a/test/kuttl/tests/manila-multibackend/02-assert.yaml
+++ b/test/kuttl/tests/manila-multibackend/02-assert.yaml
@@ -211,6 +211,10 @@ status:
reason: Ready
status: "True"
type: ServiceConfigReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: TLSInputReady
readyCount: 1
---
apiVersion: manila.openstack.org/v1beta1
@@ -250,4 +254,8 @@ status:
reason: Ready
status: "True"
type: ServiceConfigReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: TLSInputReady
readyCount: 1
diff --git a/test/kuttl/tests/manila-multibackend/03-assert.yaml b/test/kuttl/tests/manila-multibackend/03-assert.yaml
index cb12a501..99a469f6 100644
--- a/test/kuttl/tests/manila-multibackend/03-assert.yaml
+++ b/test/kuttl/tests/manila-multibackend/03-assert.yaml
@@ -207,6 +207,10 @@ status:
reason: Ready
status: "True"
type: ServiceConfigReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: TLSInputReady
readyCount: 1
---
# when using image digests the containerImage URLs are SHA's so we verify them with a script
diff --git a/test/kuttl/tests/manila-tls/01-assert.yaml b/test/kuttl/tests/manila-tls/01-assert.yaml
new file mode 100644
index 00000000..8d5a6043
--- /dev/null
+++ b/test/kuttl/tests/manila-tls/01-assert.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cert-manila-internal-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cert-manila-public-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: combined-ca-bundle
diff --git a/test/kuttl/tests/manila-tls/01-tls_certificates.yaml b/test/kuttl/tests/manila-tls/01-tls_certificates.yaml
new file mode 100644
index 00000000..8f6f8797
--- /dev/null
+++ b/test/kuttl/tests/manila-tls/01-tls_certificates.yaml
@@ -0,0 +1,31 @@
+# Hardcoded certs secret, so kuttl doesn't require cert-manager at test runtime
+apiVersion: v1
+kind: Secret
+metadata:
+ name: combined-ca-bundle
+ labels:
+ service: manila
+data:
+ tls-ca-bundle.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmVENDQVNLZ0F3SUJBZ0lRUHhtRFFscmxjNTNhb215RVU5MU9pakFLQmdncWhrak9QUVFEQWpBZU1Sd3cKR2dZRFZRUURFeE5yZFhSMGJDMXpaV3htYzJsbmJtVmtMV05oTUI0WERUSXpNVEF4T0RFeU1EazFNMW9YRFRJMApNREV4TmpFeU1EazFNMW93SGpFY01Cb0dBMVVFQXhNVGEzVjBkR3d0YzJWc1puTnBaMjVsWkMxallUQlpNQk1HCkJ5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSVdJY0JiR0cveEg4Lzlkc2lMbkJCdnRqcEZoQ2JRM3U4R0EKZXBVcnhTY25XM0hrZ2hrc1BCVE12M3NCeGdnVFQwL0Eva0dtazRYTkJ0dElnbUZJaFBpalFqQkFNQTRHQTFVZApEd0VCL3dRRUF3SUNwREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlFKaDd3VklFYjgxcFlsCkl3RDAraTBwSnlCTjNqQUtCZ2dxaGtqT1BRUURBZ05KQURCR0FpRUF2a3h5RzZjNzltSDlRWHRIVWFSM014REkKUUVRRGVtL1hZR3VGY1ZCUDJpQUNJUUNFeEZqeStQUTBkNFU5dEJacTVOd1gzdmxibnQxVlNCYWE5VFIrNkNkbAozdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tIyByb290Y2EtaW50ZXJuYWwKLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmekNDQVNhZ0F3SUJBZ0lRUWxlcTNZcDBtU2kwVDNiTm03Q29UVEFLQmdncWhrak9QUVFEQWpBZ01SNHcKSEFZRFZRUURFeFZ5YjI5MFkyRXRhM1YwZEd3dGFXNTBaWEp1WVd3d0hoY05NalF3TVRFMU1URTBOelUwV2hjTgpNelF3TVRFeU1URTBOelUwV2pBZ01SNHdIQVlEVlFRREV4VnliMjkwWTJFdGEzVjBkR3d0YVc1MFpYSnVZV3d3CldUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTRk9rNHJPUldVUGhoTjUrK09EN1I2MW5Gb1lBY0QKenpvUS91SW93NktjeGhwRWNQTDFxb3ZZUGxUYUJabEh3c2FpNE50VHA4aDA1RHVRSGZKOE9JNXFvMEl3UURBTwpCZ05WSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVXE3TGtFSk1TCm1MOVpKWjBSOUluKzZkclhycEl3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnVlN1K00ydnZ3QlF3eTJHMVlhdkkKQld2RGtSNlRla0I5U0VqdzJIblRSMWtDSUZSNFNkWGFPQkFGWjVHa2RLWCtSY2IzaDFIZm52eFJEVW96bTl2agphenp3Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KIyByb290Y2EtcHVibGljCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlCZXpDQ0FTS2dBd0lCQWdJUU5IREdZc0JzNzk4aWJERDdxL28ybGpBS0JnZ3Foa2pPUFFRREFqQWVNUnd3CkdnWURWUVFERXhOeWIyOTBZMkV0YTNWMGRHd3RjSFZpYkdsak1CNFhEVEkwTURFeE5URXdNVFV6TmxvWERUTTAKTURFeE1qRXdNVFV6Tmxvd0hqRWNNQm9HQTFVRUF4TVRjbTl2ZEdOaExXdDFkSFJzTFhCMVlteHBZekJaTUJNRwpCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkQ3OGF2WHFocmhDNXc4czlXa2Q0SXBiZUV1MDNDUitYWFVkCmtEek9SeXhhOXdjY0lkRGl2YkdKakpGWlRUY1ZtYmpxMUJNWXNqcjEyVUlFNUVUM1ZscWpRakJBTUE0R0ExVWQKRHdFQi93UUVBd0lDcERBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJUS0ppeldVSjllVUtpMQpkczBscjZjNnNEN0VCREFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJJWndZcTYxQnFNSmFCNlVjRm9Sc3hlY3dICjV6L3pNT2RyT3llMG1OaThKZ0lnUUxCNHdES3JwZjl0WDJsb00rMHVUb3BBRFNZSW5yY2ZWdTRGQnVZVTNJZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cert-manila-internal-svc
+ labels:
+ service: manila
+data:
+ ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkVENDQVJxZ0F3SUJBZ0lRTkZUVDE2eTc0RGJaOGJTL25ESDBkakFLQmdncWhrak9QUVFEQWpBYU1SZ3cKRmdZRFZRUURFdzl5YjI5MFkyRXRhVzUwWlhKdVlXd3dIaGNOTWpRd01URXdNVFV5T0RBMFdoY05NalF3TkRBNQpNVFV5T0RBMFdqQWFNUmd3RmdZRFZRUURFdzl5YjI5MFkyRXRhVzUwWlhKdVlXd3dXVEFUQmdjcWhrak9QUUlCCkJnZ3Foa2pPUFFNQkJ3TkNBQVFjK2d5OVFCNmw1NFNBQlkxUTJKZWx5MEhSTGEvMzlkRUxzU2RhNnJDRENKQWwKWjJ2bGlGbUo5WVlJNCtSbGRIejJWNXYvYjBpK2x0RjcxMGZ1OHJTbW8wSXdRREFPQmdOVkhROEJBZjhFQkFNQwpBcVF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVeUsyc0hXaUxHNnR6bWlVbENkUmhsRTJLCnNHSXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBSzVtTi9zQlBVcXAwckd1QjhnMVRxY21KR3ZMVUpyNjlnaEEKaEozMldCT1BBaUVBbEtwU0dVTzhac25UcVQrQ1hWbXNuWkxBcVJMV1NhbUI5U2NyczNDZ05zWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNhekNDQWhHZ0F3SUJBZ0lSQU1GRmpzWkpHY3BuaVBFNXNmQytrOEV3Q2dZSUtvWkl6ajBFQXdJd0dqRVkKTUJZR0ExVUVBeE1QY205dmRHTmhMV2x1ZEdWeWJtRnNNQjRYRFRJME1ERXhOVEV4TkRnMU1sb1hEVE0wTURFeApNakV4TkRnMU1sb3dBRENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNRzhQSWwzCnc4RXdXMHdUUG5qRURpU2dTdVI4WHJaajcrSjYyUkJMTHJ3ZUxKdWd1Wm1MaUh3M09uSldWa0hEOVpaZzlYSGUKbGZ6UDY3Wi8rYXBNMzJ5VWJTVUcrRjlBdXlGMHRTK2lPODFkUFRSY1luNzVBK0xWdnk1UkVpOGIvTFkzNTNPbgpxUEhuK2kyeTNLUC9HZkhjSi9lVlVXNFJkV2wyTHEyejRtRDRUK2twS0VwSnRGSTJQa2lrSVNOV2RRdmtEeW1WClF3a1B3U01FVy9yaEdGL2s3b0gvVWtwdy9wU1N1R0M2a1lpSnlwOTFHT0xCMlVoc254Z3dLelh5VS9MdGFrZXoKS2RHSFUvNUNLTTRKczg0ZnlNTDBBNXMxalpZQXZEWkVLNEgvYVpCb3EzV0NoQ1R4WWhIOVVuczhIQy9KbHJCMApHaitwVHNuaEc2cUlFQ2tDQXdFQUFhT0JoakNCZ3pBT0JnTlZIUThCQWY4RUJBTUNCYUF3RXdZRFZSMGxCQXd3CkNnWUlLd1lCQlFVSEF3RXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCVElyYXdkYUlzYnEzT2EKSlNVSjFHR1VUWXF3WWpBdEJnTlZIUkVCQWY4RUl6QWhnaDlyWlhsemRHOXVaUzFwYm5SbGNtNWhiQzV2Y0dWdQpjM1JoWTJzdWMzWmpNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRTFJYXcxcnRnU0ROZmxBSjJRek9VQjJxU1llCk03ZWdsaXZLVW01cmVOZThBaUVBMU93SGcwQ1YxOUNhYUpSSi9SS25UcXNJTGhNdjBEUVNPdnFwbWc0MWZDTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBd2J3OGlYZkR3VEJiVEJNK2VNUU9KS0JLNUh4ZXRtUHY0bnJaRUVzdXZCNHNtNkM1Cm1ZdUlmRGM2Y2xaV1FjUDFsbUQxY2Q2Vi9NL3J0bi81cWt6ZmJKUnRKUWI0WDBDN0lYUzFMNkk3elYwOU5GeGkKZnZrRDR0Vy9MbEVTTHh2OHRqZm5jNmVvOGVmNkxiTGNvLzhaOGR3bjk1VlJiaEYxYVhZdXJiUGlZUGhQNlNrbwpTa20wVWpZK1NLUWhJMVoxQytRUEtaVkRDUS9CSXdSYit1RVlYK1R1Z2Y5U1NuRCtsSks0WUxxUmlJbktuM1VZCjRzSFpTR3lmR0RBck5mSlQ4dTFxUjdNcDBZZFQva0lvemdtenpoL0l3dlFEbXpXTmxnQzhOa1FyZ2Y5cGtHaXIKZFlLRUpQRmlFZjFTZXp3Y0w4bVdzSFFhUDZsT3llRWJxb2dRS1FJREFRQUJBb0lCQVFDQ0hweUdNK05OY040UQo1V2Z6RXJMeEZKdlloRlBVcXFDbWU1NG9uR1ppUU4zekZPc3pYbzBuNkt3ZnVTOHI4cUtUQXNJM1hhbGRhSVRIClNZTDFSN1pVSmdoOGN3Y0VhdVNFbnU5R2MrODRpbVFlTStLUHAwNWQzdlFOOXJPQTRvcEVGSjRtaHJnbzZZYVYKaE9rK1dJc2piNXVFWlV5UTRiYjdRejRzdW9IVVlDYXFkVGlqU1lYQzNOd092YUlwa3pTNEo0cU5CUlhyYnNWSwowaGt4ZFNIY1hKNEREN0hybktpcEsxT2xUbUVObVZYbmlaNnRPcWc2eUNFeXFteWN0UnlUVTZRRzVPbVM2clJVCm82Z25EclA1TlgwRUhuakY3b1lka0JVbGJxWk96UHVGbG5CdUVKOFpTUEtOZHA5ejhuS3lqbGJiL0YxWGRDdEkKZERhVUhmREZBb0dCQVBFZkZZbDhPb2VhU21oSElKcGpxd3RCanYrRjFuOXNJbHNuZWNyQ1JmN243RW53d1hXaQpReStXQ3l6aDJGRVVad1dod2RQeXFJT3NVaG1vaXBIQmN3NlVUaW9xalM4SlpvSDlURFBQUEd5OXIwMHZwRkNuCnFkdjNXMkhWVytRckMrWk1nc2ZKdUlTTnFtbFdFeHpCNFBJQWRHQTdKVzFMY0ZCcG1Zd25DdXZyQW9HQkFNMncKbS94cVRhMmgySjFnNUI0elE5UnBhM280SEoyL2pTaHEzNW9heVNGNWJDYWtnWGRxek0yU0FwQ0x4dzlvY3doRAp3WWRaMWliaHl6b1dDQVZZZ0RlaXViUi96ZTN3Nzk4NktScUNmNnptMk5HOEoxODVDZDdKSjBiaTZBTTgvalpTCnFqWkJIK0FqanF2aFFJM0FMMEdzNlFvc2Z3L3hOL2k1cG00UWM5TTdBb0dBZjZCbFpQVmxnWnN3WVV1c3ZTdWUKUUlIOTc5Qm12ZUY5dWVRR09rVmtpVTAzSzlnTWZuaFp1WmxnNXV2UDlQS29xVGw2Zi9aRUxoWUxDdHZFSk94UgpPMWxTbWswVmw5MFE3aU1scjVLMHVCWWE4TzhUdVVGVnprRjZsQ2s3ejJUZGtwUFM4VzhiaE1YN2VtLytBODIzCmhFQ3JXTGhWMGlrSkZQY2dPQ2YrUnVzQ2dZQTYvcld1cnhxNmUxb3l3WENNVE8zZWhhSUMrd2NTSTdlcjZRTmIKSXVXZlNVRkEwQndtRVNiT3ExczY5Q3hTK2dWTVVJcTRkSWJjdmhSWkE2cW5SZHY0bVI2a2E2ZTM0RXdjZllUKwppb0Z1S1FQMUcvODY2NVF1SndteDVqRGZoT1h3MU1MbkxzU2l0L0FhMGs5K21LbTFMNC9qa0NHZGcvVW16TEMwCmp0bDVzd0tCZ0VPTVI3ODVLT2hyNXFoWmE2b0MvU25JeEptS1FxTWdXU0NGV1pGMDZrVlRnSmthb1hwUEl0bUIKOUZGbE1nTTJSeC91S2V3YTNDSTdQK240ek1uYSswTmhDL0RwNkMxVFVsVWlrcnJYQ3I5a1NPR2dXaEFISDljTwozRENvdkhOcE1PaG51dnhoMlpDeTdYbjFJeGgxWXdlYnVobFZzeTFvR0tDQ0lJb00rOVg1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cert-manila-public-svc
+ labels:
+ service: manila
+data:
+ ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlekNDQVNLZ0F3SUJBZ0lRTkhER1lzQnM3OThpYkREN3EvbzJsakFLQmdncWhrak9QUVFEQWpBZU1Sd3cKR2dZRFZRUURFeE55YjI5MFkyRXRhM1YwZEd3dGNIVmliR2xqTUI0WERUSTBNREV4TlRFd01UVXpObG9YRFRNMApNREV4TWpFd01UVXpObG93SGpFY01Cb0dBMVVFQXhNVGNtOXZkR05oTFd0MWRIUnNMWEIxWW14cFl6QlpNQk1HCkJ5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRDc4YXZYcWhyaEM1dzhzOVdrZDRJcGJlRXUwM0NSK1hYVWQKa0R6T1J5eGE5d2NjSWREaXZiR0pqSkZaVFRjVm1ianExQk1Zc2pyMTJVSUU1RVQzVmxxalFqQkFNQTRHQTFVZApEd0VCL3dRRUF3SUNwREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlRLSml6V1VKOWVVS2kxCmRzMGxyNmM2c0Q3RUJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQklad1lxNjFCcU1KYUI2VWNGb1JzeGVjd0gKNXovek1PZHJPeWUwbU5pOEpnSWdRTEI0d0RLcnBmOXRYMmxvTSswdVRvcEFEU1lJbnJjZlZ1NEZCdVlVM0lnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNiVENDQWhPZ0F3SUJBZ0lSQUtacXlMbUhLNC9VRTZmMi9LNWxiQnN3Q2dZSUtvWkl6ajBFQXdJd0hqRWMKTUJvR0ExVUVBeE1UY205dmRHTmhMV3QxZEhSc0xYQjFZbXhwWXpBZUZ3MHlOREF4TVRVeE1ESXdOVFJhRncwegpOREF4TVRJeE1ESXdOVFJhTUFBd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUMxCjhDcFJRVG1abHNzSUlmZ2hIK2ltUUtFMFdZVlJOeS8vMVM0aDVtV2tBcUZiVkhoUmptbFJ2cCtQUWpKOU16TDUKMXpXdmYxandEQ2pzYUxvL2FwSW9OSXJIcjN4TTRoYWl0emU0RjFwZzNoL3MvblExNWN5Q2U5dHdHR0RuWEllMwo2djBuNE9LNnAwSWJjcVk2Q1RBMTBwcGJZa3V6bzdVRkx6ZWxsc1ZhRlhzZ21JWDg4bTRXNmNBTi84cjJPWUI3Ck9HM0ZNOXAxSUFxT0hyT21EelFlTldqOUVjQy9TSCs5MGg4c1FyY1pvMWtWa1g1b2tpSUhDZjRlc2o3Q08rTGgKR3lsTmZyRzl6QTlPM0c3QVNDWVdPVWwyZTBhNHhZbE9QMmI4ejFEV3NIMTBVYXVsZHlRQXNtbkhtaW1VNzBmKwpEazZkQ1hXVHN4cGZ2cXphOVR4YkFnTUJBQUdqZ1lRd2dZRXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CTUdBMVVkCkpRUU1NQW9HQ0NzR0FRVUZCd01CTUF3R0ExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVeWlZczFsQ2YKWGxDb3RYYk5KYStuT3JBK3hBUXdLd1lEVlIwUkFRSC9CQ0V3SDRJZGEyVjVjM1J2Ym1VdGNIVmliR2xqTG05dwpaVzV6ZEdGamF5NXpkbU13Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnTzAzT2JmNm9uV2RiZG4xa282OVpuTFhMCmtQSHFYU3VRNlcxTDFvY3NDR3NDSVFEakEyVm9pWVdYN0hzSjVGNkZYV3FsZnl0RmduVVgvTmhvT1lIVnB2TWQKSGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+ tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdGZBcVVVRTVtWmJMQ0NINElSL29wa0NoTkZtRlVUY3YvOVV1SWVabHBBS2hXMVI0ClVZNXBVYjZmajBJeWZUTXkrZGMxcjM5WThBd283R2k2UDJxU0tEU0t4Njk4VE9JV29yYzN1QmRhWU40ZjdQNTAKTmVYTWdudmJjQmhnNTF5SHQrcjlKK0RpdXFkQ0czS21PZ2t3TmRLYVcySkxzNk8xQlM4M3BaYkZXaFY3SUppRgovUEp1RnVuQURmL0s5am1BZXpodHhUUGFkU0FLamg2enBnODBIalZvL1JIQXYwaC92ZElmTEVLM0dhTlpGWkYrCmFKSWlCd24rSHJJK3dqdmk0UnNwVFg2eHZjd1BUdHh1d0VnbUZqbEpkbnRHdU1XSlRqOW0vTTlRMXJCOWRGR3IKcFhja0FMSnB4NW9wbE85SC9nNU9uUWwxazdNYVg3NnMydlU4V3dJREFRQUJBb0lCQUd0eVdvdUNLYkk3Qzh6Ugp3dWhOSCtpUFlxUzMrYlB0RTd2UytsdXE1WHZtMGNST0xvQjd5bGNzYks3K09UTVhlWk56TlpGZmMvYlFONXJtCmZwZlZLRnYySzcraU01WjBMMG9KU2k2K0cvSDVQSUdLQkxlUDd5ZGdYa2ZsSGRXRkgrSE9OWlBIakI4UGlFc04KZW4zcnp6ejZFNDdFamxDWTdkOFI4NXNuWDRYREN2bG1CQnhvcnpqVERuK1dTWWpKS09SSk5zY3oxQXFYR1VjVwpQaHRNYkwybC8zN2hPbTA4SjRRWXowTWduOWE5VUFXLzFNS2lXbHVpc1NHNG9YaFNPS1hkdk1IS3VxS09sUDJzCk9xWjBlR3JBNmpKdWlmZVY2Q2NIU2p3VUgwdHpiMmdZQVM2cm5RQlREbFkxR1I4Skx0YWhWREtqdUwyV0hjclkKbHhCOGZBRUNnWUVBMWpxc01weFo5cG9LNkpmRDZzVTU0ZUU1UWlNYlB0MERRZjlYU1J6NW5zQXlraHdKWEZDVwpKWTNiU3BhcGREeEgzakpDQ0VzN3NSWUhUeDRzNVJQSldtWC9oZTFwVEs4TDVlaFV2TmVudG5nVTB3aE4rZVEzCjl4Sk1VbHVYdGkvU0FpNi9jQk5HY1ZjQjFGRStmVzY0VDhqYVVQakRrL0Z2dFRXOXkzZnNVZnNDZ1lFQTJXbXMKYStuZ2RaS24rVTlCMlFCTXB0K0RLL0txNVF6RW1qZDVMSjJMb3FLUjhGbjlpVVZoUVljUEpobDJVV3VjTTl0RQp0QUlYdEY0anVUejlqUUNMMGQ5a09DeCswdTBKUFZJejdlVmFFVGs1enF0azRsTnhVUkJhQ3pCUEJkdjZJd3BDCkR4UXJWRXBXYlMra1JvYTNKSElOdHdjUWt2Nk50N1JIajd1WEVTRUNnWUJsREozbTdZc2Q0QUZmUHg4Qm9YQXgKRkt5T2ZzSytQei9uSkl0R2lHMVNMWFJ0S041ZGRnR3N5eUh5SitqY1ZBYk9UMFNJWnZ4TUJva0NEOGk3Y1Q3Ygo3aHErVUlNSDBkVzU1NEg0NVh4TmZJek9FaSs5dktHTllFc3gyZFJROG5PTDVnTVUyWEt6eVllcVgzd3JiRXR5CkR0cXpzUE9IMkMySiswU0FNaHY5ZXdLQmdRQ2szeWs5TUwvaUNWUk9rTmNybTdtRk5xeS9rQ2dleU43eTRDeUoKTS9RbllrZHYwSjZmRWJrZU96QzJ3TXBrRmtuL1hVR3RqSVN6YUV5STlnS0ZnaXVGL1hWL3orWmhTQllncFl6eAoxR0xIK3ZDbWxIMU4wTjkzRFFKcng3ZTFoc3NhOVhXQS85ZVg5VU96UzFTMWt3V2hvc2haeXdhN29rU1FVaXVPCmlVQ1hZUUtCZ1FEUVZUVHc3WUY3QzNTVmg5OWRObUdTaHV2LzZ2aTJmNDlOMklGMURNQ1haaEpoOUVZck9TV2kKY05oakxGRFhmdzVlZlFURWU3Ykx5bTJGVDd0YnZFSm5USHFyakVuUDRUWExqZnczL3RiQ3RxWVNZRlRqdThFUApadHVwd21ZWjhFVU1pSnVHS2l2SExmSjk2dy8xR21BOHVCZUVtV05YRW9FUU1ySmxuM3g5d3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
diff --git a/test/kuttl/tests/manila-tls/02-manila-deploy.yaml b/test/kuttl/tests/manila-tls/02-manila-deploy.yaml
new file mode 100644
index 00000000..6da54441
--- /dev/null
+++ b/test/kuttl/tests/manila-tls/02-manila-deploy.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/layout/tls | oc apply -n $NAMESPACE -f -
diff --git a/test/kuttl/tests/manila-tls/03-assert.yaml b/test/kuttl/tests/manila-tls/03-assert.yaml
new file mode 100644
index 00000000..6392a8fd
--- /dev/null
+++ b/test/kuttl/tests/manila-tls/03-assert.yaml
@@ -0,0 +1,535 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+ name: manila
+ namespace: manila-kuttl-tests
+spec:
+ customServiceConfig: |
+ [DEFAULT]
+ debug = true
+ databaseInstance: openstack
+ databaseUser: manila
+ dbPurge:
+ age: 30
+ schedule: 1 0 * * *
+ extraMounts:
+ - extraVol:
+ - extraVolType: Ceph
+ mounts:
+ - mountPath: /etc/ceph
+ name: ceph
+ readOnly: true
+ propagation:
+ - share0
+ volumes:
+ - name: ceph
+ projected:
+ sources:
+ - secret:
+ name: ceph-conf-files
+ name: v1
+ region: r1
+ manilaAPI:
+ customServiceConfig: |
+ [DEFAULT]
+ enabled_share_protocols = cephfs
+ override: {}
+ replicas: 1
+ resources: {}
+ tls:
+ api:
+ internal:
+ secretName: cert-manila-internal-svc
+ public:
+ secretName: cert-manila-public-svc
+ caBundleSecretName: combined-ca-bundle
+ manilaScheduler:
+ customServiceConfig: '# add your customization here'
+ replicas: 1
+ resources: {}
+ manilaShares:
+ share0:
+ customServiceConfig: |
+ [DEFAULT]
+ enabled_share_backends = cephfs
+ [cephfs]
+ driver_handles_share_servers=False
+ share_backend_name=cephfs
+ share_driver=manila.share.drivers.cephfs.driver.CephFSDriver
+ cephfs_conf_path=/etc/ceph/ceph.conf
+ cephfs_auth_id=openstack
+ cephfs_cluster_name=ceph
+ cephfs_protocol_helper_type=CEPHFS
+ replicas: 1
+ resources: {}
+ memcachedInstance: memcached
+ passwordSelectors:
+ database: ManilaDatabasePassword
+ service: ManilaPassword
+ preserveJobs: false
+ rabbitMqClusterName: rabbitmq
+ secret: osp-secret
+ serviceUser: manila
+status:
+ conditions:
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: Ready
+ - message: CronJob completed
+ reason: Ready
+ status: "True"
+ type: CronJobReady
+ - message: DB create completed
+ reason: Ready
+ status: "True"
+ type: DBReady
+ - message: DBsync completed
+ reason: Ready
+ status: "True"
+ type: DBSyncReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: InputReady
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: ManilaAPIReady
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: ManilaSchedulerReady
+ - message: Deployment completed
+ reason: Ready
+ status: "True"
+ type: ManilaShareReady
+ - message: " Memcached instance has been provisioned"
+ reason: Ready
+ status: "True"
+ type: MemcachedReady
+ - message: NetworkAttachments completed
+ reason: Ready
+ status: "True"
+ type: NetworkAttachmentsReady
+ - message: RabbitMqTransportURL successfully created
+ reason: Ready
+ status: "True"
+ type: RabbitMqTransportURLReady
+ - message: RoleBinding created
+ reason: Ready
+ status: "True"
+ type: RoleBindingReady
+ - message: Role created
+ reason: Ready
+ status: "True"
+ type: RoleReady
+ - message: ServiceAccount created
+ reason: Ready
+ status: "True"
+ type: ServiceAccountReady
+ - message: Service config create completed
+ reason: Ready
+ status: "True"
+ type: ServiceConfigReady
+ databaseHostname: openstack.manila-kuttl-tests.svc
+ manilaAPIReadyCount: 1
+ manilaSchedulerReadyCount: 1
+ manilaSharesReadyCounts:
+ share0: 1
+ transportURLSecret: rabbitmq-transport-url-manila-manila-transport
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: manila-db-purge
+spec:
+ jobTemplate:
+ metadata:
+ labels:
+ service: manila
+ spec:
+ completions: 1
+ parallelism: 1
+ template:
+ spec:
+ containers:
+ - args:
+ - -c
+ - /usr/bin/manila-manage --config-dir /etc/manila/manila.conf.d
+ db purge 30
+ command:
+ - /bin/bash
+ name: manila-db-purge
+ volumeMounts:
+ - mountPath: /etc/manila/manila.conf.d
+ name: db-purge-config-data
+ readOnly: true
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ serviceAccount: manila-manila
+ serviceAccountName: manila-manila
+ volumes:
+ - name: db-purge-config-data
+ secret:
+ defaultMode: 420
+ items:
+ - key: 00-config.conf
+ path: 00-config.conf
+ secretName: manila-config-data
+ - name: combined-ca-bundle
+ secret:
+ defaultMode: 292
+ secretName: combined-ca-bundle
+ schedule: 1 0 * * *
+ suspend: false
+---
+apiVersion: manila.openstack.org/v1beta1
+kind: ManilaShare
+metadata:
+ name: manila-share-share0
+spec:
+ databaseHostname: openstack.manila-kuttl-tests.svc
+ databaseUser: manila
+ passwordSelectors:
+ database: ManilaDatabasePassword
+ service: ManilaPassword
+ replicas: 1
+ resources: {}
+ secret: osp-secret
+ serviceAccount: manila-manila
+ serviceUser: manila
+ transportURLSecret: rabbitmq-transport-url-manila-manila-transport
+status:
+ conditions:
+ - message: Setup complete
+ reason: Ready
+ status: "True"
+ type: Ready
+ - message: Deployment completed
+ reason: Ready
+ status: "True"
+ type: DeploymentReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: InputReady
+ - message: NetworkAttachments completed
+ reason: Ready
+ status: "True"
+ type: NetworkAttachmentsReady
+ - message: Service config create completed
+ reason: Ready
+ status: "True"
+ type: ServiceConfigReady
+ - message: Input data complete
+ reason: Ready
+ status: "True"
+ type: TLSInputReady
+ readyCount: 1
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: manila-api
+ namespace: manila-kuttl-tests
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: manila-api
+ service: manila
+ template:
+ metadata:
+ labels:
+ component: manila-api
+ service: manila
+ spec:
+ serviceAccountName: manila-manila
+ containers:
+ - args:
+ - --single-child
+ - --
+ - /usr/bin/tail
+ - -n+1
+ - -F
+ - /var/log/manila/manila-api.log
+ volumeMounts:
+ - name: logs
+ mountPath: /var/log/manila
+ - args:
+ - -c
+ - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ volumeMounts:
+ - mountPath: /etc/machine-id
+ name: etc-machine-id
+ readOnly: true
+ - mountPath: /etc/localtime
+ name: etc-localtime
+ readOnly: true
+ - mountPath: /var/lib/config-data/default
+ name: config-data
+ - mountPath: /usr/local/bin/container-scripts
+ name: scripts
+ - mountPath: /etc/manila/manila.conf.d
+ name: config-data-custom
+ readOnly: true
+ - mountPath: /var/lib/kolla/config_files/config.json
+ name: config-data
+ readOnly: true
+ subPath: manila-api-config.json
+ - mountPath: /var/log/manila
+ name: logs
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ - mountPath: /var/lib/config-data/tls/certs/internal.crt
+ name: internal-tls-certs
+ readOnly: true
+ subPath: tls.crt
+ - mountPath: /var/lib/config-data/tls/private/internal.key
+ name: internal-tls-certs
+ readOnly: true
+ subPath: tls.key
+ - mountPath: /var/lib/config-data/tls/certs/public.crt
+ name: public-tls-certs
+ readOnly: true
+ subPath: tls.crt
+ - mountPath: /var/lib/config-data/tls/private/public.key
+ name: public-tls-certs
+ readOnly: true
+ subPath: tls.key
+ volumes:
+ - name: etc-machine-id
+ hostPath:
+ path: /etc/machine-id
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ - name: scripts
+ secret:
+ secretName: manila-scripts
+ - name: config-data
+ secret:
+ secretName: manila-config-data
+ - name: config-data-custom
+ secret:
+ secretName: manila-api-config-data
+ - name: logs
+ emptyDir: {}
+ - name: combined-ca-bundle
+ secret:
+ defaultMode: 292
+ secretName: combined-ca-bundle
+ - name: internal-tls-certs
+ secret:
+ defaultMode: 256
+ secretName: cert-manila-internal-svc
+ - name: public-tls-certs
+ secret:
+ defaultMode: 256
+ secretName: cert-manila-public-svc
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: manila-share-share0
+ namespace: manila-kuttl-tests
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: manila-share
+ service: manila
+ template:
+ metadata:
+ labels:
+ component: manila-share
+ service: manila
+ spec:
+ serviceAccountName: manila-manila
+ containers:
+ - args:
+ - -c
+ - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ volumeMounts:
+ - mountPath: /etc/machine-id
+ name: etc-machine-id
+ - mountPath: /etc/localtime
+ name: etc-localtime
+ readOnly: true
+ - mountPath: /var/lib/config-data/default
+ name: config-data
+ readOnly: true
+ - mountPath: /usr/local/bin/container-scripts
+ name: scripts
+ readOnly: true
+ - mountPath: /etc/ceph
+ name: ceph
+ readOnly: true
+ - mountPath: /etc/manila/manila.conf.d
+ name: config-data-custom
+ readOnly: true
+ - mountPath: /var/lib/manila
+ name: var-lib-manila
+ - mountPath: /var/lib/kolla/config_files/config.json
+ name: config-data
+ readOnly: true
+ subPath: manila-share-config.json
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ subPath: tls-ca-bundle.pem
+ - command:
+ - /usr/local/bin/container-scripts/healthcheck.py
+ - share
+ - /etc/manila/manila.conf.d
+ volumeMounts:
+ - mountPath: /etc/machine-id
+ name: etc-machine-id
+ - mountPath: /etc/localtime
+ name: etc-localtime
+ readOnly: true
+ - mountPath: /var/lib/config-data/default
+ name: config-data
+ readOnly: true
+ - mountPath: /usr/local/bin/container-scripts
+ name: scripts
+ readOnly: true
+ - mountPath: /etc/ceph
+ name: ceph
+ readOnly: true
+ - mountPath: /etc/manila/manila.conf.d
+ name: config-data-custom
+ readOnly: true
+ - mountPath: /var/lib/manila
+ name: var-lib-manila
+ - mountPath: /var/lib/kolla/config_files/config.json
+ name: config-data
+ readOnly: true
+ subPath: manila-share-config.json
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ subPath: tls-ca-bundle.pem
+ volumes:
+ - name: etc-machine-id
+ hostPath:
+ path: /etc/machine-id
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ - name: scripts
+ secret:
+ secretName: manila-scripts
+ - name: config-data
+ secret:
+ secretName: manila-config-data
+ - name: ceph
+ projected:
+ sources:
+ - secret:
+ name: ceph-conf-files
+ - name: var-lib-manila
+ hostPath:
+ path: /var/lib/manila
+ - name: config-data-custom
+ secret:
+ secretName: manila-share-share0-config-data
+ - name: combined-ca-bundle
+ secret:
+ secretName: combined-ca-bundle
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: manila-scheduler
+ namespace: manila-kuttl-tests
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: manila-scheduler
+ service: manila
+ template:
+ metadata:
+ labels:
+ component: manila-scheduler
+ service: manila
+ spec:
+ serviceAccountName: manila-manila
+ containers:
+ - args:
+ - -c
+ - /usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_start
+ volumeMounts:
+ - mountPath: /etc/machine-id
+ name: etc-machine-id
+ - mountPath: /etc/localtime
+ name: etc-localtime
+ readOnly: true
+ - mountPath: /var/lib/config-data/default
+ name: config-data
+ readOnly: true
+ - mountPath: /usr/local/bin/container-scripts
+ name: scripts
+ readOnly: true
+ - mountPath: /etc/manila/manila.conf.d
+ name: config-data-custom
+ readOnly: true
+ - mountPath: /var/lib/kolla/config_files/config.json
+ name: config-data
+ readOnly: true
+ subPath: manila-scheduler-config.json
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ subPath: tls-ca-bundle.pem
+ - command:
+ - /usr/local/bin/container-scripts/healthcheck.py
+ - scheduler
+ - /etc/manila/manila.conf.d
+ volumeMounts:
+ - mountPath: /etc/machine-id
+ name: etc-machine-id
+ readOnly: true
+ - mountPath: /etc/localtime
+ name: etc-localtime
+ readOnly: true
+ - mountPath: /var/lib/config-data/default
+ name: config-data
+ readOnly: true
+ - mountPath: /usr/local/bin/container-scripts
+ name: scripts
+ readOnly: true
+ - mountPath: /etc/manila/manila.conf.d
+ name: config-data-custom
+ readOnly: true
+ - mountPath: /var/lib/kolla/config_files/config.json
+ name: config-data
+ readOnly: true
+ subPath: manila-scheduler-config.json
+ - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ name: combined-ca-bundle
+ readOnly: true
+ subPath: tls-ca-bundle.pem
+ volumes:
+ - name: etc-machine-id
+ hostPath:
+ path: /etc/machine-id
+ - name: etc-localtime
+ hostPath:
+ path: /etc/localtime
+ - name: scripts
+ secret:
+ secretName: manila-scripts
+ - name: config-data
+ secret:
+ secretName: manila-config-data
+ - name: config-data-custom
+ secret:
+ secretName: manila-scheduler-config-data
+ - name: combined-ca-bundle
+ secret:
+ secretName: combined-ca-bundle
diff --git a/test/kuttl/tests/manila-tls/04-cleanup-manila.yaml b/test/kuttl/tests/manila-tls/04-cleanup-manila.yaml
new file mode 100644
index 00000000..884b9d39
--- /dev/null
+++ b/test/kuttl/tests/manila-tls/04-cleanup-manila.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: manila.openstack.org/v1beta1
+ kind: Manila
+ name: manila