
[tlse] tls for ManilaAPI pod configuration
Public/internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for TLS termination. The certs are mounted directly at their expected locations under etc/pki/tls/certs/%s.crt|key, and the CA bundle at
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments for bootstrap/cron get the CA bundle added if configured.

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators/openstack-operator#625

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 committed Jan 18, 2024
1 parent f8493f2 commit dbe62f8
Showing 18 changed files with 547 additions and 11 deletions.
18 changes: 18 additions & 0 deletions api/bases/manila.openstack.org_manilaapis.yaml
Expand Up @@ -931,6 +931,24 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
18 changes: 18 additions & 0 deletions api/bases/manila.openstack.org_manilas.yaml
Expand Up @@ -931,6 +931,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
required:
- containerImage
type: object
5 changes: 5 additions & 0 deletions api/bases/manila.openstack.org_manilaschedulers.yaml
Expand Up @@ -880,6 +880,11 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
5 changes: 5 additions & 0 deletions api/bases/manila.openstack.org_manilashares.yaml
Expand Up @@ -880,6 +880,11 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
6 changes: 6 additions & 0 deletions api/v1beta1/manilaapi_types.go
Expand Up @@ -19,6 +19,7 @@ package v1beta1
import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand All @@ -38,6 +39,11 @@ type ManilaAPITemplate struct {
// +kubebuilder:validation:Optional
// Override, provides the ability to override the generated manifest of several child resources.
Override APIOverrideSpec `json:"override,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.API `json:"tls,omitempty"`
}

// APIOverrideSpec to override the generated manifest of several child resources.
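Review bot: The doc comment `// TLS - Parameters related to the TLS` on the new `TLS tls.API` field does not say what the operator expects in the referenced secrets, which is the one thing a user filling in this spec needs to know. Based on the sample added in this same commit, a comment such as `// TLS - per-endpoint (internal/public) secrets holding tls.crt/tls.key used by httpd for TLS termination, plus caBundleSecretName, the secret whose CA bundle is mounted into the pods` would be more useful. ManilaAPITemplate starts and ends outside the hunk.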
6 changes: 6 additions & 0 deletions api/v1beta1/manilascheduler_types.go
Expand Up @@ -18,6 +18,7 @@ package v1beta1

import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -61,6 +62,11 @@ type ManilaSchedulerSpec struct {
// +kubebuilder:validation:Required
// ServiceAccount - service account name used internally to provide the default SA name
ServiceAccount string `json:"serviceAccount"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.Ca `json:"tls,omitempty"`
}

// ManilaSchedulerStatus defines the observed state of ManilaScheduler
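Review bot: The doc comment `// TLS - Parameters related to the TLS` is misleadingly broad for a field of type `tls.Ca`, which carries only a CA bundle secret name and no server certificates. Suggest `// TLS - CA bundle secret (caBundleSecretName) mounted into the scheduler pod; the Manila controller appears to populate this from the ManilaAPI template's caBundleSecretName` — the second clause is inferred from the controller change in this commit and should be confirmed. ManilaSchedulerSpec starts and ends outside the hunk.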
6 changes: 6 additions & 0 deletions api/v1beta1/manilashare_types.go
Expand Up @@ -18,6 +18,7 @@ package v1beta1

import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

Expand Down Expand Up @@ -61,6 +62,11 @@ type ManilaShareSpec struct {
// +kubebuilder:validation:Required
// ServiceAccount - service account name used internally to provide the default SA name
ServiceAccount string `json:"serviceAccount"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.Ca `json:"tls,omitempty"`
}

// ManilaShareStatus defines the observed state of ManilaShare
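Review bot: The doc comment `// TLS - Parameters related to the TLS` does not tell the reader that `tls.Ca` only configures a CA bundle secret, not service certificates. Suggest `// TLS - CA bundle secret (caBundleSecretName) mounted into the share pod; the Manila controller appears to populate this from the ManilaAPI template's caBundleSecretName` — the second clause is inferred from the controller change in this commit and should be confirmed. ManilaShareSpec starts and ends outside the hunk.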
3 changes: 3 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


18 changes: 18 additions & 0 deletions config/crd/bases/manila.openstack.org_manilaapis.yaml
Expand Up @@ -931,6 +931,24 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
18 changes: 18 additions & 0 deletions config/crd/bases/manila.openstack.org_manilas.yaml
Expand Up @@ -931,6 +931,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
required:
- containerImage
type: object
5 changes: 5 additions & 0 deletions config/crd/bases/manila.openstack.org_manilaschedulers.yaml
Expand Up @@ -880,6 +880,11 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
5 changes: 5 additions & 0 deletions config/crd/bases/manila.openstack.org_manilashares.yaml
Expand Up @@ -880,6 +880,11 @@ spec:
serviceUser:
default: manila
type: string
tls:
properties:
caBundleSecretName:
type: string
type: object
transportURLSecret:
type: string
required:
25 changes: 25 additions & 0 deletions config/samples/manila_v1beta1_manila_tls.yaml
@@ -0,0 +1,25 @@
apiVersion: manila.openstack.org/v1beta1
kind: Manila
metadata:
name: manila
namespace: openstack
spec:
serviceUser: manila
customServiceConfig: |
[DEFAULT]
debug = true
databaseInstance: openstack
secret: osp-secret
databaseUser: manila
rabbitMqClusterName: rabbitmq
manilaAPI:
tls:
api:
internal:
secretName: cert-manila-internal-svc
public:
secretName: cert-manila-public-svc
caBundleSecretName: combined-ca-bundle
manilaScheduler: {}
manilaShares:
share1: {}
10 changes: 10 additions & 0 deletions config/samples/manila_v1beta1_manilaapi.yaml
Expand Up @@ -4,3 +4,13 @@ metadata:
name: manilaapi-sample
spec:
# TODO(user): Add fields here
#tls:
# api:
# # secret holding tls.crt and tls.key for the APIs internal k8s service
# internal:
# secretName: cert-internal-svc
# # secret holding tls.crt and tls.key for the APIs public k8s service
# public:
# secretName: cert-public-svc
# # secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
# caBundleSecretName: combined-ca-bundle
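Review bot: The comment above `caBundleSecretName` misspells "deployment" as `deploymend`; suggest `# secret holding the tls-ca-bundle.pem to be used as the deployment's env CA bundle`. Minor, but sample files tend to be copied verbatim into user-facing docs.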
39 changes: 39 additions & 0 deletions controllers/manila_controller.go
Expand Up @@ -37,6 +37,7 @@ import (
nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
Expand Down Expand Up @@ -209,6 +210,27 @@ func (r *ManilaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
return r.reconcileNormal(ctx, instance, helper)
}

// fields to index to reconcile when change
const (
passwordSecretField = ".spec.secret"
caBundleSecretNameField = ".spec.tls.caBundleSecretName"
tlsAPIInternalField = ".spec.tls.api.internal.secretName"
tlsAPIPublicField = ".spec.tls.api.public.secretName"
)

var (
commonWatchFields = []string{
passwordSecretField,
caBundleSecretNameField,
}
manilaAPIWatchFields = []string{
passwordSecretField,
caBundleSecretNameField,
tlsAPIInternalField,
tlsAPIPublicField,
}
)

// SetupWithManager sets up the controller with the Manager.
func (r *ManilaReconciler) SetupWithManager(mgr ctrl.Manager) error {
// transportURLSecretFn - Watch for changes made to the secret associated with the RabbitMQ
Expand Down Expand Up @@ -872,6 +894,21 @@ func (r *ManilaReconciler) generateServiceConfig(
"MemcachedServersWithInet": strings.Join(memcached.Status.ServerListWithInet, ","),
}

// create httpd vhost template parameters
httpdVhostConfig := map[string]interface{}{}
for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
endptConfig := map[string]interface{}{}
endptConfig["ServerName"] = fmt.Sprintf("manila-%s.%s.svc", endpt.String(), instance.Namespace)
endptConfig["TLS"] = false // default TLS to false, and set it bellow to true if enabled
if instance.Spec.ManilaAPI.TLS.API.Enabled(endpt) {
endptConfig["TLS"] = true
endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
}
httpdVhostConfig[endpt.String()] = endptConfig
}
templateParameters["VHosts"] = httpdVhostConfig

configTemplates := []util.Template{
// ScriptsConfigMap
{
Expand Down Expand Up @@ -971,6 +1008,7 @@ func (r *ManilaReconciler) schedulerDeploymentCreateOrUpdate(ctx context.Context
DatabaseHostname: instance.Status.DatabaseHostname,
TransportURLSecret: instance.Status.TransportURLSecret,
ServiceAccount: instance.RbacResourceName(),
TLS: instance.Spec.ManilaAPI.TLS.Ca,
}

op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
Expand Down Expand Up @@ -1007,6 +1045,7 @@ func (r *ManilaReconciler) shareDeploymentCreateOrUpdate(ctx context.Context, in
DatabaseHostname: instance.Status.DatabaseHostname,
TransportURLSecret: instance.Status.TransportURLSecret,
ServiceAccount: instance.RbacResourceName(),
TLS: instance.Spec.ManilaAPI.TLS.Ca,
}

op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
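Review bot: In the vhost hunk the comment on `endptConfig["TLS"] = false` has a typo (`bellow` → `below`), and the commit description says the key is mounted at `etc/pki/tls/certs/%s.crt|key` while the code points httpd at `/etc/pki/tls/private/%s.key` — the private-directory path in the code is the one to keep (keys should not sit beside world-readable certs), so the description, not the code, should be corrected. The vhost `ServerName` is fixed to `manila-<endpoint>.<namespace>.svc`; clients verifying the endpoint presumably need that name in the certificate's SANs, so a comment like `// ServerName must match a SAN of the cert in the endpoint's secret` would help whoever issues the certs. In the scheduler and share deployment hunks the CA bundle is copied from `instance.Spec.ManilaAPI.TLS.Ca`; a one-line comment such as `// scheduler/share have no tls block of their own in the Manila CR; reuse the API template's CA bundle secret` would make that dependency explicit. generateServiceConfig, schedulerDeploymentCreateOrUpdate and shareDeploymentCreateOrUpdate all start and end outside their hunks, as does SetupWithManager where the new watch-field slices are presumably consumed.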
