diff --git a/docs/assemblies/custom_resources.adoc b/docs/assemblies/custom_resources.adoc
index 716c36bcc..f2e8e1db1 100644
--- a/docs/assemblies/custom_resources.adoc
+++ b/docs/assemblies/custom_resources.adoc
@@ -316,7 +316,7 @@ OpenStackDataPlaneServiceSpec defines the desired state of OpenStackDataPlaneSer | tlsCerts | TLSCerts tls certs to be generated -| *<> +| map[string]<> | false | play
@@ -340,7 +340,7 @@ OpenStackDataPlaneServiceSpec defines the desired state of OpenStackDataPlaneSer | false | certsFrom -| CertsFrom - Service name used to obtain TLSCerts and CACerts data. If both CertsFrom and either TLSCerts or CACerts is set, then those fields take precedence. +| CertsFrom - Service name used to obtain TLSCert and CACerts data. If both CertsFrom and either TLSCert or CACerts is set, then those fields take precedence. | string | false
diff --git a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-assert.yaml b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-assert.yaml
index 5b46f7333..746c4578e 100644
--- a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-assert.yaml
@@ -4,9 +4,10 @@ metadata: name: generic-service1 spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames + tlsCerts: + default: + contents: + - dnsnames play: | - hosts: localhost gather_facts: no
diff --git a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-dataplane-create.yaml b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-dataplane-create.yaml
index 6dec0917c..63de06b74 100644
--- a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-dataplane-create.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/00-dataplane-create.yaml
@@ -4,9 +4,10 @@ metadata: name: generic-service1 spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames + tlsCerts: + default: + contents: + - dnsnames play: | - hosts: localhost gather_facts: no
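Review bot: Every fixture converted in this change keys `tlsCerts` with a single entry named `default` (the 00-dataplane-create.yaml hunk here, the 00-* files of dataplane-deploy-tls-test, and 03-dataplane-deploy-services-override.yaml), so the per-key secret name `cert-<service>-<key>-<host>` and the `/var/lib/openstack/certs/<service>/<key>` mount path that the asserts now expect are only ever exercised with one key. A regression that ignored the map key and collapsed every entry onto the same secret name or mount directory would still satisfy these asserts. Give at least one service a second `tlsCerts` entry with a different key and assert both resulting `cert-...` secrets and both mount paths, so the map semantics that motivated the rename are actually covered. The `play: |` block continues past the end of this hunk.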
diff --git a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml
index 92f4636c8..e659995c7 100644
--- a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml
@@ -1,45 +1,48 @@ apiVersion: v1 kind: Secret metadata: - name: cert-generic-service1-edpm-compute-0 + name: cert-generic-service1-default-edpm-compute-0 annotations: - cert-manager.io/certificate-name: generic-service1-edpm-compute-0 + cert-manager.io/certificate-name: generic-service1-default-edpm-compute-0 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: rootca-internal labels: hostname: edpm-compute-0 osdp-service: generic-service1 + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls --- apiVersion: v1 kind: Secret metadata: - name: cert-generic-service1-edpm-compute-1 + name: cert-generic-service1-default-edpm-compute-1 annotations: - cert-manager.io/certificate-name: generic-service1-edpm-compute-1 + cert-manager.io/certificate-name: generic-service1-default-edpm-compute-1 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: rootca-internal labels: hostname: edpm-compute-1 osdp-service: generic-service1 + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls --- apiVersion: v1 kind: Secret metadata: - name: cert-generic-service1-edpm-compute-2 + name: cert-generic-service1-default-edpm-compute-2 annotations: - cert-manager.io/certificate-name: generic-service1-edpm-compute-2 + cert-manager.io/certificate-name: generic-service1-default-edpm-compute-2 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: rootca-internal labels: hostname: edpm-compute-2 osdp-service: generic-service1 + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls --- 
@@ -49,7 +52,7 @@ kind: TestAssert commands: - script: | template='{{index .metadata.annotations "cert-manager.io/alt-names" }}' - names=$(oc get secret cert-generic-service1-edpm-compute-0 -n openstack -o go-template="$template") + names=$(oc get secret cert-generic-service1-default-edpm-compute-0 -n openstack -o go-template="$template") echo $names > test123.data regex="(?=.*(edpm-compute-0\.internalapi\.example\.com))(?=.*(edpm-compute-0\.storage\.example\.com))(?=.*(edpm-compute-0\.tenant\.example\.com))(?=.*(edpm-compute-0\.ctlplane\.example\.com))" matches=$(grep -P "$regex" test123.data)
@@ -64,7 +67,7 @@ commands: apiVersion: v1 kind: Secret metadata: - name: openstack-edpm-tls-generic-service1-certs-0 + name: openstack-edpm-tls-generic-service1-default-certs-0 labels: numberOfSecrets: "3" secretNumber: "0"
@@ -77,7 +80,7 @@ type: Opaque apiVersion: v1 kind: Secret metadata: - name: openstack-edpm-tls-generic-service1-certs-1 + name: openstack-edpm-tls-generic-service1-default-certs-1 labels: numberOfSecrets: "3" secretNumber: "1"
@@ -90,7 +93,7 @@ type: Opaque apiVersion: v1 kind: Secret metadata: - name: openstack-edpm-tls-generic-service1-certs-2 + name: openstack-edpm-tls-generic-service1-default-certs-2 labels: numberOfSecrets: "3" secretNumber: "2"
@@ -115,18 +118,18 @@ spec: backoffLimit: 6 extraMounts: - mounts: - - mountPath: /var/lib/openstack/certs/generic-service1 - name: openstack-edpm-tls-generic-service1-certs-0 + - mountPath: /var/lib/openstack/certs/generic-service1/default + name: openstack-edpm-tls-generic-service1-default-certs-0 volumes: - - name: openstack-edpm-tls-generic-service1-certs-0 + - name: openstack-edpm-tls-generic-service1-default-certs-0 projected: sources: - secret: - name: openstack-edpm-tls-generic-service1-certs-0 + name: openstack-edpm-tls-generic-service1-default-certs-0 - secret: - name: openstack-edpm-tls-generic-service1-certs-1 + name: openstack-edpm-tls-generic-service1-default-certs-1 - secret: - name: openstack-edpm-tls-generic-service1-certs-2 + name: openstack-edpm-tls-generic-service1-default-certs-2 - mounts: - mountPath: /var/lib/openstack/cacerts/generic-service1 name: generic-service1-combined-ca-bundle
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/00-assert.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/00-assert.yaml
index 986c100ef..a1edacacc 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/00-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/00-assert.yaml
@@ -4,9 +4,10 @@ metadata: name: tls-dnsnames spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames + tlsCerts: + default: + contents: + - dnsnames play: | - hosts: localhost gather_facts: no
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/00-dataplane-create.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/00-dataplane-create.yaml
index 927286831..4e4237d88 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/00-dataplane-create.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/00-dataplane-create.yaml
@@ -4,9 +4,10 @@ metadata: name: tls-dnsnames spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames + tlsCerts: + default: + contents: + - dnsnames play: | - hosts: localhost gather_facts: no
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml
index 89680d9d0..333a4bc76 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml
@@ -1,15 +1,16 @@ apiVersion: v1 kind: Secret metadata: - name: cert-tls-dnsnames-edpm-compute-0 + name: cert-tls-dnsnames-default-edpm-compute-0 annotations: - cert-manager.io/certificate-name: tls-dnsnames-edpm-compute-0 + cert-manager.io/certificate-name: tls-dnsnames-default-edpm-compute-0 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: rootca-internal labels: hostname: edpm-compute-0 osdp-service: tls-dnsnames + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls ---
@@ -19,8 +20,9 @@ metadata: labels: hostname: edpm-compute-0 osdp-service: tls-dnsnames + osdp-service-cert-key: default osdpns: openstack-edpm-tls - name: tls-dnsnames-edpm-compute-0 + name: tls-dnsnames-default-edpm-compute-0 namespace: openstack ownerReferences: - apiVersion: dataplane.openstack.org/v1beta1
@@ -31,7 +33,7 @@ spec: group: cert-manager.io kind: Issuer name: rootca-internal - secretName: cert-tls-dnsnames-edpm-compute-0 + secretName: cert-tls-dnsnames-default-edpm-compute-0 secretTemplate: labels: hostname: edpm-compute-0
@@ -44,7 +46,7 @@ kind: TestAssert commands: - script: | template='{{index .spec.dnsNames }}' - names=$(oc get certificate tls-dnsnames-edpm-compute-0 -n openstack -o go-template="$template") + names=$(oc get certificate tls-dnsnames-default-edpm-compute-0 -n openstack -o go-template="$template") echo $names > test123.data regex="(?=.*(edpm-compute-0\.internalapi\.example\.com))(?=.*(edpm-compute-0\.storage\.example\.com))(?=.*(edpm-compute-0\.tenant\.example\.com))(?=.*(edpm-compute-0\.ctlplane\.example\.com))" matches=$(grep -P "$regex" test123.data)
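Review bot: The `secretTemplate.labels` block in the hunk at -31,7 is not extended with `osdp-service-cert-key: default`, while the Secret and Certificate `metadata.labels` in the two hunks above it are, and 03-assert.yaml in the same change does add the label under `secretTemplate.labels`. A kuttl assert only checks the keys it lists, so the omission does not fail the step, but it leaves unasserted here the one label that presumably carries the new map key onto the issued Secret. If the controller sets it on `secretTemplate` as well, add `osdp-service-cert-key: default` under `secretTemplate.labels` to match 03-assert.yaml. The Certificate definition continues outside the hunk.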
@@ -57,7 +59,7 @@ commands: fi - script: | template='{{index .spec.usages }}' - usages=$(oc get certificate tls-dnsnames-edpm-compute-0 -n openstack -o go-template="$template") + usages=$(oc get certificate tls-dnsnames-default-edpm-compute-0 -n openstack -o go-template="$template") echo $usages > test123.data regex="(?=.*(key encipherment))(?=.*(digital signature))(?=.*(server auth))" matches=$(grep -P "$regex" test123.data)
@@ -84,14 +86,14 @@ spec: backoffLimit: 6 extraMounts: - mounts: - - mountPath: /var/lib/openstack/certs/tls-dnsnames - name: openstack-edpm-tls-tls-dnsnames-certs-0 + - mountPath: /var/lib/openstack/certs/tls-dnsnames/default + name: openstack-edpm-tls-tls-dnsnames-default-certs-0 volumes: - - name: openstack-edpm-tls-tls-dnsnames-certs-0 + - name: openstack-edpm-tls-tls-dnsnames-default-certs-0 projected: sources: - secret: - name: openstack-edpm-tls-tls-dnsnames-certs-0 + name: openstack-edpm-tls-tls-dnsnames-default-certs-0 - mounts: - mountPath: /var/lib/openstack/cacerts/tls-dnsnames name: tls-dnsnames-combined-ca-bundle
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml
index e367eec99..c807bbecb 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/03-assert.yaml
@@ -1,10 +1,10 @@ apiVersion: v1 kind: Secret metadata: - name: cert-tls-dns-ips-edpm-compute-0 + name: cert-tls-dns-ips-default-edpm-compute-0 annotations: cert-manager.io/alt-names: edpm-compute-0.ctlplane.example.com - cert-manager.io/certificate-name: tls-dns-ips-edpm-compute-0 + cert-manager.io/certificate-name: tls-dns-ips-default-edpm-compute-0 cert-manager.io/ip-sans: 192.168.122.100 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer
@@ -12,6 +12,7 @@ metadata: labels: hostname: edpm-compute-0 osdp-service: tls-dns-ips + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls ---
@@ -21,8 +22,9 @@ metadata: labels: hostname: edpm-compute-0 osdp-service: tls-dns-ips + osdp-service-cert-key: default osdpns: openstack-edpm-tls - name: tls-dns-ips-edpm-compute-0 + name: tls-dns-ips-default-edpm-compute-0 namespace: openstack ownerReferences: - apiVersion: dataplane.openstack.org/v1beta1
@@ -35,25 +37,27 @@ spec: group: cert-manager.io kind: Issuer name: rootca-internal - secretName: cert-tls-dns-ips-edpm-compute-0 + secretName: cert-tls-dns-ips-default-edpm-compute-0 secretTemplate: labels: hostname: edpm-compute-0 osdp-service: tls-dns-ips + osdp-service-cert-key: default osdpns: openstack-edpm-tls --- apiVersion: v1 kind: Secret metadata: - name: cert-custom-tls-dns-edpm-compute-0 + name: cert-custom-tls-dns-default-edpm-compute-0 annotations: - cert-manager.io/certificate-name: custom-tls-dns-edpm-compute-0 + cert-manager.io/certificate-name: custom-tls-dns-default-edpm-compute-0 cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: rootca-internal labels: hostname: edpm-compute-0 osdp-service: custom-tls-dns + osdp-service-cert-key: default osdpns: openstack-edpm-tls type: kubernetes.io/tls ---
@@ -63,8 +67,9 @@ metadata: labels: hostname: edpm-compute-0 osdp-service: custom-tls-dns + osdp-service-cert-key: default osdpns: openstack-edpm-tls - name: custom-tls-dns-edpm-compute-0 + name: custom-tls-dns-default-edpm-compute-0 namespace: openstack ownerReferences: - apiVersion: dataplane.openstack.org/v1beta1
@@ -75,11 +80,12 @@ spec: group: cert-manager.io kind: Issuer name: rootca-internal - secretName: cert-custom-tls-dns-edpm-compute-0 + secretName: cert-custom-tls-dns-default-edpm-compute-0 secretTemplate: labels: hostname: edpm-compute-0 osdp-service: custom-tls-dns + osdp-service-cert-key: default osdpns: openstack-edpm-tls --- # validate the alt-names and usages - which is a list with elements that can be in any order
@@ -88,7 +94,7 @@ kind: TestAssert commands: - script: | template='{{index .spec.dnsNames }}' - names=$(oc get certificate custom-tls-dns-edpm-compute-0 -n openstack -o go-template="$template") + names=$(oc get certificate custom-tls-dns-default-edpm-compute-0 -n openstack -o go-template="$template") echo $names > test123.data regex="(?=.*(edpm-compute-0\.internalapi\.example\.com))(?=.*(edpm-compute-0\.storage\.example\.com))(?=.*(edpm-compute-0\.tenant\.example\.com))(?=.*(edpm-compute-0\.ctlplane\.example\.com))" matches=$(grep -P "$regex" test123.data)
@@ -101,7 +107,7 @@ commands: fi - script: | template='{{index .spec.usages }}' - usages=$(oc get certificate custom-tls-dns-edpm-compute-0 -n openstack -o go-template="$template") + usages=$(oc get certificate custom-tls-dns-default-edpm-compute-0 -n openstack -o go-template="$template") echo $usages > test123.data regex="(?=.*(key encipherment))(?=.*(digital signature))(?=.*(server auth))(?=.*(client auth))" matches=$(grep -P "$regex" test123.data)
@@ -116,7 +122,7 @@ commands: apiVersion: v1 kind: Secret metadata: - name: openstack-edpm-tls-tls-dns-ips-certs-0 + name: openstack-edpm-tls-tls-dns-ips-default-certs-0 ownerReferences: - apiVersion: dataplane.openstack.org/v1beta1 kind: OpenStackDataPlaneNodeSet
@@ -126,7 +132,7 @@ type: Opaque apiVersion: v1 kind: Secret metadata: - name: openstack-edpm-tls-custom-tls-dns-certs-0 + name: openstack-edpm-tls-custom-tls-dns-default-certs-0 ownerReferences: - apiVersion: dataplane.openstack.org/v1beta1 kind: OpenStackDataPlaneNodeSet
@@ -148,14 +154,14 @@ spec: backoffLimit: 6 extraMounts: - mounts: - - mountPath: /var/lib/openstack/certs/tls-dns-ips - name: openstack-edpm-tls-tls-dns-ips-certs-0 + - mountPath: /var/lib/openstack/certs/tls-dns-ips/default + name: openstack-edpm-tls-tls-dns-ips-default-certs-0 volumes: - - name: openstack-edpm-tls-tls-dns-ips-certs-0 + - name: openstack-edpm-tls-tls-dns-ips-default-certs-0 projected: sources: - secret: - name: openstack-edpm-tls-tls-dns-ips-certs-0 + name: openstack-edpm-tls-tls-dns-ips-default-certs-0 - mounts: - mountPath: /var/lib/openstack/cacerts/tls-dns-ips name: tls-dns-ips-combined-ca-bundle
@@ -164,14 +170,14 @@ spec: secret: secretName: combined-ca-bundle - mounts: - - mountPath: /var/lib/openstack/certs/custom-tls-dns - name: openstack-edpm-tls-custom-tls-dns-certs-0 + - mountPath: /var/lib/openstack/certs/custom-tls-dns/default + name: openstack-edpm-tls-custom-tls-dns-default-certs-0 volumes: - - name: openstack-edpm-tls-custom-tls-dns-certs-0 + - name: openstack-edpm-tls-custom-tls-dns-default-certs-0 projected: sources: - secret: - name: openstack-edpm-tls-custom-tls-dns-certs-0 + name: openstack-edpm-tls-custom-tls-dns-default-certs-0 - mounts: - mountPath: /var/lib/openstack/cacerts/custom-tls-dns name: custom-tls-dns-combined-ca-bundle
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/03-dataplane-deploy-services-override.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/03-dataplane-deploy-services-override.yaml
index e61b86017..e687bcbfc 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/03-dataplane-deploy-services-override.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/03-dataplane-deploy-services-override.yaml
@@ -5,13 +5,14 @@ metadata: name: tls-dns-ips spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames - - ips - issuer: osp-rootca-issuer-internal - networks: - - ctlplane + tlsCerts: + default: + contents: + - dnsnames + - ips + issuer: osp-rootca-issuer-internal + networks: + - ctlplane play: | - hosts: localhost gather_facts: no
@@ -27,14 +28,15 @@ metadata: name: custom-tls-dns spec: caCerts: combined-ca-bundle - tlsCert: - contents: - - dnsnames - keyUsages: - - key encipherment - - digital signature - - server auth - - client auth + tlsCerts: + default: + contents: + - dnsnames + keyUsages: + - key encipherment + - digital signature + - server auth + - client auth play: | - hosts: localhost gather_facts: no
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/04-rotate-certs.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/04-rotate-certs.yaml
index d089d85c1..c8c820944 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/04-rotate-certs.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/04-rotate-certs.yaml
@@ -1,4 +1,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - command: oc delete -n openstack secrets cert-custom-tls-dns-edpm-compute-0 cert-tls-dns-ips-edpm-compute-0 + - command: oc delete -n openstack secrets cert-custom-tls-dns-default-edpm-compute-0 cert-tls-dns-ips-default-edpm-compute-0
diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/05-assert.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/05-assert.yaml
index e619d46b9..179a1ff64 100644
--- a/tests/kuttl/tests/dataplane-deploy-tls-test/05-assert.yaml
+++ b/tests/kuttl/tests/dataplane-deploy-tls-test/05-assert.yaml
@@ -10,21 +10,21 @@ commands: exit 1 fi - serial1=`oc get secret cert-custom-tls-dns-edpm-compute-0 -n openstack -o json|jq -r '.data."tls.crt"'|base64 -d |openssl x509 -noout -serial` + serial1=`oc get secret cert-custom-tls-dns-default-edpm-compute-0 -n openstack -o json|jq -r '.data."tls.crt"'|base64 -d |openssl x509 -noout -serial` echo "serial1:" $serial1 - serial2=`oc debug $PNAME -n openstack -- cat /var/lib/openstack/certs/custom-tls-dns/edpm-compute-0.ctlplane.example.com-tls.crt |openssl x509 -noout -serial` + serial2=`oc debug $PNAME -n openstack -- cat /var/lib/openstack/certs/custom-tls-dns/default/edpm-compute-0.ctlplane.example.com-tls.crt |openssl x509 -noout -serial` echo "serial2:" $serial2 if [ $serial1 != $serial2 ]; then - echo "serials for cert-custom-tls-dns-edpm-compute-0 not equal" + echo "serials for cert-custom-tls-dns-default-edpm-compute-0 not equal" exit 1 fi - serial1=`oc get secret cert-tls-dns-ips-edpm-compute-0 -n openstack -o json|jq -r '.data."tls.crt"'|base64 -d |openssl x509 -noout -serial` + serial1=`oc get secret cert-tls-dns-ips-default-edpm-compute-0 -n openstack -o json|jq -r '.data."tls.crt"'|base64 -d |openssl x509 -noout -serial` echo "serial1:" $serial1 - serial2=`oc debug $PNAME -n openstack -- cat /var/lib/openstack/certs/tls-dns-ips/edpm-compute-0.ctlplane.example.com-tls.crt |openssl x509 -noout -serial` + serial2=`oc debug $PNAME -n openstack -- cat /var/lib/openstack/certs/tls-dns-ips/default/edpm-compute-0.ctlplane.example.com-tls.crt |openssl x509 -noout -serial` echo "serial2:" $serial2 if [ $serial1 != $serial2 ]; then - echo "serials for cert-tls-dns-ips-edpm-compute-0 not equal" + echo "serials for cert-tls-dns-ips-default-edpm-compute-0 not equal" exit 1 fi
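Review bot: The comparison `if [ $serial1 != $serial2 ]` that follows each renamed lookup leaves both variables unquoted, so when one of the two reads produces no output — `oc get secret cert-custom-tls-dns-default-edpm-compute-0 ...` failing because the name does not exist, or the `oc debug` read of the mounted file failing — the test becomes `[ != serial=... ]`, which is a usage error with exit status 2 rather than a mismatch, and the `if` silently takes the false branch so the rotation check passes without comparing anything. A wrong secret name after this rename is exactly the failure that would leave `serial1` empty, so the check should fail closed: `if [ -z "$serial1" ] || [ "$serial1" != "$serial2" ]; then` at both comparison sites. The same applies to the `cert-tls-dns-ips-default-edpm-compute-0` block below it. The `script: |` block starts before this hunk.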