[tlse] tls for ManilaAPI pod configuration

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured. Depends-On: openstack-k8s-operators/lib-common#428 Signed-off-by: Veronika Fisarova <[email protected]>
openstack-k8s-operators · Feb 9, 2024 · a93edef · a93edef
1 parent 5a5000e
commit a93edef
Show file tree

Hide file tree

Showing 39 changed files with 1,562 additions and 37 deletions.
diff --git a/api/bases/manila.openstack.org_manilaapis.yaml b/api/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/manila.openstack.org_manilas.yaml b/api/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/api/bases/manila.openstack.org_manilaschedulers.yaml b/api/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/manila.openstack.org_manilashares.yaml b/api/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/v1beta1/manilaapi_types.go b/api/v1beta1/manilaapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -38,6 +39,11 @@ type ManilaAPITemplate struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/api/v1beta1/manilascheduler_types.go b/api/v1beta1/manilascheduler_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -61,6 +62,11 @@ type ManilaSchedulerSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // ManilaSchedulerStatus defines the observed state of ManilaScheduler

diff --git a/api/v1beta1/manilashare_types.go b/api/v1beta1/manilashare_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -61,6 +62,11 @@ type ManilaShareSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // ManilaShareStatus defines the observed state of ManilaShare

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/manila.openstack.org_manilaapis.yaml b/config/crd/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/manila.openstack.org_manilas.yaml b/config/crd/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/config/crd/bases/manila.openstack.org_manilaschedulers.yaml b/config/crd/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/manila.openstack.org_manilashares.yaml b/config/crd/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/samples/layout/tls/kustomization.yaml b/config/samples/layout/tls/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../bases/manila
+patches:
+- patch: |-
+    - op: replace
+      path: /spec/secret
+      value: osp-secret
+    - op: replace
+      path: /metadata/namespace
+      value: manila-kuttl-tests
+  target:
+    kind: Manila
+- path: tls.yaml
diff --git a/config/samples/layout/tls/tls.yaml b/config/samples/layout/tls/tls.yaml
@@ -0,0 +1,47 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+  name: manila
+  namespace: openstack
+spec:
+  manilaAPI:
+    tls:
+      api:
+        internal:
+          secretName: cert-manila-internal-svc
+        public:
+          secretName: cert-manila-public-svc
+      caBundleSecretName: combined-ca-bundle
+    customServiceConfig: |
+        [DEFAULT]
+        enabled_share_protocols = cephfs
+  manilaShares:
+    share0:
+      customServiceConfig: |
+         [DEFAULT]
+         enabled_share_backends = cephfs
+         [cephfs]
+         driver_handles_share_servers=False
+         share_backend_name=cephfs
+         share_driver=manila.share.drivers.cephfs.driver.CephFSDriver
+         cephfs_conf_path=/etc/ceph/ceph.conf
+         cephfs_auth_id=openstack
+         cephfs_cluster_name=ceph
+         cephfs_protocol_helper_type=CEPHFS
+  extraMounts:
+    - name: v1
+      region: r1
+      extraVol:
+        - propagation:
+          - share0
+          extraVolType: Ceph
+          volumes:
+          - name: ceph
+            projected:
+              sources:
+              - secret:
+                  name: ceph-conf-files
+          mounts:
+          - name: ceph
+            mountPath: "/etc/ceph"
+            readOnly: true
diff --git a/config/samples/manila_v1beta1_manila_tls.yaml b/config/samples/manila_v1beta1_manila_tls.yaml
@@ -0,0 +1,22 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+  name: manila
+  namespace: openstack
+spec:
+  serviceUser: manila
+  customServiceConfig: |
+    [DEFAULT]
+    debug = true
+  databaseInstance: openstack
+  secret: osp-secret
+  databaseUser: manila
+  rabbitMqClusterName: rabbitmq
+  manilaAPI:
+    tls:
+        api:
+          internal:
+            secretName: cert-manila-internal-svc
+          public:
+            secretName: cert-manila-public-svc
+        caBundleSecretName: combined-ca-bundle
diff --git a/controllers/manila_controller.go b/controllers/manila_controller.go
@@ -37,6 +37,7 @@ import (
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -210,6 +211,27 @@ func (r *ManilaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	return r.reconcileNormal(ctx, instance, helper)
 }
 
+// fields to index to reconcile when change
+const (
+	passwordSecretField     = ".spec.secret"
+	caBundleSecretNameField = ".spec.tls.caBundleSecretName"
+	tlsAPIInternalField     = ".spec.tls.api.internal.secretName"
+	tlsAPIPublicField       = ".spec.tls.api.public.secretName"
+)
+
+var (
+	commonWatchFields = []string{
+		passwordSecretField,
+		caBundleSecretNameField,
+	}
+	manilaAPIWatchFields = []string{
+		passwordSecretField,
+		caBundleSecretNameField,
+		tlsAPIInternalField,
+		tlsAPIPublicField,
+	}
+)
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *ManilaReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// transportURLSecretFn - Watch for changes made to the secret associated with the RabbitMQ
@@ -874,6 +896,21 @@ func (r *ManilaReconciler) generateServiceConfig(
 		"MemcachedServersWithInet": strings.Join(memcached.Status.ServerListWithInet, ","),
 	}
 
+	// create httpd  vhost template parameters
+	httpdVhostConfig := map[string]interface{}{}
+	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+		endptConfig := map[string]interface{}{}
+		endptConfig["ServerName"] = fmt.Sprintf("%s-%s.%s.svc", manila.ServiceName, endpt.String(), instance.Namespace)
+		endptConfig["TLS"] = false // default TLS to false, and set it bellow to true if enabled
+		if instance.Spec.ManilaAPI.TLS.API.Enabled(endpt) {
+			endptConfig["TLS"] = true
+			endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
+			endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
+		}
+		httpdVhostConfig[endpt.String()] = endptConfig
+	}
+	templateParameters["VHosts"] = httpdVhostConfig
+
 	configTemplates := []util.Template{
 		// ScriptsConfigMap
 		{
@@ -973,6 +1010,7 @@ func (r *ManilaReconciler) schedulerDeploymentCreateOrUpdate(ctx context.Context
 		DatabaseHostname:        instance.Status.DatabaseHostname,
 		TransportURLSecret:      instance.Status.TransportURLSecret,
 		ServiceAccount:          instance.RbacResourceName(),
+		TLS:                     instance.Spec.ManilaAPI.TLS.Ca,
 	}
 
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
@@ -1009,6 +1047,7 @@ func (r *ManilaReconciler) shareDeploymentCreateOrUpdate(ctx context.Context, in
 		DatabaseHostname:    instance.Status.DatabaseHostname,
 		TransportURLSecret:  instance.Status.TransportURLSecret,
 		ServiceAccount:      instance.RbacResourceName(),
+		TLS:                 instance.Spec.ManilaAPI.TLS.Ca,
 	}
 
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {