openstack-k8s-operators · openshift-merge-bot · Feb 12, 2024 · Jan 18, 2024
diff --git a/api/bases/manila.openstack.org_manilaapis.yaml b/api/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/manila.openstack.org_manilas.yaml b/api/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/api/bases/manila.openstack.org_manilaschedulers.yaml b/api/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/manila.openstack.org_manilashares.yaml b/api/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/v1beta1/manilaapi_types.go b/api/v1beta1/manilaapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -38,6 +39,11 @@ type ManilaAPITemplate struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/api/v1beta1/manilascheduler_types.go b/api/v1beta1/manilascheduler_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -61,6 +62,11 @@ type ManilaSchedulerSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // ManilaSchedulerStatus defines the observed state of ManilaScheduler

diff --git a/api/v1beta1/manilashare_types.go b/api/v1beta1/manilashare_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -61,6 +62,11 @@ type ManilaShareSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // ManilaShareStatus defines the observed state of ManilaShare

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/manila.openstack.org_manilaapis.yaml b/config/crd/bases/manila.openstack.org_manilaapis.yaml
@@ -925,6 +925,24 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/manila.openstack.org_manilas.yaml b/config/crd/bases/manila.openstack.org_manilas.yaml
@@ -922,6 +922,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/config/crd/bases/manila.openstack.org_manilaschedulers.yaml b/config/crd/bases/manila.openstack.org_manilaschedulers.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/manila.openstack.org_manilashares.yaml b/config/crd/bases/manila.openstack.org_manilashares.yaml
@@ -874,6 +874,11 @@ spec:
               serviceUser:
                 default: manila
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/samples/layout/tls/kustomization.yaml b/config/samples/layout/tls/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../bases/manila
+patches:
+- patch: |-
+    - op: replace
+      path: /spec/secret
+      value: osp-secret
+    - op: replace
+      path: /metadata/namespace
+      value: manila-kuttl-tests
+  target:
+    kind: Manila
+- path: tls.yaml
diff --git a/config/samples/layout/tls/tls.yaml b/config/samples/layout/tls/tls.yaml
@@ -0,0 +1,47 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+  name: manila
+  namespace: openstack
+spec:
+  manilaAPI:
+    tls:
+      api:
+        internal:
+          secretName: cert-manila-internal-svc
+        public:
+          secretName: cert-manila-public-svc
+      caBundleSecretName: combined-ca-bundle
+    customServiceConfig: |
+        [DEFAULT]
+        enabled_share_protocols = cephfs
+  manilaShares:
+    share0:
+      customServiceConfig: |
+         [DEFAULT]
+         enabled_share_backends = cephfs
+         [cephfs]
+         driver_handles_share_servers=False
+         share_backend_name=cephfs
+         share_driver=manila.share.drivers.cephfs.driver.CephFSDriver
+         cephfs_conf_path=/etc/ceph/ceph.conf
+         cephfs_auth_id=openstack
+         cephfs_cluster_name=ceph
+         cephfs_protocol_helper_type=CEPHFS
+  extraMounts:
+    - name: v1
+      region: r1
+      extraVol:
+        - propagation:
+          - share0
+          extraVolType: Ceph
+          volumes:
+          - name: ceph
+            projected:
+              sources:
+              - secret:
+                  name: ceph-conf-files
+          mounts:
+          - name: ceph
+            mountPath: "/etc/ceph"
+            readOnly: true
diff --git a/config/samples/manila_v1beta1_manila_tls.yaml b/config/samples/manila_v1beta1_manila_tls.yaml
@@ -0,0 +1,22 @@
+apiVersion: manila.openstack.org/v1beta1
+kind: Manila
+metadata:
+  name: manila
+  namespace: openstack
+spec:
+  serviceUser: manila
+  customServiceConfig: |
+    [DEFAULT]
+    debug = true
+  databaseInstance: openstack
+  secret: osp-secret
+  databaseUser: manila
+  rabbitMqClusterName: rabbitmq
+  manilaAPI:
+    tls:
+        api:
+          internal:
+            secretName: cert-manila-internal-svc
+          public:
+            secretName: cert-manila-public-svc
+        caBundleSecretName: combined-ca-bundle
diff --git a/controllers/manila_controller.go b/controllers/manila_controller.go
@@ -37,6 +37,7 @@ import (
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	manilav1beta1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/manila-operator/pkg/manila"
@@ -210,6 +211,27 @@ func (r *ManilaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	return r.reconcileNormal(ctx, instance, helper)
 }
 
+// fields to index to reconcile when change
+const (
+	passwordSecretField     = ".spec.secret"
+	caBundleSecretNameField = ".spec.tls.caBundleSecretName"
+	tlsAPIInternalField     = ".spec.tls.api.internal.secretName"
+	tlsAPIPublicField       = ".spec.tls.api.public.secretName"
+)
+
+var (
+	commonWatchFields = []string{
+		passwordSecretField,
+		caBundleSecretNameField,
+	}
+	manilaAPIWatchFields = []string{
+		passwordSecretField,
+		caBundleSecretNameField,
+		tlsAPIInternalField,
+		tlsAPIPublicField,
+	}
+)
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *ManilaReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	// transportURLSecretFn - Watch for changes made to the secret associated with the RabbitMQ
@@ -874,6 +896,21 @@ func (r *ManilaReconciler) generateServiceConfig(
 		"MemcachedServersWithInet": strings.Join(memcached.Status.ServerListWithInet, ","),
 	}
 
+	// create httpd  vhost template parameters
+	httpdVhostConfig := map[string]interface{}{}
+	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
+		endptConfig := map[string]interface{}{}
+		endptConfig["ServerName"] = fmt.Sprintf("%s-%s.%s.svc", manila.ServiceName, endpt.String(), instance.Namespace)
+		endptConfig["TLS"] = false // default TLS to false, and set it bellow to true if enabled
+		if instance.Spec.ManilaAPI.TLS.API.Enabled(endpt) {
+			endptConfig["TLS"] = true
+			endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
+			endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
+		}
+		httpdVhostConfig[endpt.String()] = endptConfig
+	}
+	templateParameters["VHosts"] = httpdVhostConfig
+
 	configTemplates := []util.Template{
 		// ScriptsConfigMap
 		{
@@ -973,6 +1010,7 @@ func (r *ManilaReconciler) schedulerDeploymentCreateOrUpdate(ctx context.Context
 		DatabaseHostname:        instance.Status.DatabaseHostname,
 		TransportURLSecret:      instance.Status.TransportURLSecret,
 		ServiceAccount:          instance.RbacResourceName(),
+		TLS:                     instance.Spec.ManilaAPI.TLS.Ca,
 	}
 
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {
@@ -1009,6 +1047,7 @@ func (r *ManilaReconciler) shareDeploymentCreateOrUpdate(ctx context.Context, in
 		DatabaseHostname:    instance.Status.DatabaseHostname,
 		TransportURLSecret:  instance.Status.TransportURLSecret,
 		ServiceAccount:      instance.RbacResourceName(),
+		TLS:                 instance.Spec.ManilaAPI.TLS.Ca,
 	}
 
 	op, err := controllerutil.CreateOrUpdate(ctx, r.Client, deployment, func() error {