Skip to content

Commit

Permalink
[tls] nova novncproxy vencrypt support
Browse files Browse the repository at this point in the history
Issues a certificate for nova novncproxy if PodLevel tls is enabled
and configures it as vencrypt secret on the novnc proxy.

Depends-On: #779
Depends-On: openstack-k8s-operators/nova-operator#748
Depends-On: openstack-k8s-operators/dataplane-operator#862

JIRA: OSPRH-6552
  • Loading branch information
stuggi committed Apr 27, 2024
1 parent 9efbf53 commit 31c8f94
Showing 1 changed file with 39 additions and 2 deletions.
41 changes: 39 additions & 2 deletions pkg/openstack/nova.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (

"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"

certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
k8s_errors "k8s.io/apimachinery/pkg/api/errors"
Expand Down Expand Up @@ -240,7 +241,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
tls.API{
API: tls.APIService{
Public: tls.GenericService{
SecretName: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName,
SecretName: cellTemplate.NoVNCProxyServiceTemplate.TLS.Service.SecretName,
},
},
},
Expand All @@ -254,8 +255,44 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
routedOverrideSpec := endpointDetails.GetEndpointServiceOverrides()
cellTemplate.NoVNCProxyServiceTemplate.Override.Service = ptr.To(routedOverrideSpec[service.EndpointPublic])
// update NoVNCProxy cert secret
cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName =
cellTemplate.NoVNCProxyServiceTemplate.TLS.Service.SecretName =
endpointDetails.GetEndptCertSecret(service.EndpointPublic)

// create novncproxy vencrypt cert
if instance.Spec.TLS.PodLevel.Enabled {
serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
certRequest := certmanager.CertificateRequest{
IssuerName: instance.GetLibvirtIssuer(),
CertName: nova.Name + "-novncproxy-" + cellName + "-vencrypt",
CommonName: ptr.To(fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)),
Subject: &certmgrv1.X509Subject{
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
},
Usages: []certmgrv1.KeyUsage{
certmgrv1.UsageKeyEncipherment,
certmgrv1.UsageDigitalSignature,
certmgrv1.UsageServerAuth,
certmgrv1.UsageClientAuth,
},
}
if instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration != nil {
certRequest.Duration = &instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration.Duration
}
if instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore != nil {
certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore.Duration
}
certSecret, ctrlResult, err := certmanager.EnsureCert(
ctx,
helper,
certRequest,
nil)
if err != nil {
return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
}
cellTemplate.NoVNCProxyServiceTemplate.TLS.Vencrypt.SecretName = &certSecret.Name
}
}
}

Expand Down

0 comments on commit 31c8f94

Please sign in to comment.