[tlse] internal TLS support for heat
Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true

For a service like nova, which talks to the internal endpoints of multiple
services, this has to be set for each of them, for example:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: #620
Depends-On: openstack-k8s-operators/heat-operator#300

Jira: OSPRH3851
stuggi committed Jan 29, 2024
1 parent 06eb0b3 commit 4786a77
Showing 1 changed file with 18 additions and 2 deletions.
20 changes: 18 additions & 2 deletions pkg/openstack/heat.go
Expand Up @@ -67,6 +67,14 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
}
}

// preserve any previously set TLS certs,set CA cert
if instance.Spec.TLS.Enabled(service.EndpointInternal) {
instance.Spec.Heat.Template.HeatAPI.TLS = heat.Spec.HeatAPI.TLS
instance.Spec.Heat.Template.HeatCfnAPI.TLS = heat.Spec.HeatCfnAPI.TLS
}
instance.Spec.Heat.Template.HeatAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
instance.Spec.Heat.Template.HeatCfnAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName

// Heat API
if heat.Status.Conditions.IsTrue(heatv1.HeatAPIReadyCondition) {
svcs, err := service.GetServicesListWithLabel(
Expand All @@ -88,7 +96,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
instance.Spec.Heat.Template.HeatAPI.Override.Service,
instance.Spec.Heat.APIOverride,
corev1beta1.OpenStackControlPlaneExposeHeatReadyCondition,
true, // TODO: (mschuppert) disable TLS for now until implemented
false, // TODO (mschuppert) could be removed when all integrated service support TLS
)
if err != nil {
return ctrlResult, err
Expand All @@ -97,6 +105,10 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
}

instance.Spec.Heat.Template.HeatAPI.Override.Service = endpointDetails.GetEndpointServiceOverrides()

// update TLS settings with cert secret
instance.Spec.Heat.Template.HeatAPI.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
instance.Spec.Heat.Template.HeatAPI.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
}

// Heat CFNAPI
Expand All @@ -120,7 +132,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
instance.Spec.Heat.Template.HeatCfnAPI.Override.Service,
instance.Spec.Heat.CnfAPIOverride,
corev1beta1.OpenStackControlPlaneExposeHeatReadyCondition,
true, // TODO: (mschuppert) disable TLS for now until implemented
false, // TODO (mschuppert) could be removed when all integrated service support TLS
)
if err != nil {
return ctrlResult, err
Expand All @@ -129,6 +141,10 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
}

instance.Spec.Heat.Template.HeatCfnAPI.Override.Service = endpointDetails.GetEndpointServiceOverrides()

// update TLS settings with cert secret
instance.Spec.Heat.Template.HeatCfnAPI.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
instance.Spec.Heat.Template.HeatCfnAPI.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
}

Log := GetLogger(ctx)
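Review bot: The two `CaBundleSecretName` assignments directly after the `if instance.Spec.TLS.Enabled(service.EndpointInternal)` block run unconditionally and overwrite whatever the HeatAPI/HeatCfnAPI templates held with `instance.Status.TLS.CaBundleSecretName`, even when internal TLS is disabled and even if that status field is still empty, which contradicts the "preserve any previously set TLS certs" comment directly above them; guard them with `if instance.Status.TLS.CaBundleSecretName != "" {` unless clearing the bundle is intended, in which case the comment should say so. The gate itself checks only `service.EndpointInternal`, while the later `GetEndptCertSecret(service.EndpointPublic)` lines also wire a public-endpoint cert secret, so a deployment with public TLS on and internal TLS off skips the preserve step for the whole `TLS` struct — presumably harmless if the endpoint helper repopulates every field, but that assumption deserves a one-line comment. The `insecure = true` workaround quoted in the description disables server-certificate verification for whichever client sections it is applied to, so a `// TODO(tlse): drop the insecure=true workaround once the CA bundle is used to verify integrated service endpoints` next to the CA bundle lines would keep that trade-off visible until it is removed. ReconcileHeat begins before and ends after this section.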
