From 6d269cef79127f1cfc921390f6f066304301d03e Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Fri, 12 Jan 2024 17:23:47 +0100 Subject: [PATCH] [tlse] internal TLS support for placement Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/428 Depends-On: https://github.com/openstack-k8s-operators/openstack-operator/pull/620 Depends-On: https://github.com/openstack-k8s-operators/placement-operator/pull/92 Jira: OSPRH-2368 --- ...e.openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++++++ apis/go.mod | 6 +++--- apis/go.sum | 12 ++++++------ ...e.openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++++++ go.mod | 6 +++--- go.sum | 12 ++++++------ pkg/openstack/placement.go | 12 +++++++++++- 7 files changed, 65 insertions(+), 19 deletions(-) diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml index f718c3e71..939fa7d5b 100644 --- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -10756,6 +10756,24 @@ spec: serviceUser: default: placement type: string + tls: + properties: + api: + properties: + internal: + properties: + secretName: + type: string + type: object + public: + properties: + secretName: + type: string + type: object + type: object + caBundleSecretName: + type: string + type: object required: - containerImage - databaseInstance diff --git a/apis/go.mod b/apis/go.mod index 3cf745a37..eb7980c61 100644 --- a/apis/go.mod +++ b/apis/go.mod 
@@ -14,14 +14,14 @@ require ( github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c4ffc51e0752 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240112015156-0cd36db16810 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 - github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf + github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240116121536-4104bb44912a github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240116111504-6fb96fd3a8bc github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240116204130-66ba6ed891a1 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240115202843-8f204945b887 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240116133406-c220c5e98b5e github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3 - github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f + github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240116153046-688452fbf493 github.com/rabbitmq/cluster-operator/v2 v2.5.0 @@ -37,7 +37,7 @@ require ( github.com/rhobs/observability-operator v0.0.20 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect - golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect + golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect golang.org/x/tools v0.17.0 // indirect ) diff --git a/apis/go.sum b/apis/go.sum index 46dea5860..dee9b9eeb 100644 --- a/apis/go.sum +++ b/apis/go.sum 
@@ -148,8 +148,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240112015156-0 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240112015156-0cd36db16810/go.mod h1:ucxn3iX+wWE+8khOSw+RnE6aUhuUENF5M1MHNnlYYPo= github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 h1:IwTuIoC78bbp3awd8P0tWeknCe2jNLB1FCJDIwI/2Pg= github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316/go.mod h1:qx+z+k0RMK8Vcl5Nug6bOScEg7ROSxEV4FFy0gjcQDQ= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf h1:fBeLv+iCOiy8rMZqQXLdbVg1uVpOVNP8sWIdOcBiF4U= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf/go.mod h1:gW0sefZEues1bO7J8utgMIqbXgs2WUCXNtmixYiN1ak= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46 h1:Dko1s0pN67F6HDD/Mx6oqDcATREDL+u5EUArLK9squE= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240115104107-5b2be2642dcf h1:dT88WIhBNr8AOZ0GkhkwvAS1j7HB5BY5cAAEWiCF+8w= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240115104107-5b2be2642dcf/go.mod h1:RQIqP6sPb8OvtYWAvtV3SHimSrRCTDXwhZFdGtgTGN0= github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240115104107-5b2be2642dcf h1:BuoMWPkdRd85kf4xLXW8KfCq4nMw92sab/HtL7B1u5U= 
@@ -166,8 +166,8 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240116133406- github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240116133406-c220c5e98b5e/go.mod h1:KKhVU+ZNYFnhQ0SHoP7R63RDUmzLQ5i9zyantT5uoco= github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3 h1:ZxhnO9E9ygxTtaqp8mg5scoAisR1Q9Q323pqaOgtlw8= github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs= -github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f h1:TZHN7Z3SEAaBjUOt94pgzDpWZO8xYZr6GoICCR5hzdY= -github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f/go.mod h1:OAVBNziDY+fg/Xo/pMlooa16v2KR9wgn+TZngaRjT08= +github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303 h1:tFlCfWHt6AuQokBHP+BSZ3a8ouwsugEdJKzWDrUfNf0= +github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303/go.mod h1:G4XUqjS1C8V5U066HUcjnCyxTNhU4cSZOOGXcOCOhz4= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6 h1:5X1SqTwFD5Ps9DcAh8yMypomw630abnkNRbKYFqXvP0= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6/go.mod h1:zzYm6yi0tD4OhN7/9fk+VWkZ0k/DW7rrxH459/eCMCY= github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240116153046-688452fbf493 h1:SuEKQMCtSTPBCDZlT6nNDBmjPiw2fK6xbi9iwPtUgBo= 
@@ -230,8 +230,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= +golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index f718c3e71..939fa7d5b 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -10756,6 +10756,24 @@ spec: serviceUser: default: placement type: string + tls: + properties: + api: + properties: + internal: + properties: + secretName: + type: string + type: object + public: + properties: + secretName: + type: string + type: object + type: object + caBundleSecretName: + type: string + type: object required: - containerImage - databaseInstance diff --git a/go.mod b/go.mod index 3db8090f9..8100bc94b 100644 --- a/go.mod +++ b/go.mod 
@@ -20,7 +20,7 @@ require ( github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240112015156-0cd36db16810 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240115104107-5b2be2642dcf - github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf + github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240115104107-5b2be2642dcf github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240116121536-4104bb44912a github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240116111504-6fb96fd3a8bc @@ -31,13 +31,13 @@ require ( github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240116125116-e6dd38cd3c17 github.com/openstack-k8s-operators/openstack-operator/apis v0.0.0-20230725141229-4ce90d0120fd github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3 - github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f + github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240116153046-688452fbf493 github.com/operator-framework/api v0.20.0 github.com/rabbitmq/cluster-operator/v2 v2.5.0 go.uber.org/zap v1.26.0 - golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 + golang.org/x/exp v0.0.0-20240119083558-1b970713d09a k8s.io/api v0.27.7 k8s.io/apimachinery v0.27.7 k8s.io/client-go v0.27.7 diff --git a/go.sum b/go.sum index 76ce3a792..db4ea045b 100644 --- a/go.sum +++ b/go.sum 
@@ -163,8 +163,8 @@ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316/go.mod h1:qx+z+k0RMK8Vcl5Nug6bOScEg7ROSxEV4FFy0gjcQDQ= github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240115104107-5b2be2642dcf h1:Fgm5/ROtNmh9mNA6cz5RCvxi7JOM6MbaXMPk34slFgg= github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240115104107-5b2be2642dcf/go.mod h1:PDUwc872cmV5SBUFO5dHAc1TE0dX6xqUNUB1d13B+xk= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf h1:fBeLv+iCOiy8rMZqQXLdbVg1uVpOVNP8sWIdOcBiF4U= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240115104107-5b2be2642dcf/go.mod h1:gW0sefZEues1bO7J8utgMIqbXgs2WUCXNtmixYiN1ak= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46 h1:Dko1s0pN67F6HDD/Mx6oqDcATREDL+u5EUArLK9squE= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240122121228-01dfaafeef46/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240115104107-5b2be2642dcf h1:dT88WIhBNr8AOZ0GkhkwvAS1j7HB5BY5cAAEWiCF+8w= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240115104107-5b2be2642dcf/go.mod h1:RQIqP6sPb8OvtYWAvtV3SHimSrRCTDXwhZFdGtgTGN0= github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240115104107-5b2be2642dcf h1:BuoMWPkdRd85kf4xLXW8KfCq4nMw92sab/HtL7B1u5U= 
@@ -187,8 +187,8 @@ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.202 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240116125116-e6dd38cd3c17/go.mod h1:UTK7po+fGYND9AwrTpQvEhWMYXmViwJaaWt0LzhleDE= github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3 h1:ZxhnO9E9ygxTtaqp8mg5scoAisR1Q9Q323pqaOgtlw8= github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240116065342-bd7f402c26c3/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs= -github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f h1:TZHN7Z3SEAaBjUOt94pgzDpWZO8xYZr6GoICCR5hzdY= -github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240116173715-b3cb986c5e4f/go.mod h1:OAVBNziDY+fg/Xo/pMlooa16v2KR9wgn+TZngaRjT08= +github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303 h1:tFlCfWHt6AuQokBHP+BSZ3a8ouwsugEdJKzWDrUfNf0= +github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240125124919-72883dc08303/go.mod h1:G4XUqjS1C8V5U066HUcjnCyxTNhU4cSZOOGXcOCOhz4= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6 h1:5X1SqTwFD5Ps9DcAh8yMypomw630abnkNRbKYFqXvP0= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240115090752-77a04df58ad6/go.mod h1:zzYm6yi0tD4OhN7/9fk+VWkZ0k/DW7rrxH459/eCMCY= github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240116153046-688452fbf493 h1:SuEKQMCtSTPBCDZlT6nNDBmjPiw2fK6xbi9iwPtUgBo= 
@@ -255,8 +255,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240119083558-1b970713d09a h1:Q8/wZp0KX97QFTc2ywcOE0YRjZPVIx+MXInMzdvQqcA= +golang.org/x/exp v0.0.0-20240119083558-1b970713d09a/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= diff --git a/pkg/openstack/placement.go b/pkg/openstack/placement.go index 7e04c78a2..156f36bbd 100644 --- a/pkg/openstack/placement.go +++ b/pkg/openstack/placement.go @@ -55,6 +55,12 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC } } + // set CA cert and preserve any previously set TLS certs + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS + } + instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + if placementAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) { svcs, err := service.GetServicesListWithLabel( ctx, 
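Review bot: In the first placement.go hunk, `instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS` replaces the whole TLS struct on the control-plane template with the one from the existing PlacementAPI object, so anything already set on the template is dropped, and if `placementAPI` was not populated earlier in the function (that part is outside the hunk) the template is reset to zero values. The copy is gated on `service.EndpointInternal` only, so it is worth confirming that a public-only TLS setup does not need the same preservation. `CaBundleSecretName` is then assigned unconditionally from `instance.Status.TLS.CaBundleSecretName`; if that status field can still be empty at this point, the template carries TLS settings without a CA bundle for clients to verify against, and a guard such as `if instance.Status.TLS.CaBundleSecretName == "" { /* requeue until the bundle exists */ }` would make that state explicit. The comment would read more accurately as `// preserve TLS cert settings from the existing PlacementAPI (internal TLS only), then set the CA bundle`. ReconcilePlacementAPI begins and continues outside the hunk.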
@@ -75,7 +81,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC instance.Spec.Placement.Template.Override.Service, instance.Spec.Placement.APIOverride, corev1beta1.OpenStackControlPlaneExposePlacementAPIReadyCondition, - true, // TODO: (mschuppert) disable TLS for now until implemented + false, // TODO (mschuppert) could be removed when all integrated service support TLS ) if err != nil { return ctrlResult, err @@ -84,6 +90,10 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC } instance.Spec.Placement.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides() + + // update TLS settings with cert secret + instance.Spec.Placement.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic) + instance.Spec.Placement.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal) } Log.Info("Reconciling PlacementAPI", "PlacementAPI.Namespace", instance.Namespace, "PlacementAPI.Name", "placement")
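Review bot: In the `@@ -75,7 +81,7 @@` hunk, the bare `false` passed as the last argument appears to decide whether TLS is applied to the exposed placement endpoints, but neither the literal nor the new TODO says what the parameter means. The removed comment ("disable TLS for now until implemented") suggests `true` meant disabled, so an accidental inversion here would silently leave the endpoints without TLS. Name the argument at the call site, for example `false, // <parameter name>: keep TLS enabled for placement; TODO (mschuppert) drop this argument once every integrated service supports TLS`. The call begins outside the hunk, so the callee and the real parameter name are not visible here and should be filled in from its signature.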