Merge pull request #624 from stuggi/tlse_cinder

[tlse] internal TLS support for cinder
openstack-k8s-operators · Feb 12, 2024 · 8b079de · 8b079de
2 parents d831e76 + 562401e
commit 8b079de
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 7 deletions.
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -669,6 +669,24 @@ spec:
                                   x-kubernetes-int-or-string: true
                                 type: object
                             type: object
+                          tls:
+                            properties:
+                              api:
+                                properties:
+                                  internal:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                  public:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                type: object
+                              caBundleSecretName:
+                                type: string
+                            type: object
                         required:
                         - containerImage
                         type: object

diff --git a/apis/go.mod b/apis/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.14.0
 	github.com/onsi/gomega v1.30.0
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0
-	github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046
+	github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9
 	github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240205082155-620a93388acf
 	github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240206110918-d3646fda9535
 	github.com/openstack-k8s-operators/heat-operator/api v0.3.1-0.20240205114610-35cd4930ad3b

diff --git a/apis/go.sum b/apis/go.sum
@@ -132,8 +132,8 @@ github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxC
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0 h1:ms/NDnz14E3AfX6dYl/JhSHPuHYjLkO/Zc9UMMYjVeA=
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0/go.mod h1:mC7tpqh65pTV1tm3lFX/Onya/OAWfD8kssfrnvjj5n8=
-github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046 h1:e0/Y91PcpmV+7xqu9ZwSOLN+lGexwmbHpm4B456XhiE=
-github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046/go.mod h1:dmFpsn/Ad88blxLOsDp1rKzcz+/hQ7FtsYPxKrYphdA=
+github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9 h1:ncNVImtQifj8arpR5b9yhZa6L3q3fPYZFxZUpTkOYWE=
+github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9/go.mod h1:dmFpsn/Ad88blxLOsDp1rKzcz+/hQ7FtsYPxKrYphdA=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240205082155-620a93388acf h1:uDIKwac+IXC7biK/XRygnR2qSVWFUdx1Jj3MrPB8DIs=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240205082155-620a93388acf/go.mod h1:lKjYKU6WeGidYNhTOdiEvKRpgl3NVewmcM4b5mROGQ0=
 github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240206110918-d3646fda9535 h1:iS4FHKleKOMy8750d95+baxj8y1diIMJCRHdRCsMLTU=

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -669,6 +669,24 @@ spec:
                                   x-kubernetes-int-or-string: true
                                 type: object
                             type: object
+                          tls:
+                            properties:
+                              api:
+                                properties:
+                                  internal:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                  public:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                type: object
+                              caBundleSecretName:
+                                type: string
+                            type: object
                         required:
                         - containerImage
                         type: object

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.14.0
 	github.com/onsi/gomega v1.30.0
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0
-	github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046
+	github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9
 	github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240206123725-eb350187c545
 	github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240205082155-620a93388acf
 	github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240206110918-d3646fda9535

diff --git a/go.sum b/go.sum
@@ -143,8 +143,8 @@ github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxC
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0 h1:ms/NDnz14E3AfX6dYl/JhSHPuHYjLkO/Zc9UMMYjVeA=
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240205082437-655a181feae0/go.mod h1:mC7tpqh65pTV1tm3lFX/Onya/OAWfD8kssfrnvjj5n8=
-github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046 h1:e0/Y91PcpmV+7xqu9ZwSOLN+lGexwmbHpm4B456XhiE=
-github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240131135629-5e8e748d6046/go.mod h1:dmFpsn/Ad88blxLOsDp1rKzcz+/hQ7FtsYPxKrYphdA=
+github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9 h1:ncNVImtQifj8arpR5b9yhZa6L3q3fPYZFxZUpTkOYWE=
+github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240207124115-6572d1bc92c9/go.mod h1:dmFpsn/Ad88blxLOsDp1rKzcz+/hQ7FtsYPxKrYphdA=
 github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240206123725-eb350187c545 h1:eiUyijt5ij1Do1abYQjqzcFujjGSMJRQbP8Z/L+MqfY=
 github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240206123725-eb350187c545/go.mod h1:Q21yYPSzEhCLoi4aJyl1AW+V5RQE3+GzXaxhtGp2x/Y=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240205082155-620a93388acf h1:uDIKwac+IXC7biK/XRygnR2qSVWFUdx1Jj3MrPB8DIs=

diff --git a/pkg/openstack/cinder.go b/pkg/openstack/cinder.go
@@ -56,6 +56,12 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 		}
 	}
 
+	// preserve any previously set TLS certs,set CA cert
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		instance.Spec.Cinder.Template.CinderAPI.TLS = cinder.Spec.CinderAPI.TLS
+	}
+	instance.Spec.Cinder.Template.CinderAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	if cinder.Status.Conditions.IsTrue(cinderv1.CinderAPIReadyCondition) {
 		svcs, err := service.GetServicesListWithLabel(
 			ctx,
@@ -76,7 +82,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Cinder.Template.CinderAPI.Override.Service,
 			instance.Spec.Cinder.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeCinderReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -85,6 +91,10 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 		}
 
 		instance.Spec.Cinder.Template.CinderAPI.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+		// update TLS settings with cert secret
+		instance.Spec.Cinder.Template.CinderAPI.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+		instance.Spec.Cinder.Template.CinderAPI.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 	}
 
 	Log.Info("Reconciling Cinder", "Cinder.Namespace", instance.Namespace, "Cinder.Name", "cinder")