[tlse] internal TLS support for keystone

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: #620 Depends-On: openstack-k8s-operators/keystone-operator#348 Jira: OSPRH-2183
openstack-k8s-operators · Jan 29, 2024 · 8cee472 · 8cee472
1 parent 06eb0b3
commit 8cee472
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/pkg/openstack/keystone.go b/pkg/openstack/keystone.go
@@ -57,6 +57,12 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 		}
 	}
 
+	// preserve any previously set TLS certs,set CA cert
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		instance.Spec.Keystone.Template.TLS = keystoneAPI.Spec.TLS
+	}
+	instance.Spec.Keystone.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	if keystoneAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
 		svcs, err := service.GetServicesListWithLabel(
 			ctx,
@@ -77,7 +83,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 			instance.Spec.Keystone.Template.Override.Service,
 			instance.Spec.Keystone.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeKeystoneAPIReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -86,9 +92,12 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 		}
 
 		instance.Spec.Keystone.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+		// update TLS settings with cert secret
+		instance.Spec.Keystone.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+		instance.Spec.Keystone.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 	}
 
-	helper.GetLogger().Info("Reconciling KeystoneAPI", "KeystoneAPI.Namespace", instance.Namespace, "KeystoneAPI.Name", "keystone")
 	Log.Info("Reconciling KeystoneAPI", "KeystoneAPI.Namespace", instance.Namespace, "KeystoneAPI.Name", "keystone")
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), keystoneAPI, func() error {
 		instance.Spec.Keystone.Template.DeepCopyInto(&keystoneAPI.Spec)
@@ -103,6 +112,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 			//keystoneAPI.Spec.DatabaseInstance = instance.Name // name of MariaDB we create here
 			keystoneAPI.Spec.DatabaseInstance = "openstack" //FIXME: see above
 		}
+
 		err := controllerutil.SetControllerReference(helper.GetBeforeObject(), keystoneAPI, helper.GetScheme())
 		if err != nil {
 			return err