From 67b52c78062b93075d25dd6776d564bf8793489e Mon Sep 17 00:00:00 2001
From: Dave Wilde
Date: Tue, 16 Jan 2024 11:59:30 -0600
Subject: [PATCH] [tlse] internal TLS support for barbican

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true
For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators#620
Depends-On: openstack-k8s-operators/barbican-operator#55
Jira: OSPRH-2349
---
 ....openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++
 apis/go.mod | 2 ++
 apis/go.sum | 4 ++--
 ....openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++
 go.mod | 2 ++
 go.sum | 4 ++--
 pkg/openstack/barbican.go | 24 ++++++++++++-------
 7 files changed, 60 insertions(+), 12 deletions(-)
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
index 6269c9730..0e0a18d11 100644
--- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -267,6 +267,24 @@ spec:
 x-kubernetes-int-or-string: true
 type: object
 type: object
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
 required:
 - containerImage
 type: object
diff --git a/apis/go.mod b/apis/go.mod
index 74a98dca8..521e5ff27 100644
--- a/apis/go.mod
+++ b/apis/go.mod
@@ -112,3 +112,5 @@ replace ( //allow-merging
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/barbican-operator/api => github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53
diff --git a/apis/go.sum b/apis/go.sum
index 656253209..7a09ab0ff 100644
--- a/apis/go.sum
+++ b/apis/go.sum
@@ -16,6 +16,8 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53 h1:HHxveOjLllfVxodwgC2RNhTEVz+b04Esrn+VKEP/9OA=
+github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53/go.mod h1:FEjlJ/OucsDfiHYfqFX2Ylgcv79+nv4AX4iZoCvzqA0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
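Review bot: The new `replace` directive redirects `github.com/openstack-k8s-operators/barbican-operator/api` to the personal fork `github.com/d34dh0r53/barbican-operator/api` pinned at v0.0.0-20240105224926-8416f11cbe53, and the go.sum hunks record that fork's module hashes; the root go.mod hunk further down adds the identical directive. Until the upstream change it depends on (barbican-operator#55 in the Depends-On trailer) merges, the build's source of truth for this API module is a fork controlled by one account, and unlike the neighbouring openshift/api replace this line carries no `//allow-merging` marker, so it presumably is meant to block merging until re-pinned. A comment on the line stating the removal condition, e.g. `// temporary: drop once openstack-k8s-operators/barbican-operator#55 merges and the api module is re-pinned upstream`, would keep that intent visible to whoever rebases this.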
@@ -130,8 +132,6 @@ github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxCMwNRnMjhhIDOWHJowi6q8G6koI=
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
-github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240108170652-68675ce2dc07 h1:MTk4rGxi3H1CBX95mpdZj1H8yUjXTv+/dWrWyXip7RI=
-github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240108170652-68675ce2dc07/go.mod h1:AKxAjtiCm9hzPxuir8M/4wecI2o0ioNw11vVT9nPNlc=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240111110121-f5a20fbbe1a1 h1:OEVscieEdZptZd5Ny64e5NyBWql7HywNIkIXqfiufsU=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240111110121-f5a20fbbe1a1/go.mod h1:ME6rLv+DDUbGDzyE+oEOZLGgYrPc8MaAAmvRLWnBA1Y=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240104144436-858a0383741c h1:XSRqnJnHCUjn3PRQX16J7gasxnl5DIlyfE3p0F72gL8=
diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
index 6269c9730..0e0a18d11 100644
--- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -267,6 +267,24 @@ spec:
 x-kubernetes-int-or-string: true
 type: object
 type: object
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
 required:
 - containerImage
 type: object
diff --git a/go.mod b/go.mod
index 7a735143f..99374dd56 100644
--- a/go.mod
+++ b/go.mod
@@ -130,3 +130,5 @@ replace github.com/openstack-k8s-operators/openstack-operator/apis => ./apis
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/barbican-operator/api => github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53
diff --git a/go.sum b/go.sum
index 97ea2131a..516744fa7 100644
--- a/go.sum
+++ b/go.sum
@@ -20,6 +20,8 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53 h1:HHxveOjLllfVxodwgC2RNhTEVz+b04Esrn+VKEP/9OA=
+github.com/d34dh0r53/barbican-operator/api v0.0.0-20240105224926-8416f11cbe53/go.mod h1:FEjlJ/OucsDfiHYfqFX2Ylgcv79+nv4AX4iZoCvzqA0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -141,8 +143,6 @@ github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxCMwNRnMjhhIDOWHJowi6q8G6koI=
 github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
-github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240108170652-68675ce2dc07 h1:MTk4rGxi3H1CBX95mpdZj1H8yUjXTv+/dWrWyXip7RI=
-github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240108170652-68675ce2dc07/go.mod h1:AKxAjtiCm9hzPxuir8M/4wecI2o0ioNw11vVT9nPNlc=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240111110121-f5a20fbbe1a1 h1:OEVscieEdZptZd5Ny64e5NyBWql7HywNIkIXqfiufsU=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240111110121-f5a20fbbe1a1/go.mod h1:ME6rLv+DDUbGDzyE+oEOZLGgYrPc8MaAAmvRLWnBA1Y=
 github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240111133808-bbed168b7f62 h1:Va40oho+l/PzLH7t2QW4NXn/u48rVxANdak6sKHKIiM=
diff --git a/pkg/openstack/barbican.go b/pkg/openstack/barbican.go
index 3ffe6493c..af561d628 100644
--- a/pkg/openstack/barbican.go
+++ b/pkg/openstack/barbican.go
@@ -42,10 +42,9 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 if instance.Spec.Barbican.Template.BarbicanAPI.Override.Service == nil {
 instance.Spec.Barbican.Template.BarbicanAPI.Override.Service = map[service.Endpoint]service.RoutedOverrideSpec{}
 }
- instance.Spec.Barbican.Template.BarbicanAPI.Override.Service[endpointType] =
- AddServiceComponentLabel(
- instance.Spec.Barbican.Template.BarbicanAPI.Override.Service[endpointType],
- barbican.Name)
+ instance.Spec.Barbican.Template.BarbicanAPI.Override.Service[endpointType] = AddServiceComponentLabel(
+ instance.Spec.Barbican.Template.BarbicanAPI.Override.Service[endpointType],
+ barbican.Name)
 }
 
 // When component services got created check if there is the need to create a route
@@ -55,6 +54,12 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 }
 }
 
+ // preserve any previously set TLS certs, set CA cert
+ if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ instance.Spec.Barbican.Template.BarbicanAPI.TLS = barbican.Spec.BarbicanAPI.TLS
+ }
+ instance.Spec.Barbican.Template.BarbicanAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 if barbican.Status.Conditions.IsTrue(barbicanv1.BarbicanAPIReadyCondition) {
 svcs, err := service.GetServicesListWithLabel(
 ctx,
@@ -75,7 +80,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 instance.Spec.Barbican.Template.BarbicanAPI.Override.Service,
 instance.Spec.Barbican.APIOverride,
 corev1beta1.OpenStackControlPlaneExposeBarbicanReadyCondition,
- true, // TODO: (mschuppert) disable TLS for now until implemented
+ false, // TODO: (mschuppert) could be removed when all integrated service support TLS
 )
 if err != nil {
 return ctrlResult, err
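Review bot: In the second hunk the line `instance.Spec.Barbican.Template.BarbicanAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName` is unconditional, so for every reconcile in which the control plane status has not yet recorded a CA bundle secret the template value is overwritten with an empty string and the Barbican API is rendered without a trust bundle on that pass, even if the operator had set one. Guarding it, `if instance.Status.TLS.CaBundleSecretName != "" { ... }`, keeps a previously set name until the bundle exists. The preceding `if instance.Spec.TLS.Enabled(service.EndpointInternal)` copy replaces the whole template TLS block with `barbican.Spec.BarbicanAPI.TLS`; if `barbican` at this point is the object constructed earlier in ReconcileBarbican (which starts outside the hunk) rather than one read back from the API, that copy is a zero value and silently discards whatever the template carried, so this is worth confirming against the start of the function. The comment `// preserve any previously set TLS certs, set CA cert` would say more as `// carry over cert secrets already set on the existing Barbican CR, then pin the CA bundle from the control plane status`.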
@@ -84,6 +89,10 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 }
 instance.Spec.Barbican.Template.BarbicanAPI.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+ // update TLS settings with cert secret
+ instance.Spec.Barbican.Template.BarbicanAPI.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+ instance.Spec.Barbican.Template.BarbicanAPI.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 }
 
 helper.GetLogger().Info("Reconciling Barbican", "Barbican.Namespace", instance.Namespace, "Barbican.Name", "barbican")
@@ -97,8 +106,8 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 barbican.Spec.NodeSelector = instance.Spec.NodeSelector
 }
 if barbican.Spec.DatabaseInstance == "" {
-//barbican.Spec.DatabaseInstance = instance.Name // name of MariaDB we create here
- barbican.Spec.DatabaseInstance = "openstack" //FIXME: see above
+ // barbican.Spec.DatabaseInstance = instance.Name // name of MariaDB we create here
+ barbican.Spec.DatabaseInstance = "openstack" // FIXME: see above
 }
 
 err := controllerutil.SetControllerReference(helper.GetBeforeObject(), barbican, helper.GetScheme())
@@ -107,7 +116,6 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 }
 return nil
 })
-
 if err != nil {
 instance.Status.Conditions.Set(condition.FalseCondition(
 corev1beta1.OpenStackControlPlaneBarbicanReadyCondition,
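Review bot: The two new assignments in the first hunk write `endpointDetails.GetEndptCertSecret(...)` into `TLS.API.Public.SecretName` and `TLS.API.Internal.SecretName` unconditionally, so they also overwrite the values the earlier "preserve any previously set TLS certs" step copied from the existing CR; if GetEndptCertSecret yields an empty string for an endpoint whose TLS is disabled or whose certificate is not yet issued (its contract is not visible here), a previously working secret name is cleared and the API loses its cert on that reconcile. Assigning only when the returned name is non-empty, e.g. `if s := endpointDetails.GetEndptCertSecret(service.EndpointPublic); s != "" { instance.Spec.Barbican.Template.BarbicanAPI.TLS.API.Public.SecretName = s }` (and the same for the internal endpoint), would make the preserve step meaningful. These lines also sit inside the block opened outside the hunk on `barbican.Status.Conditions.IsTrue(barbicanv1.BarbicanAPIReadyCondition)`, so on a fresh deployment the API is first rolled out without cert secrets and only re-rolled with TLS once it has reported ready; if that two-pass rollout is intended, the comment `// update TLS settings with cert secret` should say so, e.g. `// cert secrets are only known once the API services exist; this re-rolls the API with TLS on the next pass`.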