From 15d7bf8bb5df6a8c942887e6ca55e536064abeaf Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Wed, 16 Oct 2024 16:28:09 +0200 Subject: [PATCH] Set combined-ca-bundle as the default CACerts secret name If one misses to add the CACerts parameter to an OpenStackDataPlaneService the resulting deployment won't receive the cacert bundle. This defaults to combined-ca-bundle, which is also set in all the default services. Signed-off-by: Martin Schuppert --- .../dataplane.openstack.org_openstackdataplaneservices.yaml | 1 + apis/dataplane/v1beta1/openstackdataplaneservice_types.go | 3 ++- .../dataplane.openstack.org_openstackdataplaneservices.yaml | 1 + .../dataplane-deploy-global-service-test/01-assert.yaml | 6 ++++++ .../tests/dataplane-deploy-multiple-secrets/02-assert.yaml | 6 ++++++ tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml | 6 ++++++ 6 files changed, 22 insertions(+), 1 deletion(-) diff --git a/apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml b/apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml index 85330b265..f4eb7e6ca 100644 --- a/apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml +++ b/apis/bases/dataplane.openstack.org_openstackdataplaneservices.yaml @@ -35,6 +35,7 @@ spec: default: false type: boolean caCerts: + default: combined-ca-bundle maxLength: 253 type: string certsFrom: diff --git a/apis/dataplane/v1beta1/openstackdataplaneservice_types.go b/apis/dataplane/v1beta1/openstackdataplaneservice_types.go index 607863151..475446b37 100644 --- a/apis/dataplane/v1beta1/openstackdataplaneservice_types.go +++ b/apis/dataplane/v1beta1/openstackdataplaneservice_types.go 
@@ -75,7 +75,8 @@ type OpenStackDataPlaneServiceSpec struct { // CACerts - Secret containing the CA certificate chain // +kubebuilder:validation:Optional // +kubebuilder:validation:MaxLength:=253 - CACerts string `json:"caCerts,omitempty" yaml:"caCerts,omitempty"` + // +kubebuilder:default="combined-ca-bundle" + CACerts string `json:"caCerts" yaml:"caCerts"` // OpenStackAnsibleEERunnerImage image to use as the ansibleEE runner image // +kubebuilder:validation:Optional diff --git a/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml b/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml index 85330b265..f4eb7e6ca 100644 --- a/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml +++ b/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml @@ -35,6 +35,7 @@ spec: default: false type: boolean caCerts: + default: combined-ca-bundle maxLength: 253 type: string certsFrom: diff --git a/tests/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml b/tests/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml index 5c9a258fc..b28671b2e 100644 --- a/tests/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml +++ b/tests/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml @@ -805,6 +805,8 @@ spec: name: libvirt-combined-ca-bundle - mountPath: /var/lib/openstack/cacerts/nova name: nova-combined-ca-bundle + - mountPath: /var/lib/openstack/cacerts/custom-global-service + name: custom-global-service-combined-ca-bundle - mountPath: /runner/env/ssh_key name: ssh-key subPath: ssh_key @@ -846,6 +848,10 @@ spec: secret: defaultMode: 420 secretName: combined-ca-bundle + - name: custom-global-service-combined-ca-bundle + secret: + defaultMode: 420 + secretName: combined-ca-bundle - name: ssh-key secret: defaultMode: 420 
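Review bot: Dropping `omitempty` from the `CACerts` tags while adding `+kubebuilder:default="combined-ca-bundle"` lets an empty secret name bypass the new default. A Go client that leaves the field at its zero value now serializes `"caCerts": ""`, and the API server applies a schema default only when the key is absent, so such objects would presumably still deploy without the CA bundle. If an explicit empty value is meant as an opt-out, document it on the field, e.g. `// CACerts - Secret containing the CA certificate chain; defaults to combined-ca-bundle, set to "" to mount no CA bundle`. Otherwise keep `omitempty`, or add `// +kubebuilder:validation:MinLength:=1` so an empty name is rejected at admission. The struct continues outside the hunk and the code that consumes `CACerts` is not visible here, and the kuttl asserts in this patch cover only the defaulted case.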
diff --git a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml index 96105317f..6e8882745 100644 --- a/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml +++ b/tests/kuttl/tests/dataplane-deploy-multiple-secrets/02-assert.yaml @@ -179,6 +179,8 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: + - mountPath: /var/lib/openstack/cacerts/install-certs-ovr + name: install-certs-ovr-combined-ca-bundle - mountPath: /var/lib/openstack/certs/generic-service1/default name: openstack-edpm-tls-generic-service1-default-certs-0 - mountPath: /var/lib/openstack/cacerts/generic-service1 @@ -196,6 +198,10 @@ spec: serviceAccountName: openstack-edpm-tls terminationGracePeriodSeconds: 30 volumes: + - name: install-certs-ovr-combined-ca-bundle + secret: + defaultMode: 420 + secretName: combined-ca-bundle - name: openstack-edpm-tls-generic-service1-default-certs-0 projected: defaultMode: 420 diff --git a/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml b/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml index 6784278a5..d5da8bb2c 100644 --- a/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml +++ b/tests/kuttl/tests/dataplane-deploy-tls-test/02-assert.yaml @@ -212,6 +212,8 @@ spec: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: + - mountPath: /var/lib/openstack/cacerts/install-certs-ovrd + name: install-certs-ovrd-combined-ca-bundle - mountPath: /var/lib/openstack/certs/tls-dnsnames/default name: openstack-edpm-tls-tls-dnsnames-default-certs-0 - mountPath: /var/lib/openstack/certs/tls-dnsnames/second 
@@ -231,6 +233,10 @@ spec: serviceAccountName: openstack-edpm-tls terminationGracePeriodSeconds: 30 volumes: + - name: install-certs-ovrd-combined-ca-bundle + secret: + defaultMode: 420 + secretName: combined-ca-bundle - name: openstack-edpm-tls-tls-dnsnames-default-certs-0 projected: defaultMode: 420