[tlse] internal TLS support for placement

Creates certs for k8s service of the service operator when
spec.tls.endpoint.internal.enabled: true

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On: openstack-k8s-operators/lib-common#428
Depends-On: #620
Depends-On: openstack-k8s-operators/placement-operator#92

Jira: OSPRH-2368

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10756,6 +10756,24 @@ spec:
                       serviceUser:
                         default: placement
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                     required:
                     - containerImage
                     - databaseInstance

apis/go.mod

@@ -112,3 +112,5 @@ replace ( //allow-merging
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e

apis/go.sum

@@ -20,6 +20,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e h1:tXTZoa8tsmJVp7+zRzJKQaVJYtwhZ31SPIxIuN6m2hk=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e/go.mod h1:DS/ei404MC7NKLi2uYMRGpUBouEjXL/wkfpN0Of67Tg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
@@ -166,8 +168,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240111141638-
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240111141638-941aa4c7af37/go.mod h1:KKhVU+ZNYFnhQ0SHoP7R63RDUmzLQ5i9zyantT5uoco=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e h1:chk5DpAXCx6fJbnYtIcid6TpRW/QIEh2zt2g4LJHLPA=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3 h1:oEmzvsFf5enmSxGHRzw0ZwiF34didSmLTU+sRbTLNZ8=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3/go.mod h1:+AKxGjuWbDzsqWK3bz0yNP1tghBgkBTpxSrgh4BTWpQ=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240110160147-9348e8bb5a55 h1:Iz1JOKMLU6bcsJeGI0UtZwvSgoLcnogI4TwIuqAxJHQ=

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10756,6 +10756,24 @@ spec:
                       serviceUser:
                         default: placement
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                     required:
                     - containerImage
                     - databaseInstance

go.mod

@@ -130,3 +130,5 @@ replace github.com/openstack-k8s-operators/openstack-operator/apis => ./apis
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e

go.sum

@@ -24,6 +24,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e h1:tXTZoa8tsmJVp7+zRzJKQaVJYtwhZ31SPIxIuN6m2hk=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e/go.mod h1:DS/ei404MC7NKLi2uYMRGpUBouEjXL/wkfpN0Of67Tg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
@@ -187,8 +189,6 @@ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.202
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240108171105-f5670a7e8c64/go.mod h1:UTK7po+fGYND9AwrTpQvEhWMYXmViwJaaWt0LzhleDE=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e h1:chk5DpAXCx6fJbnYtIcid6TpRW/QIEh2zt2g4LJHLPA=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3 h1:oEmzvsFf5enmSxGHRzw0ZwiF34didSmLTU+sRbTLNZ8=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3/go.mod h1:+AKxGjuWbDzsqWK3bz0yNP1tghBgkBTpxSrgh4BTWpQ=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240110160147-9348e8bb5a55 h1:Iz1JOKMLU6bcsJeGI0UtZwvSgoLcnogI4TwIuqAxJHQ=

pkg/openstack/placement.go

@@ -55,6 +55,12 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 		}
 	}
 
+	// set CA cert and preserve any previously set TLS certs
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS
+	}
+	instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	if placementAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
 		svcs, err := service.GetServicesListWithLabel(
 			ctx,
@@ -75,7 +81,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 			instance.Spec.Placement.Template.Override.Service,
 			instance.Spec.Placement.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposePlacementAPIReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -84,6 +90,10 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 		}
 
 		instance.Spec.Placement.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+		// update TLS settings with cert secret
+		instance.Spec.Placement.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+		instance.Spec.Placement.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 	}
 
 	Log.Info("Reconciling PlacementAPI", "PlacementAPI.Namespace", instance.Namespace, "PlacementAPI.Name", "placement")