From 9a7f93835a8fa0f60aee97ece3b31bcd789f1d35 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Fri, 12 Jan 2024 17:23:47 +0100
Subject: [PATCH] [tlse] internal TLS support for placement
Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like:
~~~
customServiceConfig: |
[keystone_authtoken]
insecure = true
[placement]
insecure = true
[neutron]
insecure = true
[glance]
insecure = true
[cinder]
insecure = true
~~~
Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/428
Depends-On: https://github.com/openstack-k8s-operators/openstack-operator/pull/620
Depends-On: https://github.com/openstack-k8s-operators/placement-operator/pull/92
Jira: OSPRH-2368
---
 ...e.openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++++++
 apis/go.mod | 2 ++
 apis/go.sum | 4 ++--
 ...e.openstack.org_openstackcontrolplanes.yaml | 18 ++++++++++++++++++
 go.mod | 2 ++
 go.sum | 4 ++--
 pkg/openstack/placement.go | 12 +++++++++++-
 7 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
index 6269c9730..a9e0d88ee 100644
--- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -10756,6 +10756,24 @@ spec:
 serviceUser:
 default: placement
 type: string
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
 required:
 - containerImage
 - databaseInstance
diff --git a/apis/go.mod b/apis/go.mod
index 74a98dca8..2a44c6b71 100644
--- a/apis/go.mod
+++ b/apis/go.mod
@@ -112,3 +112,5 @@ replace ( //allow-merging
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e
diff --git a/apis/go.sum b/apis/go.sum
index 656253209..6ee00531c 100644
--- a/apis/go.sum
+++ b/apis/go.sum
@@ -20,6 +20,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e h1:tXTZoa8tsmJVp7+zRzJKQaVJYtwhZ31SPIxIuN6m2hk=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e/go.mod h1:DS/ei404MC7NKLi2uYMRGpUBouEjXL/wkfpN0Of67Tg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
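Review bot: The `replace` added on the last line of the apis/go.mod hunk redirects github.com/openstack-k8s-operators/placement-operator/api to a personal fork (github.com/deydra71/...) pinned by pseudo-version, which is a supply-chain concern if it survives past the dependent change: anything the fork owner pushes to that commit's lineage is not what the org module reviews. It is presumably a temporary hold until the placement-operator PR listed in Depends-On merges, but nothing in the file says so, and unlike the existing `//allow-merging` replace lines this one carries no tag, which I read as intentionally keeping the merge gate closed. Suggest making that explicit on the line, e.g. `replace ... => github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e // TODO(mschuppert): temporary, switch back to the org module once placement-operator#92 merges`. The same replace is added to the root go.mod further down and must be reverted together with this one, as the "must consistent within modules" comment above it requires.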
@@ -166,8 +168,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240111141638-
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240111141638-941aa4c7af37/go.mod h1:KKhVU+ZNYFnhQ0SHoP7R63RDUmzLQ5i9zyantT5uoco=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e h1:chk5DpAXCx6fJbnYtIcid6TpRW/QIEh2zt2g4LJHLPA=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3 h1:oEmzvsFf5enmSxGHRzw0ZwiF34didSmLTU+sRbTLNZ8=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3/go.mod h1:+AKxGjuWbDzsqWK3bz0yNP1tghBgkBTpxSrgh4BTWpQ=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240110160147-9348e8bb5a55 h1:Iz1JOKMLU6bcsJeGI0UtZwvSgoLcnogI4TwIuqAxJHQ=
diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
index 6269c9730..a9e0d88ee 100644
--- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -10756,6 +10756,24 @@ spec:
 serviceUser:
 default: placement
 type: string
+ tls:
+ properties:
+ api:
+ properties:
+ internal:
+ properties:
+ secretName:
+ type: string
+ type: object
+ public:
+ properties:
+ secretName:
+ type: string
+ type: object
+ type: object
+ caBundleSecretName:
+ type: string
+ type: object
 required:
 - containerImage
 - databaseInstance
diff --git a/go.mod b/go.mod
index 7a735143f..716311c71 100644
--- a/go.mod
+++ b/go.mod
@@ -130,3 +130,5 @@ replace github.com/openstack-k8s-operators/openstack-operator/apis => ./apis
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e
diff --git a/go.sum b/go.sum
index 97ea2131a..839cb68d8 100644
--- a/go.sum
+++ b/go.sum
@@ -24,6 +24,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e h1:tXTZoa8tsmJVp7+zRzJKQaVJYtwhZ31SPIxIuN6m2hk=
+github.com/deydra71/placement-operator/api v0.0.0-20240111095748-ebe486a46a6e/go.mod h1:DS/ei404MC7NKLi2uYMRGpUBouEjXL/wkfpN0Of67Tg=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
@@ -187,8 +189,6 @@ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.202
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240108171105-f5670a7e8c64/go.mod h1:UTK7po+fGYND9AwrTpQvEhWMYXmViwJaaWt0LzhleDE=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e h1:chk5DpAXCx6fJbnYtIcid6TpRW/QIEh2zt2g4LJHLPA=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240111085209-325aba74512e/go.mod h1:dW9t4uY1crn1wyF2/ysm5Jt1mcfTd2q9l0JdsKPplTs=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3 h1:oEmzvsFf5enmSxGHRzw0ZwiF34didSmLTU+sRbTLNZ8=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240108172732-c16308f718a3/go.mod h1:+AKxGjuWbDzsqWK3bz0yNP1tghBgkBTpxSrgh4BTWpQ=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240110160147-9348e8bb5a55 h1:Iz1JOKMLU6bcsJeGI0UtZwvSgoLcnogI4TwIuqAxJHQ=
diff --git a/pkg/openstack/placement.go b/pkg/openstack/placement.go
index 7e04c78a2..156f36bbd 100644
--- a/pkg/openstack/placement.go
+++ b/pkg/openstack/placement.go
@@ -55,6 +55,12 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 }
 }
+ // set CA cert and preserve any previously set TLS certs
+ if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+ instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS
+ }
+ instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 if placementAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
 svcs, err := service.GetServicesListWithLabel(
 ctx,
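Review bot: The last added line of the placement.go hunk, `instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName`, copies the status value unconditionally, so an empty status (presumably possible before the CA bundle has been reconciled; where Status.TLS is populated is not visible here) blanks any CaBundleSecretName already present in the template and the PlacementAPI CR is reconciled with no CA bundle to verify against. Getting this right matters because the commit description's workaround for consumers is `insecure = true`, which disables certificate verification entirely; a guard such as `if instance.Status.TLS.CaBundleSecretName != "" { instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName }` keeps a previously set bundle. The comment `// set CA cert and preserve any previously set TLS certs` also overstates the `if instance.Spec.TLS.Enabled(service.EndpointInternal)` branch: it carries the existing CR's TLS block over only when internal TLS is enabled, and it replaces the whole template TLS struct rather than merging into it. Consider `// internal TLS enabled: start from the TLS block of the existing PlacementAPI CR (replaces the template's TLS settings); the CA bundle always comes from the control plane status` so the next reader does not expect a merge. ReconcilePlacementAPI begins before this hunk.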
@@ -75,7 +81,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 instance.Spec.Placement.Template.Override.Service,
 instance.Spec.Placement.APIOverride,
 corev1beta1.OpenStackControlPlaneExposePlacementAPIReadyCondition,
- true, // TODO: (mschuppert) disable TLS for now until implemented
+ false, // TODO (mschuppert) could be removed when all integrated service support TLS
 )
 if err != nil {
 return ctrlResult, err
@@ -84,6 +90,10 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 }
 instance.Spec.Placement.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+ // update TLS settings with cert secret
+ instance.Spec.Placement.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+ instance.Spec.Placement.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 }
 Log.Info("Reconciling PlacementAPI", "PlacementAPI.Namespace", instance.Namespace, "PlacementAPI.Name", "placement")
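Review bot: The flipped positional literal `false,` on the changed line is opaque at the call site: the only hint of what it controls was the removed comment ("disable TLS for now"), and the replacement `// TODO (mschuppert) could be removed when all integrated service support TLS` says what may go away but not what the argument means or which "it" is removable. Name the flag inline using whatever the callee declares (the parameter list is outside the hunk), e.g. `false, // disableTLS: placement endpoints now get certs; TODO (mschuppert) drop this parameter once all integrated services support TLS`. The call this argument belongs to opens before the hunk.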
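Review bot: The two added assignments in the second hunk overwrite `Template.TLS.API.Public.SecretName` and `Template.TLS.API.Internal.SecretName` with whatever `endpointDetails.GetEndptCertSecret` returns, with no check that the value is non-empty; if that helper returns "" for an endpoint whose TLS is not enabled (its implementation is not visible here), this discards the secret name carried over from the existing PlacementAPI earlier in the function and the child CR is reconciled without a cert. Guarding each assignment keeps the previous value, e.g. `if s := endpointDetails.GetEndptCertSecret(service.EndpointPublic); s != "" { instance.Spec.Placement.Template.TLS.API.Public.SecretName = s }` and the same for the internal endpoint. The comment `// update TLS settings with cert secret` should also say that these override the secret names copied from the existing CR above, since the two blocks only make sense read together; something like `// cert secrets created for the exposed endpoints take precedence over whatever TLS block was carried over from the existing CR`. ReconcilePlacementAPI continues past the hunk.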