[TLS] Create full CA bundle from operator base image

Instead of adding additional CAs (public, internal, 3rd party) to
the deployments, this will create a full tls-ca-bundle.pem using
the operator image ca-bundle as base and adds the public, internal
and user provided CAs to it. This allows to mount a full tls-ca-bundle.pem
into the deployment pod and don't have to rely on kolla to run
update-ca-trust which requires container to run as root.

Jira: OSP-26299

apis/go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.1.1-0.20231001103054-f74a88ed4971
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20231006045519-4d73854cb09a
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119-e75019792469
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20231006072008-252ecd8282fd
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20231005123831-d6230489c98e

apis/go.sum

@@ -142,8 +142,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20231006045519-4
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20231006045519-4d73854cb09a/go.mod h1:NR5xmmZQz/v1EgGfSrL/4yCbQpRbaWLoIx1CgpGiWck=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119-e75019792469 h1:gi9kvJAF8YrsQnRhOVjTWtcjhOqFe7rD3uU6g6pKCFQ=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119-e75019792469/go.mod h1:5v0ngxNmFp8QsINo2bufx1/COJc0q6jm3FMhP3xIAWE=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:ALZWU2GFDSoOKoBsGbsdgAzlJzGFFsBVFyLvrJIZ+ss=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1/go.mod h1:Ozg6SxfwOtMkiH553c0XQBWuygZQq4jDQCpR4hZqlxM=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8 h1:qXeMYpPJgfZef/0fISzAcwW5+v0QJmSzWyBdaHwcWIk=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8/go.mod h1:Ozg6SxfwOtMkiH553c0XQBWuygZQq4jDQCpR4hZqlxM=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:C1UGjKkwP1d/GwAjoIlgA6h/8FcIAT5De7ShPGSTXEw=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20231006072650-7fe7fe16bcd1/go.mod h1:LOXXvTQCwhOBNd+0FTlgllpa3wqlkI6Vf3Q5QVRVPlw=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:+vRt690N+He4uJM0Cvk7Fguw0zs395A8qfV5Uq8B7kw=

config/samples/core_v1beta1_openstackcontrolplane.yaml

@@ -10,9 +10,6 @@ spec:
       enabled: false
     publicEndpoints:
       enabled: true
-  openstackclient:
-    template:
-      containerImage: quay.io/mschuppe/openstack-openstackclient:current-podified
   keystone:
     template:
       databaseInstance: openstack

config/samples/core_v1beta1_openstackcontrolplane_galera_network_isolation.yaml

@@ -10,9 +10,6 @@ spec:
       enabled: false
     publicEndpoints:
       enabled: true
-  openstackclient:
-    template:
-      containerImage: quay.io/mschuppe/openstack-openstackclient:current-podified
   dns:
     template:
       override:

config/samples/core_v1beta1_openstackcontrolplane_galera_network_isolation_3replicas.yaml

@@ -10,9 +10,6 @@ spec:
       enabled: false
     publicEndpoints:
       enabled: true
-  openstackclient:
-    template:
-      containerImage: quay.io/mschuppe/openstack-openstackclient:current-podified
   dns:
     template:
       override:

config/samples/core_v1beta1_openstackcontrolplane_network_isolation.yaml

@@ -10,9 +10,6 @@ spec:
       enabled: false
     publicEndpoints:
       enabled: true
-  openstackclient:
-    template:
-      containerImage: quay.io/mschuppe/openstack-openstackclient:current-podified
   dns:
     template:
       override:

controllers/core/openstackcontrolplane_controller.go

@@ -31,6 +31,7 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	corev1 "k8s.io/api/core/v1"
 
 	manilav1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
@@ -328,6 +329,7 @@ func (r *OpenStackControlPlaneReconciler) reconcileNormal(ctx context.Context, i
 func (r *OpenStackControlPlaneReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&corev1beta1.OpenStackControlPlane{}).
+		Owns(&corev1.Secret{}).
 		Owns(&mariadbv1.MariaDB{}).
 		Owns(&mariadbv1.Galera{}).
 		Owns(&memcachedv1.Memcached{}).

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20231006045519-4d73854cb09a
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119-e75019792469
 	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231006072650-7fe7fe16bcd1
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20231006072008-252ecd8282fd
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20231005123831-d6230489c98e
@@ -34,6 +34,7 @@ require (
 	github.com/operator-framework/api v0.17.6
 	github.com/rabbitmq/cluster-operator/v2 v2.5.0
 	go.uber.org/zap v1.26.0
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	k8s.io/api v0.27.2
 	k8s.io/apimachinery v0.27.4
 	k8s.io/client-go v0.27.2
@@ -46,7 +47,6 @@ require (
 	github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect
 	github.com/metal3-io/baremetal-operator/apis v0.3.1 // indirect
 	github.com/metal3-io/baremetal-operator/pkg/hardwareutils v0.2.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 	sigs.k8s.io/gateway-api v0.6.0 // indirect
 )

go.sum

@@ -155,8 +155,8 @@ github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20231005132119-e75019792469/go.mod h1:5v0ngxNmFp8QsINo2bufx1/COJc0q6jm3FMhP3xIAWE=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231006072650-7fe7fe16bcd1 h1:sE/qio/WNUEng0VBmefSr46e/cq4R83payEzge/Y48U=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231006072650-7fe7fe16bcd1/go.mod h1:u1pqzqGNLcof95aqhLfU6xHVTD6ZTc5gWy2FE03UrZQ=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:ALZWU2GFDSoOKoBsGbsdgAzlJzGFFsBVFyLvrJIZ+ss=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231006072650-7fe7fe16bcd1/go.mod h1:Ozg6SxfwOtMkiH553c0XQBWuygZQq4jDQCpR4hZqlxM=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8 h1:qXeMYpPJgfZef/0fISzAcwW5+v0QJmSzWyBdaHwcWIk=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231009135225-e0907a2df5d8/go.mod h1:Ozg6SxfwOtMkiH553c0XQBWuygZQq4jDQCpR4hZqlxM=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:C1UGjKkwP1d/GwAjoIlgA6h/8FcIAT5De7ShPGSTXEw=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20231006072650-7fe7fe16bcd1/go.mod h1:LOXXvTQCwhOBNd+0FTlgllpa3wqlkI6Vf3Q5QVRVPlw=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231006072650-7fe7fe16bcd1 h1:+vRt690N+He4uJM0Cvk7Fguw0zs395A8qfV5Uq8B7kw=