[tlse] internal TLS support for keystone

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For services which at this point don't support TLS, cert validation could be disabled using customService config like e.g.: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true ~~~ For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: #620 Depends-On: openstack-k8s-operators/keystone-operator#348 Jira: OSPRH-2183
openstack-k8s-operators · Jan 12, 2024 · c7b408b · c7b408b
1 parent 437be4d
commit c7b408b
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 6 deletions.
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -6432,6 +6432,24 @@ spec:
                         type: object
                       secret:
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                       trustFlushArgs:
                         default: ""
                         type: string
@@ -6445,6 +6463,7 @@ spec:
                     - containerImage
                     - databaseInstance
                     - memcachedInstance
+                    - rabbitMqClusterName
                     - secret
                     type: object
                 type: object

diff --git a/apis/go.mod b/apis/go.mod
@@ -112,3 +112,5 @@ replace ( //allow-merging
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6
diff --git a/apis/go.sum b/apis/go.sum
@@ -146,8 +146,6 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c4ffc51e0752/go.mod h1:y4qeIT1ubUm9SKrvhVTuEYWSm0so38P5Hu3ZpdMJMek=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240110024944-744b2fd381ed h1:T3DoXtxj2bb5yNDmM8nzWhWVpqmwiI3UPD7nJrTAgfg=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240110024944-744b2fd381ed/go.mod h1:ucxn3iX+wWE+8khOSw+RnE6aUhuUENF5M1MHNnlYYPo=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 h1:IwTuIoC78bbp3awd8P0tWeknCe2jNLB1FCJDIwI/2Pg=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316/go.mod h1:qx+z+k0RMK8Vcl5Nug6bOScEg7ROSxEV4FFy0gjcQDQ=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14 h1:8batipIElAHscbsVUJz8w/2NOvu+pRi8ixF1XUP6WiQ=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14/go.mod h1:ov4lAbniNUsLqZCBp1RTixpqXc8JlzA5B+yTcCkJXQg=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240110131857-e70e1dec4d14 h1:95VORmL7rHRMKPo/E3G+oUpDT7g90+tw3Mdxc1Tfv6E=
@@ -209,6 +207,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NPd4H7TpNCDO8VT/8H3O4kot8+AZYUraO0Sx6OP5V1Q=
+github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -6432,6 +6432,24 @@ spec:
                         type: object
                       secret:
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                       trustFlushArgs:
                         default: ""
                         type: string
@@ -6445,6 +6463,7 @@ spec:
                     - containerImage
                     - databaseInstance
                     - memcachedInstance
+                    - rabbitMqClusterName
                     - secret
                     type: object
                 type: object

diff --git a/go.mod b/go.mod
@@ -130,3 +130,5 @@ replace github.com/openstack-k8s-operators/openstack-operator/apis => ./apis
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6
diff --git a/go.sum b/go.sum
@@ -159,8 +159,6 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240104150635-c4ffc51e0752/go.mod h1:y4qeIT1ubUm9SKrvhVTuEYWSm0so38P5Hu3ZpdMJMek=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240110024944-744b2fd381ed h1:T3DoXtxj2bb5yNDmM8nzWhWVpqmwiI3UPD7nJrTAgfg=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240110024944-744b2fd381ed/go.mod h1:ucxn3iX+wWE+8khOSw+RnE6aUhuUENF5M1MHNnlYYPo=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316 h1:IwTuIoC78bbp3awd8P0tWeknCe2jNLB1FCJDIwI/2Pg=
-github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240104144437-5355d932c316/go.mod h1:qx+z+k0RMK8Vcl5Nug6bOScEg7ROSxEV4FFy0gjcQDQ=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240110131857-e70e1dec4d14 h1:ufG9wUWSMiOMkJuzOGAoShuULamanaM5gfaAaUPXx2g=
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240110131857-e70e1dec4d14/go.mod h1:XGpipHyxzc+oqOX0aJFYtdGms9SiJwkAooyYc6MW4Ys=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14 h1:8batipIElAHscbsVUJz8w/2NOvu+pRi8ixF1XUP6WiQ=
@@ -234,6 +232,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NPd4H7TpNCDO8VT/8H3O4kot8+AZYUraO0Sx6OP5V1Q=
+github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=

diff --git a/pkg/openstack/keystone.go b/pkg/openstack/keystone.go
@@ -57,6 +57,12 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 		}
 	}
 
+	// preserve any previously set TLS certs,set CA cert
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		instance.Spec.Keystone.Template.TLS = keystoneAPI.Spec.TLS
+	}
+	instance.Spec.Keystone.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	if keystoneAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
 		svcs, err := service.GetServicesListWithLabel(
 			ctx,
@@ -77,7 +83,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 			instance.Spec.Keystone.Template.Override.Service,
 			instance.Spec.Keystone.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeKeystoneAPIReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -86,9 +92,12 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 		}
 
 		instance.Spec.Keystone.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+		// update TLS settings with cert secret
+		instance.Spec.Keystone.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+		instance.Spec.Keystone.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 	}
 
-	helper.GetLogger().Info("Reconciling KeystoneAPI", "KeystoneAPI.Namespace", instance.Namespace, "KeystoneAPI.Name", "keystone")
 	Log.Info("Reconciling KeystoneAPI", "KeystoneAPI.Namespace", instance.Namespace, "KeystoneAPI.Name", "keystone")
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), keystoneAPI, func() error {
 		instance.Spec.Keystone.Template.DeepCopyInto(&keystoneAPI.Spec)
@@ -103,6 +112,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 			//keystoneAPI.Spec.DatabaseInstance = instance.Name // name of MariaDB we create here
 			keystoneAPI.Spec.DatabaseInstance = "openstack" //FIXME: see above
 		}
+
 		err := controllerutil.SetControllerReference(helper.GetBeforeObject(), keystoneAPI, helper.GetScheme())
 		if err != nil {
 			return err