[tlse] tls for PlacementAPI pod configuration

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs are mounted to in var/lib/config-data/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Server cert and key are intended to be moved by kolla to /etc/pki/tls/certs|private. Depends-On: openstack-k8s-operators/lib-common#428 Signed-off-by: Veronika Fisarova <[email protected]>
openstack-k8s-operators · Jan 25, 2024 · 72883dc · 72883dc
1 parent 2729bbc
commit 72883dc
Show file tree

Hide file tree

Showing 24 changed files with 873 additions and 30 deletions.
diff --git a/api/bases/placement.openstack.org_placementapis.yaml b/api/bases/placement.openstack.org_placementapis.yaml
@@ -365,6 +365,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - containerImage
             - databaseInstance

diff --git a/api/v1beta1/placementapi_types.go b/api/v1beta1/placementapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 
 	corev1 "k8s.io/api/core/v1"
@@ -115,6 +116,11 @@ type PlacementAPISpec struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/placement.openstack.org_placementapis.yaml b/config/crd/bases/placement.openstack.org_placementapis.yaml
@@ -365,6 +365,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - containerImage
             - databaseInstance

diff --git a/config/samples/placement_v1beta1_placementtls.yaml b/config/samples/placement_v1beta1_placementtls.yaml
@@ -0,0 +1,24 @@
+apiVersion: placement.openstack.org/v1beta1
+kind: PlacementAPI
+metadata:
+  name: placement
+spec:
+  serviceUser: placement
+  customServiceConfig: |
+    [DEFAULT]
+    debug = true
+  databaseInstance: openstack
+  databaseUser: placement
+  debug:
+    dbSync: false
+    service: false
+  preserveJobs: false
+  replicas: 1
+  secret: placement-secret
+  tls:
+    api:
+      internal:
+        secretName: cert-internal-svc
+      public:
+        secretName: cert-public-svc
+    caBundleSecretName: combined-ca-bundle