Add support for the TLS configuration

Update the volumes initialisation to support TLS config

Signed-off-by: Veronika Fisarova <[email protected]>

api/bases/placement.openstack.org_placementapis.yaml

@@ -365,6 +365,29 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS certificate and CA for internal TLS traffic
+                properties:
+                  ca:
+                    description: Ca contains CA-specific settings, which could be
+                      used both by services (to define their own CA certificates)
+                      and by clients (to verify the server's certificate)
+                    properties:
+                      caSecretName:
+                        type: string
+                    type: object
+                  service:
+                    description: Service contains server-specific TLS secret
+                    properties:
+                      disableNonTLSListeners:
+                        type: boolean
+                      secretName:
+                        type: string
+                    type: object
+                required:
+                - ca
+                - service
+                type: object
             required:
             - containerImage
             - databaseInstance

api/v1beta1/placementapi_types.go

@@ -19,6 +19,7 @@ package v1beta1
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 
 	corev1 "k8s.io/api/core/v1"
@@ -115,6 +116,10 @@ type PlacementAPISpec struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// TLS certificate and CA for internal TLS traffic
+	TLS *tls.TLS `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

config/crd/bases/placement.openstack.org_placementapis.yaml

@@ -365,6 +365,29 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS certificate and CA for internal TLS traffic
+                properties:
+                  ca:
+                    description: Ca contains CA-specific settings, which could be
+                      used both by services (to define their own CA certificates)
+                      and by clients (to verify the server's certificate)
+                    properties:
+                      caSecretName:
+                        type: string
+                    type: object
+                  service:
+                    description: Service contains server-specific TLS secret
+                    properties:
+                      disableNonTLSListeners:
+                        type: boolean
+                      secretName:
+                        type: string
+                    type: object
+                required:
+                - ca
+                - service
+                type: object
             required:
             - containerImage
             - databaseInstance

pkg/placement/dbsync.go

@@ -76,15 +76,15 @@ func DbSyncJob(
 								RunAsUser: &runAsUser,
 							},
 							Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts: getVolumeMounts(),
+							VolumeMounts: getVolumeMounts(instance),
 						},
 					},
 				},
 			},
 		},
 	}
 
-	job.Spec.Template.Spec.Volumes = getVolumes(ServiceName)
+	job.Spec.Template.Spec.Volumes = getVolumes(instance)
 
 	initContainerDetails := APIDetails{
 		ContainerImage:       instance.Spec.ContainerImage,
@@ -94,7 +94,7 @@ func DbSyncJob(
 		OSPSecret:            instance.Spec.Secret,
 		DBPasswordSelector:   instance.Spec.PasswordSelectors.Database,
 		UserPasswordSelector: instance.Spec.PasswordSelectors.Service,
-		VolumeMounts:         getInitVolumeMounts(),
+		VolumeMounts:         getInitVolumeMounts(instance),
 	}
 	job.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails)
 

pkg/placement/deployment.go

@@ -115,7 +115,7 @@ func Deployment(
 								RunAsUser: &runAsUser,
 							},
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, envVars),
-							VolumeMounts:   getVolumeMounts(),
+							VolumeMounts:   getVolumeMounts(instance),
 							Resources:      instance.Spec.Resources,
 							ReadinessProbe: readinessProbe,
 							LivenessProbe:  livenessProbe,
@@ -126,7 +126,7 @@ func Deployment(
 		},
 	}
 
-	deployment.Spec.Template.Spec.Volumes = getVolumes(instance.Name)
+	deployment.Spec.Template.Spec.Volumes = getVolumes(instance)
 	// If possible two pods of the same service should not
 	// run on the same worker node. If this is not possible
 	// the get still created on the same worker node.
@@ -149,7 +149,7 @@ func Deployment(
 		OSPSecret:            instance.Spec.Secret,
 		DBPasswordSelector:   instance.Spec.PasswordSelectors.Database,
 		UserPasswordSelector: instance.Spec.PasswordSelectors.Service,
-		VolumeMounts:         getInitVolumeMounts(),
+		VolumeMounts:         getInitVolumeMounts(instance),
 	}
 	deployment.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails)
 

pkg/placement/initcontainer.go

@@ -90,7 +90,7 @@ func initContainer(init APIDetails) []corev1.Container {
 			},
 			Args:         args,
 			Env:          envs,
-			VolumeMounts: getInitVolumeMounts(),
+			VolumeMounts: init.VolumeMounts,
 		},
 	}
 }

pkg/placement/volumes.go

@@ -16,22 +16,23 @@ limitations under the License.
 package placement
 
 import (
+	placementv1 "github.com/openstack-k8s-operators/placement-operator/api/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 )
 
 // getVolumes - service volumes
-func getVolumes(name string) []corev1.Volume {
+func getVolumes(instance *placementv1.PlacementAPI) []corev1.Volume {
 	var scriptsVolumeDefaultMode int32 = 0755
 	var config0640AccessMode int32 = 0640
 
-	return []corev1.Volume{
+	volumes := []corev1.Volume{
 		{
 			Name: "scripts",
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					DefaultMode: &scriptsVolumeDefaultMode,
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: name + "-scripts",
+						Name: instance.Name + "-scripts",
 					},
 				},
 			},
@@ -42,7 +43,7 @@ func getVolumes(name string) []corev1.Volume {
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					DefaultMode: &config0640AccessMode,
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: name + "-config-data",
+						Name: instance.Name + "-config-data",
 					},
 				},
 			},
@@ -55,11 +56,18 @@ func getVolumes(name string) []corev1.Volume {
 		},
 	}
 
+	if instance.Spec.TLS != nil {
+		caVolumes := instance.Spec.TLS.CreateVolumes()
+		volumes = append(volumes, caVolumes...)
+	}
+
+	return volumes
+
 }
 
 // getInitVolumeMounts - general init task VolumeMounts
-func getInitVolumeMounts() []corev1.VolumeMount {
-	return []corev1.VolumeMount{
+func getInitVolumeMounts(instance *placementv1.PlacementAPI) []corev1.VolumeMount {
+	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      "scripts",
 			MountPath: "/usr/local/bin/container-scripts",
@@ -76,11 +84,18 @@ func getInitVolumeMounts() []corev1.VolumeMount {
 			ReadOnly:  false,
 		},
 	}
+
+	if instance.Spec.TLS != nil {
+		caVolumeMounts := instance.Spec.TLS.CreateVolumeMounts()
+		volumeMounts = append(volumeMounts, caVolumeMounts...)
+	}
+
+	return volumeMounts
 }
 
 // getVolumeMounts - general VolumeMounts
-func getVolumeMounts() []corev1.VolumeMount {
-	return []corev1.VolumeMount{
+func getVolumeMounts(instance *placementv1.PlacementAPI) []corev1.VolumeMount {
+	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      "scripts",
 			MountPath: "/usr/local/bin/container-scripts",
@@ -98,4 +113,11 @@ func getVolumeMounts() []corev1.VolumeMount {
 			ReadOnly:  true,
 		},
 	}
+
+	if instance.Spec.TLS != nil {
+		caVolumeMounts := instance.Spec.TLS.CreateVolumeMounts()
+		volumeMounts = append(volumeMounts, caVolumeMounts...)
+	}
+
+	return volumeMounts
 }

tests/functional/placementapi_controller_test.go

@@ -683,4 +683,41 @@ var _ = Describe("PlacementAPI controller", func() {
 		})
 
 	})
+
+	When("TLS config is present", func() {
+		var placementAPINames Names
+
+		BeforeEach(func() {
+			specWithTLS := GetDefaultPlacementAPISpec()
+			instance := CreatePlacementAPI(names.PlacementAPIName, specWithTLS)
+
+			placementAPINames = CreateNames(types.NamespacedName{
+				Namespace: instance.GetNamespace(),
+				Name:      instance.GetName(),
+			})
+		})
+
+		It("should create volumes with the TLS information", func() {
+			deployment := th.GetDeployment(names.DeploymentName)
+			Eventually(func() {
+				Expect(k8sClient.Get(ctx, placementAPINames.DeploymentName, deployment)).To(Succeed())
+			}).Should(Succeed())
+			Expect(deployment.Spec.Template.Spec.Volumes).To(ContainElement(HaveField("Name", Equal("tls-certs"))))
+			Expect(deployment.Spec.Template.Spec.Volumes).To(ContainElement(HaveField("Name", Equal("ca-certs"))))
+		})
+
+		It("should create volume mounts with the TLS information", func() {
+			deployment := th.GetDeployment(names.DeploymentName)
+			Eventually(func() {
+				Expect(k8sClient.Get(ctx, placementAPINames.DeploymentName, deployment)).To(Succeed())
+			}).Should(Succeed())
+
+			container := deployment.Spec.Template.Spec.Containers[0]
+
+			Expect(container.VolumeMounts).To(ContainElement(HaveField("Name", Equal("tls-crt"))))
+			Expect(container.VolumeMounts).To(ContainElement(HaveField("Name", Equal("tls-key"))))
+			Expect(container.VolumeMounts).To(ContainElement(HaveField("Name", Equal("ca-certs"))))
+		})
+	})
+
 })