Skip to content

Commit

Permalink
[tlse] tls support for octaviaAPI, amphora pod configuration, add TLS…
Browse files Browse the repository at this point in the history 
… databse connection

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs get direct mounted to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured.

Depends-On: openstack-k8s-operators/lib-common#428

Signed-off-by: Veronika Fisarova <[email protected]>
  • Loading branch information
@Deydra71
Deydra71 committed Mar 14, 2024
1 parent d81f1e5 commit 19ee0f7
Show file tree
Hide file tree
Showing 26 changed files with 1,058 additions and 15 deletions.
8 changes: 8 additions & 0 deletions api/bases/octavia.openstack.org_octaviaamphoracontrollers.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that controls
the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
30 changes: 30 additions & 0 deletions api/bases/octavia.openstack.org_octaviaapis.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -362,6 +362,36 @@ spec:
default: octavia
description: ServiceUser - service user name
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
api:
description: API tls type which encapsulates for API services
properties:
internal:
description: Internal GenericService - holds the secret for
the internal endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
public:
description: Public GenericService - holds the secret for
the public endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
54 changes: 54 additions & 0 deletions api/bases/octavia.openstack.org_octavias.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,36 @@ spec:
default: octavia
description: ServiceUser - service user name
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
api:
description: API tls type which encapsulates for API services
properties:
internal:
description: Internal GenericService - holds the secret
for the internal endpoint
properties:
secretName:
description: SecretName - holding the cert, key for
the service
type: string
type: object
public:
description: Public GenericService - holds the secret
for the public endpoint
properties:
secretName:
description: SecretName - holding the cert, key for
the service
type: string
type: object
type: object
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -640,6 +670,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -838,6 +876,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -1036,6 +1082,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
7 changes: 7 additions & 0 deletions api/go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU=
github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
Expand Down Expand Up @@ -58,7 +59,9 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand Down Expand Up @@ -87,16 +90,19 @@ github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1B
github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
Expand Down Expand Up @@ -167,6 +173,7 @@ google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7
google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
Expand Down
4 changes: 4 additions & 0 deletions api/v1beta1/amphoracontroller_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package v1beta1

import (
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -135,6 +136,9 @@ type OctaviaAmphoraControllerSpecCore struct {
// +kubebuilder:default={}
// List of Redis Host IP addresses
RedisHostIPs []string `json:"redisHostIPs,omitempty"`
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.Ca `json:"tls,omitempty"`
}

// OctaviaAmphoraControllerStatus defines the observed state of the Octavia Amphora Controller
Expand Down
6 changes: 6 additions & 0 deletions api/v1beta1/octaviaapi_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package v1beta1
import (
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -132,6 +133,11 @@ type OctaviaAPISpecCore struct {
// +kubebuilder:validation:Optional
// NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
NetworkAttachments []string `json:"networkAttachments,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.API `json:"tls,omitempty"`
}

// APIOverrideSpec to override the generated manifest of several child resources.
Expand Down
2 changes: 2 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions config/crd/bases/octavia.openstack.org_octaviaamphoracontrollers.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that controls
the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
30 changes: 30 additions & 0 deletions config/crd/bases/octavia.openstack.org_octaviaapis.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -362,6 +362,36 @@ spec:
default: octavia
description: ServiceUser - service user name
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
api:
description: API tls type which encapsulates for API services
properties:
internal:
description: Internal GenericService - holds the secret for
the internal endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
public:
description: Public GenericService - holds the secret for
the public endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
54 changes: 54 additions & 0 deletions config/crd/bases/octavia.openstack.org_octavias.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,36 @@ spec:
default: octavia
description: ServiceUser - service user name
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
api:
description: API tls type which encapsulates for API services
properties:
internal:
description: Internal GenericService - holds the secret
for the internal endpoint
properties:
secretName:
description: SecretName - holding the cert, key for
the service
type: string
type: object
public:
description: Public GenericService - holds the secret
for the public endpoint
properties:
secretName:
description: SecretName - holding the cert, key for
the service
type: string
type: object
type: object
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -640,6 +670,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -838,6 +876,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down Expand Up @@ -1036,6 +1082,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that
controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
Expand Down
Loading

0 comments on commit 19ee0f7

Please sign in to comment.