[tlse] tls support for octaviaAPI, amphora pod configuration, add TLS…
… databse connection

Public/internal service cert secrets and the CA bundle secret can be passed to configure the httpd virtual hosts for TLS termination. The certs are mounted directly into place at /etc/pki/tls/certs/%s.crt|key, and the CA bundle at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Job deployments for bootstrap/cron get the CA bundle added if configured.

Depends-On: openstack-k8s-operators/lib-common#428

Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 committed Mar 19, 2024
1 parent 8675466 commit f03ec3d
Showing 25 changed files with 1,077 additions and 40 deletions.
Expand Up @@ -232,6 +232,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that controls
the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
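--- a/api/bases/octavia.openstack.org_octaviaapis.yaml
+++ b/api/bases/octavia.openstack.org_octaviaapis.yaml
@@ -362,6 +362,36 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret for
+the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret for
+the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string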
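--- a/api/bases/octavia.openstack.org_octavias.yaml
+++ b/api/bases/octavia.openstack.org_octavias.yaml
@@ -448,6 +448,36 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret
+for the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret
+for the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -646,6 +676,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -844,6 +882,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -1042,6 +1088,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string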
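--- a/api/v1beta1/amphoracontroller_types.go
+++ b/api/v1beta1/amphoracontroller_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -135,6 +136,9 @@ type OctaviaAmphoraControllerSpecCore struct {
 // +kubebuilder:default={}
 // List of Redis Host IP addresses
 RedisHostIPs []string `json:"redisHostIPs,omitempty"`
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // OctaviaAmphoraControllerStatus defines the observed state of the Octavia Amphora Controller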
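Review bot: The new `TLS tls.Ca` field in OctaviaAmphoraControllerSpecCore is missing the `// +kubebuilder:validation:Optional` marker that the sibling `TLS tls.API` field in OctaviaAPISpecCore carries in the same commit, so the two specs are annotated inconsistently even though both use `omitempty`; add `// +kubebuilder:validation:Optional` above the `+operator-sdk` marker. The comment `// TLS - Parameters related to the TLS` also tells a CRD user nothing about what the one setting does; per the commit description the bundle lands in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so `// TLS - caBundleSecretName names the secret whose CA bundle is mounted into the pod trust store (/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) for the controller's outbound TLS connections` would be more useful. What happens when the field is left unset (presumably the image's default trust store is used) is not visible here and should be stated in the comment once confirmed. The struct OctaviaAmphoraControllerSpecCore begins outside the hunk.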
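--- a/api/v1beta1/octaviaapi_types.go
+++ b/api/v1beta1/octaviaapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/service"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -135,6 +136,11 @@ type OctaviaAPISpecCore struct {
 // +kubebuilder:validation:Optional
 // NetworkAttachments is a list of NetworkAttachment resource names to expose the services to the given network
 NetworkAttachments []string `json:"networkAttachments,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.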
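Review bot: `// TLS - Parameters related to the TLS` on the new `TLS tls.API` field documents nothing a user can act on, yet this is the field that decides whether the public and internal API endpoints terminate TLS at all; suggest `// TLS - api.public/api.internal name the secrets holding the cert and key httpd uses for TLS termination on each endpoint; caBundleSecretName names the CA bundle secret mounted into the pod trust store`. Both secret names are plain strings with no validation markers, so a mistyped secret name only surfaces at reconcile time; if lib-common does not already report a missing secret through a status condition, that is worth confirming before this ships. The struct OctaviaAPISpecCore starts outside the hunk.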
2 changes: 2 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


Expand Up @@ -232,6 +232,14 @@ spec:
description: TenantName - the name of the OpenStack tenant that controls
the Octavia resources TODO(gthiemonge) same as ServiceAccount?
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
type: string
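--- a/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
+++ b/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
@@ -362,6 +362,36 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret for
+the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret for
+the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string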
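--- a/config/crd/bases/octavia.openstack.org_octavias.yaml
+++ b/config/crd/bases/octavia.openstack.org_octavias.yaml
@@ -448,6 +448,36 @@ spec:
 default: octavia
 description: ServiceUser - service user name
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret
+for the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret
+for the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -646,6 +676,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -844,6 +882,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string
@@ -1042,6 +1088,14 @@ spec:
 description: TenantName - the name of the OpenStack tenant that
 controls the Octavia resources TODO(gthiemonge) same as ServiceAccount?
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 transportURLSecret:
 description: TransportURLSecret - Secret containing RabbitMQ transportURL
 type: string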
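--- /dev/null
+++ b/config/samples/octavia_v1beta1_octavia_tls.yaml
@@ -0,0 +1,70 @@
+apiVersion: octavia.openstack.org/v1beta1
+kind: Octavia
+metadata:
+name: octavia
+spec:
+databaseInstance: openstack
+databaseUser: octavia
+serviceUser: octavia
+rabbitMqClusterName: rabbitmq
+secret: osp-secret
+preserveJobs: false
+customServiceConfig: |
+[DEFAULT]
+debug = true
+octaviaHousekeeping:
+databaseInstance: openstack
+databaseUser: octavia
+serviceUser: octavia
+serviceAccount: octavia
+role: housekeeping
+certssecret: octavia-amp-cert-data
+certspassphrasesecret: octavia-ca-passphrase
+secret: osp-secret
+preserveJobs: false
+customServiceConfig: |
+[DEFAULT]
+debug = true
+octaviaHealthManager:
+databaseInstance: openstack
+databaseUser: octavia
+serviceUser: octavia
+serviceAccount: octavia
+role: healthmanager
+certssecret: octavia-amp-cert-data
+certspassphrasesecret: octavia-ca-passphrase
+secret: osp-secret
+preserveJobs: false
+customServiceConfig: |
+[DEFAULT]
+debug = true
+octaviaWorker:
+databaseInstance: openstack
+databaseUser: octavia
+serviceUser: octavia
+serviceAccount: octavia
+role: worker
+certssecret: octavia-amp-cert-data
+certspassphrasesecret: octavia-ca-passphrase
+secret: osp-secret
+preserveJobs: false
+customServiceConfig: |
+[DEFAULT]
+debug = true
+octaviaAPI:
+databaseInstance: openstack
+databaseUser: octavia
+serviceUser: octavia
+serviceAccount: octavia
+secret: osp-secret
+preserveJobs: false
+customServiceConfig: |
+[DEFAULT]
+debug = true
+tls:
+api:
+internal:
+secretName: cert-octavia-internal-svc
+public:
+secretName: cert-octavia-public-svc
+caBundleSecretName: combined-ca-bundle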
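Review bot: This sample is named `octavia_tls` but only sets `tls` under `octaviaAPI`; the `octaviaHousekeeping`, `octaviaHealthManager` and `octaviaWorker` blocks do not set the `tls.caBundleSecretName` field this same commit adds to the amphora controller spec, so anyone copying the sample gets TLS termination on the API while the controller pods keep whatever trust store the image ships, presumably without the deployment CA for the database and message-queue connections the commit message mentions. Add `tls:` / `  caBundleSecretName: combined-ca-bundle` under each of the three controller specs, or leave a comment explaining why they are omitted. Every `customServiceConfig` also keeps `debug = true`; that is normal for a sample, but since a TLS-focused example is where people look for production-like settings, a one-line `# sample settings only` comment above the first block would make the intent clear.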
