Use dns cluster info from lib common get function
Openshift coreDNS creates the domain name using a string
located in dnses.operator.openshift.io. This string can
change in the future; by calling lib-common/GetDNSClusterDomain,
the responsibility of gathering this information correctly
falls only on lib-common instead of on every operator.

Depends-on: openstack-k8s-operators/lib-common#580
Resolves: OSPRH-3627
averdagu committed Dec 10, 2024
1 parent c8ed999 commit b8ad389
Showing 9 changed files with 40 additions and 24 deletions.
9 changes: 4 additions & 5 deletions pkg/openstack/common.go
@@ -20,6 +20,7 @@ import (
keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/route"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
@@ -58,9 +59,6 @@ const (
// overrides
ooAppSelector = "osctlplane-service"

// ClusterInternalDomain - cluster internal dns domain
ClusterInternalDomain = "cluster.local"

// serviceCertSelector selector passed to cert-manager to set on the service cert secret
serviceCertSelector = "service-cert"

@@ -209,6 +207,7 @@ func EnsureEndpointConfig(
endpoints := Endpoints{
EndpointDetails: map[service.Endpoint]EndpointDetail{},
}
clusterDomain := clusterdns.GetDNSClusterDomain()

for _, svc := range svcs.Items {
ed := EndpointDetail{
@@ -316,7 +315,7 @@ func EnsureEndpointConfig(
CertName: ed.Service.TLS.CertName,
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", ed.Name, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", ed.Name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("%s.%s.svc.%s", ed.Name, instance.Namespace, clusterDomain),
},
Ips: nil,
Annotations: ed.Annotations,
@@ -366,7 +365,7 @@ func EnsureEndpointConfig(
CertName: ed.Service.TLS.CertName,
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", ed.Name, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", ed.Name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("%s.%s.svc.%s", ed.Name, instance.Namespace, clusterDomain),
},
Ips: nil,
Annotations: ed.Annotations,
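Review bot: The value returned by `clusterdns.GetDNSClusterDomain()` on the new `clusterDomain` line feeds the certificate SANs at both `fmt.Sprintf("%s.%s.svc.%s", ed.Name, instance.Namespace, clusterDomain)` lines with no check on it; if the lookup can yield an empty string on a cluster where the source object is missing (lib-common is not visible from here), the SAN becomes `name.ns.svc.` with a trailing dot and a certificate is requested for a malformed name. A guard such as `if clusterDomain == "" { clusterDomain = "cluster.local" }` after the call — or confirming that lib-common itself falls back — would preserve the previous behaviour on such clusters. This hunk also removes the exported `ClusterInternalDomain` constant, so anything outside pkg/openstack that still references it will no longer build; worth a grep before merging. Separately, the new import is placed after `condition` here and in galera.go, memcached.go, neutron.go, nova.go and octavia.go, whereas `goimports` sorts `clusterdns` before `condition` as ovn.go, rabbitmq.go and redis.go already do. EnsureEndpointConfig starts and ends outside these hunks.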
10 changes: 6 additions & 4 deletions pkg/openstack/galera.go
@@ -8,6 +8,7 @@ import (
certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"

@@ -41,6 +42,7 @@ func ReconcileGaleras(

var failures = []string{}
var inprogress = []string{}
clusterDomain := clusterdns.GetDNSClusterDomain()

if instance.Spec.Galera.Templates == nil {
instance.Spec.Galera.Templates = ptr.To(map[string]mariadbv1.GaleraSpecCore{})
@@ -57,19 +59,19 @@ func ReconcileGaleras(
CertName: fmt.Sprintf("galera-%s-svc", name),
Hostnames: []string{
hostname,
fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
fmt.Sprintf("%s.%s", hostname, clusterDomain),
hostnameHeadless,
fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
fmt.Sprintf("%s.%s", hostnameHeadless, clusterDomain),
fmt.Sprintf("*.%s", hostnameHeadless),
fmt.Sprintf("*.%s.%s", hostnameHeadless, ClusterInternalDomain),
fmt.Sprintf("*.%s.%s", hostnameHeadless, clusterDomain),
},
// Note (dciabrin) from https://github.com/openstack-k8s-operators/openstack-operator/pull/678#issuecomment-1952459166
// the certificate created for galera should populate the 'organization' field,
// otherwise this trip the SST transfer setup done by wsrep_sst_rsync. This will not show
// at the initial deployment because there is no SST involved when the DB is bootstrapped
// as there are no data to be transferred yet.
Subject: &certmgrv1.X509Subject{
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, clusterDomain)},
},
Usages: []certmgrv1.KeyUsage{
"key encipherment",
6 changes: 4 additions & 2 deletions pkg/openstack/memcached.go
@@ -8,6 +8,7 @@ import (
memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"

@@ -168,14 +169,15 @@ func reconcileMemcached(
tlsCert := ""
if instance.Spec.TLS.PodLevel.Enabled {
Log.Info("Reconciling Memcached TLS", "Memcached.Namespace", instance.Namespace, "Memcached.Name", name)
clusterDomain := clusterdns.GetDNSClusterDomain()
certRequest := certmanager.CertificateRequest{
IssuerName: instance.GetInternalIssuer(),
CertName: fmt.Sprintf("%s-svc", memcached.Name),
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", name, instance.Namespace),
fmt.Sprintf("*.%s.%s.svc", name, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("*.%s.%s.svc.%s", name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
fmt.Sprintf("*.%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
},
Labels: map[string]string{serviceCertSelector: ""},
}
4 changes: 3 additions & 1 deletion pkg/openstack/neutron.go
@@ -7,6 +7,7 @@ import (
certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -68,13 +69,14 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
instance.Spec.Neutron.Template.TLS = neutronAPI.Spec.TLS

serviceName := "neutron"
clusterDomain := clusterdns.GetDNSClusterDomain()
// create ovndb client certificate for neutron
certRequest := certmanager.CertificateRequest{
IssuerName: instance.GetOvnIssuer(),
CertName: fmt.Sprintf("%s-ovndbs", serviceName),
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, "cluster.local"),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, clusterDomain),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
6 changes: 4 additions & 2 deletions pkg/openstack/nova.go
@@ -22,6 +22,7 @@ import (

"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -273,6 +274,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl

// create novncproxy vencrypt cert
if instance.Spec.TLS.PodLevel.Enabled {
clusterDomain := coredns.GetDNSClusterDomain()
serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
hostname := fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)
certRequest := certmanager.CertificateRequest{
@@ -281,10 +283,10 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
CommonName: ptr.To(serviceName), // common name has a max length of 64bytes, therefore just set the short name
Hostnames: []string{
hostname,
fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
fmt.Sprintf("%s.%s", hostname, clusterDomain),
},
Subject: &certmgrv1.X509Subject{
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, clusterDomain)},
},
Usages: []certmgrv1.KeyUsage{
certmgrv1.UsageKeyEncipherment,
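Review bot: The new `clusterDomain := coredns.GetDNSClusterDomain()` line calls a package named `coredns`, while the import this commit adds to nova.go (and the call used in every other file) is `clusterdns`; unless nova.go already imports something under the name `coredns` outside the hunk, this does not compile, and the added `clusterdns` import is then also unused — a second compile error. The line should read `clusterDomain := clusterdns.GetDNSClusterDomain()`. ReconcileNova starts and ends outside these hunks.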
4 changes: 3 additions & 1 deletion pkg/openstack/octavia.go
@@ -23,6 +23,7 @@ import (
certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -81,6 +82,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro

// preserve any previously set TLS certs, set CA cert
if instance.Spec.TLS.PodLevel.Enabled {
clusterDomain := clusterdns.GetDNSClusterDomain()
instance.Spec.Octavia.Template.OctaviaAPI.TLS = octavia.Spec.OctaviaAPI.TLS

serviceName := "octavia"
@@ -90,7 +92,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
CertName: fmt.Sprintf("%s-ovndbs", serviceName),
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, clusterDomain),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
9 changes: 6 additions & 3 deletions pkg/openstack/ovn.go
@@ -5,6 +5,7 @@ import (
"fmt"

"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"

@@ -73,6 +74,7 @@ func ReconcileOVN(ctx context.Context, instance *corev1beta1.OpenStackControlPla

func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (bool, error) {
Log := GetLogger(ctx)
dnsSuffix := clusterdns.GetDNSClusterDomain()

OVNDBClustersReady := len(instance.Spec.Ovn.Template.OVNDBCluster) != 0
for name, dbcluster := range instance.Spec.Ovn.Template.OVNDBCluster {
@@ -111,7 +113,7 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
// Cert needs to be valid for the individual pods in the statefulset so make this a wildcard cert
Hostnames: []string{
fmt.Sprintf("*.%s.svc", instance.Namespace),
fmt.Sprintf("*.%s.svc.%s", instance.Namespace, ovnv1.DNSSuffix),
fmt.Sprintf("*.%s.svc.%s", instance.Namespace, dnsSuffix),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
@@ -225,7 +227,7 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
CertName: fmt.Sprintf("%s-ovndbs", "ovnnorthd"),
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
@@ -338,6 +340,7 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
}
}
if instance.Spec.TLS.PodLevel.Enabled {
dnsSuffix := clusterdns.GetDNSClusterDomain()
ovnControllerSpec.TLS = OVNController.Spec.TLS

serviceName := ovnv1.ServiceNameOvnController
@@ -347,7 +350,7 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
CertName: fmt.Sprintf("%s-ovndbs", "ovncontroller"),
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
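Review bot: The ReconcileOVNNorthd hunk replaces `ovnv1.DNSSuffix` with `dnsSuffix` on the `fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix)` line, but no declaration of `dnsSuffix` is added in that function — the section's six additions are the import, the two `dnsSuffix := clusterdns.GetDNSClusterDomain()` lines in ReconcileOVNDbClusters and ReconcileOVNController, and the three replaced SAN lines. Unless ReconcileOVNNorthd already declares `dnsSuffix` outside the hunk, this is an undefined identifier and the function needs its own `dnsSuffix := clusterdns.GetDNSClusterDomain()` before the certificate request. All three functions start and end outside their hunks.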
8 changes: 5 additions & 3 deletions pkg/openstack/rabbitmq.go
@@ -8,6 +8,7 @@ import (
certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
networkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -259,13 +260,14 @@ func reconcileRabbitMQ(
},
}

clusterDomain := clusterdns.GetDNSClusterDomain()
hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
hostnameHeadless := fmt.Sprintf("%s-nodes.%s.svc", name, instance.Namespace)
hostnames := []string{
hostname,
fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
fmt.Sprintf("%s.%s", hostname, clusterDomain),
hostnameHeadless,
fmt.Sprintf("%s.%s", hostnameHeadless, ClusterInternalDomain),
fmt.Sprintf("%s.%s", hostnameHeadless, clusterDomain),
}
for i := 0; i < int(*spec.Replicas); i++ {
hostnames = append(hostnames, fmt.Sprintf("%s-server-%d.%s-nodes.%s", name, i, name, instance.Namespace))
@@ -278,7 +280,7 @@ func reconcileRabbitMQ(
CertName: fmt.Sprintf("%s-svc", rabbitmq.Name),
Hostnames: hostnames,
Subject: &certmgrv1.X509Subject{
Organizations: []string{fmt.Sprintf("%s.%s", rabbitmq.Namespace, ClusterInternalDomain)},
Organizations: []string{fmt.Sprintf("%s.%s", rabbitmq.Namespace, clusterDomain)},
},
Usages: []certmgrv1.KeyUsage{
certmgrv1.UsageKeyEncipherment,
8 changes: 5 additions & 3 deletions pkg/openstack/redis.go
@@ -8,6 +8,7 @@ import (
certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
redisv1 "github.com/openstack-k8s-operators/infra-operator/apis/redis/v1beta1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -180,17 +181,18 @@ func reconcileRedis(

tlsCert := ""
if instance.Spec.TLS.PodLevel.Enabled {
clusterDomain := clusterdns.GetDNSClusterDomain()
certRequest := certmanager.CertificateRequest{
IssuerName: instance.GetInternalIssuer(),
CertName: fmt.Sprintf("%s-svc", redis.Name),
Hostnames: []string{
fmt.Sprintf("redis-%s.%s.svc", name, instance.Namespace),
fmt.Sprintf("*.redis-%s.%s.svc", name, instance.Namespace),
fmt.Sprintf("redis-%s.%s.svc.%s", name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("*.redis-%s.%s.svc.%s", name, instance.Namespace, ClusterInternalDomain),
fmt.Sprintf("redis-%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
fmt.Sprintf("*.redis-%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
},
Subject: &certmgrv1.X509Subject{
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, clusterDomain)},
},
Usages: []certmgrv1.KeyUsage{
"key encipherment",
