[tlse] tls for NovaAPI, NovaMetadata and NovNoVNCProxy
Public/internal service certificate secrets and the CA bundle secret
can be passed to configure the httpd virtual hosts for TLS termination.
The certificates are mounted directly to
/etc/pki/tls/certs/%s.crt|key and the CA bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. The job deployments
for bootstrap/cron, and the NovaConductor, NovaScheduler and NovaCompute
deployments, get the CA bundle added if one is configured.

Also indexes the named input resources for CA bundle, and tls secrets
to be able to watch them for a change and reconcile.

Depends-On: openstack-k8s-operators/lib-common#384

Jira: TODO
stuggi authored and d34dh0r53 committed Jan 8, 2024
1 parent 13980c2 commit 4ba0f04
Showing 58 changed files with 2,128 additions and 115 deletions.
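--- a/api/bases/nova.openstack.org_nova.yaml
+++ b/api/bases/nova.openstack.org_nova.yaml
@@ -326,6 +326,36 @@ spec:
 to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret
+for the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret
+for the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 type: object
 cellTemplates:
 additionalProperties:
@@ -745,6 +775,18 @@ spec:
 value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs
+in a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
 type: object
 noVNCProxyServiceTemplate:
 description: NoVNCProxyServiceTemplate - defines the novncproxy
@@ -1040,6 +1082,18 @@ spec:
 value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs
+in a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
 type: object
 nodeSelector:
 additionalProperties:
@@ -1497,6 +1551,17 @@ spec:
 to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 type: object
 nodeSelector:
 additionalProperties: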
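--- a/api/bases/nova.openstack.org_novaapis.yaml
+++ b/api/bases/nova.openstack.org_novaapis.yaml
@@ -383,6 +383,36 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret for
+the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret for
+the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - apiDatabaseHostname
 - cell0DatabaseHostname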
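--- a/api/bases/nova.openstack.org_novacells.yaml
+++ b/api/bases/nova.openstack.org_novacells.yaml
@@ -455,6 +455,17 @@ spec:
 to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 type: object
 noVNCProxyServiceTemplate:
 description: NoVNCProxyServiceTemplate - defines the novvncproxy service
@@ -729,6 +740,17 @@ spec:
 to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
 type: object
 type: object
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 type: object
 nodeSelector:
 additionalProperties:
@@ -861,6 +883,14 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - cellDatabaseHostname
 - cellName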
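--- a/api/bases/nova.openstack.org_novacomputes.yaml
+++ b/api/bases/nova.openstack.org_novacomputes.yaml
@@ -189,6 +189,14 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - cellName
 - computeDriver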
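--- a/api/bases/nova.openstack.org_novaconductors.yaml
+++ b/api/bases/nova.openstack.org_novaconductors.yaml
@@ -201,6 +201,14 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - cellName
 - keystoneAuthURL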
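--- a/api/bases/nova.openstack.org_novametadata.yaml
+++ b/api/bases/nova.openstack.org_novametadata.yaml
@@ -378,6 +378,17 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - keystoneAuthURL
 - secret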
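--- a/api/bases/nova.openstack.org_novanovncproxies.yaml
+++ b/api/bases/nova.openstack.org_novanovncproxies.yaml
@@ -356,6 +356,17 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - cellDatabaseHostname
 - cellName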
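--- a/api/bases/nova.openstack.org_novaschedulers.yaml
+++ b/api/bases/nova.openstack.org_novaschedulers.yaml
@@ -204,6 +204,14 @@ spec:
 description: ServiceUser - optional username used for this service
 to register in keystone
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - apiDatabaseHostname
 - cell0DatabaseHostname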
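--- a/api/go.mod
+++ b/api/go.mod
@@ -68,3 +68,5 @@ require (
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236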
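Review bot: The new `replace` directive redirects `lib-common/modules/common` to a personal fork, `github.com/deydra71/lib-common`, at a pseudo-version, so every build of this module now fetches that dependency from an individual's repository instead of the `openstack-k8s-operators` organisation. The `Depends-On: openstack-k8s-operators/lib-common#384` trailer suggests this is a bridge until that PR merges, but nothing in the file says so, and a fork pin that lands on the main branch tends to outlive its reason. Mark it explicitly and plan its removal, e.g. `// TODO: temporary pin to a fork until openstack-k8s-operators/lib-common#384 merges; drop the replace and bump the require afterwards`, and prefer the upstream pseudo-version as soon as it exists. Presumably the root module's go.mod carries the same pin (it is not in view); both should be removed together.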
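--- a/api/go.sum
+++ b/api/go.sum
@@ -62,6 +62,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236 h1:Fo59uOmrnWdVX9WanZofoB2YnmlxDP2wbm7jHGgBIOA=
+github.com/deydra71/lib-common/modules/common v0.0.0-20231221132238-bb04f7477236/go.mod h1:YgWd1xXF9VgsfPIwkCv3Q0j2akpnojs9zgso87tvCXY=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ=
 github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
@@ -220,8 +222,6 @@ github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRW
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231230095328-700482794743 h1:nElSEojlu7JxfpmF5c4zb2F3bjbQigpeiheV6Eus6RI=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231230095328-700482794743/go.mod h1:IDd4i2ZXWELCF+Y8Zu9bQBobE6yy3HOEjUeLnSuSWaM=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=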
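--- a/api/v1beta1/novaapi_types.go
+++ b/api/v1beta1/novaapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 service "github.com/openstack-k8s-operators/lib-common/modules/common/service"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -72,6 +73,11 @@ type NovaAPITemplate struct {
 // +kubebuilder:validation:Optional
 // Override, provides the ability to override the generated manifest of several child resources.
 Override APIOverrideSpec `json:"override,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
@@ -153,6 +159,11 @@ type NovaAPISpec struct {
 // reconfigured to trigger refresh of the in memory cell caches of the
 // service.
 RegisteredCells map[string]string `json:"registeredCells"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.API `json:"tls,omitempty"`
 }
 
 // NovaAPIStatus defines the observed state of NovaAPI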
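Review bot: The field comment `// TLS - Parameters related to the TLS` on both NovaAPITemplate and NovaAPISpec is copied into the generated CRD description and tells an operator nothing about what the referenced Secrets are used for, which matters here because the CA bundle is written into the pod's system trust store and the cert secrets are terminated by httpd (per the commit description). On the user-facing NovaAPITemplate I would write `// TLS - Secret names for the public and internal endpoint certificates terminated by httpd in the API pod, and for the CA bundle mounted into the pod's trust store; all optional, TLS stays off when unset.` and on NovaAPISpec note that it is populated from the template. The hunk adds no validation of the secret names; whether `tls.API` carries any lives in lib-common, outside this view, so a `+kubebuilder:validation` on the names may be worth checking there. The code that copies the template's TLS into the spec is also outside this view and must carry the new field.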
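--- a/api/v1beta1/novacell_types.go
+++ b/api/v1beta1/novacell_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -173,6 +174,11 @@ type NovaCellSpec struct {
 // +kubebuilder:validation:Required
 // ServiceAccount - service account name used internally to provide Nova services the default SA name
 ServiceAccount string `json:"serviceAccount"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // NovaCellStatus defines the observed state of NovaCell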
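Review bot: NovaCellSpec.TLS is a `tls.Ca`, i.e. only the CA bundle, yet its comment is the same generic `// TLS - Parameters related to the TLS` used for the full `tls.API` elsewhere, so a reader cannot tell that the metadata and noVNCProxy certificate secrets for this cell are configured in their service templates instead (the novacells CRD hunks in this commit show `secretName` only under those templates). The sibling hunks in novacompute_types.go and novaconductor_types.go copy this field into the per-service specs, which is worth saying here. Suggested comment: `// TLS - CA bundle secret for the cell; it is copied into the NovaConductor and NovaCompute specs created for this cell. The metadata and noVNCProxy server certificates are set in their service templates.`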
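--- a/api/v1beta1/novacompute_types.go
+++ b/api/v1beta1/novacompute_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -118,6 +119,11 @@ type NovaComputeSpec struct {
 // +kubebuilder:validation:Enum=ironic.IronicDriver;fake.FakeDriver
 // ComputeDriver defines which driver to use for controlling virtualization
 ComputeDriver string `json:"computeDriver"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // NovaComputeStatus defines the observed state of NovaCompute
@@ -213,6 +219,7 @@ func NewNovaComputeSpec(
 ServiceUser: novaCell.ServiceUser,
 ServiceAccount: novaCell.ServiceAccount,
 ComputeDriver: computeTemplate.ComputeDriver,
+TLS: novaCell.TLS,
 }
 return novacomputeSpec
 }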
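Review bot: The CA bundle reaches a NovaCompute only through the `TLS: novaCell.TLS` line added to NewNovaComputeSpec; a NovaCompute built by any other path keeps the zero `tls.Ca` and, if the services it talks to present certificates from the internal CA, verification would fail rather than being skipped. That dependency on the cell should be stated on the field, e.g. `// TLS - CA bundle secret, taken from the owning NovaCell by NewNovaComputeSpec; the compute service only consumes certificates, it does not terminate TLS itself.` NewNovaComputeSpec's signature and the start of the struct literal are outside this hunk, so whether other callers construct the spec directly is not visible here.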
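--- a/api/v1beta1/novaconductor_types.go
+++ b/api/v1beta1/novaconductor_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -127,6 +128,11 @@ type NovaConductorSpec struct {
 // +kubebuilder:validation:Required
 // ServiceAccount - service account name used internally to provide Nova services the default SA name
 ServiceAccount string `json:"serviceAccount"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // NovaConductorStatus defines the observed state of NovaConductor
@@ -196,6 +202,7 @@ func NewNovaConductorSpec(
 KeystoneAuthURL: novaCell.KeystoneAuthURL,
 ServiceUser: novaCell.ServiceUser,
 ServiceAccount: novaCell.ServiceAccount,
+TLS: novaCell.TLS,
 }
 return conductorSpec
 }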
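Review bot: The new `TLS tls.Ca \`json:"tls,omitempty"\`` field is a struct value, and `omitempty` never omits a struct in encoding/json (and the apimachinery serializers follow the same rule), so every serialized NovaConductor will carry `tls: {}` even when nothing is configured; the tag is harmless but misleading, and the same pattern is repeated in the other *_types.go hunks of this commit. Either accept that and say so in the comment, or make the field a pointer, which changes the API shape and is probably not worth it at this stage. On the comment itself, `// TLS - Parameters related to the TLS` should say that the conductor only receives the CA bundle, copied from the owning NovaCell in NewNovaConductorSpec, and serves no TLS endpoint of its own. NewNovaConductorSpec's signature is outside this hunk.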
