Skip to content
This repository has been archived by the owner on Jun 25, 2024. It is now read-only.

Add infrastructure for edpm certs #553

Merged
merged 2 commits into from
Dec 1, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -1876,6 +1876,8 @@ spec:
items:
type: string
type: array
tlsEnabled:
type: boolean
required:
- nodeTemplate
- nodes
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,18 @@ spec:
type: object
spec:
properties:
caCerts:
type: string
configMaps:
items:
type: string
type: array
hasTLSCerts:
type: boolean
issuers:
additionalProperties:
type: string
type: object
label:
maxLength: 53
pattern: '[a-z]([-a-z0-9]*[a-z0-9])'
Expand Down
5 changes: 5 additions & 0 deletions api/v1beta1/openstackdataplanenodeset_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,11 @@ type OpenStackDataPlaneNodeSetSpec struct {
// +kubebuilder:default={download-cache,bootstrap,configure-network,validate-network,install-os,configure-os,run-os,ovn,neutron-metadata,libvirt,nova,telemetry}
// Services list
Services []string `json:"services"`

// TLSEnabled - Whether the node set has TLS enabled.
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
TLSEnabled *bool `json:"tlsEnabled,omitempty" yaml:"tlsEnabled,omitempty"`
}

//+kubebuilder:object:root=true
Expand Down
13 changes: 13 additions & 0 deletions api/v1beta1/openstackdataplaneservice_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,19 @@ type OpenStackDataPlaneServiceSpec struct {
// OpenStackAnsibleEERunnerImage image to use as the ansibleEE runner image
// +kubebuilder:validation:Optional
OpenStackAnsibleEERunnerImage string `json:"openStackAnsibleEERunnerImage,omitempty" yaml:"openStackAnsibleEERunnerImage,omitempty"`

// HasTLSCerts - Whether the nodes have TLS certs
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
HasTLSCerts *bool `json:"hasTLSCerts,omitempty" yaml:"hasTLSCerts,omitempty"`

// Issuers - Issuers to issue TLS Certificates
// +kubebuilder:validation:Optional
Issuers map[string]string `json:"issuers,omitempty"`

// CACerts - Secret containing the CA certificate chain
// +kubebuilder:validation:Optional
CACerts string `json:"caCerts,omitempty" yaml:"caCerts,omitempty"`
}

// OpenStackDataPlaneServiceStatus defines the observed state of OpenStackDataPlaneService
Expand Down
17 changes: 17 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -1876,6 +1876,8 @@ spec:
items:
type: string
type: array
tlsEnabled:
type: boolean
required:
- nodeTemplate
- nodes
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,18 @@ spec:
type: object
spec:
properties:
caCerts:
type: string
configMaps:
items:
type: string
type: array
hasTLSCerts:
type: boolean
issuers:
additionalProperties:
type: string
type: object
label:
maxLength: 53
pattern: '[a-z]([-a-z0-9]*[a-z0-9])'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,12 @@ spec:
displayName: OpenStack Data Plane Service
kind: OpenStackDataPlaneService
name: openstackdataplaneservices.dataplane.openstack.org
specDescriptors:
- description: HasTLSCerts - Whether the nodes have TLS certs
displayName: Has TLSCerts
path: hasTLSCerts
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
statusDescriptors:
- description: Conditions
displayName: Conditions
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,6 @@ metadata:
spec:
label: libvirt
playbook: osp.edpm.libvirt
hasTLSCerts: True
issuers:
default: osp-rootca-issuer-internal
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,6 @@ spec:
# and ssh-publickey
- nova-migration-ssh-key
playbook: osp.edpm.nova
hasTLSCerts: True
issuers:
default: osp-rootca-issuer-internal
20 changes: 19 additions & 1 deletion controllers/openstackdataplanenodeset_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ func (r *OpenStackDataPlaneNodeSetReconciler) Reconcile(ctx context.Context, req
}

// Ensure DNSData Required for Nodes
dnsAddresses, dnsClusterAddresses, ctlplaneSearchDomain, isReady, err := deployment.EnsureDNSData(
dnsAddresses, dnsClusterAddresses, ctlplaneSearchDomain, isReady, allHostnames, allIPs, err := deployment.EnsureDNSData(
ctx, helper,
instance, allIPSets)
if err != nil || !isReady {
Expand All @@ -209,6 +209,24 @@ func (r *OpenStackDataPlaneNodeSetReconciler) Reconcile(ctx context.Context, req
instance.Status.DNSClusterAddresses = dnsClusterAddresses
instance.Status.CtlplaneSearchDomain = ctlplaneSearchDomain

// Issue certs for TLS for services that need them
if instance.Spec.TLSEnabled != nil && *instance.Spec.TLSEnabled {
for _, serviceName := range instance.Spec.Services {
service, err := deployment.GetService(ctx, helper, serviceName)
if err != nil {
return ctrl.Result{}, err
}
if service.Spec.HasTLSCerts != nil && *service.Spec.HasTLSCerts {
result, err = deployment.EnsureTLSCerts(ctx, helper, instance, allHostnames, allIPs, service)
if err != nil {
return ctrl.Result{}, err
} else if (result != ctrl.Result{}) {
return result, nil
}
}
}
}

ansibleSSHPrivateKeySecret := instance.Spec.NodeTemplate.AnsibleSSHPrivateKeySecret

secretKeys := []string{}
Expand Down
1 change: 1 addition & 0 deletions docs/openstack_dataplanenodeset.md
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,7 @@ OpenStackDataPlaneNodeSetSpec defines the desired state of OpenStackDataPlaneNod
| env | Env is a list containing the environment variables to pass to the pod | []corev1.EnvVar | false |
| networkAttachments | NetworkAttachments is a list of NetworkAttachment resource names to pass to the ansibleee resource which allows to connect the ansibleee runner to the given network | []string | false |
| services | Services list | []string | true |
| tlsEnabled | TLSEnabled - Whether the node set has TLS enabled. | *bool | false |

[Back to Custom Resources](#custom-resources)

Expand Down
3 changes: 3 additions & 0 deletions docs/openstack_dataplaneservice.md
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,9 @@ OpenStackDataPlaneServiceSpec defines the desired state of OpenStackDataPlaneSer
| configMaps | ConfigMaps list of ConfigMap names to mount as ExtraMounts for the OpenStackAnsibleEE | []string | false |
| secrets | Secrets list of Secret names to mount as ExtraMounts for the OpenStackAnsibleEE | []string | false |
| openStackAnsibleEERunnerImage | OpenStackAnsibleEERunnerImage image to use as the ansibleEE runner image | string | false |
| hasTLSCerts | HasTLSCerts - Whether the nodes have TLS certs | *bool | false |
| issuers | Issuers - Issuers to issue TLS Certificates | map[string]string | false |
| caCerts | CACerts - Secret containing the CA certificate chain | string | false |

[Back to Custom Resources](#custom-resources)

Expand Down
5 changes: 4 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ replace golang.org/x/net => golang.org/x/net v0.18.0 //allow-merging
replace github.com/openstack-k8s-operators/dataplane-operator/api => ./api

require (
github.com/cert-manager/cert-manager v1.11.5
github.com/go-logr/logr v1.3.0
github.com/google/uuid v1.4.0
github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0
Expand All @@ -16,6 +17,7 @@ require (
github.com/openstack-k8s-operators/dataplane-operator/api v0.0.0-20230724101130-2d6fe1f4706b
github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20231122104142-3b449040167e
github.com/openstack-k8s-operators/lib-common/modules/ansible v0.3.1-0.20231128145648-956f4d361a63
github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231109064837-a0ac89bc5a39
github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231128145648-956f4d361a63
github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231128145648-956f4d361a63
github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20231128145648-956f4d361a63
Expand All @@ -26,6 +28,7 @@ require (
k8s.io/api v0.26.11
k8s.io/apimachinery v0.26.11
k8s.io/client-go v0.26.11
k8s.io/utils v0.0.0-20231127182322-b307cd553661
sigs.k8s.io/controller-runtime v0.14.7
)

Expand Down Expand Up @@ -84,7 +87,7 @@ require (
k8s.io/component-base v0.26.11 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect
k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect
sigs.k8s.io/gateway-api v0.6.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
Expand Down
6 changes: 6 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cert-manager/cert-manager v1.11.5 h1:K2LurvwIE4hIhODQZnkOW6ljYe3lVMAliS/to+gI05o=
github.com/cert-manager/cert-manager v1.11.5/go.mod h1:zNOyoTEwdn9Rtj5Or2pjBY1Bqwtw4vBElP2fKSP8/g8=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
Expand Down Expand Up @@ -239,6 +241,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20231122104142-3
github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20231122104142-3b449040167e/go.mod h1:FnKU6sravC43Uj0iq2bhZaPMjoPCBhkNlVdiVoGi5/E=
github.com/openstack-k8s-operators/lib-common/modules/ansible v0.3.1-0.20231128145648-956f4d361a63 h1:Dm2f2i/GDDIpxk1gjhFD1fhHT3naXbXCUmLhyv/jBqk=
github.com/openstack-k8s-operators/lib-common/modules/ansible v0.3.1-0.20231128145648-956f4d361a63/go.mod h1:A9sWNibvjr1a9B/mpy4k6J9xkH11fnn0Dx/X1EZ3On8=
github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231109064837-a0ac89bc5a39 h1:f6F22jZ6HNBdlrTBDziaoWM1HqW2LOME3nq+07SuC+s=
github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20231109064837-a0ac89bc5a39/go.mod h1:Gr8E0kTkczsoUJ1AIzj9Z5vhl6V21ZrNJXICMB527qI=
github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231128145648-956f4d361a63 h1:iA/8vt+o2bMxYvvenNB7VArBvM8UyDLw3G7S/teMLc0=
github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231128145648-956f4d361a63/go.mod h1:OYad2L+OD4j5CR49di7gu3Q1UkLBmpYwvtdoGlnasL4=
github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20231128145648-956f4d361a63 h1:ok420+r0QGypb4ORk2Zi4k9i0pgXjMZHQ1w/6zgxyrE=
Expand Down Expand Up @@ -643,6 +647,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/controller-runtime v0.14.7 h1:Vrnm2vk9ZFlRkXATHz0W0wXcqNl7kPat8q2JyxVy0Q8=
sigs.k8s.io/controller-runtime v0.14.7/go.mod h1:ErTs3SJCOujNUnTz4AS+uh8hp6DHMo1gj6fFndJT1X8=
sigs.k8s.io/gateway-api v0.6.0 h1:v2FqrN2ROWZLrSnI2o91taHR8Sj3s+Eh3QU7gLNWIqA=
sigs.k8s.io/gateway-api v0.6.0/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
Expand Down
4 changes: 4 additions & 0 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ import (
baremetalv1 "github.com/openstack-k8s-operators/openstack-baremetal-operator/api/v1beta1"
"sigs.k8s.io/controller-runtime/pkg/client/config"

certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmgrmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
dataplanev1 "github.com/openstack-k8s-operators/dataplane-operator/api/v1beta1"
dataplanev1beta1 "github.com/openstack-k8s-operators/dataplane-operator/api/v1beta1"
"github.com/openstack-k8s-operators/dataplane-operator/controllers"
Expand All @@ -61,6 +63,8 @@ func init() {
utilruntime.Must(baremetalv1.AddToScheme(scheme))
utilruntime.Must(infranetworkv1.AddToScheme(scheme))
utilruntime.Must(dataplanev1beta1.AddToScheme(scheme))
utilruntime.Must(certmgrv1.AddToScheme(scheme))
utilruntime.Must(certmgrmetav1.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme
}

Expand Down
Loading
Loading