
Merge pull request #288 from gthiemonge/fix-tlse
Fix TLSe
openshift-merge-bot[bot] authored Apr 16, 2024
2 parents f4d5094 + ec89103 commit 468bde1
Showing 11 changed files with 128 additions and 2 deletions.
8 changes: 8 additions & 0 deletions api/bases/octavia.openstack.org_octaviaapis.yaml
Expand Up @@ -391,6 +391,14 @@ spec:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
ovn:
description: Ovn GenericService - holds the secret for the OvnDb
client cert
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
9 changes: 9 additions & 0 deletions api/bases/octavia.openstack.org_octavias.yaml
Expand Up @@ -477,6 +477,15 @@ spec:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
ovn:
description: Ovn GenericService - holds the secret for the
OvnDb client cert
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
17 changes: 16 additions & 1 deletion api/v1beta1/octaviaapi_types.go
Expand Up @@ -140,7 +140,22 @@ type OctaviaAPISpecCore struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.API `json:"tls,omitempty"`
TLS OctaviaApiTLS `json:"tls,omitempty"`
}

type OctaviaApiTLS struct {
// +kubebuilder:validation:optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// API tls type which encapsulates for API services
API tls.APIService `json:"api,omitempty"`
// +kubebuilder:validation:optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Secret containing CA bundle
tls.Ca `json:",inline"`
// +kubebuilder:validation:optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Ovn GenericService - holds the secret for the OvnDb client cert
Ovn tls.GenericService `json:"ovn,omitempty"`
}

// APIOverrideSpec to override the generated manifest of several child resources.
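Review bot: The new exported type `OctaviaApiTLS` has no doc comment and breaks the file's initialism casing (the enclosing `OctaviaAPISpecCore` in this hunk's header spells it `API`); Go convention would be `OctaviaAPITLS`, though renaming also touches the generated deepcopy, so at minimum add `// OctaviaApiTLS groups the TLS settings of the Octavia API: the API service certificates, the inline CA bundle and the OVN DB client certificate.` above the type. The markers on the three new fields use `+kubebuilder:validation:optional` while the existing `TLS` field a few lines up uses `+kubebuilder:validation:Optional`; I believe controller-gen markers are case-sensitive, so it is worth confirming the lowercase form is honoured rather than silently ignored. The JSON shape (`api`, inline CA, new `ovn`) stays compatible with the previous `tls.API` embedding as far as this hunk shows.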
18 changes: 18 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


8 changes: 8 additions & 0 deletions config/crd/bases/octavia.openstack.org_octaviaapis.yaml
Expand Up @@ -391,6 +391,14 @@ spec:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
ovn:
description: Ovn GenericService - holds the secret for the OvnDb
client cert
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
9 changes: 9 additions & 0 deletions config/crd/bases/octavia.openstack.org_octavias.yaml
Expand Up @@ -477,6 +477,15 @@ spec:
description: CaBundleSecretName - holding the CA certs in
a pre-created bundle file
type: string
ovn:
description: Ovn GenericService - holds the secret for the
OvnDb client cert
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
transportURLSecret:
description: TransportURLSecret - Secret containing RabbitMQ transportURL
2 changes: 2 additions & 0 deletions controllers/octavia_controller.go
Expand Up @@ -221,6 +221,7 @@ const (
caBundleSecretNameField = ".spec.tls.caBundleSecretName"
tlsAPIInternalField = ".spec.tls.api.internal.secretName"
tlsAPIPublicField = ".spec.tls.api.public.secretName"
tlsOvnField = ".spec.tls.ovn.secretName"
)

var (
Expand All @@ -229,6 +230,7 @@ var (
caBundleSecretNameField,
tlsAPIInternalField,
tlsAPIPublicField,
tlsOvnField,
}
)

13 changes: 13 additions & 0 deletions controllers/octaviaapi_controller.go
Expand Up @@ -246,6 +246,18 @@ func (r *OctaviaAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
return err
}

// index tlsOvnField
if err := mgr.GetFieldIndexer().IndexField(context.Background(), &octaviav1.OctaviaAPI{}, tlsOvnField, func(rawObj client.Object) []string {
// Extract the secret name from the spec, if one is provided
cr := rawObj.(*octaviav1.OctaviaAPI)
if cr.Spec.TLS.Ovn.SecretName == nil {
return nil
}
return []string{*cr.Spec.TLS.Ovn.SecretName}
}); err != nil {
return err
}

return ctrl.NewControllerManagedBy(mgr).
For(&octaviav1.OctaviaAPI{}).
Owns(&keystonev1.KeystoneService{}).
Expand Down Expand Up @@ -946,6 +958,7 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps(
if err != nil {
return err
}
templateParameters["OVNDB_TLS"] = instance.Spec.TLS.Ovn.Enabled()

// create httpd vhost template parameters
httpdVhostConfig := map[string]interface{}{}
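Review bot: `templateParameters["OVNDB_TLS"] = instance.Spec.TLS.Ovn.Enabled()` switches the rendered octavia.conf to the OVN client certificate, but nothing in this commit feeds the OVN secret's content into the hash behind `configHash`, so a rotated certificate or key in that secret would not roll the API deployment; the field index added at the top of this section only makes a change to the secret trigger a reconcile. The API TLS secrets presumably go through a validate-and-hash step elsewhere in the reconciler (outside this hunk), and the ovn secret should be added there so rotation behaves the same way. A short comment on the new line, `// enables the OVN DB client cert block in octavia.conf; the secret is mounted by pkg/octaviaapi/deployment.go`, would tie the two halves together. `generateServiceConfigMaps` continues outside the hunk.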
27 changes: 27 additions & 0 deletions pkg/octavia/client.go
Expand Up @@ -17,6 +17,7 @@ package octavia
import (
"context"
"fmt"
"net/url"
"time"

"github.com/gophercloud/gophercloud"
Expand Down Expand Up @@ -44,6 +45,18 @@ func GetAdminServiceClient(
return nil, ctrl.Result{}, err
}

parsedAuthURL, err := url.Parse(authURL)
if err != nil {
return nil, ctrl.Result{}, err
}

tlsConfig := &openstack.TLSConfig{}
if parsedAuthURL.Scheme == "https" {
// TODO: (mschuppert) for now just set to insecure, when keystone got
// enabled for internal tls, get the CA secret name from the keystoneAPI
tlsConfig.Insecure = true
}

// get the password of the admin user from Spec.Secret
// using PasswordSelectors.Admin
authPassword, ctrlResult, err := secret.GetDataFromSecret(
Expand All @@ -66,6 +79,7 @@ func GetAdminServiceClient(
TenantName: keystoneAPI.Spec.AdminProject,
DomainName: "Default",
Region: keystoneAPI.Spec.Region,
TLS: tlsConfig,
}

os, err := openstack.NewOpenStack(
Expand All @@ -92,6 +106,18 @@ func GetServiceClient(
return nil, ctrl.Result{}, err
}

parsedAuthURL, err := url.Parse(authURL)
if err != nil {
return nil, ctrl.Result{}, err
}

tlsConfig := &openstack.TLSConfig{}
if parsedAuthURL.Scheme == "https" {
// TODO: (mschuppert) for now just set to insecure, when keystone got
// enabled for internal tls, get the CA secret name from the keystoneAPI
tlsConfig.Insecure = true
}

// get the password of the admin user from Spec.Secret
// using PasswordSelectors.Admin
authPassword, ctrlResult, err := secret.GetDataFromSecret(
Expand All @@ -114,6 +140,7 @@ func GetServiceClient(
TenantName: octavia.Spec.TenantName,
DomainName: "Default",
Region: keystoneAPI.Spec.Region,
TLS: tlsConfig,
}

os, err := openstack.NewOpenStack(
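Review bot: Setting `tlsConfig.Insecure = true` whenever the auth URL is https, in both `GetAdminServiceClient` and `GetServiceClient`, disables server certificate verification for every keystone call the operator makes, so the admin password read from the secret a few lines later is sent to any endpoint that can impersonate keystone on that address. The CRD already tracks a CA bundle secret (`caBundleSecretName` is indexed in controllers/octavia_controller.go and the new `OctaviaApiTLS` embeds `tls.Ca`), so the CA could be loaded into the TLS config instead of skipping verification; if the stopgap has to stay, the comment should say plainly that it disables certificate verification, not just "set to insecure". The parse-and-configure block is also a verbatim copy in both functions, so I would pull it into one helper so the follow-up fix lands in a single place, as sketched below. Both enclosing functions start and end outside the hunk.

```go
// keystoneTLSConfig returns the TLS settings for the keystone auth endpoint
// given as authURL. For an https endpoint it currently disables server
// certificate verification (TODO: load the CA from the CA bundle secret
// instead); for anything else it returns an empty config.
func keystoneTLSConfig(authURL string) (*openstack.TLSConfig, error) {
	parsedAuthURL, err := url.Parse(authURL)
	if err != nil {
		return nil, fmt.Errorf("parsing auth URL %q: %w", authURL, err)
	}
	tlsConfig := &openstack.TLSConfig{}
	if parsedAuthURL.Scheme == "https" {
		// Insecure skips verification of the keystone server certificate.
		tlsConfig.Insecure = true
	}
	return tlsConfig, nil
}

// … in GetAdminServiceClient and GetServiceClient, replacing the inlined copy …
	tlsConfig, err := keystoneTLSConfig(authURL)
	if err != nil {
		return nil, ctrl.Result{}, err
	}
```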
10 changes: 10 additions & 0 deletions pkg/octaviaapi/deployment.go
Expand Up @@ -30,6 +30,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/ptr"
)

const (
Expand Down Expand Up @@ -107,6 +108,15 @@ func Deployment(
}
}

if instance.Spec.TLS.Ovn.Enabled() {
svc := tls.Service{
SecretName: *instance.Spec.TLS.Ovn.SecretName,
CaMount: ptr.To("/var/lib/config-data/tls/certs/ovndbca.crt"),
}
volumes = append(volumes, svc.CreateVolume("ovndb"))
volumeMounts = append(volumeMounts, svc.CreateVolumeMounts("ovndb")...)
}

envVars := map[string]env.Setter{}
envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
envVars["CONFIG_HASH"] = env.SetValue(configHash)
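Review bot: The CA is mounted at `/var/lib/config-data/tls/certs/ovndbca.crt` here, while the new block in templates/octaviaapi/config/octavia.conf points Octavia at `/etc/pki/tls/certs/ovndbca.crt` and `/etc/pki/tls/{certs,private}/ovndb.{crt,key}`; the copy from the config-data path into /etc/pki/tls presumably comes from the kolla config, which is not part of this commit, so please confirm all three files are covered, otherwise the container starts with TLS configured and cannot reach the OVN databases. A comment on the new block would make that coupling visible, e.g. `// mounted under /var/lib/config-data/tls; the kolla config copies them to /etc/pki/tls where octavia.conf expects them`. `Deployment` and the `volumes`/`volumeMounts` slices it appends to start outside the hunk.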
9 changes: 8 additions & 1 deletion templates/octaviaapi/config/octavia.conf
Expand Up @@ -113,7 +113,14 @@ enabled_provider_agents=ovn
[ovn]
ovn_nb_connection={{ .NBConnection }}
ovn_sb_connection={{ .SBConnection }}
# OVN/TODO double check defaultsj
{{- if .OVNDB_TLS }}
ovn_nb_private_key = /etc/pki/tls/private/ovndb.key
ovn_nb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_nb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
ovn_sb_private_key = /etc/pki/tls/private/ovndb.key
ovn_sb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_sb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
{{- end }}

[oslo_policy]
enforce_scope = True
