diff --git a/api/bases/octavia.openstack.org_octaviaapis.yaml b/api/bases/octavia.openstack.org_octaviaapis.yaml
index 2743a14b..4f0a4fb8 100644
--- a/api/bases/octavia.openstack.org_octaviaapis.yaml
+++ b/api/bases/octavia.openstack.org_octaviaapis.yaml
@@ -391,6 +391,14 @@ spec: description: CaBundleSecretName - holding the CA certs in a pre-created bundle file type: string + ovn: + description: Ovn GenericService - holds the secret for the OvnDb + client cert + properties: + secretName: + description: SecretName - holding the cert, key for the service + type: string + type: object type: object transportURLSecret: description: TransportURLSecret - Secret containing RabbitMQ transportURL
diff --git a/api/bases/octavia.openstack.org_octavias.yaml b/api/bases/octavia.openstack.org_octavias.yaml
index 9f1331cf..d58a95b9 100644
--- a/api/bases/octavia.openstack.org_octavias.yaml
+++ b/api/bases/octavia.openstack.org_octavias.yaml
@@ -477,6 +477,15 @@ spec: description: CaBundleSecretName - holding the CA certs in a pre-created bundle file type: string + ovn: + description: Ovn GenericService - holds the secret for the + OvnDb client cert + properties: + secretName: + description: SecretName - holding the cert, key for the + service + type: string + type: object type: object transportURLSecret: description: TransportURLSecret - Secret containing RabbitMQ transportURL
diff --git a/api/v1beta1/octaviaapi_types.go b/api/v1beta1/octaviaapi_types.go
index c0ef3879..bd44e54b 100644
--- a/api/v1beta1/octaviaapi_types.go
+++ b/api/v1beta1/octaviaapi_types.go
@@ -140,7 +140,22 @@ type OctaviaAPISpecCore struct {
 // +kubebuilder:validation:Optional
 // +operator-sdk:csv:customresourcedefinitions:type=spec
 // TLS - Parameters related to the TLS
- TLS tls.API `json:"tls,omitempty"`
+ TLS OctaviaApiTLS `json:"tls,omitempty"`
+}
+
+type OctaviaApiTLS struct {
+ // +kubebuilder:validation:optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // API tls type which encapsulates for API services
+ API tls.APIService `json:"api,omitempty"`
+ // +kubebuilder:validation:optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // Secret containing CA bundle
+ tls.Ca `json:",inline"`
+ // +kubebuilder:validation:optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // Ovn GenericService - holds the secret for the OvnDb client cert
+ Ovn tls.GenericService `json:"ovn,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index dee6925c..80525a4b 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -419,6 +419,24 @@ func (in *OctaviaAmphoraFlavor) DeepCopy() *OctaviaAmphoraFlavor { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OctaviaApiTLS) DeepCopyInto(out *OctaviaApiTLS) { + *out = *in + in.API.DeepCopyInto(&out.API) + out.Ca = in.Ca + in.Ovn.DeepCopyInto(&out.Ovn) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OctaviaApiTLS. +func (in *OctaviaApiTLS) DeepCopy() *OctaviaApiTLS { + if in == nil { + return nil + } + out := new(OctaviaApiTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OctaviaDefaults) DeepCopyInto(out *OctaviaDefaults) { *out = *in
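Review bot: The new exported type `OctaviaApiTLS` breaks the initialism convention the surrounding API package follows (`OctaviaAPISpecCore` is in the same hunk) and has no doc comment; it is introduced by this commit and is public API, so renaming it to `OctaviaAPITLS` now is cheap and later is not. Its three fields carry the lowercase marker `// +kubebuilder:validation:optional` while the line a few above uses `// +kubebuilder:validation:Optional`; controller-gen matches marker names exactly as far as I know, so the lowercase form is most likely ignored (harmless, because `omitempty` fields are optional by default, but the hunk is inconsistent with itself). The field comment `// API tls type which encapsulates for API services` does not parse; I would write `// API - certificates for the public and internal API endpoints` and add a type comment along the lines of `// OctaviaAPITLS - TLS settings of the API service: endpoint certs, CA bundle and the OVN DB client cert`. The generated deepcopy code in the next hunk would need regenerating after the rename.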
diff --git a/config/crd/bases/octavia.openstack.org_octaviaapis.yaml b/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
index 2743a14b..4f0a4fb8 100644
--- a/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
+++ b/config/crd/bases/octavia.openstack.org_octaviaapis.yaml
@@ -391,6 +391,14 @@ spec: description: CaBundleSecretName - holding the CA certs in a pre-created bundle file type: string + ovn: + description: Ovn GenericService - holds the secret for the OvnDb + client cert + properties: + secretName: + description: SecretName - holding the cert, key for the service + type: string + type: object type: object transportURLSecret: description: TransportURLSecret - Secret containing RabbitMQ transportURL
diff --git a/config/crd/bases/octavia.openstack.org_octavias.yaml b/config/crd/bases/octavia.openstack.org_octavias.yaml
index 9f1331cf..d58a95b9 100644
--- a/config/crd/bases/octavia.openstack.org_octavias.yaml
+++ b/config/crd/bases/octavia.openstack.org_octavias.yaml
@@ -477,6 +477,15 @@ spec: description: CaBundleSecretName - holding the CA certs in a pre-created bundle file type: string + ovn: + description: Ovn GenericService - holds the secret for the + OvnDb client cert + properties: + secretName: + description: SecretName - holding the cert, key for the + service + type: string + type: object type: object transportURLSecret: description: TransportURLSecret - Secret containing RabbitMQ transportURL
diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
index d2b44bf1..008af94d 100644
--- a/controllers/octavia_controller.go
+++ b/controllers/octavia_controller.go
@@ -221,6 +221,7 @@ const (
 caBundleSecretNameField = ".spec.tls.caBundleSecretName"
 tlsAPIInternalField = ".spec.tls.api.internal.secretName"
 tlsAPIPublicField = ".spec.tls.api.public.secretName"
+ tlsOvnField = ".spec.tls.ovn.secretName"
 )
 
 var (
@@ -229,6 +230,7 @@ var (
 caBundleSecretNameField,
 tlsAPIInternalField,
 tlsAPIPublicField,
+ tlsOvnField,
 }
 )
 
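Review bot: `tlsOvnField` is appended to the field list in the second hunk, but the only `IndexField` registration for it in this commit is on `OctaviaAPI` (octaviaapi_controller.go); if that list is also used to `List` the top-level `Octavia` type with `MatchingFields` (its consumers are outside this diff), controller-runtime returns an error for an index that was never registered and every secret event would fail to map to owners. The path string `.spec.tls.ovn.secretName` also only fits the OctaviaAPI CR; in the octavias CRD hunk above the `ovn` field appears to sit a level deeper (the description wraps earlier, suggesting something like `spec.octaviaAPI.tls.ovn`), so an index on `Octavia` would need its own path anyway. Confirm which types the list is applied to, and either add the missing registration or state the scope above the list, e.g. `// field paths below are relative to the OctaviaAPI spec; do not use for Octavia`. The `var (` block starts above the second hunk.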
diff --git a/controllers/octaviaapi_controller.go b/controllers/octaviaapi_controller.go
index 14b114a0..ddc9db59 100644
--- a/controllers/octaviaapi_controller.go
+++ b/controllers/octaviaapi_controller.go
@@ -246,6 +246,18 @@ func (r *OctaviaAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 return err
 }
 
+ // index tlsOvnField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &octaviav1.OctaviaAPI{}, tlsOvnField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*octaviav1.OctaviaAPI)
+ if cr.Spec.TLS.Ovn.SecretName == nil {
+ return nil
+ }
+ return []string{*cr.Spec.TLS.Ovn.SecretName}
+ }); err != nil {
+ return err
+ }
+
 return ctrl.NewControllerManagedBy(mgr).
 For(&octaviav1.OctaviaAPI{}).
 Owns(&keystonev1.KeystoneService{}).
@@ -946,6 +958,7 @@ func (r *OctaviaAPIReconciler) generateServiceConfigMaps(
 if err != nil {
 return err
 }
+ templateParameters["OVNDB_TLS"] = instance.Spec.TLS.Ovn.Enabled()
 // create httpd vhost template parameters
 httpdVhostConfig := map[string]interface{}{}
diff --git a/pkg/octavia/client.go b/pkg/octavia/client.go
index 10dc43b7..5556cae1 100644
--- a/pkg/octavia/client.go
+++ b/pkg/octavia/client.go
@@ -17,6 +17,7 @@ package octavia
 import (
 "context"
 "fmt"
+ "net/url"
 "time"
 
 "github.com/gophercloud/gophercloud"
@@ -44,6 +45,18 @@ func GetAdminServiceClient(
 return nil, ctrl.Result{}, err
 }
 
+ parsedAuthURL, err := url.Parse(authURL)
+ if err != nil {
+ return nil, ctrl.Result{}, err
+ }
+
+ tlsConfig := &openstack.TLSConfig{}
+ if parsedAuthURL.Scheme == "https" {
+ // TODO: (mschuppert) for now just set to insecure, when keystone got
+ // enabled for internal tls, get the CA secret name from the keystoneAPI
+ tlsConfig.Insecure = true
+ }
+
 // get the password of the admin user from Spec.Secret
 // using PasswordSelectors.Admin
 authPassword, ctrlResult, err := secret.GetDataFromSecret(
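Review bot: `templateParameters["OVNDB_TLS"] = instance.Spec.TLS.Ovn.Enabled()` switches the feature on from the presence of a secret name alone; nothing in this commit verifies that the referenced secret exists and carries `tls.crt`/`tls.key`/`ca.crt`, nor folds its content into the hash behind `CONFIG_HASH`, so a mistyped name only shows up as a pod stuck mounting and a rotated OVN client cert would not roll the deployment. The API cert secrets are presumably validated and hashed elsewhere in this function (outside the hunk; `generateServiceConfigMaps` starts above it), and the OVN secret should get the same treatment, e.g. through the `ValidateCertSecret` helper that lib-common's `GenericService` exposes in the versions I know, with the returned hash merged into the inputs. A short comment on the new line, `// OVNDB_TLS selects the ssl client-cert block in octavia.conf`, would also point the next reader at the template side.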
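Review bot: `tlsConfig.Insecure = true` disables server certificate verification for every https Keystone endpoint, and the admin password fetched on the next lines is then sent to whatever answers at `authURL`; on the internal network that is precisely the interception the TLS work is meant to rule out, so the admin client ends up no safer than plain http. If the CA plumbing has to wait, make the degradation visible rather than silent: log a warning at this point and reference a tracking issue in the TODO so it cannot quietly survive into a release. The OctaviaAPI CR already carries `caBundleSecretName` for its other clients; if that CR is reachable from here (the parameter list is above the hunk, `GetAdminServiceClient` begins outside it), loading the bundle into the TLS config's CA field instead of setting `Insecure` is the proper fix and likely not much more code than this block.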
@@ -66,6 +79,7 @@ func GetAdminServiceClient(
 TenantName: keystoneAPI.Spec.AdminProject,
 DomainName: "Default",
 Region: keystoneAPI.Spec.Region,
+ TLS: tlsConfig,
 }
 
 os, err := openstack.NewOpenStack(
@@ -92,6 +106,18 @@ func GetServiceClient(
 return nil, ctrl.Result{}, err
 }
 
+ parsedAuthURL, err := url.Parse(authURL)
+ if err != nil {
+ return nil, ctrl.Result{}, err
+ }
+
+ tlsConfig := &openstack.TLSConfig{}
+ if parsedAuthURL.Scheme == "https" {
+ // TODO: (mschuppert) for now just set to insecure, when keystone got
+ // enabled for internal tls, get the CA secret name from the keystoneAPI
+ tlsConfig.Insecure = true
+ }
+
 // get the password of the admin user from Spec.Secret
 // using PasswordSelectors.Admin
 authPassword, ctrlResult, err := secret.GetDataFromSecret(
@@ -114,6 +140,7 @@ func GetServiceClient(
 TenantName: octavia.Spec.TenantName,
 DomainName: "Default",
 Region: keystoneAPI.Spec.Region,
+ TLS: tlsConfig,
 }
 
 os, err := openstack.NewOpenStack(
diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go
index 529508ec..d8fa605e 100644
--- a/pkg/octaviaapi/deployment.go
+++ b/pkg/octaviaapi/deployment.go
@@ -30,6 +30,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/ptr"
 )
 
 const (
@@ -107,6 +108,15 @@ func Deployment(
 }
 }
 
+ if instance.Spec.TLS.Ovn.Enabled() {
+ svc := tls.Service{
+ SecretName: *instance.Spec.TLS.Ovn.SecretName,
+ CaMount: ptr.To("/var/lib/config-data/tls/certs/ovndbca.crt"),
+ }
+ volumes = append(volumes, svc.CreateVolume("ovndb"))
+ volumeMounts = append(volumeMounts, svc.CreateVolumeMounts("ovndb")...)
+ }
+
 envVars := map[string]env.Setter{}
 envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
 envVars["CONFIG_HASH"] = env.SetValue(configHash)
diff --git a/templates/octaviaapi/config/octavia.conf b/templates/octaviaapi/config/octavia.conf
index 79bd58ae..5906565a 100644
--- a/templates/octaviaapi/config/octavia.conf
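Review bot: This block is a verbatim copy of the one added to `GetAdminServiceClient` in the previous hunk, including the `Insecure = true` TODO, so the eventual security fix has to be made in two places and can drift. Extract it into a package-private helper such as `func keystoneTLSConfig(authURL string) (*openstack.TLSConfig, error)` that parses the URL and builds the config, call it from both constructors, and put the warning log for the verification-disabled case there so operators see it once per client. That also gives the future CA-bundle handling a single home. `GetServiceClient` starts above this hunk.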
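Review bot: The `CaMount` path here, and the lib-common defaults the cert and key get from `CreateVolumeMounts("ovndb")` (under `/var/lib/config-data/tls/` as far as I know), do not match what the octavia.conf hunk below tells the service to open (`/etc/pki/tls/private/ovndb.key`, `/etc/pki/tls/certs/ovndb.crt`, `/etc/pki/tls/certs/ovndbca.crt`), and no kolla config.json change is part of this commit. If the container relies on kolla to copy the files across at start-up, that template needs the three new entries, with the key copied under a restrictive mode (`"perm": "0600"`) since it is the OVN DB client credential; if not, the mounts should target the `/etc/pki/tls` paths directly through `CertMount`/`KeyMount`. A comment above the block stating where the files end up, `// mounted under /var/lib/config-data/tls and copied to /etc/pki/tls by kolla; octavia.conf refers to the latter`, would make the coupling explicit. `Deployment` starts above and continues below this hunk.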
+++ b/templates/octaviaapi/config/octavia.conf
@@ -113,7 +114,14 @@ enabled_provider_agents=ovn
 [ovn]
 ovn_nb_connection={{ .NBConnection }}
 ovn_sb_connection={{ .SBConnection }}
-# OVN/TODO double check defaultsj
+{{- if .OVNDB_TLS }}
+ovn_nb_private_key = /etc/pki/tls/private/ovndb.key
+ovn_nb_certificate = /etc/pki/tls/certs/ovndb.crt
+ovn_nb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
+ovn_sb_private_key = /etc/pki/tls/private/ovndb.key
+ovn_sb_certificate = /etc/pki/tls/certs/ovndb.crt
+ovn_sb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
+{{- end }}
 
 [oslo_policy]
 enforce_scope = True
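Review bot: The certificate settings only take effect if `ovn_nb_connection` / `ovn_sb_connection` carry `ssl:` endpoints, and nothing in this hunk ties `.OVNDB_TLS` to the scheme of `.NBConnection` / `.SBConnection`; where those are built is outside this diff, so if they come from the OVN DB cluster status independently of the secret, a TLS-enabled secret with `tcp:` endpoints keeps talking in clear and `ssl:` endpoints without the block cannot connect at all. A one-line template comment would make the coupling visible, `# the key/cert block below only applies when the connection strings above use ssl:`, and a reconcile-time check that the two agree would catch the mismatch before the pod does. Minor style point: the six new settings are written `key = value` while the rest of the section uses `key=value`; `ovn_nb_private_key=/etc/pki/tls/private/ovndb.key` matches the surrounding lines. The `[ovn]` section is complete inside the hunk.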