Merge pull request #204 from weinimo/cert-management
Cert management
openshift-merge-bot[bot] authored Nov 30, 2023
2 parents 388eee6 + 34f4a11 commit f7663b9
Showing 11 changed files with 384 additions and 24 deletions.
10 changes: 8 additions & 2 deletions api/bases/octavia.openstack.org_octaviaamphoracontrollers.yaml
Expand Up @@ -50,9 +50,15 @@ spec:
description: OctaviaAmphoraControllerSpec defines common state for all
Octavia Amphora Controllers
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing certs
for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image URL
30 changes: 24 additions & 6 deletions api/bases/octavia.openstack.org_octavias.yaml
Expand Up @@ -456,9 +456,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
Expand Down Expand Up @@ -632,9 +638,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
Expand Down Expand Up @@ -808,9 +820,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
10 changes: 8 additions & 2 deletions api/v1beta1/amphoracontroller_types.go
Expand Up @@ -77,10 +77,16 @@ type OctaviaAmphoraControllerSpec struct {
// Secret containing OpenStack password information for octavia OctaviaDatabasePassword, AdminPassword
Secret string `json:"secret"`

// *kubebuilder:validation:Required
// Secret containing certs for securing communication with amphora based Load Balancers
// +kubebuilder:validation:Required
// +kubebuilder:default=octavia-certs-secret
// LoadBalancerCerts - Secret containing certs for securing communication with amphora based Load Balancers
LoadBalancerCerts string `json:"certssecret"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=octavia-ca-passphrase
// Name of secret containing passphrase for the CA private keys
CAKeyPassphraseSecret string `json:"certspassphrasesecret"`

// +kubebuilder:validation:Optional
// +kubebuilder:default={database: OctaviaDatabasePassword, service: OctaviaPassword}
// PasswordSelectors - Selectors to identify the DB and AdminUser password from the Secret
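Review bot: The doc comment on `CAKeyPassphraseSecret` does not say what the referenced Secret must contain, yet the controller change in this same commit (generateServiceConfigMaps in controllers/amphoracontroller_controller.go) reads a `server-ca-passphrase` key out of it and fails reconciliation when the Secret is absent, so a user relying on the `octavia-ca-passphrase` default without creating that Secret gets an unexplained error. Suggest `// Name of secret containing passphrase for the CA private keys (expected key: server-ca-passphrase); the secret must exist even when the default name is used`. Separately, `LoadBalancerCerts` keeps `+kubebuilder:validation:Required` while now also carrying `+kubebuilder:default=octavia-certs-secret`, which makes the Required marker effectively unreachable — one of the two markers should probably go. The struct continues outside the hunk.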
Expand Up @@ -50,9 +50,15 @@ spec:
description: OctaviaAmphoraControllerSpec defines common state for all
Octavia Amphora Controllers
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing certs
for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image URL
30 changes: 24 additions & 6 deletions config/crd/bases/octavia.openstack.org_octavias.yaml
Expand Up @@ -456,9 +456,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
Expand Down Expand Up @@ -632,9 +638,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
Expand Down Expand Up @@ -808,9 +820,15 @@ spec:
description: OctaviaHousekeeping - Spec definition for the Octavia
Housekeeping agent for the Octavia deployment
properties:
certspassphrasesecret:
default: octavia-ca-passphrase
description: Name of secret containing passphrase for the CA private
keys
type: string
certssecret:
description: '*kubebuilder:validation:Required Secret containing
certs for securing communication with amphora based Load Balancers'
default: octavia-certs-secret
description: LoadBalancerCerts - Secret containing certs for securing
communication with amphora based Load Balancers
type: string
containerImage:
description: ContainerImage - Amphora Controller Container Image
6 changes: 3 additions & 3 deletions config/samples/octavia_v1beta1_octavia.yaml
Expand Up @@ -21,7 +21,7 @@ spec:
serviceUser: octavia
serviceAccount: octavia
role: housekeeping
certssecret: todo
certssecret: octavia-amp-cert-data
secret: osp-secret
preserveJobs: false
customServiceConfig: |
Expand All @@ -33,7 +33,7 @@ spec:
serviceUser: octavia
serviceAccount: octavia
role: healthmanager
certssecret: todo
certssecret: octavia-amp-cert-data
secret: osp-secret
preserveJobs: false
customServiceConfig: |
Expand All @@ -45,7 +45,7 @@ spec:
serviceUser: octavia
serviceAccount: octavia
role: worker
certssecret: todo
certssecret: octavia-amp-cert-data
secret: osp-secret
preserveJobs: false
customServiceConfig: |
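Review bot: The sample now points all three amphora controllers at `certssecret: octavia-amp-cert-data`, which differs from the `octavia-certs-secret` default introduced for the same field in api/v1beta1/amphoracontroller_types.go in this commit. If the sample is meant to exercise the default, the field could be dropped; if `octavia-amp-cert-data` is the name the operator actually creates, the CRD default looks wrong instead. A one-line comment in the sample stating which Secret is expected to exist, e.g. `# must match the Secret holding the amphora certificates`, would keep the two names from drifting apart.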
29 changes: 27 additions & 2 deletions controllers/amphoracontroller_controller.go
Expand Up @@ -31,6 +31,7 @@ import (
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"

keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
Expand Down Expand Up @@ -253,6 +254,17 @@ func (r *OctaviaAmphoraControllerReconciler) reconcileNormal(ctx context.Context
return ctrl.Result{}, err
}

err = amphoracontrollers.EnsureAmphoraCerts(ctx, instance, helper, &Log)
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
condition.ServiceConfigReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
condition.ServiceConfigReadyErrorMessage,
err.Error()))
return ctrl.Result{}, err
}

instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)

//
Expand Down Expand Up @@ -417,12 +429,25 @@ func (r *OctaviaAmphoraControllerReconciler) generateServiceConfigMaps(
if err != nil {
return err
}
templateParameters["ServiceUser"] = instance.Spec.ServiceUser
caPassSecret, _, err := secret.GetSecret(
ctx, helper, instance.Spec.CAKeyPassphraseSecret, instance.Namespace)
if err != nil {
return err
}
spec := instance.Spec
templateParameters["ServiceUser"] = spec.ServiceUser
templateParameters["KeystoneInternalURL"] = keystoneInternalURL
templateParameters["KeystonePublicURL"] = keystonePublicURL
templateParameters["ServiceRoleName"] = instance.Spec.Role
templateParameters["ServiceRoleName"] = spec.Role
templateParameters["LbMgmtNetworkId"] = templateVars.LbMgmtNetworkID
templateParameters["AmpFlavorId"] = templateVars.AmphoraDefaultFlavorID
serverCAPassphrase := caPassSecret.Data["server-ca-passphrase"]
if serverCAPassphrase != nil {
templateParameters["ServerCAKeyPassphrase"] = string(serverCAPassphrase)
} else {
// Can't do string(nil)
templateParameters["ServerCAKeyPassphrase"] = ""
}

// TODO(beagles): populate the template parameters
cms := []util.Template{
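Review bot: The value read from `caPassSecret.Data["server-ca-passphrase"]` is copied into `templateParameters["ServerCAKeyPassphrase"]` and then handed to the `cms` templates; if those templates are rendered into ConfigMaps, as the function name generateServiceConfigMaps suggests, the CA private-key passphrase leaves the Secret it was stored in and becomes readable by anything with ConfigMap read access in the namespace, so the rendered config file that carries it should be written to a Secret (the `secret` package is already imported here) rather than a ConfigMap. Separately, the `else` branch and its `// Can't do string(nil)` comment are unnecessary: converting a nil `[]byte` to string yields `""` in Go, so `templateParameters["ServerCAKeyPassphrase"] = string(caPassSecret.Data["server-ca-passphrase"])` is sufficient — though silently rendering an empty passphrase when the key is missing is arguably worse than returning an error that names the missing key. The enclosing function continues outside the hunk.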
