[TLS] Get CA from secret references in custom public issuer
Jira: OSP-26299
stuggi committed Oct 23, 2023
1 parent 31eef46 commit 24de243
Showing 1 changed file with 59 additions and 4 deletions.
63 changes: 59 additions & 4 deletions pkg/openstack/ca.go
Expand Up @@ -20,6 +20,7 @@ import (
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
"golang.org/x/exp/slices"
k8s_errors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"

corev1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"

Expand Down Expand Up @@ -120,7 +121,45 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
return ctrlResult, nil
}
} else {
// TODO get secret name from issuer and get ca.crt
customIssuerName := *instance.Spec.TLS.PublicEndpoints.Issuer
caSecretName, err := getCASecretFromIssuer(
ctx,
instance,
helper,
customIssuerName,
)
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
corev1.OpenStackControlPlaneCAReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
corev1.OpenStackControlPlaneCAReadyErrorMessage,
issuerReq.Kind,
customIssuerName,
err.Error()))

return ctrl.Result{}, err
}
caCert, ctrlResult, err = getCAFromSecret(
ctx,
instance,
helper,
caSecretName,
)
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
corev1.OpenStackControlPlaneCAReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
corev1.OpenStackControlPlaneCAReadyErrorMessage,
issuerReq.Kind,
customIssuerName,
err.Error()))

return ctrlResult, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrlResult, nil
}
}

err = bundle.getCertsFromPEM(caCert)
Expand Down Expand Up @@ -322,21 +361,37 @@ func createRootCACertAndIssuer(
return caCert, ctrl.Result{}, nil
}

func getCASecretFromIssuer(
ctx context.Context,
instance *corev1.OpenStackControlPlane,
helper *helper.Helper,
issuerName string,
) (string, error) {
issuer := &certmgrv1.Issuer{}

err := helper.GetClient().Get(ctx, types.NamespacedName{Name: issuerName, Namespace: instance.Namespace}, issuer)
if err != nil && !k8s_errors.IsNotFound(err) {
return "", err
}

return issuer.Spec.CA.SecretName, nil
}

func getCAFromSecret(
ctx context.Context,
instance *corev1.OpenStackControlPlane,
helper *helper.Helper,
caName string,
secretName string,
) ([]byte, ctrl.Result, error) {
caSecret, ctrlResult, err := secret.GetDataFromSecret(ctx, helper, caName, time.Duration(5), "ca.crt")
caSecret, ctrlResult, err := secret.GetDataFromSecret(ctx, helper, secretName, time.Duration(5), "ca.crt")
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
corev1.OpenStackControlPlaneCAReadyCondition,
condition.ErrorReason,
condition.SeverityWarning,
corev1.OpenStackControlPlaneCAReadyErrorMessage,
"secret",
caName,
secretName,
err.Error()))

return nil, ctrlResult, err
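Review bot: getCASecretFromIssuer in the third hunk masks a missing issuer and can panic on a non-CA issuer: the `!k8s_errors.IsNotFound(err)` filter turns a NotFound into `"", nil`, so ReconcileCAs goes on to call getCAFromSecret with an empty secret name and the condition then blames a "secret" with no name instead of the absent issuer; and `issuer.Spec.CA` is a pointer in the cert-manager API that is only populated for CA-type issuers, so a custom public issuer of another type (ACME, Vault, SelfSigned) dereferences nil. Both should be explicit errors returned to the caller, which already sets the CAReady condition with the issuer name. The sketch below uses fmt.Errorf; if fmt is not already imported in ca.go, build the message with whatever error helper the file uses.
```go
	// … unchanged: signature …
	issuer := &certmgrv1.Issuer{}

	// A missing issuer is a configuration error; returning "" here would only
	// move the failure to the secret lookup with an empty name.
	err := helper.GetClient().Get(ctx, types.NamespacedName{Name: issuerName, Namespace: instance.Namespace}, issuer)
	if err != nil {
		return "", err
	}
	// Spec.CA is only set for CA-type issuers; guard the nil dereference.
	if issuer.Spec.CA == nil || issuer.Spec.CA.SecretName == "" {
		return "", fmt.Errorf("issuer %s does not reference a CA secret", issuerName)
	}

	return issuer.Spec.CA.SecretName, nil
```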
