From 25e5b3ebfdfa1dac1bfabdfe69ae1a4dda05befc Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Wed, 13 Dec 2023 17:58:42 +0100 Subject: [PATCH] [tlse] internal TLS support for Nova Creates TLS certs via cert-manager for NovaAPI, NovaMetadata and NovaNoVNCProxy. Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/428 Jira: TODO --- ....openstack.org_openstackcontrolplanes.yaml | 39 +++ apis/go.mod | 2 + apis/go.sum | 4 +- ....openstack.org_openstackcontrolplanes.yaml | 39 +++ go.mod | 2 + go.sum | 4 +- pkg/openstack/nova.go | 228 +++++++++++++----- 7 files changed, 253 insertions(+), 65 deletions(-) diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml index 498d8b602..ffc10ad79 100644 --- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -9089,6 +9089,24 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + api: + properties: + internal: + properties: + secretName: + type: string + type: object + public: + properties: + secretName: + type: string + type: object + type: object + caBundleSecretName: + type: string + type: object type: object cellTemplates: additionalProperties: @@ -9263,6 +9281,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object noVNCProxyServiceTemplate: properties: @@ -9370,6 +9395,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object nodeSelector: additionalProperties: 
@@ -9583,6 +9615,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object nodeSelector: additionalProperties: diff --git a/apis/go.mod b/apis/go.mod index ec3766ded..0d4eecb57 100644 --- a/apis/go.mod +++ b/apis/go.mod @@ -124,3 +124,5 @@ replace github.com/openstack-k8s-operators/glance-operator/api => github.com/stu replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/stuggi/cinder-operator/api v0.0.0-20240110132541-fed2378a8cb1 replace github.com/openstack-k8s-operators/placement-operator/api => github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab + +replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40 diff --git a/apis/go.sum b/apis/go.sum index 77134255e..86d3d6a11 100644 --- a/apis/go.sum +++ b/apis/go.sum 
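Review bot: The `replace` added at the end of apis/go.mod (and repeated in the root go.mod hunk further down) redirects `github.com/openstack-k8s-operators/nova-operator/api` to a personal fork, `github.com/stuggi/nova-operator/api`, at an untagged pseudo-version. While the directive is in place, the Nova API types are built from a module path outside the organisation, as with the existing glance, cinder and placement replaces visible in the context lines. The directive should be dropped and the `require` bumped to the upstream commit before this merges. Until then, a marker above it such as `// TODO: remove once the nova-operator TLS change is merged upstream` would make the temporary status explicit.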
@@ -154,8 +154,6 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-7 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-72b9a4ab968c/go.mod h1:AIdqCEAycRS/78wgnLhAjRkgkt7gygVmakvOp//vlz0= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343 h1:KrzABqo34PVd4kGxVwTZj/j4ZbTmH/vE/TL13t/ojGA= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343/go.mod h1:Ehw3pMZJrmmIscJ4npkAux7BuZ+2XSXnCuSeF1tzeL0= -github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240104123738-13980c2f529d h1:bQWbPEd9iBcFoil+id1kYUcxjxI83DLscgLZlyz0Hz0= -github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240104123738-13980c2f529d/go.mod h1:NuZtXGv0KqWpN9A6HeclDgIQZn9SD3ompfiiyI2fV4c= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-1cb9656d2d92 h1:mJyxKHC80qo1F9FtYrg7ZUgb8QQ80zdc1VRHlaHfZT8= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-1cb9656d2d92/go.mod h1:661OeCQQ1NlU8lg0zzZOY/qi1R800JshTNLaXNE4aEQ= github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240104133234-31762c2b9fda h1:F4S4fHht/zEOeZH/ZqPTxxNPEs+M9wwrKwnkGv8amR0= 
@@ -209,6 +207,8 @@ github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NP github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg= github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a h1:r19DMgleke1s0KfyMFawd6Zs3WmOL3bOE0JZwrMYVnY= github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a/go.mod h1:yPMojR9cveY8v9D33Xg7TKgMLv1/eC5iUx38I+oW+os= +github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40 h1:1JsmWURQ1DLsX9VLwJPSh+T93XNXRMXS/8C1oqtJbFY= +github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40/go.mod h1:5Zn+uNB6bWf5NzrVCO479Y+cFpXBs37zZ2gsO4cF+dI= github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab h1:S+0i4XbDtElrNkMMa+uwCd3Le8AWWM/kQIg1ip9VGHM= github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab/go.mod h1:AAwgTkClTNTxz+2V0drAqYAbzQ54TxFAbzcGPGinbAQ= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index 498d8b602..ffc10ad79 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -9089,6 +9089,24 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + api: + properties: + internal: + properties: + secretName: + type: string + type: object + public: + properties: + secretName: + type: string + type: object + type: object + caBundleSecretName: + type: string + type: object type: object cellTemplates: additionalProperties: 
@@ -9263,6 +9281,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object noVNCProxyServiceTemplate: properties: @@ -9370,6 +9395,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object nodeSelector: additionalProperties: @@ -9583,6 +9615,13 @@ spec: x-kubernetes-int-or-string: true type: object type: object + tls: + properties: + caBundleSecretName: + type: string + secretName: + type: string + type: object type: object nodeSelector: additionalProperties: diff --git a/go.mod b/go.mod index e24c6b13c..bf04784ae 100644 --- a/go.mod +++ b/go.mod @@ -144,3 +144,5 @@ replace github.com/openstack-k8s-operators/glance-operator/api => github.com/stu replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/stuggi/cinder-operator/api v0.0.0-20240110132541-fed2378a8cb1 replace github.com/openstack-k8s-operators/placement-operator/api => github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab + +replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40 diff --git a/go.sum b/go.sum index 665ab8586..e2986a015 100644 --- a/go.sum +++ b/go.sum 
@@ -169,8 +169,6 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-7 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240104144719-72b9a4ab968c/go.mod h1:AIdqCEAycRS/78wgnLhAjRkgkt7gygVmakvOp//vlz0= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343 h1:KrzABqo34PVd4kGxVwTZj/j4ZbTmH/vE/TL13t/ojGA= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240104162634-fe72003c6343/go.mod h1:Ehw3pMZJrmmIscJ4npkAux7BuZ+2XSXnCuSeF1tzeL0= -github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240104123738-13980c2f529d h1:bQWbPEd9iBcFoil+id1kYUcxjxI83DLscgLZlyz0Hz0= -github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240104123738-13980c2f529d/go.mod h1:NuZtXGv0KqWpN9A6HeclDgIQZn9SD3ompfiiyI2fV4c= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-1cb9656d2d92 h1:mJyxKHC80qo1F9FtYrg7ZUgb8QQ80zdc1VRHlaHfZT8= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-1cb9656d2d92/go.mod h1:661OeCQQ1NlU8lg0zzZOY/qi1R800JshTNLaXNE4aEQ= github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240104130219-48e65da33a9a h1:hyIPlkfk0pcblLiLGxhtDrmGNAGJs3b4rusoFVlKGB4= 
@@ -232,6 +230,8 @@ github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NP github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg= github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a h1:r19DMgleke1s0KfyMFawd6Zs3WmOL3bOE0JZwrMYVnY= github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a/go.mod h1:yPMojR9cveY8v9D33Xg7TKgMLv1/eC5iUx38I+oW+os= +github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40 h1:1JsmWURQ1DLsX9VLwJPSh+T93XNXRMXS/8C1oqtJbFY= +github.com/stuggi/nova-operator/api v0.0.0-20240110132701-d343627c1d40/go.mod h1:5Zn+uNB6bWf5NzrVCO479Y+cFpXBs37zZ2gsO4cF+dI= github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab h1:S+0i4XbDtElrNkMMa+uwCd3Le8AWWM/kQIg1ip9VGHM= github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab/go.mod h1:AAwgTkClTNTxz+2V0drAqYAbzQ54TxFAbzcGPGinbAQ= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go index 79704135e..02bd956d8 100644 --- a/pkg/openstack/nova.go +++ b/pkg/openstack/nova.go @@ -20,10 +20,12 @@ import ( "context" "fmt" + "github.com/openstack-k8s-operators/lib-common/modules/certmanager" "github.com/openstack-k8s-operators/lib-common/modules/common" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" "github.com/openstack-k8s-operators/lib-common/modules/common/service" + "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/reconcile" 
@@ -56,9 +58,16 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl return ctrl.Result{}, nil } - // add selector to service overrides + // When component services got created check if there is the need to create routes and certificates + if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "nova", Namespace: instance.Namespace}, nova); err != nil { + if !k8s_errors.IsNotFound(err) { + return ctrl.Result{}, err + } + } + + // Add selectors and CA bundle to service overrides for api, metadata and novncproxy + // NovaAPI for _, endpointType := range []service.Endpoint{service.EndpointPublic, service.EndpointInternal} { - // NovaAPI if instance.Spec.Nova.Template.APIServiceTemplate.Override.Service == nil { instance.Spec.Nova.Template.APIServiceTemplate.Override.Service = map[service.Endpoint]service.RoutedOverrideSpec{} } 
@@ -66,31 +75,56 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl AddServiceComponentLabel( instance.Spec.Nova.Template.APIServiceTemplate.Override.Service[endpointType], nova.Name+"-api") + } + // preserve any previously set TLS certs,set CA cert + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + instance.Spec.Nova.Template.APIServiceTemplate.TLS = nova.Spec.APIServiceTemplate.TLS + } + instance.Spec.Nova.Template.APIServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName - // cell NoVNCProxy service override - for cellName, cellTemplate := range instance.Spec.Nova.Template.CellTemplates { - // skip adding override for all the cells where novncproxy is disabled - if cellTemplate.NoVNCProxyServiceTemplate.Enabled == ptr.To(false) { - continue - } + // NovaMetadata + if metadataEnabled(instance.Spec.Nova.Template.MetadataServiceTemplate) { + if instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service == nil { + instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service = &service.OverrideSpec{} + } + instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service.AddLabel(centralMetadataLabelMap(nova.Name)) + + // preserve any previously set TLS certs,set CA cert + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + instance.Spec.Nova.Template.MetadataServiceTemplate.TLS = nova.Spec.MetadataServiceTemplate.TLS + } + instance.Spec.Nova.Template.MetadataServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + } + // Cells + for cellName, cellTemplate := range instance.Spec.Nova.Template.CellTemplates { + // add override where novncproxy enabled is not specified or explicitely set to true + if noVNCProxyEnabled(cellTemplate.NoVNCProxyServiceTemplate) { if cellTemplate.NoVNCProxyServiceTemplate.Override.Service == nil { cellTemplate.NoVNCProxyServiceTemplate.Override.Service = &service.RoutedOverrideSpec{} } + 
cellTemplate.NoVNCProxyServiceTemplate.Override.Service.AddLabel(getNoVNCProxyLabelMap(nova.Name, cellName)) - *cellTemplate.NoVNCProxyServiceTemplate.Override.Service = - AddServiceComponentLabel( - *cellTemplate.NoVNCProxyServiceTemplate.Override.Service, - getNoVNCProxyServiceLabel(nova.Name, cellName)) - - instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate + // preserve any previously set TLS certs,set CA cert + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + cellTemplate.NoVNCProxyServiceTemplate.TLS = nova.Spec.CellTemplates[cellName].NoVNCProxyServiceTemplate.TLS + } + cellTemplate.NoVNCProxyServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName } - } - // When component services got created check if there is the need to create a route - if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "nova", Namespace: instance.Namespace}, nova); err != nil { - if !k8s_errors.IsNotFound(err) { - return ctrl.Result{}, err + // add override where metadata enabled is set to true + if metadataEnabled(cellTemplate.MetadataServiceTemplate) { + if cellTemplate.MetadataServiceTemplate.Override.Service == nil { + cellTemplate.MetadataServiceTemplate.Override.Service = &service.OverrideSpec{} + } + cellTemplate.MetadataServiceTemplate.Override.Service.AddLabel(cellMetadataLabelMap(nova.Name, cellName)) + + // preserve any previously set TLS certs,set CA cert + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + cellTemplate.MetadataServiceTemplate.TLS = nova.Spec.CellTemplates[cellName].MetadataServiceTemplate.TLS + } + cellTemplate.MetadataServiceTemplate.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName } + instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate } // Nova API 
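Review bot: The comment `add override where novncproxy enabled is not specified or explicitely set to true` in the cell loop does not match `noVNCProxyEnabled`, defined at the end of this patch as `vncproxy.Enabled != nil && *vncproxy.Enabled == true`, which returns false when `Enabled` is unset. A cell that leaves the field unset therefore gets no label override here, and no route or certificate secret in the later all-cells-ready hunk that uses the same helper, unless a defaulting webhook outside this diff always populates it. If unset is meant to count as enabled, the helper should read `return vncproxy.Enabled == nil || *vncproxy.Enabled`; otherwise the comment should say that only an explicit true enables the service. The removed check `Enabled == ptr.To(false)` compared pointers and so never skipped a cell, which makes this a behaviour change.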
@@ -116,7 +150,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl instance.Spec.Nova.Template.APIServiceTemplate.Override.Service, instance.Spec.Nova.APIOverride, corev1beta1.OpenStackControlPlaneExposeNovaReadyCondition, - true, // TODO: (mschuppert) disable TLS for now until implemented + false, // TODO (mschuppert) could be removed when all integrated service support TLS ) if err != nil { return ctrlResult, err 
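Review bot: The trailing `false` passed to `EnsureEndpointConfig` carries a TODO that says it could be removed but not what the argument controls. The removed line suggests `true` meant TLS was disabled for the endpoint, so `false` presumably opts the Nova API routes into TLS. A comment naming the flag would help, for example `false, // TLS not disabled for this endpoint; TODO (mschuppert) drop the parameter once all services support TLS`. The same argument appears in the NoVNCProxy call in the next hunk, and the call itself starts above this hunk.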
@@ -125,58 +159,102 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl } instance.Spec.Nova.Template.APIServiceTemplate.Override.Service = apiServiceEndpointDetails.GetEndpointServiceOverrides() + + // set NovaAPI TLS cert secret + instance.Spec.Nova.Template.APIServiceTemplate.TLS.API.Public.SecretName = + apiServiceEndpointDetails.GetEndptCertSecret(service.EndpointPublic) + instance.Spec.Nova.Template.APIServiceTemplate.TLS.API.Internal.SecretName = + apiServiceEndpointDetails.GetEndptCertSecret(service.EndpointInternal) } if nova.Status.Conditions.IsTrue(novav1.NovaAllCellsReadyCondition) { - // cell NoVNCProxy - for cellName, cellTemplate := range instance.Spec.Nova.Template.CellTemplates { - // skip checking for/creating route if service is not enabled - if cellTemplate.NoVNCProxyServiceTemplate.Enabled == ptr.To(false) { - continue - } - - if cellTemplate.NoVNCProxyServiceTemplate.Override.Service == nil { - cellTemplate.NoVNCProxyServiceTemplate.Override.Service = &service.RoutedOverrideSpec{} - } - - svcs, err := service.GetServicesListWithLabel( - ctx, - helper, - instance.Namespace, - map[string]string{ - common.AppSelector: getNoVNCProxyServiceLabel(nova.Name, cellName), - }, - ) - if err != nil { - return ctrl.Result{}, err - } - - var ctrlResult reconcile.Result - var cellServiceEndpointDetails = Endpoints{} - cellServiceEndpointDetails, ctrlResult, err = EnsureEndpointConfig( + // create certificate for central Metadata agent if internal TLS and Metadata are enabled + if instance.Spec.TLS.Enabled(service.EndpointInternal) && + metadataEnabled(instance.Spec.Nova.Template.MetadataServiceTemplate) { + certScrt, ctrlResult, err := certmanager.EnsureCertForServiceWithSelector( ctx, - instance, helper, - nova, - svcs, - map[service.Endpoint]service.RoutedOverrideSpec{ - service.EndpointPublic: *cellTemplate.NoVNCProxyServiceTemplate.Override.Service, - }, - instance.Spec.Nova.CellOverride[cellName].NoVNCProxy, - 
corev1beta1.OpenStackControlPlaneExposeNovaReadyCondition, - true, // TODO: (mschuppert) disable TLS for now until implemented - ) + nova.Namespace, + instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service.Labels, + tls.DefaultCAPrefix+string(service.EndpointInternal)) if err != nil { return ctrlResult, err } else if (ctrlResult != ctrl.Result{}) { return ctrlResult, nil } - routedOverrideSpec := cellServiceEndpointDetails.GetEndpointServiceOverrides() - cellTemplate.NoVNCProxyServiceTemplate.Override.Service = ptr.To(routedOverrideSpec[service.EndpointPublic]) + // update NovaMetadata cert secret + instance.Spec.Nova.Template.MetadataServiceTemplate.TLS.SecretName = ptr.To(certScrt) + } - instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate + // cell Metadata and NoVNCProxy + for cellName, cellTemplate := range instance.Spec.Nova.Template.CellTemplates { + // create certificate for Metadata agend if internal TLS and Metadata per cell is enabled + if instance.Spec.TLS.Enabled(service.EndpointInternal) && + metadataEnabled(cellTemplate.MetadataServiceTemplate) { + + certScrt, ctrlResult, err := certmanager.EnsureCertForServiceWithSelector( + ctx, + helper, + nova.Namespace, + cellTemplate.MetadataServiceTemplate.Override.Service.Labels, + tls.DefaultCAPrefix+string(service.EndpointInternal)) + if err != nil { + return ctrlResult, err + } else if (ctrlResult != ctrl.Result{}) { + return ctrlResult, nil + } + + // update NovaMetadata cert secret + cellTemplate.MetadataServiceTemplate.TLS.SecretName = ptr.To(certScrt) + } + + // NoVNCProxy check for/creating route if service is enabled + if noVNCProxyEnabled(cellTemplate.NoVNCProxyServiceTemplate) { + if cellTemplate.NoVNCProxyServiceTemplate.Override.Service == nil { + cellTemplate.NoVNCProxyServiceTemplate.Override.Service = &service.RoutedOverrideSpec{} + } + + svcs, err := service.GetServicesListWithLabel( + ctx, + helper, + instance.Namespace, + getNoVNCProxyLabelMap(nova.Name, 
cellName), + ) + if err != nil { + return ctrl.Result{}, err + } + + var ctrlResult reconcile.Result + var cellServiceEndpointDetails = Endpoints{} + cellServiceEndpointDetails, ctrlResult, err = EnsureEndpointConfig( + ctx, + instance, + helper, + nova, + svcs, + map[service.Endpoint]service.RoutedOverrideSpec{ + service.EndpointPublic: *cellTemplate.NoVNCProxyServiceTemplate.Override.Service, + }, + instance.Spec.Nova.CellOverride[cellName].NoVNCProxy, + corev1beta1.OpenStackControlPlaneExposeNovaReadyCondition, + false, // TODO (mschuppert) could be removed when all integrated service support TLS + ) + if err != nil { + return ctrlResult, err + } else if (ctrlResult != ctrl.Result{}) { + return ctrlResult, nil + } + + routedOverrideSpec := cellServiceEndpointDetails.GetEndpointServiceOverrides() + cellTemplate.NoVNCProxyServiceTemplate.Override.Service = ptr.To(routedOverrideSpec[service.EndpointPublic]) + // update NoVNCProxy cert secret + cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName = + cellServiceEndpointDetails.GetEndptCertSecret(service.EndpointPublic) + } + + instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate } } 
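Review bot: The metadata certificates are requested only inside the `nova.Status.Conditions.IsTrue(novav1.NovaAllCellsReadyCondition)` block, so `MetadataServiceTemplate.TLS.SecretName` stays unset until every cell has reported ready once. If I read the flow correctly, with internal TLS enabled the first rollout of NovaMetadata (central and per cell) is configured without a server certificate and only switches to TLS on a later reconcile; whether the Nova operator tolerates or rejects that state is not visible here. A comment above the central block stating why the certificate has to wait for the services to exist, and that the first deployment runs without it, would make the window explicit. Both new `EnsureCertForServiceWithSelector` calls also read `Override.Service.Labels` without the nil guard that the NoVNCProxy branch below repeats; they rely on the earlier override loop having initialised `Override.Service`.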
@@ -233,6 +311,34 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl return ctrl.Result{}, nil } -func getNoVNCProxyServiceLabel(name string, cellName string) string { - return name + "-novncproxy-" + cellName +func getNoVNCProxyLabelMap(name string, cellName string) map[string]string { + return map[string]string{ + common.AppSelector: name + "-novncproxy", + "cell": cellName, + } +} + +func getMetadataLabelMap(name string, instType string) map[string]string { + return map[string]string{ + common.AppSelector: name + "-metadata", + "type": instType, + } +} + +func centralMetadataLabelMap(name string) map[string]string { + return getMetadataLabelMap(name, "central") +} + +func cellMetadataLabelMap(name string, cell string) map[string]string { + lm := getMetadataLabelMap(name, "cell") + lm["cell"] = cell + return lm +} + +func metadataEnabled(metadata novav1.NovaMetadataTemplate) bool { + return metadata.Enabled != nil && *metadata.Enabled == true +} + +func noVNCProxyEnabled(vncproxy novav1.NovaNoVNCProxyTemplate) bool { + return vncproxy.Enabled != nil && *vncproxy.Enabled == true }
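Review bot: `metadataEnabled` and `noVNCProxyEnabled` compare a bool with `true`; `return metadata.Enabled != nil && *metadata.Enabled` and `return vncproxy.Enabled != nil && *vncproxy.Enabled` are equivalent and avoid the redundant comparison that linters flag. The new label helpers mix two naming styles (`getNoVNCProxyLabelMap` and `getMetadataLabelMap` against `centralMetadataLabelMap` and `cellMetadataLabelMap`); dropping the `get` prefix would match Go convention. These maps are used both as labels added to the service overrides and as the selector for the service lookup and certificate creation in the earlier hunks. A one-line doc comment on each helper saying so would tell the next editor that changing a key or value also changes which services receive a certificate.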