[tlse] internal TLS support for placement

Creates TLS certs via cert-manager for placement.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2368

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10831,6 +10831,24 @@ spec:
                       serviceUser:
                         default: placement
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                     required:
                     - containerImage
                     - databaseInstance

apis/go.mod

@@ -122,3 +122,5 @@ replace github.com/openstack-k8s-operators/neutron-operator/api => github.com/st
 replace github.com/openstack-k8s-operators/glance-operator/api => github.com/stuggi/glance-operator/api v0.0.0-20240110132620-5095f52f92f2
 
 replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/stuggi/cinder-operator/api v0.0.0-20240110132541-fed2378a8cb1
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab

apis/go.sum

@@ -160,8 +160,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240104150350-1cb9656d2d92/go.mod h1:661OeCQQ1NlU8lg0zzZOY/qi1R800JshTNLaXNE4aEQ=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240104133234-31762c2b9fda h1:F4S4fHht/zEOeZH/ZqPTxxNPEs+M9wwrKwnkGv8amR0=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240104133234-31762c2b9fda/go.mod h1:mDiJuW2bPgD45yXgWgZtbluMr2NOm8tbYdu5xOrQe88=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240104130506-42419651f900 h1:KdpEKM6SDFnLoWaSJy9JtXrPWOESxlXHZo4xBo33qsc=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240104130506-42419651f900/go.mod h1:qtmCTt7oNM58iCrHGZhNtyWNUhpHqMuH3AU+KAGwG5g=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240103003254-97178240dd81 h1:K805MjEY6QGQ6T2tAWBaFPeoYx3S036h7o0Ms7MjGuQ=
@@ -211,6 +209,8 @@ github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NP
 github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg=
 github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a h1:r19DMgleke1s0KfyMFawd6Zs3WmOL3bOE0JZwrMYVnY=
 github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a/go.mod h1:yPMojR9cveY8v9D33Xg7TKgMLv1/eC5iUx38I+oW+os=
+github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab h1:S+0i4XbDtElrNkMMa+uwCd3Le8AWWM/kQIg1ip9VGHM=
+github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab/go.mod h1:AAwgTkClTNTxz+2V0drAqYAbzQ54TxFAbzcGPGinbAQ=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10831,6 +10831,24 @@ spec:
                       serviceUser:
                         default: placement
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                     required:
                     - containerImage
                     - databaseInstance

go.mod

@@ -142,3 +142,5 @@ replace github.com/openstack-k8s-operators/neutron-operator/api => github.com/st
 replace github.com/openstack-k8s-operators/glance-operator/api => github.com/stuggi/glance-operator/api v0.0.0-20240110132620-5095f52f92f2
 
 replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/stuggi/cinder-operator/api v0.0.0-20240110132541-fed2378a8cb1
+
+replace github.com/openstack-k8s-operators/placement-operator/api => github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab

go.sum

@@ -179,8 +179,6 @@ github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.202
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240104150636-35632735d92f/go.mod h1:JLCVgdpOAk/zcJPJ+od/d0qOb41vkKsi9kzfjSQ6BAU=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240104133234-31762c2b9fda h1:F4S4fHht/zEOeZH/ZqPTxxNPEs+M9wwrKwnkGv8amR0=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240104133234-31762c2b9fda/go.mod h1:mDiJuW2bPgD45yXgWgZtbluMr2NOm8tbYdu5xOrQe88=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626 h1:ApB8Am6T10duf3yo4cFXI8aJ9dK3pBvO+Ml67CDkx7Q=
-github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240104123737-45f6dc371626/go.mod h1:KTxmLkSbU4UPncQyrAfDUgTH/mbgFm9FR6Uq8zcUeiA=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240104130506-42419651f900 h1:KdpEKM6SDFnLoWaSJy9JtXrPWOESxlXHZo4xBo33qsc=
 github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240104130506-42419651f900/go.mod h1:qtmCTt7oNM58iCrHGZhNtyWNUhpHqMuH3AU+KAGwG5g=
 github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240103003254-97178240dd81 h1:K805MjEY6QGQ6T2tAWBaFPeoYx3S036h7o0Ms7MjGuQ=
@@ -234,6 +232,8 @@ github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6 h1:NP
 github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6/go.mod h1:5quo1o1B7wLTXAD6j8sPXDxB5ASYaL9ImyiouAPrXtg=
 github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a h1:r19DMgleke1s0KfyMFawd6Zs3WmOL3bOE0JZwrMYVnY=
 github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a/go.mod h1:yPMojR9cveY8v9D33Xg7TKgMLv1/eC5iUx38I+oW+os=
+github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab h1:S+0i4XbDtElrNkMMa+uwCd3Le8AWWM/kQIg1ip9VGHM=
+github.com/stuggi/placement-operator/api v0.0.0-20231220103240-24d8879cbaab/go.mod h1:AAwgTkClTNTxz+2V0drAqYAbzQ54TxFAbzcGPGinbAQ=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=

pkg/openstack/placement.go

@@ -56,6 +56,12 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 		}
 	}
 
+	// set CA cert and preserve any previously set TLS certs
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS
+	}
+	instance.Spec.Placement.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	var endpointDetails = Endpoints{}
 	if placementAPI.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
 		svcs, err := service.GetServicesListWithLabel(
@@ -78,7 +84,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 			instance.Spec.Placement.Template.Override.Service,
 			instance.Spec.Placement.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposePlacementAPIReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO (mschuppert) could be removed when all integrated service support TLS
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -87,6 +93,10 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 		}
 
 		instance.Spec.Placement.Template.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+
+		// update TLS settings with cert secret
+		instance.Spec.Placement.Template.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+		instance.Spec.Placement.Template.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
 	}
 
 	Log.Info("Reconciling PlacementAPI", "PlacementAPI.Namespace", instance.Namespace, "PlacementAPI.Name", "placement")