From a0af954b62e7d4de9e71232ab8fd9938f9ca18f2 Mon Sep 17 00:00:00 2001 From: Veronika Fisarova Date: Thu, 7 Mar 2024 11:41:58 +0100 Subject: [PATCH] [tlse] internal TLS support for telemetry aodh service Creates the telemetry aodh route and svc overrides. Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: ~~~ customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true ~~~ Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/telemetry-operator#310 Depends-On: openstack-k8s-operators/telemetry-operator#327 Depends-On: openstack-k8s-operators/telemetry-operator#330 Signed-off-by: Veronika Fisarova --- ....openstack.org_openstackcontrolplanes.yaml | 190 ++++++++++++++---- apis/core/v1beta1/conditions.go | 3 + .../v1beta1/openstackcontrolplane_types.go | 5 + apis/core/v1beta1/zz_generated.deepcopy.go | 1 + apis/go.mod | 2 +- apis/go.sum | 4 +- ....openstack.org_openstackcontrolplanes.yaml | 190 ++++++++++++++---- ...nstack-operator.clusterserviceversion.yaml | 7 + go.mod | 2 +- go.sum | 4 +- pkg/openstack/telemetry.go | 54 +++++ 11 files changed, 374 insertions(+), 88 deletions(-) diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml index f7ce222b0..8ce47be25 100644 --- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml 
@@ -15324,6 +15324,112 @@ spec: type: object telemetry: properties: + apiOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object enabled: default: true type: boolean 
@@ -15363,50 +15469,52 @@ spec: override: properties: service: - properties: - endpointURL: - type: string - metadata: - properties: - annotations: - additionalProperties: + additionalProperties: + properties: + endpointURL: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + externalName: type: string - type: object - labels: - additionalProperties: + externalTrafficPolicy: type: string - type: object - type: object - spec: - properties: - externalName: - type: string - externalTrafficPolicy: - type: string - internalTrafficPolicy: - type: string - ipFamilyPolicy: - type: string - loadBalancerClass: - type: string - loadBalancerSourceRanges: - items: + internalTrafficPolicy: type: string - type: array - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - type: - type: string - type: object + ipFamilyPolicy: + type: string + loadBalancerClass: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + sessionAffinity: + type: string + sessionAffinityConfig: + properties: + clientIP: + properties: + timeoutSeconds: + format: int32 + type: integer + type: object + type: object + type: + type: string + type: object + type: object type: object type: object passwordSelector: diff --git a/apis/core/v1beta1/conditions.go b/apis/core/v1beta1/conditions.go index 5729afe3c..80d566065 100644 --- a/apis/core/v1beta1/conditions.go +++ b/apis/core/v1beta1/conditions.go 
@@ -108,6 +108,9 @@ const (
 // OpenStackControlPlaneTelemetryReadyCondition Status=True condition which indicates if OpenStack Telemetry service is configured and operational
 OpenStackControlPlaneTelemetryReadyCondition condition.Type = "OpenStackControlPlaneTelemetryReady"
 
+ // OpenStackControlPlaneExposeTelemetryReadyCondition Status=True condition which indicates if Telemetry is exposed via a route
+ OpenStackControlPlaneExposeTelemetryReadyCondition condition.Type = "OpenStackControlPlaneExposeTelemetryReady"
+
 // OpenStackControlPlaneServiceOverrideReadyCondition Status=True condition which indicates if OpenStack service override has created ok
 OpenStackControlPlaneServiceOverrideReadyCondition condition.Type = "OpenStackControlPlaneServiceOverrideReady"
 
diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
index 5eb9533f0..fb584b05e 100644
--- a/apis/core/v1beta1/openstackcontrolplane_types.go
+++ b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -604,6 +604,11 @@ type TelemetrySection struct {
 //+operator-sdk:csv:customresourcedefinitions:type=spec
 // Template - Overrides to use when creating the OpenStack Telemetry services
 Template telemetryv1.TelemetrySpec `json:"template,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // APIOverride, provides the ability to override the generated manifest of several child resources.
+ APIOverride Override `json:"apiOverride,omitempty"`
 }
 
 // SwiftSection defines the desired state of Swift service
diff --git a/apis/core/v1beta1/zz_generated.deepcopy.go b/apis/core/v1beta1/zz_generated.deepcopy.go
index c087f1adb..aa951fe78 100644
--- a/apis/core/v1beta1/zz_generated.deepcopy.go
+++ b/apis/core/v1beta1/zz_generated.deepcopy.go
@@ -822,6 +822,7 @@ func (in *TLSStatus) DeepCopy() *TLSStatus { func (in *TelemetrySection) DeepCopyInto(out *TelemetrySection) { *out = *in in.Template.DeepCopyInto(&out.Template) + in.APIOverride.DeepCopyInto(&out.APIOverride) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemetrySection. diff --git a/apis/go.mod b/apis/go.mod index 0f64626c5..02b76b720 100644 --- a/apis/go.mod +++ b/apis/go.mod @@ -24,7 +24,7 @@ require ( github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240307150054-826f3260f9aa github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240307105529-ab602118fd5d github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890 - github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd + github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 github.com/rabbitmq/cluster-operator/v2 v2.6.0 k8s.io/api v0.28.7 k8s.io/apimachinery v0.28.7 diff --git a/apis/go.sum b/apis/go.sum index 28af2c1a3..72dd1e518 100644 --- a/apis/go.sum +++ b/apis/go.sum 
@@ -113,8 +113,8 @@ github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.2024030710552 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240307105529-ab602118fd5d/go.mod h1:PmT8kZ4JmtjHLAcsr9BNqD3gSSM9QrMLqokapSxaPJs= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890 h1:jW8UefyCC49Xj/BCMy0LrKPD9CvNivWNwaIHCzPuWis= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890/go.mod h1:GaoEq+SBg1xlafynZQEyK7wU0YMkajHEbig6J1CQjUo= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd h1:4du2HsmcEZRc06Ams3FI9kQZDkcYg3FxeDXsfkx9jSg= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 h1:YYeHx9q2/ohmCwezfdw+qDJywpSZVgo9Ud24Oyie2J4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index f7ce222b0..8ce47be25 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml 
@@ -15324,6 +15324,112 @@ spec: type: object telemetry: properties: + apiOverride: + properties: + route: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + alternateBackends: + items: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + maxItems: 3 + type: array + host: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + path: + pattern: ^/ + type: string + port: + properties: + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - targetPort + type: object + subdomain: + maxLength: 253 + pattern: ^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])(\.([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9]))*$ + type: string + tls: + properties: + caCertificate: + type: string + certificate: + type: string + destinationCACertificate: + type: string + insecureEdgeTerminationPolicy: + type: string + key: + type: string + termination: + enum: + - edge + - reencrypt + - passthrough + type: string + required: + - termination + type: object + to: + properties: + kind: + enum: + - Service + - "" + type: string + name: + type: string + weight: + format: int32 + maximum: 256 + minimum: 0 + type: integer + type: object + wildcardPolicy: + enum: + - None + - Subdomain + - "" + type: string + type: object + type: object + tls: + properties: + secretName: + type: string + type: object + type: object enabled: default: true type: boolean 
@@ -15363,50 +15469,52 @@ spec: override: properties: service: - properties: - endpointURL: - type: string - metadata: - properties: - annotations: - additionalProperties: + additionalProperties: + properties: + endpointURL: + type: string + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + properties: + externalName: type: string - type: object - labels: - additionalProperties: + externalTrafficPolicy: type: string - type: object - type: object - spec: - properties: - externalName: - type: string - externalTrafficPolicy: - type: string - internalTrafficPolicy: - type: string - ipFamilyPolicy: - type: string - loadBalancerClass: - type: string - loadBalancerSourceRanges: - items: + internalTrafficPolicy: type: string - type: array - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - type: - type: string - type: object + ipFamilyPolicy: + type: string + loadBalancerClass: + type: string + loadBalancerSourceRanges: + items: + type: string + type: array + sessionAffinity: + type: string + sessionAffinityConfig: + properties: + clientIP: + properties: + timeoutSeconds: + format: int32 + type: integer + type: object + type: object + type: + type: string + type: object + type: object type: object type: object passwordSelector: diff --git a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml index e30074916..cb1012746 100644 --- a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml 
@@ -379,6 +379,13 @@ spec: - description: Template - Overrides to use when creating Swift Resources displayName: Template path: swift.template + - description: APIOverride, provides the ability to override the generated manifest + of several child resources. + displayName: APIOverride + path: telemetry.apiOverride + - description: TLS - overrides tls parameters for public endpoint + displayName: TLS + path: telemetry.apiOverride.tls - description: Enabled - Whether OpenStack Telemetry services should be deployed and managed displayName: Enabled diff --git a/go.mod b/go.mod index 108939e51..60f3cbacd 100644 --- a/go.mod +++ b/go.mod @@ -36,7 +36,7 @@ require ( github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240307150054-826f3260f9aa github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240307105529-ab602118fd5d github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890 - github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd + github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 github.com/operator-framework/api v0.20.0 github.com/rabbitmq/cluster-operator/v2 v2.6.0 go.uber.org/zap v1.27.0 diff --git a/go.sum b/go.sum index 21119329f..46e7b4f84 100644 --- a/go.sum +++ b/go.sum 
@@ -135,8 +135,8 @@ github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.2024030710552 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240307105529-ab602118fd5d/go.mod h1:PmT8kZ4JmtjHLAcsr9BNqD3gSSM9QrMLqokapSxaPJs= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890 h1:jW8UefyCC49Xj/BCMy0LrKPD9CvNivWNwaIHCzPuWis= github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240307114522-1fa027839890/go.mod h1:GaoEq+SBg1xlafynZQEyK7wU0YMkajHEbig6J1CQjUo= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd h1:4du2HsmcEZRc06Ams3FI9kQZDkcYg3FxeDXsfkx9jSg= -github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240307120415-25f01ea4a7fd/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961 h1:YYeHx9q2/ohmCwezfdw+qDJywpSZVgo9Ud24Oyie2J4= +github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240311060559-4ecd4f5c3961/go.mod h1:QUHaxzPPQ1OzWvG8BJIE+D1LSpm+bdv2yfrXHXiYQ+4= github.com/operator-framework/api v0.20.0 h1:A2YCRhr+6s0k3pRJacnwjh1Ue8BqjIGuQ2jvPg9XCB4= github.com/operator-framework/api v0.20.0/go.mod h1:rXPOhrQ6mMeXqCmpDgt1ALoar9ZlHL+Iy5qut9R99a4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= diff --git a/pkg/openstack/telemetry.go b/pkg/openstack/telemetry.go index cbe776dbe..ab1aba1d8 100644 --- a/pkg/openstack/telemetry.go +++ b/pkg/openstack/telemetry.go @@ -6,6 +6,7 @@ import ( "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" + "github.com/openstack-k8s-operators/lib-common/modules/common/service" corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1" telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1" 
@@ -38,6 +39,59 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 return ctrl.Result{}, nil
 }
 
+ // add selector to service overrides
+ for _, endpointType := range []service.Endpoint{service.EndpointPublic, service.EndpointInternal} {
+ if instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service == nil {
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service = make(map[service.Endpoint]service.RoutedOverrideSpec)
+ }
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service[endpointType] =
+ AddServiceOpenStackOperatorLabel(
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service[endpointType],
+ telemetry.Name)
+ }
+
+ // preserve any previously set TLS certs, set CA cert
+ if instance.Spec.TLS.PodLevel.Enabled {
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS = telemetry.Spec.Autoscaling.Aodh.TLS
+ }
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
+ svcs, err := service.GetServicesListWithLabel(
+ ctx,
+ helper,
+ instance.Namespace,
+ GetServiceOpenStackOperatorLabel(telemetry.Name),
+ )
+ if err != nil {
+ return ctrl.Result{}, err
+ }
+
+ // make sure to get to EndpointConfig when all service got created
+ if len(svcs.Items) == len(instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service) {
+ endpointDetails, ctrlResult, err := EnsureEndpointConfig(
+ ctx,
+ instance,
+ helper,
+ telemetry,
+ svcs,
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service,
+ instance.Spec.Telemetry.APIOverride,
+ corev1beta1.OpenStackControlPlaneExposeTelemetryReadyCondition,
+ false, // TODO (mschuppert) could be removed when all integrated service support TLS
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS,
+ )
+ if err != nil {
+ return ctrlResult, err
+ } else if (ctrlResult != ctrl.Result{}) {
+ return ctrlResult, nil
+ }
+ // set service overrides
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.Override.Service = endpointDetails.GetEndpointServiceOverrides()
+ // update TLS settings with cert secret
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+ instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
+ }
+
 helper.GetLogger().Info("Reconciling Telemetry", telemetryNamespaceLabel, instance.Namespace, telemetryNameLabel, telemetryName)
 op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), telemetry, func() error {
 instance.Spec.Telemetry.Template.DeepCopyInto(&telemetry.Spec)
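Review bot: On the `if instance.Spec.TLS.PodLevel.Enabled` line the whole `Aodh.TLS` block is replaced by `telemetry.Spec.Autoscaling.Aodh.TLS`; `telemetry` is constructed above this hunk, and if it has not been read back from the cluster at that point the assignment copies a zero value and discards any `tls` settings a user placed in the control-plane template, just before `CaBundleSecretName` is set on the next line. If the intent is what the comment says, keeping operator-generated cert secrets across reconciles, copying only `TLS.API.Public.SecretName` and `TLS.API.Internal.SecretName` when they are set would preserve the rest of the template's TLS configuration. The `len(svcs.Items) == len(...Override.Service)` guard under `// make sure to get to EndpointConfig` also treats a surplus Service carrying the operator label as "not created yet" and silently skips `EnsureEndpointConfig`, leaving the Expose condition and both cert secret names unset with nothing logged, so logging the mismatch or reporting it through the condition would make that stall visible. The nil-map check inside the `for _, endpointType` loop can be hoisted above the loop, and a local such as `aodh := &instance.Spec.Telemetry.Template.Autoscaling.Aodh` would shorten the repeated selector. Since the `CaBundleSecretName` line is what allows Aodh to verify the other services' internal certificates, the `insecure = true` overrides quoted in the commit description read as a temporary workaround rather than the intended configuration and should be labelled as such.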