From 0f03872f3cd4b55abc1690e91f77f4da1dcdb961 Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Tue, 5 Sep 2023 09:15:39 +0000 Subject: [PATCH] TLS connection to database service This adds the ability to configure oslo.db/pymysql to connect to the database service over TLS. It requires adding TLS options to bind-mount a CA that can validate the TLS certificate exposed by the database service. --- .../keystone.openstack.org_keystoneapis.yaml | 23 ++++ api/go.mod | 30 ++--- api/go.sum | 58 +++++----- api/v1beta1/keystoneapi_types.go | 5 + api/v1beta1/zz_generated.deepcopy.go | 6 + .../keystone.openstack.org_keystoneapis.yaml | 23 ++++ controllers/keystoneapi_controller.go | 7 ++ go.mod | 44 ++++---- go.sum | 71 ++++++------ pkg/keystone/bootstrap.go | 8 +- pkg/keystone/cronjob.go | 8 +- pkg/keystone/dbsync.go | 6 +- pkg/keystone/deployment.go | 6 +- pkg/keystone/initcontainer.go | 2 +- pkg/keystone/volumes.go | 53 +++++++-- templates/keystoneapi/bin/init.sh | 2 +- .../config/keystone-api-config.json | 21 ++++ templates/keystoneapi/config/my.cnf | 3 + tests/functional/base_test.go | 34 ++++++ .../functional/keystoneapi_controller_test.go | 103 ++++++++++++++++++ tests/functional/suite_test.go | 2 + 21 files changed, 393 insertions(+), 122 deletions(-) create mode 100644 templates/keystoneapi/config/my.cnf diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml index c7db9e18..66b64d2c 100644 --- a/api/bases/keystone.openstack.org_keystoneapis.yaml +++ b/api/bases/keystone.openstack.org_keystoneapis.yaml 
@@ -381,6 +381,29 @@ spec: description: Secret containing OpenStack password information for keystone KeystoneDatabasePassword, AdminPassword type: string + tls: + description: TLS certificate and CA for internal TLS traffic + properties: + ca: + description: Ca contains CA-specific settings, which could be + used both by services (to define their own CA certificates) + and by clients (to verify the server's certificate) + properties: + caSecretName: + type: string + type: object + service: + description: Service contains server-specific TLS secret + properties: + disableNonTLSListeners: + type: boolean + secretName: + type: string + type: object + required: + - ca + - service + type: object trustFlushArgs: default: "" description: TrustFlushArgs - Arguments added to keystone-manage trust_flush diff --git a/api/go.mod b/api/go.mod index bc5697fd..9ec482ce 100644 --- a/api/go.mod +++ b/api/go.mod @@ -3,15 +3,15 @@ module github.com/openstack-k8s-operators/keystone-operator/api go 1.19 require ( - github.com/go-logr/logr v1.2.4 - github.com/google/uuid v1.3.1 - github.com/onsi/gomega v1.28.0 - github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32 + github.com/go-logr/logr v1.3.0 + github.com/google/uuid v1.4.0 + github.com/onsi/gomega v1.30.0 + github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231113161013-c2905b3dfe21 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166 - github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166 - k8s.io/api v0.26.9 - k8s.io/apimachinery v0.26.9 - sigs.k8s.io/controller-runtime v0.14.6 + github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20230922161820-e6fe1f3e921b + k8s.io/api v0.26.10 + k8s.io/apimachinery v0.26.10 + sigs.k8s.io/controller-runtime v0.14.7 ) require ( 
@@ -28,7 +28,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/gophercloud/gophercloud v1.7.0 github.com/imdario/mergo v0.3.16 // indirect @@ -47,10 +47,10 @@ require ( github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/exp v0.0.0-20230905200255-921286631fa9 - golang.org/x/net v0.15.0 // indirect + golang.org/x/exp v0.0.0-20231006140011-7918f672742d + golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.4.0 // indirect - golang.org/x/sys v0.13.0 // indirect + golang.org/x/sys v0.14.0 // indirect golang.org/x/term v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect @@ -60,9 +60,9 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.26.9 // indirect; indirect // indirect - k8s.io/client-go v0.26.9 // indirect - k8s.io/component-base v0.26.9 // indirect; indirect // indirect + k8s.io/apiextensions-apiserver v0.26.10 // indirect; indirect // indirect + k8s.io/client-go v0.26.10 // indirect + k8s.io/component-base v0.26.10 // indirect; indirect // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect; indirect // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect; indirect // indirect diff --git a/api/go.sum b/api/go.sum index 5e5d6430..cc890e81 100644 --- a/api/go.sum +++ b/api/go.sum 
@@ -91,8 +91,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= @@ -149,8 +149,8 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -166,8 +166,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gophercloud/gophercloud v1.7.0 h1:fyJGKh0LBvIZKLvBWvQdIgkaV5yTM3Jh9EYUh+UNCAs= 
@@ -223,17 +223,16 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= -github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= +github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxCMwNRnMjhhIDOWHJowi6q8G6koI= github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32 h1:r24jE5tdacLivcZczb3t6RvbvHp6kXQrW2ECuekzgH8= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32/go.mod h1:xXAuy7HtWN4p7LF5Q+NHLkwAsKVh0KrzpnuPYIG3XaA= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231113161013-c2905b3dfe21 h1:9DUCS3xvyPrOaghgmYM+Rw9AthskNcpxQr/x16pzJqI= +github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231113161013-c2905b3dfe21/go.mod h1:mxh1HCiMTZm4cAqUK5yPigbZ5JJs3gOVgDVwbTbFAYk= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166 h1:zOnRGMdgq2XvOCCtF1lY4tFhKx3jXrcrtOiZZ1PR6M8= github.com/openstack-k8s-operators/lib-common/modules/openstack 
v0.1.1-0.20231001084618-12369665b166/go.mod h1:LOXXvTQCwhOBNd+0FTlgllpa3wqlkI6Vf3Q5QVRVPlw= -github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166 h1:lh3WHM+3DcPlXK4I3QWHmvV+cPCy+dmiMdfImHF/Nqc= -github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166/go.mod h1:z/Plc5ef+C/lFZMTHGdOdoo04mimjXyqS9DZKxCzlXk= +github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20230922161820-e6fe1f3e921b h1:zCTs15tQr6yaUThGBWAGT9sg51lG8JZZ1SB7EAIeysg= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -322,8 +321,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -409,8 +408,9 @@ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= @@ -473,7 +473,7 @@ golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -594,16 +594,16 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.9 h1:s8Y+G1u2JM55b90+Yo2RVb3PGT/hkWNVPN4idPERxJg= -k8s.io/api v0.26.9/go.mod h1:W/W4fEWRVzPD36820LlVUQfNBiSbiq0VPWRFJKwzmUg= -k8s.io/apiextensions-apiserver v0.26.9 h1:aJqWRuBj9i9J6tIDniqUDYM5QCRajTKXK/GO+zEccGQ= -k8s.io/apiextensions-apiserver v0.26.9/go.mod h1:L1uysxOP2kC1vkZTlHGUlUl5WSpa7e4GHJmGEZY7yLg= -k8s.io/apimachinery v0.26.9 h1:5yAV9cFR7Z4gIorKcAjWnx4uxtxiFsERwq4Pvmx0CCg= -k8s.io/apimachinery v0.26.9/go.mod h1:qYzLkrQ9lhrZRh0jNKo2cfvf/R1/kQONnSiyB7NUJU0= -k8s.io/client-go v0.26.9 h1:TGWi/6guEjIgT0Hg871Gsmx0qFuoGyGFjlFedrk7It0= -k8s.io/client-go v0.26.9/go.mod h1:tU1FZS0bwAmAFyPYpZycUQrQnUMzQ5MHloop7EbX6ow= -k8s.io/component-base v0.26.9 h1:qQVdQgyEIUe8EUkB3EEuQ9l5sgVlG2KgOB519yWEBGw= -k8s.io/component-base v0.26.9/go.mod h1:3WmW9lH9tbjpuvpAc22cPF/6C3VxCjMxkOU1j2mpzr8= +k8s.io/api v0.26.10 h1:skTnrDR0r8dg4MMLf6YZIzugxNM0BjFsWKPkNc5kOvk= +k8s.io/api v0.26.10/go.mod h1:ou/H3yviqrHtP/DSPVTfsc7qNfmU06OhajytJfYXkXw= +k8s.io/apiextensions-apiserver v0.26.10 h1:wAriTUc6l7gUqJKOxhmXnYo/VNJzk4oh4QLCUR4Uq+k= +k8s.io/apiextensions-apiserver v0.26.10/go.mod h1:N2qhlxkhJLSoC4f0M1/1lNG627b45SYqnOPEVFoQXw4= +k8s.io/apimachinery v0.26.10 h1:aE+J2KIbjctFqPp3Y0q4Wh2PD+l1p2g3Zp4UYjSvtGU= +k8s.io/apimachinery v0.26.10/go.mod h1:iT1ZP4JBP34wwM+ZQ8ByPEQ81u043iqAcsJYftX9amM= +k8s.io/client-go v0.26.10 h1:4mDzl+1IrfRxh4Ro0s65JRGJp14w77gSMUTjACYWVRo= +k8s.io/client-go v0.26.10/go.mod h1:sh74ig838gCckU4ElYclWb24lTesPdEDPnlyg5vcbkA= +k8s.io/component-base v0.26.10 h1:vl3Gfe5aC09mNxfnQtTng7u3rnBVrShOK3MAkqEleb0= +k8s.io/component-base v0.26.10/go.mod h1:/IDdENUHG5uGxqcofZajovYXE9KSPzJ4yQbkYQt7oN0= 
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a h1:gmovKNur38vgoWfGtP5QOGNOA7ki4n6qNYoFAgMlNvg= @@ -613,8 +613,8 @@ k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= -sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/controller-runtime v0.14.7 h1:Vrnm2vk9ZFlRkXATHz0W0wXcqNl7kPat8q2JyxVy0Q8= +sigs.k8s.io/controller-runtime v0.14.7/go.mod h1:ErTs3SJCOujNUnTz4AS+uh8hp6DHMo1gj6fFndJT1X8= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go index b687f957..68ed2760 100644 --- a/api/v1beta1/keystoneapi_types.go +++ b/api/v1beta1/keystoneapi_types.go @@ -23,6 +23,7 @@ import ( "github.com/openstack-k8s-operators/lib-common/modules/common/endpoint" "github.com/openstack-k8s-operators/lib-common/modules/common/service" "github.com/openstack-k8s-operators/lib-common/modules/common/util" + "github.com/openstack-k8s-operators/lib-common/modules/common/tls" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -153,6 +154,10 @@ type KeystoneAPISpec struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// TLS certificate and CA for internal TLS traffic
+	TLS *tls.TLS `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 416bcb5a..166f29ec 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -24,6 +24,7 @@ package v1beta1
 import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -154,6 +155,11 @@ func (in *KeystoneAPISpec) DeepCopyInto(out *KeystoneAPISpec) {
 		copy(*out, *in)
 	}
 	in.Override.DeepCopyInto(&out.Override)
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(tls.TLS)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeystoneAPISpec.
diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
index c7db9e18..66b64d2c 100644
--- a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
+++ b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
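Review bot: The comment on the new `TLS` field, `// TLS certificate and CA for internal TLS traffic`, leaves out what this patch adds: the controller passes the same settings to `CreateDatabaseClientConfig()`, so the CA is also what validates the database service's certificate; suggest `// TLS - certificate and CA for internal TLS traffic; the CA is also used to validate the TLS certificate presented by the database service`. The generated CRD schema lists both `ca` and `service` under `required`, so a deployment that only wants TLS-validated database connections still has to supply a `service` block — worth saying in the comment, or relaxing in lib-common's `tls.TLS` if that is not intended. In the import hunk of the same file, `.../common/tls` is added after `.../common/util`, which is out of the sorted order gofmt enforces; placing it before `util` keeps the file gofmt-clean. KeystoneAPISpec's definition starts outside the hunk.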
@@ -381,6 +381,29 @@ spec: description: Secret containing OpenStack password information for keystone KeystoneDatabasePassword, AdminPassword type: string + tls: + description: TLS certificate and CA for internal TLS traffic + properties: + ca: + description: Ca contains CA-specific settings, which could be + used both by services (to define their own CA certificates) + and by clients (to verify the server's certificate) + properties: + caSecretName: + type: string + type: object + service: + description: Service contains server-specific TLS secret + properties: + disableNonTLSListeners: + type: boolean + secretName: + type: string + type: object + required: + - ca + - service + type: object trustFlushArgs: default: "" description: TrustFlushArgs - Arguments added to keystone-manage trust_flush
diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go
index 09d05afe..bc2c7534 100644
--- a/controllers/keystoneapi_controller.go
+++ b/controllers/keystoneapi_controller.go
@@ -948,8 +948,15 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 		customData[key] = data
 	}
 
+	var mysqlTLSConfig string
+	if instance.Spec.TLS != nil {
+		mysqlTLSConfig = instance.Spec.TLS.CreateDatabaseClientConfig()
+	} else {
+		mysqlTLSConfig = ""
+	}
 	templateParameters := map[string]interface{}{
 		"memcachedServers": strings.Join(mc.Status.ServerList, ","),
+		"mysqlTLSConfig":   mysqlTLSConfig,
 	}
 
 	cms := []util.Template{
diff --git a/go.mod b/go.mod
index 2b32833b..51a91194 100644
--- a/go.mod
+++ b/go.mod
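Review bot: The `else { mysqlTLSConfig = "" }` branch added before `templateParameters` assigns the zero value that the preceding `var mysqlTLSConfig string` already provides; the guard reads better as `var mysqlTLSConfig string` followed by `if instance.Spec.TLS != nil { mysqlTLSConfig = instance.Spec.TLS.CreateDatabaseClientConfig() }`. The empty-string fallback also deserves a comment, since it is the path on which the rendered database client config carries no CA and the connection is presumably made without TLS, e.g. `// No spec.tls: render an empty client config, so the database connection is not TLS-protected.` Not visible in this hunk is whether the secret named by `spec.tls.ca.caSecretName` feeds the config hash that triggers a redeploy; if it does not, a rotated CA would not reach the pods until some unrelated change. generateServiceConfigMaps starts and ends outside the hunk.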
@@ -3,23 +3,25 @@ module github.com/openstack-k8s-operators/keystone-operator go 1.19 require ( - github.com/go-logr/logr v1.2.4 + github.com/go-logr/logr v1.3.0 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 - github.com/onsi/ginkgo/v2 v2.13.0 - github.com/onsi/gomega v1.28.0 + github.com/onsi/ginkgo/v2 v2.13.1 + github.com/onsi/gomega v1.30.0 github.com/openstack-k8s-operators/infra-operator/apis v0.1.1-0.20231001103054-f74a88ed4971 - github.com/openstack-k8s-operators/keystone-operator/api v0.1.1-0.20230920085319-92ae0260bbf3 - github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32 + github.com/openstack-k8s-operators/keystone-operator/api v0.1.1-0.20230914163026-da9aa9de960a + github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231113161013-c2905b3dfe21 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166 - github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166 + github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20230922161820-e6fe1f3e921b github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0 gopkg.in/yaml.v3 v3.0.1 - k8s.io/api v0.26.9 - k8s.io/apimachinery v0.26.9 - k8s.io/client-go v0.26.9 - sigs.k8s.io/controller-runtime v0.14.6 + k8s.io/api v0.26.10 + k8s.io/apimachinery v0.26.10 + k8s.io/client-go v0.26.10 + sigs.k8s.io/controller-runtime v0.14.7 ) +require golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect + require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect 
@@ -36,10 +38,10 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect - github.com/google/uuid v1.3.1 + github.com/google/uuid v1.4.0 github.com/gophercloud/gophercloud v1.7.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -58,22 +60,21 @@ require ( github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.10.0 // indirect go.uber.org/zap v1.26.0 - golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect - golang.org/x/mod v0.12.0 // indirect - golang.org/x/net v0.15.0 // indirect + golang.org/x/mod v0.13.0 // indirect + golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.4.0 // indirect - golang.org/x/sys v0.13.0 // indirect + golang.org/x/sys v0.14.0 // indirect golang.org/x/term v0.13.0 // indirect golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.13.0 // indirect + golang.org/x/tools v0.14.0 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/apiextensions-apiserver v0.26.9 // indirect; indirect // indirect - k8s.io/component-base v0.26.9 // indirect; indirect // indirect + k8s.io/apiextensions-apiserver v0.26.10 // indirect; indirect // indirect + k8s.io/component-base v0.26.10 // indirect; indirect // indirect k8s.io/klog/v2 v2.100.1 // indirect k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect; indirect // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect // indirect 
@@ -90,3 +91,8 @@ replace github.com/openstack-k8s-operators/keystone-operator/api => ./api // mschuppert: map to latest commit from release-4.13 tag // must consistent within modules and service operators replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging + +// WIP +replace github.com/openstack-k8s-operators/mariadb-operator/api => github.com/dciabrin/mariadb-operator/api v0.0.0-20231109132245-e4f24a0c5588 + +replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/dciabrin/lib-common/modules/common v0.0.0-20231006083235-f21280cd22c6 diff --git a/go.sum b/go.sum index 7eaf4a4b..c95a5c1d 100644 --- a/go.sum +++ b/go.sum @@ -63,6 +63,10 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dciabrin/lib-common/modules/common v0.0.0-20231006083235-f21280cd22c6 h1:oVbzrlKnO5HVgBfiw4uhPrKhJpfx97BbeedKJaPNLgk= +github.com/dciabrin/lib-common/modules/common v0.0.0-20231006083235-f21280cd22c6/go.mod h1:Ozg6SxfwOtMkiH553c0XQBWuygZQq4jDQCpR4hZqlxM= +github.com/dciabrin/mariadb-operator/api v0.0.0-20231109132245-e4f24a0c5588 h1:+ynbrYE8kqFcmd06A8HYjCGOyfWym4JWnwvunnpYrfA= +github.com/dciabrin/mariadb-operator/api v0.0.0-20231109132245-e4f24a0c5588/go.mod h1:hlfG6l/GU3deSCrjPIBbh3Lm+Oa+rbkc5M/0X+/3wEw= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= github.com/emicklei/go-restful/v3 v3.10.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= 
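Review bot: The two `replace` directives added at the end of go.mod redirect `mariadb-operator/api` and `lib-common/modules/common` to a personal fork (`github.com/dciabrin/...`), and the `// WIP` marker says as much; merged as-is, every build of this operator would resolve those modules from a repository outside the project's organisation, while the api module's own go.mod still requires the upstream `lib-common/modules/common v0.3.1-0.20231113161013-c2905b3dfe21`, so the api published to other operators and the operator itself would build against different code. Both replaces should be dropped once the fork changes land upstream, with the `require` lines bumped to the released pseudo-versions and the matching `go.sum` entries regenerated. If a replace has to stay for now, a comment naming the upstream change it waits on would let reviewers verify what is being pulled in.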
@@ -93,8 +97,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= @@ -153,8 +157,8 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -171,8 +175,8 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJY github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gophercloud/gophercloud v1.7.0 h1:fyJGKh0LBvIZKLvBWvQdIgkaV5yTM3Jh9EYUh+UNCAs= 
@@ -228,22 +232,18 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.28.0 h1:i2rg/p9n/UqIDAMFUJ6qIUUMcsqOuUHgbpbu235Vr1c= -github.com/onsi/gomega v1.28.0/go.mod h1:A1H2JE76sI14WIP57LMKj7FVfCHx3g3BcZVjJG8bjX8= +github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= +github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 h1:rncLxJBpFGqBztyxCMwNRnMjhhIDOWHJowi6q8G6koI= github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4= github.com/openstack-k8s-operators/infra-operator/apis v0.1.1-0.20231001103054-f74a88ed4971 h1:5kNS+gseixkgRhYPukQVJyewPTM0lfUOmKP0A03wFFY= github.com/openstack-k8s-operators/infra-operator/apis v0.1.1-0.20231001103054-f74a88ed4971/go.mod h1:zqFs5MrBKeaE4HQroUgMWwIkBwmmcygg6sghcidSdCA= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32 h1:r24jE5tdacLivcZczb3t6RvbvHp6kXQrW2ECuekzgH8= -github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32/go.mod h1:xXAuy7HtWN4p7LF5Q+NHLkwAsKVh0KrzpnuPYIG3XaA= 
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166 h1:zOnRGMdgq2XvOCCtF1lY4tFhKx3jXrcrtOiZZ1PR6M8= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166/go.mod h1:LOXXvTQCwhOBNd+0FTlgllpa3wqlkI6Vf3Q5QVRVPlw= -github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166 h1:lh3WHM+3DcPlXK4I3QWHmvV+cPCy+dmiMdfImHF/Nqc= -github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166/go.mod h1:z/Plc5ef+C/lFZMTHGdOdoo04mimjXyqS9DZKxCzlXk= -github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0 h1:FB0xB6whYM6W4XIncYo2mPiOJWkFsIOWtCT+UOtvOaQ= -github.com/openstack-k8s-operators/mariadb-operator/api v0.3.0/go.mod h1:xhiz5wFdKWwVM7BF/VYon4TT3NuUPXp/Pyn2hWcp0CE= +github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20230922161820-e6fe1f3e921b h1:zCTs15tQr6yaUThGBWAGT9sg51lG8JZZ1SB7EAIeysg= +github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20230922161820-e6fe1f3e921b/go.mod h1:RfLOPJbmPzPZ4XHwwDc2tFbbw5zxZL15JFGwb5c6VaU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -340,8 +340,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= -golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= +golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -364,8 +364,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= +golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -429,8 +429,9 @@ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= 
@@ -494,8 +495,8 @@ golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= -golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= +golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -617,16 +618,16 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.9 h1:s8Y+G1u2JM55b90+Yo2RVb3PGT/hkWNVPN4idPERxJg= -k8s.io/api v0.26.9/go.mod h1:W/W4fEWRVzPD36820LlVUQfNBiSbiq0VPWRFJKwzmUg= -k8s.io/apiextensions-apiserver v0.26.9 h1:aJqWRuBj9i9J6tIDniqUDYM5QCRajTKXK/GO+zEccGQ= -k8s.io/apiextensions-apiserver v0.26.9/go.mod h1:L1uysxOP2kC1vkZTlHGUlUl5WSpa7e4GHJmGEZY7yLg= -k8s.io/apimachinery v0.26.9 h1:5yAV9cFR7Z4gIorKcAjWnx4uxtxiFsERwq4Pvmx0CCg= -k8s.io/apimachinery v0.26.9/go.mod h1:qYzLkrQ9lhrZRh0jNKo2cfvf/R1/kQONnSiyB7NUJU0= -k8s.io/client-go v0.26.9 h1:TGWi/6guEjIgT0Hg871Gsmx0qFuoGyGFjlFedrk7It0= -k8s.io/client-go v0.26.9/go.mod h1:tU1FZS0bwAmAFyPYpZycUQrQnUMzQ5MHloop7EbX6ow= -k8s.io/component-base v0.26.9 h1:qQVdQgyEIUe8EUkB3EEuQ9l5sgVlG2KgOB519yWEBGw= -k8s.io/component-base v0.26.9/go.mod h1:3WmW9lH9tbjpuvpAc22cPF/6C3VxCjMxkOU1j2mpzr8= +k8s.io/api v0.26.10 h1:skTnrDR0r8dg4MMLf6YZIzugxNM0BjFsWKPkNc5kOvk= +k8s.io/api v0.26.10/go.mod h1:ou/H3yviqrHtP/DSPVTfsc7qNfmU06OhajytJfYXkXw= +k8s.io/apiextensions-apiserver v0.26.10 h1:wAriTUc6l7gUqJKOxhmXnYo/VNJzk4oh4QLCUR4Uq+k= +k8s.io/apiextensions-apiserver v0.26.10/go.mod h1:N2qhlxkhJLSoC4f0M1/1lNG627b45SYqnOPEVFoQXw4= +k8s.io/apimachinery v0.26.10 h1:aE+J2KIbjctFqPp3Y0q4Wh2PD+l1p2g3Zp4UYjSvtGU= +k8s.io/apimachinery v0.26.10/go.mod h1:iT1ZP4JBP34wwM+ZQ8ByPEQ81u043iqAcsJYftX9amM= +k8s.io/client-go v0.26.10 h1:4mDzl+1IrfRxh4Ro0s65JRGJp14w77gSMUTjACYWVRo= +k8s.io/client-go v0.26.10/go.mod h1:sh74ig838gCckU4ElYclWb24lTesPdEDPnlyg5vcbkA= +k8s.io/component-base v0.26.10 h1:vl3Gfe5aC09mNxfnQtTng7u3rnBVrShOK3MAkqEleb0= +k8s.io/component-base v0.26.10/go.mod h1:/IDdENUHG5uGxqcofZajovYXE9KSPzJ4yQbkYQt7oN0= 
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a h1:gmovKNur38vgoWfGtP5QOGNOA7ki4n6qNYoFAgMlNvg= @@ -636,8 +637,8 @@ k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= -sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/controller-runtime v0.14.7 h1:Vrnm2vk9ZFlRkXATHz0W0wXcqNl7kPat8q2JyxVy0Q8= +sigs.k8s.io/controller-runtime v0.14.7/go.mod h1:ErTs3SJCOujNUnTz4AS+uh8hp6DHMo1gj6fFndJT1X8= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/pkg/keystone/bootstrap.go b/pkg/keystone/bootstrap.go index 7f33840e..440c89d3 100644 --- a/pkg/keystone/bootstrap.go +++ b/pkg/keystone/bootstrap.go @@ -27,7 +27,7 @@ import ( const ( // BootstrapCommand - - BootstrapCommand = "/usr/local/bin/kolla_set_configs && keystone-manage bootstrap" + BootstrapCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_copy_cacerts && keystone-manage bootstrap" ) // BootstrapJob func @@ -102,7 +102,7 @@ func BootstrapJob( }, }, }, - VolumeMounts: getVolumeMounts(), + VolumeMounts: getVolumeMounts(instance), }, }, }, 
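Review bot: The db-sync and API commands do not get the `/usr/local/bin/kolla_copy_cacerts` step that this hunk adds to BootstrapCommand (and the cronjob.go hunk adds to TrustFlushCommand): the dbsync.go and deployment.go hunks in this patch change only volume plumbing and show no matching command change. If the `ssl-ca` rendered into my.cnf points at the system trust store rather than the mounted CA file, those two paths would fail certificate verification, so it is worth confirming all four entry points obtain the CA the same way (the commands used by the other two are not visible here). A why-comment on the constant would help the next reader: `// kolla_copy_cacerts installs the mounted CA into the system trust store before keystone-manage talks TLS to the database`. The enclosing const block continues outside the hunk.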
@@ -110,7 +110,7 @@ func BootstrapJob( }, } job.Spec.Template.Spec.Containers[0].Env = env.MergeEnvs(job.Spec.Template.Spec.Containers[0].Env, envVars) - job.Spec.Template.Spec.Volumes = getVolumes(instance.Name) + job.Spec.Template.Spec.Volumes = getVolumes(instance) initContainerDetails := APIDetails{ ContainerImage: instance.Spec.ContainerImage, @@ -120,7 +120,7 @@ func BootstrapJob( OSPSecret: instance.Spec.Secret, DBPasswordSelector: instance.Spec.PasswordSelectors.Database, UserPasswordSelector: instance.Spec.PasswordSelectors.Admin, - VolumeMounts: getInitVolumeMounts(), + VolumeMounts: getInitVolumeMounts(instance), } job.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails) diff --git a/pkg/keystone/cronjob.go b/pkg/keystone/cronjob.go index 0b2f7225..ef6dcd11 100644 --- a/pkg/keystone/cronjob.go +++ b/pkg/keystone/cronjob.go @@ -27,7 +27,7 @@ import ( const ( // TrustFlushCommand - - TrustFlushCommand = "/usr/local/bin/kolla_set_configs && keystone-manage trust_flush" + TrustFlushCommand = "/usr/local/bin/kolla_set_configs && /usr/local/bin/kolla_copy_cacerts && keystone-manage trust_flush" ) // CronJob func @@ -79,13 +79,13 @@ func CronJob( }, Args: args, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: getVolumeMounts(), + VolumeMounts: getVolumeMounts(instance), SecurityContext: &corev1.SecurityContext{ RunAsUser: &runAsUser, }, }, }, - Volumes: getVolumes(instance.Name), + Volumes: getVolumes(instance), RestartPolicy: corev1.RestartPolicyNever, ServiceAccountName: instance.RbacResourceName(), }, @@ -106,7 +106,7 @@ func CronJob( OSPSecret: instance.Spec.Secret, DBPasswordSelector: instance.Spec.PasswordSelectors.Database, UserPasswordSelector: instance.Spec.PasswordSelectors.Admin, - VolumeMounts: getInitVolumeMounts(), + VolumeMounts: getInitVolumeMounts(instance), } cronjob.Spec.JobTemplate.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails) 
diff --git a/pkg/keystone/dbsync.go b/pkg/keystone/dbsync.go index 22b49f4f..af89272c 100644 --- a/pkg/keystone/dbsync.go +++ b/pkg/keystone/dbsync.go @@ -75,7 +75,7 @@ func DbSyncJob( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: getVolumeMounts(), + VolumeMounts: getVolumeMounts(instance), }, }, }, @@ -83,7 +83,7 @@ func DbSyncJob( }, } - job.Spec.Template.Spec.Volumes = getVolumes(ServiceName) + job.Spec.Template.Spec.Volumes = getVolumes(instance) initContainerDetails := APIDetails{ ContainerImage: instance.Spec.ContainerImage, DatabaseHost: instance.Status.DatabaseHostname, @@ -92,7 +92,7 @@ func DbSyncJob( OSPSecret: instance.Spec.Secret, DBPasswordSelector: instance.Spec.PasswordSelectors.Database, UserPasswordSelector: instance.Spec.PasswordSelectors.Admin, - VolumeMounts: getInitVolumeMounts(), + VolumeMounts: getInitVolumeMounts(instance), } job.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails) diff --git a/pkg/keystone/deployment.go b/pkg/keystone/deployment.go index b02a722e..3e848478 100644 --- a/pkg/keystone/deployment.go +++ b/pkg/keystone/deployment.go @@ -105,7 +105,7 @@ func Deployment( }, Spec: corev1.PodSpec{ ServiceAccountName: instance.RbacResourceName(), - Volumes: getVolumes(instance.Name), + Volumes: getVolumes(instance), Containers: []corev1.Container{ { Name: ServiceName + "-api", @@ -118,7 +118,7 @@ func Deployment( RunAsUser: &runAsUser, }, Env: env.MergeEnvs([]corev1.EnvVar{}, envVars), - VolumeMounts: getVolumeMounts(), + VolumeMounts: getVolumeMounts(instance), Resources: instance.Spec.Resources, ReadinessProbe: readinessProbe, LivenessProbe: livenessProbe, 
@@ -150,7 +150,7 @@ func Deployment( OSPSecret: instance.Spec.Secret, DBPasswordSelector: instance.Spec.PasswordSelectors.Database, UserPasswordSelector: instance.Spec.PasswordSelectors.Admin, - VolumeMounts: getInitVolumeMounts(), + VolumeMounts: getInitVolumeMounts(instance), } deployment.Spec.Template.Spec.InitContainers = initContainer(initContainerDetails) diff --git a/pkg/keystone/initcontainer.go b/pkg/keystone/initcontainer.go index 5559a591..c0607451 100644 --- a/pkg/keystone/initcontainer.go +++ b/pkg/keystone/initcontainer.go @@ -90,7 +90,7 @@ func initContainer(init APIDetails) []corev1.Container { }, Args: args, Env: envs, - VolumeMounts: getInitVolumeMounts(), + VolumeMounts: init.VolumeMounts, }, } } diff --git a/pkg/keystone/volumes.go b/pkg/keystone/volumes.go index fe901e3c..1c0af032 100644 --- a/pkg/keystone/volumes.go +++ b/pkg/keystone/volumes.go @@ -16,22 +16,23 @@ limitations under the License. package keystone import ( + keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" corev1 "k8s.io/api/core/v1" ) // getVolumes - service volumes -func getVolumes(name string) []corev1.Volume { +func getVolumes(instance *keystonev1.KeystoneAPI) []corev1.Volume { var scriptsVolumeDefaultMode int32 = 0755 var config0640AccessMode int32 = 0640 - return []corev1.Volume{ + volumes := []corev1.Volume{ { Name: "scripts", VolumeSource: corev1.VolumeSource{ ConfigMap: &corev1.ConfigMapVolumeSource{ DefaultMode: &scriptsVolumeDefaultMode, LocalObjectReference: corev1.LocalObjectReference{ - Name: name + "-scripts", + Name: instance.Name + "-scripts", }, }, }, 
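Review bot: The doc comment `// getVolumes - service volumes` no longer describes the function once it takes the whole instance and (in the -91 hunk) appends CA volumes from Spec.TLS; suggest `// getVolumes - service volumes for instance, plus the CA volumes from Spec.TLS when it is set; instance must be non-nil`. The pointer is dereferenced unconditionally, which is fine for the reconciler callers seen in the other hunks but worth stating in the contract. getVolumes' body continues past the hunk.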
@@ -42,7 +43,18 @@ func getVolumes(name string) []corev1.Volume { ConfigMap: &corev1.ConfigMapVolumeSource{ DefaultMode: &config0640AccessMode, LocalObjectReference: corev1.LocalObjectReference{ - Name: name + "-config-data", + Name: instance.Name + "-config-data", + }, + }, + }, + }, + { + Name: "mysql-config-data", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + DefaultMode: &config0640AccessMode, + LocalObjectReference: corev1.LocalObjectReference{ + Name: "openstack-config-data", }, }, }, @@ -91,11 +103,17 @@ func getVolumes(name string) []corev1.Volume { }, } + if instance.Spec.TLS != nil { + caVolumes := instance.Spec.TLS.CreateVolumes() + volumes = append(volumes, caVolumes...) + } + + return volumes } // getInitVolumeMounts - general init task VolumeMounts -func getInitVolumeMounts() []corev1.VolumeMount { - return []corev1.VolumeMount{ +func getInitVolumeMounts(instance *keystonev1.KeystoneAPI) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{ { Name: "scripts", MountPath: "/usr/local/bin/container-scripts", @@ -112,11 +130,18 @@ func getInitVolumeMounts() []corev1.VolumeMount { ReadOnly: false, }, } + + if instance.Spec.TLS != nil { + caVolumeMounts := instance.Spec.TLS.CreateVolumeMounts() + volumeMounts = append(volumeMounts, caVolumeMounts...) + } + + return volumeMounts } // getVolumeMounts - general VolumeMounts -func getVolumeMounts() []corev1.VolumeMount { - return []corev1.VolumeMount{ +func getVolumeMounts(instance *keystonev1.KeystoneAPI) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{ { Name: "scripts", MountPath: "/usr/local/bin/container-scripts", 
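Review bot: The new `mysql-config-data` volume points at a ConfigMap named `openstack-config-data` by a hard-coded string, unconditionally and without `Optional`, so every KeystoneAPI pod (bootstrap, cron, db-sync, API) now has a hard dependency on an object nothing in this patch creates; if it is absent the pods sit in ContainerCreating and no condition on the CR explains why. Either gate it behind `instance.Spec.TLS != nil` like the CA volumes or mark it optional (`Optional: &optional` with a local `optional := true`), and lift the name into a named constant with a comment naming the component that owns it. The `if instance.Spec.TLS != nil { ... CreateVolumeMounts() ... }` block is also repeated verbatim in getInitVolumeMounts here (-112) and in getVolumeMounts (the -143 hunk); a small helper would stop the two mount lists drifting apart. getVolumes' body extends beyond the hunk on both sides.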
@@ -143,5 +168,17 @@ func getVolumeMounts() []corev1.VolumeMount { ReadOnly: true, Name: "credential-keys", }, + { + Name: "mysql-config-data", + MountPath: "/var/lib/mysql-config-data", + ReadOnly: true, + }, } + + if instance.Spec.TLS != nil { + caVolumeMounts := instance.Spec.TLS.CreateVolumeMounts() + volumeMounts = append(volumeMounts, caVolumeMounts...) + } + + return volumeMounts } diff --git a/templates/keystoneapi/bin/init.sh b/templates/keystoneapi/bin/init.sh index bc9c7935..761a573b 100755 --- a/templates/keystoneapi/bin/init.sh +++ b/templates/keystoneapi/bin/init.sh @@ -38,4 +38,4 @@ for dir in /var/lib/config-data/default;do done # set secrets -crudini --set ${SVC_CFG_MERGED} database connection mysql+pymysql://${DBUSER}:${DBPASSWORD}@${DBHOST}/${DB} +crudini --set ${SVC_CFG_MERGED} database connection mysql+pymysql://${DBUSER}:${DBPASSWORD}@${DBHOST}/${DB}?read_default_file='/etc/my.cnf' diff --git a/templates/keystoneapi/config/keystone-api-config.json b/templates/keystoneapi/config/keystone-api-config.json index 545778bd..a44e00fa 100644 --- a/templates/keystoneapi/config/keystone-api-config.json +++ b/templates/keystoneapi/config/keystone-api-config.json @@ -30,6 +30,27 @@ "dest": "/etc/keystone/", "owner": "keystone:keystone", "perm": "0700" + }, + { + "source": "/var/lib/config-data/tls-certificates/tls.key", + "dest": "/etc/pki/tls/private/tls.key", + "owner": "keystone", + "perm": "0600", + "optional": true + }, + { + "source": "/var/lib/config-data/tls-certificates/tls.crt", + "dest": "/etc/pki/tls/certs/tls.crt", + "owner": "keystone", + "perm": "0755", + "optional": true + }, + { + "source": "/var/lib/config-data/merged/my.cnf", + "dest": "/etc/my.cnf", + "owner": "keystone", + "perm": "0600", + "optional": true } ] } diff --git a/templates/keystoneapi/config/my.cnf b/templates/keystoneapi/config/my.cnf new file mode 100644 index 00000000..0da3ab06 --- /dev/null +++ b/templates/keystoneapi/config/my.cnf 
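Review bot: The TLS settings for the database connection live only in the file this line points at with `read_default_file=/etc/my.cnf`, and the kolla config in this patch copies `/var/lib/config-data/merged/my.cnf` with `"optional": true`, so a missing or unrendered my.cnf does not fail the container and pymysql would presumably connect without TLS rather than error. A fail-closed guard before this line, `test -f /var/lib/config-data/merged/my.cnf || { echo "my.cnf missing, cannot configure database TLS" >&2; exit 1; }`, turns that silent downgrade into a visible init failure; if my.cnf is only rendered for TLS instances (not visible here) the guard needs the same condition. The single quotes in `'/etc/my.cnf'` are shell quoting on an unquoted word, so they never reach the URL; dropping them avoids the impression they are part of the value.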
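Review bot: `tls.crt` is installed with `"perm": "0755"`; a certificate is data, not an executable, and the neighbouring entries use non-executable modes, so `"perm": "0644"` is sufficient and keeps the file least-privilege. The `my.cnf` entry being `"optional": true` means the container starts even when the database TLS settings failed to render, which is the fail-open path noted on init.sh. `"owner": "keystone"` here differs from the `"keystone:keystone"` form used just above; harmless if kolla defaults the group, but one form avoids a surprise.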
@@ -0,0 +1,3 @@
+[client]
+# options to connect to the remote mariadb server
+{{ .mysqlTLSConfig }}
diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go
index 4eeb62a7..2e5f16c5 100644
--- a/tests/functional/base_test.go
+++ b/tests/functional/base_test.go
@@ -36,6 +36,40 @@ func GetDefaultKeystoneAPISpec() map[string]interface{} { } } +func GetDefaultKeystoneAPITLSSpec() map[string]interface{} { + return map[string]interface{}{ + "databaseInstance": "openstack", + "replicas": 1, + "secret": SecretName, + "tls": map[string]interface{}{ + "service": map[string]interface{}{ + "secretName": CertName, + }, + "ca": map[string]interface{}{ + "caSecretName": CaCertName, + }, + }, + } +} + +func CreateKeystoneAPICert(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "tls.crt": []byte("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhRENDQXc2Z0F3SUJBZ0lSQU94OFdCL1JjQnhvRFFxV01Qc1NkTGd3Q2dZSUtvWkl6ajBFQXdJd0d6RVoKTUJjR0ExVUVBeE1RYlhrdGMyVnNabk5wWjI1bFpDMWpZVEFlRncweU16RXhNVFF3T1RNeE5EbGFGdzB5TXpFeApNVFF4TlRNeE5EbGFNRE14RmpBVUJnTlZCQW9URFdOc2RYTjBaWEl1Ykc5allXd3hHVEFYQmdOVkJBTVRFRzl3ClpXNXpkR0ZqYXkxbllXeGxjbUV3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFYKbk9UU3JObjN6MGg0M3laUUJXTHUvYVVOcHFmWGdaSVB2Z3FiUHBRaTMvc0VnUDdFb2VtU2tCKy9mVk5WOW9aNApPUFdBOWxOUFZPa1d1OXI1TlNYMVJlYlRLUjZ3a1FWc2tiNHMrR2ZKZXBGQm1wZ2JrcmtabzJqa1UzT3k3cTA0Ci9tU0JKaEwrNFVWVGN4cTJUc0dlMmNxbTZ5cy9HdEZtaFphVC9vNTVOOG5ZdjA4OUl1WGFaQVVWQXJpOG1tK2MKaHNYckFtK05GYzVXQU10Zll0Njk0UVJxZVBEWFZZWnBzMUNjMnUvcUYzQjdxVndnYXFWT00rU2hDMFdvcjIxQwpwNk1EYWY2SnJtNzhaS2dNTlpJN0NXMjZHcFpYQW4yT0EwNUswbDhlYU9ROHNGaVIrRDBVR2ZDUHQxdW1iaG4wCnRtamd6a3V6bHBubXJqaHNhQ3dmQWdNQkFBR2pnZ0ZPTUlJQlNqQWRCZ05WSFNVRUZqQVVCZ2dyQmdFRkJRY0QKQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRVzdnNmFQM0F6ZnIzYgpzOUptNUJBOWxHYi96ekNCK1FZRFZSMFJCSUh4TUlIdWdoZHZjR1Z1YzNSaFkyc3ViM0JsYm5OMFlXTnJMbk4yClk0SWxiM0JsYm5OMFlXTnJMbTl3Wlc1emRHRmpheTV6ZG1NdVkyeDFjM1JsY2k1c2IyTmhiSUlTS2k1dmNHVnUKYzNSaFkyc3RaMkZzWlhKaGdod3FMbTl3Wlc1emRHRmpheTFuWVd4bGNtRXViM0JsYm5OMFlXTnJnaUFxTG05dwpaVzV6ZEdGamF5MW5ZV3hsY21FdWIzQmxibk4wWVdOckxuTjJZNElvS2k1dmNHVnVjM1JoWTJzdFoyRnNaWEpoCkxtOXdaVzV6ZEdGamF5NXpkbU11
WTJ4MWMzUmxjb0l1S2k1dmNHVnVjM1JoWTJzdFoyRnNaWEpoTG05d1pXNXoKZEdGamF5NXpkbU11WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05JQURCRkFpQkN0Tk9leE9QSApnV0dPY2tZeTVjbnlZQkNmOHJRMTA2R3VFU1VJbUZvbWtnSWhBUGtrditoblNuYTZYYUtuaDM5Y20ybmp6QzNzClhwT0svWENOQUJJU2ZyVncKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="), + "tls.key": []byte("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"), + }, + ) +} +func CreateKeystoneAPICaCert(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "ca.crt": []byte("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"), + }, + ) +} + func CreateKeystoneAPI(name types.NamespacedName, spec map[string]interface{}) client.Object { raw := map[string]interface{}{ diff --git a/tests/functional/keystoneapi_controller_test.go b/tests/functional/keystoneapi_controller_test.go index d78809ee..074c7955 100644 --- a/tests/functional/keystoneapi_controller_test.go +++ b/tests/functional/keystoneapi_controller_test.go 
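Review bot: The fixture bytes in CreateKeystoneAPICert and CreateKeystoneAPICaCert are base64 text (`LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t` decodes to `-----BEGIN CERTIFICATE-----`), but Secret.Data takes raw bytes and the client base64-encodes them on the wire, so the stored values are double-encoded and would not parse as PEM if any code under test ever loaded them. Decode once with `base64.StdEncoding.DecodeString` or embed the PEM text directly; a constructed dummy PEM is fine for envtest. The three new exported helpers also lack doc comments, e.g. `// GetDefaultKeystoneAPITLSSpec returns a KeystoneAPI spec with the service and CA TLS secrets set`.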
@@ -594,4 +594,107 @@ var _ = Describe("Keystone controller", func() { ) }) }) + + When("A KeystoneAPI instance is configured with TLS and memcached and secrets are available", func() { + BeforeEach(func() { + DeferCleanup(th.DeleteInstance, CreateKeystoneAPI(keystoneApiName, GetDefaultKeystoneAPITLSSpec())) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName)) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPICert(namespace, CertName)) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPICaCert(namespace, CaCertName)) + DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec)) + infra.SimulateMemcachedReady(types.NamespacedName{ + Name: "memcached", + Namespace: namespace, + }) + }) + + It("should have memcached ready and service config ready", func() { + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.MemcachedReadyCondition, + corev1.ConditionTrue, + ) + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.InputReadyCondition, + corev1.ConditionTrue, + ) + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.ServiceConfigReadyCondition, + corev1.ConditionTrue, + ) + }) + + It("should create a ConfigMap with TLS enabled for database access", func() { + cm := th.GetConfigMap(types.NamespacedName{ + Namespace: keystoneApiName.Namespace, + Name: fmt.Sprintf("%s-%s", keystoneApiName.Name, "config-data"), + }) + Expect(cm.Data["my.cnf"]).Should(ContainSubstring("ssl=1\n")) + Expect(cm.Data["my.cnf"]).Should(MatchRegexp("ssl-ca=[^\n]*\n")) + Expect(cm.Data["my.cnf"]).Should(MatchRegexp("ssl-cert=[^\n]*\n")) + }) + }) + + When("A KeystoneAPI instance is configured with TLS and keystone DB has been created", func() { + BeforeEach(func() { + DeferCleanup(th.DeleteInstance, CreateKeystoneAPI(keystoneApiName, GetDefaultKeystoneAPITLSSpec())) + 
DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName)) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPICert(namespace, CertName)) + DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPICaCert(namespace, CaCertName)) + DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec)) + infra.SimulateMemcachedReady(types.NamespacedName{ + Name: "memcached", + Namespace: namespace, + }) + DeferCleanup( + mariadb.DeleteDBService, + mariadb.CreateDBService( + namespace, + GetKeystoneAPI(keystoneApiName).Spec.DatabaseInstance, + corev1.ServiceSpec{ + Ports: []corev1.ServicePort{{Port: 3306}}, + }, + ), + ) + mariadb.SimulateMariaDBDatabaseCompleted(keystoneApiName) + th.SimulateJobSuccess(dbSyncJobName) + }) + + It("should have memcached and service config and database ready", func() { + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.MemcachedReadyCondition, + corev1.ConditionTrue, + ) + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.InputReadyCondition, + corev1.ConditionTrue, + ) + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.ServiceConfigReadyCondition, + corev1.ConditionTrue, + ) + th.ExpectCondition( + keystoneApiName, + ConditionGetterFunc(KeystoneConditionGetter), + condition.DBReadyCondition, + corev1.ConditionTrue, + ) + }) + + It("should use a FQDN for the database hostname", func() { + Keystone := GetKeystoneAPI(keystoneApiName) + Expect(Keystone.Status.DatabaseHostname).To(MatchRegexp(`[a-zA-Z0-9\-]*(\.[a-zA-Z0-9\-]+)+`)) + }) + }) }) diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 93b85d79..20a156be 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go 
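Review bot: The assertions `MatchRegexp("ssl-ca=[^\n]*\n")` and `MatchRegexp("ssl-cert=[^\n]*\n")` also match an empty value (`ssl-ca=\n`), so they do not prove the CA path was rendered; `[^\n]+` pins a non-empty value. Likewise the FQDN check's regexp `[a-zA-Z0-9\-]*(\.[a-zA-Z0-9\-]+)+` is unanchored and its first group may be empty, so any hostname containing a dot satisfies it; anchor it as `^[a-zA-Z0-9\-]+(\.[a-zA-Z0-9\-]+)+$`. Since hostname verification against the CA is what makes the TLS setting meaningful, these are the two assertions worth tightening. The enclosing Describe starts outside the hunk.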
@@ -58,6 +58,8 @@ const (
 timeout = time.Second * 2
 SecretName = "test-osp-secret"
+ CertName = "test-osp-cert"
+ CaCertName = "test-osp-ca-cert"
 interval = time.Millisecond * 200
 )