Merge pull request #776 from stuggi/fix_duration

[tls] fix neutron, octavia and ovn default cert duration, renwebefore
openstack-k8s-operators · Apr 25, 2024 · b4b4aad · b4b4aad
2 parents c71f738 + f46bff9
commit b4b4aad
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 5 deletions.
diff --git a/pkg/openstack/neutron.go b/pkg/openstack/neutron.go
@@ -67,7 +67,6 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", serviceName),
-			Duration:   nil,
 			Hostnames: []string{
 				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
 				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, "cluster.local"),
@@ -79,6 +78,12 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 				certmgrv1.UsageClientAuth,
 			},
 		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+			certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+		}
 		certSecret, ctrlResult, err := certmanager.EnsureCert(
 			ctx,
 			helper,

diff --git a/pkg/openstack/octavia.go b/pkg/openstack/octavia.go
@@ -75,7 +75,6 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", serviceName),
-			Duration:   nil,
 			Hostnames: []string{
 				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
 				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ClusterInternalDomain),
@@ -87,6 +86,12 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 				certmgrv1.UsageClientAuth,
 			},
 		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+			certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+		}
 		certSecret, ctrlResult, err := certmanager.EnsureCert(
 			ctx,
 			helper,

diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
@@ -101,7 +101,6 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 			certRequest := certmanager.CertificateRequest{
 				IssuerName: instance.GetOvnIssuer(),
 				CertName:   fmt.Sprintf("%s-ovndbs", name),
-				Duration:   nil,
 				// Cert needs to be valid for the individual pods in the statefulset so make this a wildcard cert
 				Hostnames: []string{
 					fmt.Sprintf("*.%s.svc", instance.Namespace),
@@ -115,6 +114,12 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 					certmgrv1.UsageClientAuth,
 				},
 			}
+			if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+				certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+			}
+			if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+				certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+			}
 			certSecret, ctrlResult, err := certmanager.EnsureCert(
 				ctx,
 				helper,
@@ -210,7 +215,6 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", "ovnnorthd"),
-			Duration:   nil,
 			Hostnames: []string{
 				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
 				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
@@ -223,6 +227,12 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 				certmgrv1.UsageClientAuth,
 			},
 		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+			certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+		}
 		certSecret, ctrlResult, err := certmanager.EnsureCert(
 			ctx,
 			helper,
@@ -312,7 +322,6 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", "ovncontroller"),
-			Duration:   nil,
 			Hostnames: []string{
 				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
 				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
@@ -325,6 +334,12 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 				certmgrv1.UsageClientAuth,
 			},
 		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+		}
+		if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+			certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+		}
 		certSecret, ctrlResult, err := certmanager.EnsureCert(
 			ctx,
 			helper,