Create ONVDB client certificate for Octavia

The certificate is required by the Octavia OVN provider when TLS is
enabled at the Pod level.

It also bumps of the version of octavia-operator

Jira: OSPRH-6065

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10542,6 +10542,11 @@ spec:
                                 type: object
                               caBundleSecretName:
                                 type: string
+                              ovn:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
                             type: object
                           transportURLSecret:
                             type: string

apis/go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
-	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
+	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
 	github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4
 	github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf
 	github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240412224825-4de3d73ff582

apis/go.sum

@@ -105,8 +105,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4 h1:3/lBXj0vyqaca2EakQZ8tA1koIrPZZeoJ2jwRoNYE/c=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4/go.mod h1:geYtiRKn+GKR61YhAMsvPvLqVdMb4wtvMrj1kFG0SdU=
 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf h1:O7RzcKH3qRORucojkKZc1vIpQv5naYoWn34zhVzTs0E=

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -10542,6 +10542,11 @@ spec:
                                 type: object
                               caBundleSecretName:
                                 type: string
+                              ovn:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
                             type: object
                           transportURLSecret:
                             type: string

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
-	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
+	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
 	github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449
 	github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608
 	github.com/openstack-k8s-operators/openstack-operator/apis v0.0.0-00010101000000-000000000000

go.sum

@@ -134,8 +134,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449 h1:s1UHKf5rGfpthhoB2SdyjSEQsioWTzMkTDm6dFoDHN4=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449/go.mod h1:YD7kgzFwVoedxEpttup/pKPxUCxo/c7y3GEGR1Ab708=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608 h1:wy7PYgPNE/oFP7Vddh/Z5kSo562EkW0ffGdmDP5aL4Y=

pkg/openstack/octavia.go

@@ -20,6 +20,8 @@ import (
 	"context"
 	"fmt"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
@@ -67,6 +69,36 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 	// preserve any previously set TLS certs, set CA cert
 	if instance.Spec.TLS.PodLevel.Enabled {
 		instance.Spec.Octavia.Template.OctaviaAPI.TLS = octavia.Spec.OctaviaAPI.TLS
+
+		serviceName := "octavia"
+		// create ovndb client certificate for octavia
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: instance.GetOvnIssuer(),
+			CertName:   fmt.Sprintf("%s-ovndbs", serviceName),
+			Duration:   nil,
+			Hostnames: []string{
+				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ClusterInternalDomain),
+			},
+			Ips: nil,
+			Usages: []certmgrv1.KeyUsage{
+				certmgrv1.UsageKeyEncipherment,
+				certmgrv1.UsageDigitalSignature,
+				certmgrv1.UsageClientAuth,
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest,
+			nil)
+		if err != nil {
+			return ctrl.Result{}, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrl.Result{}, nil
+		}
+
+		instance.Spec.Octavia.Template.OctaviaAPI.TLS.Ovn.SecretName = &certSecret.Name
 	}
 	instance.Spec.Octavia.Template.OctaviaAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName