Merge pull request #699 from olliewalsh/ovn_tls

[tlse] OVN TLS support
openstack-k8s-operators · Mar 9, 2024 · c73a218 · c73a218
2 parents 1e57116 + f355bc7
commit c73a218
Show file tree

Hide file tree

Showing 9 changed files with 199 additions and 17 deletions.
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -8627,6 +8627,11 @@ spec:
                             type: object
                           caBundleSecretName:
                             type: string
+                          ovn:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
                         type: object
                     required:
                     - containerImage

diff --git a/apis/go.mod b/apis/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee
-	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67
+	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af
 	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a
 	github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240307150054-826f3260f9aa

diff --git a/apis/go.sum b/apis/go.sum
@@ -101,8 +101,8 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb/go.mod h1:WjZonBUlokd/WM3bzlGqW0KncogYyxUDmWmKvxSPlLE=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee h1:UYxzWJ1HixHQ+jPoZ/PeTqCUxVr1+kha4YJpV/UwL64=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag=
-github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 h1:7BPdD7bAuzcl08/EiGDOJNBtfVnwuxm7F2acbC+kpuc=
-github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs=
+github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f h1:/a/+8/2zx+GAr5urESTrxac71BDjeG6vYNEScUyytFg=
+github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af h1:EuR34g9uahKG8YKp91FVvj5MNGR0Y+Q9aeu4Y3E8m+U=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af/go.mod h1:RCAltxGRZ+fJd1Ouo5gInELLubDg2BW9dacm7jw7pzk=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a h1:lyrp4n/ao9oVCmvzfE8dIKIQvJnPlRlYi1nRguDyqMs=

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -8627,6 +8627,11 @@ spec:
                             type: object
                           caBundleSecretName:
                             type: string
+                          ovn:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
                         type: object
                     required:
                     - containerImage

diff --git a/go.mod b/go.mod
@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/blang/semver/v4 v4.0.0
-	github.com/cert-manager/cert-manager v1.11.5
+	github.com/cert-manager/cert-manager v1.13.4
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-logr/logr v1.4.1
 	github.com/google/uuid v1.6.0
@@ -27,7 +27,7 @@ require (
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee
-	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67
+	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af
 	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a
 	github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240305134542-42210080a43a
@@ -87,7 +87,7 @@ require (
 	github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.64.1-rhobs3 // indirect
 	github.com/rhobs/observability-operator v0.0.20 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
-	github.com/sirupsen/logrus v1.9.2 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.15.0 // indirect
@@ -108,7 +108,7 @@ require (
 	k8s.io/component-base v0.28.7 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
-	sigs.k8s.io/gateway-api v0.6.0 // indirect
+	sigs.k8s.io/gateway-api v0.8.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -2,8 +2,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/cert-manager/cert-manager v1.11.5 h1:K2LurvwIE4hIhODQZnkOW6ljYe3lVMAliS/to+gI05o=
-github.com/cert-manager/cert-manager v1.11.5/go.mod h1:zNOyoTEwdn9Rtj5Or2pjBY1Bqwtw4vBElP2fKSP8/g8=
+github.com/cert-manager/cert-manager v1.13.4 h1:4zJdlemXg84KFssuk4I781oBJo1CuAnD1m8ZF/zsRrY=
+github.com/cert-manager/cert-manager v1.13.4/go.mod h1:8F9nXyWuOP0Ziq77g0N5N/sTyfP1NBVs4C1GBjrDU1I=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -119,8 +119,8 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb/go.mod h1:WjZonBUlokd/WM3bzlGqW0KncogYyxUDmWmKvxSPlLE=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee h1:UYxzWJ1HixHQ+jPoZ/PeTqCUxVr1+kha4YJpV/UwL64=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag=
-github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 h1:7BPdD7bAuzcl08/EiGDOJNBtfVnwuxm7F2acbC+kpuc=
-github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs=
+github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f h1:/a/+8/2zx+GAr5urESTrxac71BDjeG6vYNEScUyytFg=
+github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af h1:EuR34g9uahKG8YKp91FVvj5MNGR0Y+Q9aeu4Y3E8m+U=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af/go.mod h1:RCAltxGRZ+fJd1Ouo5gInELLubDg2BW9dacm7jw7pzk=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a h1:lyrp4n/ao9oVCmvzfE8dIKIQvJnPlRlYi1nRguDyqMs=
@@ -160,8 +160,8 @@ github.com/rhobs/observability-operator v0.0.20/go.mod h1:F+exF/48C17xz9Ci9WK9Ri
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
-github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -275,8 +275,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw=
 sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
-sigs.k8s.io/gateway-api v0.6.0 h1:v2FqrN2ROWZLrSnI2o91taHR8Sj3s+Eh3QU7gLNWIqA=
-sigs.k8s.io/gateway-api v0.6.0/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0=
+sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg=
+sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -27,6 +27,10 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+const (
+	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
+)
+
 // ReconcileCAs -
 func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, helper *helper.Helper) (ctrl.Result, error) {
 	Log := GetLogger(ctx)
@@ -136,7 +140,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		instance,
 		helper,
 		issuerReq,
-		tls.DefaultCAPrefix+"ovn",
+		OvnDbCaName,
 		map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""},
 		bundle,
 		caOnlyBundle,

diff --git a/pkg/openstack/neutron.go b/pkg/openstack/neutron.go
@@ -4,9 +4,12 @@ import (
 	"context"
 	"fmt"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -58,6 +61,35 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 	// preserve any previously set TLS certs,set CA cert
 	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
 		instance.Spec.Neutron.Template.TLS = neutronAPI.Spec.TLS
+
+		serviceName := "neutron"
+		// create ovndb client certificate for neutron
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: OvnDbCaName,
+			CertName:   fmt.Sprintf("%s-ovndbs", serviceName),
+			Duration:   nil,
+			Hostnames: []string{
+				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, "cluster.local"),
+			},
+			Ips: nil,
+			Usages: []certmgrv1.KeyUsage{
+				certmgrv1.UsageKeyEncipherment,
+				certmgrv1.UsageDigitalSignature,
+				certmgrv1.UsageClientAuth,
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest)
+		if err != nil {
+			return ctrl.Result{}, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrl.Result{}, nil
+		}
+
+		instance.Spec.Neutron.Template.TLS.Ovn.SecretName = &certSecret.Name
 	}
 	instance.Spec.Neutron.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 
@@ -83,7 +115,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Neutron.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeNeutronReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
-			instance.Spec.Neutron.Template.TLS,
+			tls.API{API: instance.Spec.Neutron.Template.TLS.API},
 		)
 		if err != nil {
 			return ctrlResult, err

diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
@@ -4,14 +4,19 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 	ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1"
+	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
@@ -76,6 +81,51 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 			continue
 		}
 
+		// preserve any previously set TLS certs, set CA cert
+		if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: name, Namespace: instance.Namespace}, OVNDBCluster); err != nil {
+			if !k8s_errors.IsNotFound(err) {
+				return false, err
+			}
+		}
+		if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+			dbcluster.TLS = OVNDBCluster.Spec.TLS
+		}
+		dbcluster.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
+		if OVNDBCluster.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {
+			// create certificate for ovndbclusters
+			certRequest := certmanager.CertificateRequest{
+				IssuerName: OvnDbCaName,
+				CertName:   fmt.Sprintf("%s-ovndbs", name),
+				Duration:   nil,
+				// Cert needs to be valid for the individual pods in the statefulset so make this a wildcard cert
+				Hostnames: []string{
+					fmt.Sprintf("*.%s.svc", instance.Namespace),
+					fmt.Sprintf("*.%s.svc.%s", instance.Namespace, ovnv1.DNSSuffix),
+				},
+				Ips: nil,
+				Usages: []certmgrv1.KeyUsage{
+					certmgrv1.UsageKeyEncipherment,
+					certmgrv1.UsageDigitalSignature,
+					certmgrv1.UsageServerAuth,
+					certmgrv1.UsageClientAuth,
+				},
+			}
+			certSecret, ctrlResult, err := certmanager.EnsureCert(
+				ctx,
+				helper,
+				certRequest)
+			if err != nil {
+				return false, err
+			} else if (ctrlResult != ctrl.Result{}) {
+				return false, nil
+			}
+
+			if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+				dbcluster.TLS.SecretName = &certSecret.Name
+			}
+		}
+
 		Log.Info("Reconciling OVNDBCluster", "OVNDBCluster.Namespace", instance.Namespace, "OVNDBCluster.Name", name)
 		op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNDBCluster, func() error {
 
@@ -123,6 +173,49 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 		return false, nil
 	}
 
+	ovnNorthdSpec := &instance.Spec.Ovn.Template.OVNNorthd
+
+	// preserve any previously set TLS certs, set CA cert
+	if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "ovnnorthd", Namespace: instance.Namespace}, OVNNorthd); err != nil {
+		if !k8s_errors.IsNotFound(err) {
+			return false, err
+		}
+	}
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		ovnNorthdSpec.TLS = OVNNorthd.Spec.TLS
+
+		serviceName := ovnv1.ServiceNameOvnNorthd
+		// create certificate for ovnnorthd
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: OvnDbCaName,
+			CertName:   fmt.Sprintf("%s-ovndbs", "ovnnorthd"),
+			Duration:   nil,
+			Hostnames: []string{
+				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
+			},
+			Ips: nil,
+			Usages: []certmgrv1.KeyUsage{
+				certmgrv1.UsageKeyEncipherment,
+				certmgrv1.UsageDigitalSignature,
+				certmgrv1.UsageServerAuth,
+				certmgrv1.UsageClientAuth,
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest)
+		if err != nil {
+			return false, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return false, nil
+		}
+
+		ovnNorthdSpec.TLS.SecretName = &certSecret.Name
+	}
+	ovnNorthdSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	Log.Info("Reconciling OVNNorthd", "OVNNorthd.Namespace", instance.Namespace, "OVNNorthd.Name", "ovnnorthd")
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNNorthd, func() error {
 
@@ -171,6 +264,49 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 		return false, nil
 	}
 
+	ovnControllerSpec := &instance.Spec.Ovn.Template.OVNController
+
+	// preserve any previously set TLS certs, set CA cert
+	if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "ovncontroller", Namespace: instance.Namespace}, OVNController); err != nil {
+		if !k8s_errors.IsNotFound(err) {
+			return false, err
+		}
+	}
+	if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+		ovnControllerSpec.TLS = OVNController.Spec.TLS
+
+		serviceName := ovnv1.ServiceNameOvnController
+		// create certificate for ovncontroller
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: OvnDbCaName,
+			CertName:   fmt.Sprintf("%s-ovndbs", "ovncontroller"),
+			Duration:   nil,
+			Hostnames: []string{
+				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix),
+			},
+			Ips: nil,
+			Usages: []certmgrv1.KeyUsage{
+				certmgrv1.UsageKeyEncipherment,
+				certmgrv1.UsageDigitalSignature,
+				certmgrv1.UsageServerAuth,
+				certmgrv1.UsageClientAuth,
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest)
+		if err != nil {
+			return false, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return false, nil
+		}
+
+		ovnControllerSpec.TLS.SecretName = &certSecret.Name
+	}
+	ovnControllerSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	Log.Info("Reconciling OVNController", "OVNController.Namespace", instance.Namespace, "OVNController.Name", "ovncontroller")
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNController, func() error {