From f355bc7d85ef360da3738a502c8149f9624faab8 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Sat, 9 Mar 2024 02:03:21 +0000 Subject: [PATCH] OVN TLS support Create and configure ovndbs certs for ovncontroller and neutron if internal TLS is enabled. Jira: OSPRH-2191 --- ....openstack.org_openstackcontrolplanes.yaml | 5 + apis/go.mod | 2 +- apis/go.sum | 4 +- ....openstack.org_openstackcontrolplanes.yaml | 5 + go.mod | 8 +- go.sum | 16 +-- pkg/openstack/ca.go | 6 +- pkg/openstack/neutron.go | 34 ++++- pkg/openstack/ovn.go | 136 ++++++++++++++++++ 9 files changed, 199 insertions(+), 17 deletions(-) diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml index be2302691..f7ce222b0 100644 --- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -8627,6 +8627,11 @@ spec: type: object caBundleSecretName: type: string + ovn: + properties: + secretName: + type: string + type: object type: object required: - containerImage diff --git a/apis/go.mod b/apis/go.mod index 344c9bffc..f43174670 100644 --- a/apis/go.mod +++ b/apis/go.mod @@ -18,7 +18,7 @@ require ( github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240306153230-dc65ab49ebc0 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee - github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 + github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240307150054-826f3260f9aa 
diff --git a/apis/go.sum b/apis/go.sum index 2db1570e6..0fbc9fd37 100644 --- a/apis/go.sum +++ b/apis/go.sum @@ -101,8 +101,8 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb/go.mod h1:WjZonBUlokd/WM3bzlGqW0KncogYyxUDmWmKvxSPlLE= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee h1:UYxzWJ1HixHQ+jPoZ/PeTqCUxVr1+kha4YJpV/UwL64= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag= -github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 h1:7BPdD7bAuzcl08/EiGDOJNBtfVnwuxm7F2acbC+kpuc= -github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs= +github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f h1:/a/+8/2zx+GAr5urESTrxac71BDjeG6vYNEScUyytFg= +github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs= github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af h1:EuR34g9uahKG8YKp91FVvj5MNGR0Y+Q9aeu4Y3E8m+U= github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af/go.mod h1:RCAltxGRZ+fJd1Ouo5gInELLubDg2BW9dacm7jw7pzk= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a h1:lyrp4n/ao9oVCmvzfE8dIKIQvJnPlRlYi1nRguDyqMs= diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index be2302691..f7ce222b0 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml 
@@ -8627,6 +8627,11 @@ spec: type: object caBundleSecretName: type: string + ovn: + properties: + secretName: + type: string + type: object type: object required: - containerImage diff --git a/go.mod b/go.mod index e34540b5c..262e5897e 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/blang/semver/v4 v4.0.0 - github.com/cert-manager/cert-manager v1.11.5 + github.com/cert-manager/cert-manager v1.13.4 github.com/ghodss/yaml v1.0.0 github.com/go-logr/logr v1.4.1 github.com/google/uuid v1.6.0 @@ -27,7 +27,7 @@ require ( github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240306153230-dc65ab49ebc0 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee - github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 + github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240305134542-42210080a43a @@ -87,7 +87,7 @@ require ( github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.64.1-rhobs3 // indirect github.com/rhobs/observability-operator v0.0.20 // indirect github.com/robfig/cron/v3 v3.0.1 // indirect - github.com/sirupsen/logrus v1.9.2 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/pflag v1.0.5 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/mod v0.15.0 // indirect 
@@ -108,7 +108,7 @@ require ( k8s.io/component-base v0.28.7 // indirect k8s.io/klog/v2 v2.120.1 // indirect k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect - sigs.k8s.io/gateway-api v0.6.0 // indirect + sigs.k8s.io/gateway-api v0.8.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/go.sum b/go.sum index 46689880d..92d29da9c 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/cert-manager/cert-manager v1.11.5 h1:K2LurvwIE4hIhODQZnkOW6ljYe3lVMAliS/to+gI05o= -github.com/cert-manager/cert-manager v1.11.5/go.mod h1:zNOyoTEwdn9Rtj5Or2pjBY1Bqwtw4vBElP2fKSP8/g8= +github.com/cert-manager/cert-manager v1.13.4 h1:4zJdlemXg84KFssuk4I781oBJo1CuAnD1m8ZF/zsRrY= +github.com/cert-manager/cert-manager v1.13.4/go.mod h1:8F9nXyWuOP0Ziq77g0N5N/sTyfP1NBVs4C1GBjrDU1I= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -119,8 +119,8 @@ github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb/go.mod h1:WjZonBUlokd/WM3bzlGqW0KncogYyxUDmWmKvxSPlLE= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee h1:UYxzWJ1HixHQ+jPoZ/PeTqCUxVr1+kha4YJpV/UwL64= github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag= -github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 h1:7BPdD7bAuzcl08/EiGDOJNBtfVnwuxm7F2acbC+kpuc= -github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs= +github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f h1:/a/+8/2zx+GAr5urESTrxac71BDjeG6vYNEScUyytFg= +github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240308065128-4ba88761f83f/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs= github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af h1:EuR34g9uahKG8YKp91FVvj5MNGR0Y+Q9aeu4Y3E8m+U= github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af/go.mod h1:RCAltxGRZ+fJd1Ouo5gInELLubDg2BW9dacm7jw7pzk= github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a h1:lyrp4n/ao9oVCmvzfE8dIKIQvJnPlRlYi1nRguDyqMs= 
@@ -160,8 +160,8 @@ github.com/rhobs/observability-operator v0.0.20/go.mod h1:F+exF/48C17xz9Ci9WK9Ri github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs= github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y= -github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -275,8 +275,8 @@ k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCf k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw= sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= -sigs.k8s.io/gateway-api v0.6.0 h1:v2FqrN2ROWZLrSnI2o91taHR8Sj3s+Eh3QU7gLNWIqA= -sigs.k8s.io/gateway-api v0.6.0/go.mod h1:EYJT+jlPWTeNskjV0JTki/03WX1cyAnBhwBJfYHpV/0= +sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg= +sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= 
diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go index 3c1872057..d2beedb48 100644 --- a/pkg/openstack/ca.go +++ b/pkg/openstack/ca.go @@ -27,6 +27,10 @@ import ( ctrl "sigs.k8s.io/controller-runtime" ) +const ( + OvnDbCaName = tls.DefaultCAPrefix + "ovn" +) + // ReconcileCAs - func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, helper *helper.Helper) (ctrl.Result, error) { Log := GetLogger(ctx) @@ -136,7 +140,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h instance, helper, issuerReq, - tls.DefaultCAPrefix+"ovn", + OvnDbCaName, map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""}, bundle, caOnlyBundle, diff --git a/pkg/openstack/neutron.go b/pkg/openstack/neutron.go index ea22fcdc7..5a2b16c2a 100644 --- a/pkg/openstack/neutron.go +++ b/pkg/openstack/neutron.go @@ -4,9 +4,12 @@ import ( "context" "fmt" + certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + "github.com/openstack-k8s-operators/lib-common/modules/certmanager" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" "github.com/openstack-k8s-operators/lib-common/modules/common/service" + "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" 
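Review bot: The new exported constant `OvnDbCaName` in the added `const (` block has no doc comment, and since its value is what every other file in this patch passes as `IssuerName`, a reader should not have to trace ReconcileCAs to learn what it names. I would add `// OvnDbCaName is the name of the CA issuer used for OVN database TLS certificates (the issuer ReconcileCAs creates with RootCAIssuerOvnDBLabel); ovndb client and server certificate requests must use it as IssuerName.` above the declaration. The second ca.go hunk only replaces the inline `tls.DefaultCAPrefix+"ovn"` with the constant inside ReconcileCAs, whose body starts and ends outside the hunk.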
@@ -58,6 +61,35 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro // preserve any previously set TLS certs,set CA cert if instance.Spec.TLS.Enabled(service.EndpointInternal) { instance.Spec.Neutron.Template.TLS = neutronAPI.Spec.TLS + + serviceName := "neutron" + // create ovndb client certificate for neutron + certRequest := certmanager.CertificateRequest{ + IssuerName: OvnDbCaName, + CertName: fmt.Sprintf("%s-ovndbs", serviceName), + Duration: nil, + Hostnames: []string{ + fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace), + fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, "cluster.local"), + }, + Ips: nil, + Usages: []certmgrv1.KeyUsage{ + certmgrv1.UsageKeyEncipherment, + certmgrv1.UsageDigitalSignature, + certmgrv1.UsageClientAuth, + }, + } + certSecret, ctrlResult, err := certmanager.EnsureCert( + ctx, + helper, + certRequest) + if err != nil { + return ctrl.Result{}, err + } else if (ctrlResult != ctrl.Result{}) { + return ctrl.Result{}, nil + } + + instance.Spec.Neutron.Template.TLS.Ovn.SecretName = &certSecret.Name } instance.Spec.Neutron.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName @@ -83,7 +115,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro instance.Spec.Neutron.APIOverride, corev1beta1.OpenStackControlPlaneExposeNeutronReadyCondition, false, // TODO (mschuppert) could be removed when all integrated service support TLS - instance.Spec.Neutron.Template.TLS, + tls.API{API: instance.Spec.Neutron.Template.TLS.API}, ) if err != nil { return ctrlResult, err diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go index ac07abb19..9d87a9d30 100644 --- a/pkg/openstack/ovn.go +++ b/pkg/openstack/ovn.go 
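Review bot: The second SAN in the new neutron client-certificate request hard-codes `"cluster.local"` as the cluster DNS suffix, whereas the equivalent requests in pkg/openstack/ovn.go use `ovnv1.DNSSuffix`; on a cluster with a different suffix the neutron cert would carry a name that does not resolve and the two files would disagree on which name is asserted. I would write it as `fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix)` (importing the ovn-operator API package as ovn.go already does) or hoist the suffix into one shared constant. Separately, `certmgrv1.UsageKeyEncipherment` only matters for RSA key-transport cipher suites and is dead weight on a pure client-auth cert, though it is harmless to keep. ReconcileNeutron starts before and continues after this hunk.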
@@ -4,14 +4,19 @@ import ( "context" "fmt" + "github.com/openstack-k8s-operators/lib-common/modules/certmanager" "github.com/openstack-k8s-operators/lib-common/modules/common/condition" "github.com/openstack-k8s-operators/lib-common/modules/common/helper" + "github.com/openstack-k8s-operators/lib-common/modules/common/service" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1" ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1" + k8s_errors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" ) 
@@ -76,6 +81,51 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack continue } + // preserve any previously set TLS certs, set CA cert + if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: name, Namespace: instance.Namespace}, OVNDBCluster); err != nil { + if !k8s_errors.IsNotFound(err) { + return false, err + } + } + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + dbcluster.TLS = OVNDBCluster.Spec.TLS + } + dbcluster.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + + if OVNDBCluster.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) { + // create certificate for ovndbclusters + certRequest := certmanager.CertificateRequest{ + IssuerName: OvnDbCaName, + CertName: fmt.Sprintf("%s-ovndbs", name), + Duration: nil, + // Cert needs to be valid for the individual pods in the statefulset so make this a wildcard cert + Hostnames: []string{ + fmt.Sprintf("*.%s.svc", instance.Namespace), + fmt.Sprintf("*.%s.svc.%s", instance.Namespace, ovnv1.DNSSuffix), + }, + Ips: nil, + Usages: []certmgrv1.KeyUsage{ + certmgrv1.UsageKeyEncipherment, + certmgrv1.UsageDigitalSignature, + certmgrv1.UsageServerAuth, + certmgrv1.UsageClientAuth, + }, + } + certSecret, ctrlResult, err := certmanager.EnsureCert( + ctx, + helper, + certRequest) + if err != nil { + return false, err + } else if (ctrlResult != ctrl.Result{}) { + return false, nil + } + + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + dbcluster.TLS.SecretName = &certSecret.Name + } + } + Log.Info("Reconciling OVNDBCluster", "OVNDBCluster.Namespace", instance.Namespace, "OVNDBCluster.Name", name) op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNDBCluster, func() error { 
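Review bot: Unlike the northd, controller and neutron requests in this patch, the `certmanager.EnsureCert` call here is not guarded by `instance.Spec.TLS.Enabled(service.EndpointInternal)`: once the service is exposed, a Certificate against `OvnDbCaName` is requested even with internal TLS off, and if it never becomes ready (for example if that issuer only exists when TLS is enabled) the early `return false, nil` skips the CreateOrPatch below on every reconcile. I would gate the whole block with `if instance.Spec.TLS.Enabled(service.EndpointInternal) && OVNDBCluster.Status.Conditions.IsTrue(condition.ExposeServiceReadyCondition) {` and drop the inner `if` around the SecretName assignment. The SAN list also deserves a second look: `*.<ns>.svc` is a single-label wildcard, so it matches every Service in the namespace but, per RFC 6125, not a two-label pod name such as `<pod>.<headless>.<ns>.svc`; if the statefulset pods are reached through a headless service, `fmt.Sprintf("*.%s.%s.svc", <headless-svc>, instance.Namespace)` would both match them and stop this key from being valid for every other service in the namespace. Issuing serverAuth plus clientAuth may be intended for cluster members that dial each other, but the comment should say so, since it is one key shared by all members. The enclosing loop and function start before this hunk.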
@@ -123,6 +173,49 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont return false, nil } + ovnNorthdSpec := &instance.Spec.Ovn.Template.OVNNorthd + + // preserve any previously set TLS certs, set CA cert + if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "ovnnorthd", Namespace: instance.Namespace}, OVNNorthd); err != nil { + if !k8s_errors.IsNotFound(err) { + return false, err + } + } + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + ovnNorthdSpec.TLS = OVNNorthd.Spec.TLS + + serviceName := ovnv1.ServiceNameOvnNorthd + // create certificate for ovnnorthd + certRequest := certmanager.CertificateRequest{ + IssuerName: OvnDbCaName, + CertName: fmt.Sprintf("%s-ovndbs", "ovnnorthd"), + Duration: nil, + Hostnames: []string{ + fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace), + fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix), + }, + Ips: nil, + Usages: []certmgrv1.KeyUsage{ + certmgrv1.UsageKeyEncipherment, + certmgrv1.UsageDigitalSignature, + certmgrv1.UsageServerAuth, + certmgrv1.UsageClientAuth, + }, + } + certSecret, ctrlResult, err := certmanager.EnsureCert( + ctx, + helper, + certRequest) + if err != nil { + return false, err + } else if (ctrlResult != ctrl.Result{}) { + return false, nil + } + + ovnNorthdSpec.TLS.SecretName = &certSecret.Name + } + ovnNorthdSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + Log.Info("Reconciling OVNNorthd", "OVNNorthd.Namespace", instance.Namespace, "OVNNorthd.Name", "ovnnorthd") op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNNorthd, func() error { 
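Review bot: The northd certificate carries `certmgrv1.UsageServerAuth` even though, as far as this hunk shows, ovn-northd only acts as a client of the OVN databases (the request is named `-ovndbs` like neutron's, which this patch issues with clientAuth alone); a server-capable cert on a client exceeds least privilege and lets that key be presented as a server to anything trusting the OVN DB CA. Unless ovn-northd exposes a TLS listener of its own, I would remove `certmgrv1.UsageServerAuth` from Usages and add a comment stating that the cert is for client authentication to the NB/SB databases. As a point of style, `fmt.Sprintf("%s-ovndbs", "ovnnorthd")` formats a literal and can simply be `"ovnnorthd-ovndbs"`, or be derived from `serviceName` so the cert name and the SAN hostnames come from the same identifier. ReconcileOVNNorthd starts before and continues after this hunk.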
@@ -171,6 +264,49 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack return false, nil } + ovnControllerSpec := &instance.Spec.Ovn.Template.OVNController + + // preserve any previously set TLS certs, set CA cert + if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "ovncontroller", Namespace: instance.Namespace}, OVNController); err != nil { + if !k8s_errors.IsNotFound(err) { + return false, err + } + } + if instance.Spec.TLS.Enabled(service.EndpointInternal) { + ovnControllerSpec.TLS = OVNController.Spec.TLS + + serviceName := ovnv1.ServiceNameOvnController + // create certificate for ovncontroller + certRequest := certmanager.CertificateRequest{ + IssuerName: OvnDbCaName, + CertName: fmt.Sprintf("%s-ovndbs", "ovncontroller"), + Duration: nil, + Hostnames: []string{ + fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace), + fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ovnv1.DNSSuffix), + }, + Ips: nil, + Usages: []certmgrv1.KeyUsage{ + certmgrv1.UsageKeyEncipherment, + certmgrv1.UsageDigitalSignature, + certmgrv1.UsageServerAuth, + certmgrv1.UsageClientAuth, + }, + } + certSecret, ctrlResult, err := certmanager.EnsureCert( + ctx, + helper, + certRequest) + if err != nil { + return false, err + } else if (ctrlResult != ctrl.Result{}) { + return false, nil + } + + ovnControllerSpec.TLS.SecretName = &certSecret.Name + } + ovnControllerSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + Log.Info("Reconciling OVNController", "OVNController.Namespace", instance.Namespace, "OVNController.Name", "ovncontroller") op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), OVNController, func() error {
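Review bot: The ovncontroller certificate is issued with `certmgrv1.UsageServerAuth` in addition to clientAuth, but nothing in this hunk shows ovn-controller accepting TLS connections; it appears to be a client of the southbound database, and a client-auth-only cert would keep a leaked controller key from being usable to impersonate a server to any peer trusting the OVN DB CA. Unless ovn-controller does serve TLS, I would remove `certmgrv1.UsageServerAuth` from Usages. The SAN hostnames are built from `ovnv1.ServiceNameOvnController` while `CertName` uses the literal `"ovncontroller"`; deriving both from one identifier, or commenting why a client-side cert names a Service in its SANs, would make the intent clear. Presumably every pod that mounts this secret shares the same private key, which is worth a one-line comment if that is the accepted trade-off. ReconcileOVNController starts before and continues after this hunk.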