From d0b28c32b28c05af7b0f800b506b273a5ff579e6 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Tue, 9 Apr 2024 16:22:31 +0200
Subject: [PATCH] [tls] set organization on galera certificate

From comment on https://github.com/openstack-k8s-operators/openstack-operator/pull/678#issuecomment-1952459166
~~~
The certificate created for galera should populate the 'organization' field, otherwise this trip the SST transfer setup done by wsrep_sst_rsync. This will not show at the initial deployment because there is no SST involved when the DB is bootstrapped as there are no data to be transferred yet.
~~~

Jira: OSPRH-2440
---
go.mod | 2 +-
go.sum | 4 ++--
pkg/openstack/galera.go | 8 ++++++++
3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 9b2d1451c..83210b64d 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
  github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240403153038-cacd7b514718
  github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0ac0a3eea830
  github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49
- github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484
+ github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2
  github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484
  github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240404123425-54f145c97484
  github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240403143013-74e2f3cc4015
diff --git a/go.sum b/go.sum
index 10bb031f3..cfb04a72a 100644
--- a/go.sum
+++ b/go.sum
@@ -116,8 +116,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0ac0a3eea830/go.mod h1:x1Hya2LM5fP3iD89Es9YDrG4vj+GIULLAdgxmv3NIvY=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49 h1:LSbLg+6iwX2jkVKe0ba6GqSO2mpoJlUZyWIWZA6jv6M=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49/go.mod h1:opUQY0YZNCyA11FKLToVhaVZTTEMfbnf0ozOLmkKfGs=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484 h1:4PS7ywfixWWDM+UyjWblXInNOb4IwjryvPsTrbnN1bE=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484/go.mod h1:MkhvdDYL/CI7aQdKGHLVmUwnBGTnWhcUQMdCB9ZE4BI=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2 h1:mdgMdEMJdHwV3iLVNSgRZTdYC7anWGC7yMzv6PidvsU=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2/go.mod h1:MkhvdDYL/CI7aQdKGHLVmUwnBGTnWhcUQMdCB9ZE4BI=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484 h1:P3I3QBjZql8M5XXB/XBUdeM//e3XHtLv4yu7e+QlYQ8=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484/go.mod h1:gqByVGUdKQB/NkhKV4eD+8NWYkHq961nC96rTCB3ywE=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240404123425-54f145c97484 h1:0Wmtd+xyvPvU1O6xd2G27XwZfYY2ewhTrbd9ELHlHwg=
diff --git a/pkg/openstack/galera.go b/pkg/openstack/galera.go
index 9aa1eac85..ed19be934 100644
--- a/pkg/openstack/galera.go
+++ b/pkg/openstack/galera.go
@@ -53,6 +53,14 @@ func ReconcileGaleras(
  hostname,
  fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
  },
+ // Note (dciabrin) from https://github.com/openstack-k8s-operators/openstack-operator/pull/678#issuecomment-1952459166
+ // the certificate created for galera should populate the 'organization' field,
+ // otherwise this trip the SST transfer setup done by wsrep_sst_rsync. This will not show
+ // at the initial deployment because there is no SST involved when the DB is bootstrapped
+ // as there are no data to be transferred yet.
+ Subject: &certmgrv1.X509Subject{
+ Organizations: []string{fmt.Sprintf("%s.cluster.local", instance.Namespace)},
+ },
  Usages: []certmgrv1.KeyUsage{
  "key encipherment",
  "digital signature",
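Review bot: The new Organizations entry hard-codes the `cluster.local` suffix while the DNS name two lines above derives its suffix from `ClusterInternalDomain`, so the subject and the SAN would diverge on a cluster configured with a different cluster domain; if that constant is the intended suffix, `Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},` keeps the two aligned. The added comment says the field must be populated but not what the peer side of the SST (wsrep_sst_rsync) compares it against, so a reader cannot tell whether this exact value matters or only that the field is non-empty; one sentence stating which it is would make the choice reviewable, and the wording reads better as `otherwise this trips the SST transfer setup done by wsrep_sst_rsync`. ReconcileGaleras starts and ends outside the hunk.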