Merge pull request #728 from olliewalsh/tls_custom_ca_fixes

Fix TLS custom CA for rabbitmq and nova
openstack-k8s-operators · Apr 3, 2024 · d31f580 · d31f580
2 parents f3e2f3a + bf479b9
commit d31f580
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/pkg/openstack/common.go b/pkg/openstack/common.go
@@ -685,3 +685,22 @@ func SetupServiceOperatorDefaults() {
 	//  Barbican
 	barbicanv1.SetupDefaults()
 }
+
+func GetIssuerCertSecret(
+	ctx context.Context,
+	helper *helper.Helper,
+	name string,
+	namespace string,
+) (string, error) {
+	// get  issuer
+	issuer, err := certmanager.GetIssuerByName(
+		ctx,
+		helper,
+		name,
+		namespace,
+	)
+	if err != nil {
+		return "", err
+	}
+	return issuer.Spec.CA.SecretName, nil
+}
diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
@@ -173,7 +173,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			helper,
 			nova.Namespace,
 			instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service.Labels,
-			tls.DefaultCAPrefix+string(service.EndpointInternal),
+			instance.GetInternalIssuer(),
 			nil)
 		if err != nil && !k8s_errors.IsNotFound(err) {
 			return ctrlResult, err
@@ -196,7 +196,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 				helper,
 				nova.Namespace,
 				cellTemplate.MetadataServiceTemplate.Override.Service.Labels,
-				tls.DefaultCAPrefix+string(service.EndpointInternal),
+				instance.GetInternalIssuer(),
 				nil)
 			if err != nil && !k8s_errors.IsNotFound(err) {
 				return ctrlResult, err

diff --git a/pkg/openstack/rabbitmq.go b/pkg/openstack/rabbitmq.go
@@ -10,8 +10,6 @@ import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/ocp"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	rabbitmqv2 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
 
@@ -195,6 +193,7 @@ func reconcileRabbitMQ(
 
 	hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
 	tlsCert := ""
+	tlsCaCert := ""
 
 	if instance.Spec.TLS.PodLevel.Enabled {
 		certRequest := certmanager.CertificateRequest{
@@ -220,6 +219,11 @@ func reconcileRabbitMQ(
 		}
 
 		tlsCert = certSecret.Name
+
+		tlsCaCert, err = GetIssuerCertSecret(ctx, helper, instance.GetInternalIssuer(), instance.Namespace)
+		if err != nil {
+			return mqFailed, ctrlResult, err
+		}
 	}
 
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), rabbitmq, func() error {
@@ -258,7 +262,7 @@ func reconcileRabbitMQ(
 		}
 
 		if tlsCert != "" {
-			rabbitmq.Spec.TLS.CaSecretName = tls.DefaultCAPrefix + string(service.EndpointInternal)
+			rabbitmq.Spec.TLS.CaSecretName = tlsCaCert
 			rabbitmq.Spec.TLS.SecretName = tlsCert
 			// disable non tls listeners
 			rabbitmq.Spec.TLS.DisableNonTLSListeners = true