From bfd3eede4d826e8ea76eddb96ce2d910a3810b90 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 2 Apr 2024 03:06:58 -0400
Subject: [PATCH] Create ONVDB client certificate for Octavia

The certificate is required by the Octavia OVN provider when TLS is enabled at the Pod level. It also bumps of the version of octavia-operator

Jira: OSPRH-6065
---
 ....openstack.org_openstackcontrolplanes.yaml | 5 +++
 apis/go.mod | 2 +-
 apis/go.sum | 4 +--
 ....openstack.org_openstackcontrolplanes.yaml | 5 +++
 go.mod | 2 +-
 go.sum | 4 +--
 pkg/openstack/octavia.go | 32 +++++++++++++++++++
 7 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
index e51b9d9e5..f2a6244f3 100644
--- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -10542,6 +10542,11 @@ spec:
                 type: object
               caBundleSecretName:
                 type: string
+              ovn:
+                properties:
+                  secretName:
+                    type: string
+                type: object
             type: object
           transportURLSecret:
             type: string
diff --git a/apis/go.mod b/apis/go.mod
index 9bfbee846..01ee5ae99 100644
--- a/apis/go.mod
+++ b/apis/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
-	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
+	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
 	github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4
 	github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf
 	github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240412224825-4de3d73ff582
diff --git a/apis/go.sum b/apis/go.sum
index 9844e29f6..0af701568 100644
--- a/apis/go.sum
+++ b/apis/go.sum
@@ -105,8 +105,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4 h1:3/lBXj0vyqaca2EakQZ8tA1koIrPZZeoJ2jwRoNYE/c=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4/go.mod h1:geYtiRKn+GKR61YhAMsvPvLqVdMb4wtvMrj1kFG0SdU=
 github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf h1:O7RzcKH3qRORucojkKZc1vIpQv5naYoWn34zhVzTs0E=
diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
index e51b9d9e5..f2a6244f3 100644
--- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -10542,6 +10542,11 @@ spec:
                 type: object
               caBundleSecretName:
                 type: string
+              ovn:
+                properties:
+                  secretName:
+                    type: string
+                type: object
             type: object
           transportURLSecret:
             type: string
diff --git a/go.mod b/go.mod
index c988999fc..e92821f73 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
-	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
+	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
 	github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449
 	github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608
 	github.com/openstack-k8s-operators/openstack-operator/apis v0.0.0-00010101000000-000000000000
diff --git a/go.sum b/go.sum
index 328fc7069..e9410341a 100644
--- a/go.sum
+++ b/go.sum
@@ -134,8 +134,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
-github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
+github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449 h1:s1UHKf5rGfpthhoB2SdyjSEQsioWTzMkTDm6dFoDHN4=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449/go.mod h1:YD7kgzFwVoedxEpttup/pKPxUCxo/c7y3GEGR1Ab708=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608 h1:wy7PYgPNE/oFP7Vddh/Z5kSo562EkW0ffGdmDP5aL4Y=
diff --git a/pkg/openstack/octavia.go b/pkg/openstack/octavia.go
index 89866a18e..fe4af24bb 100644
--- a/pkg/openstack/octavia.go
+++ b/pkg/openstack/octavia.go
@@ -20,6 +20,8 @@ import (
 	"context"
 	"fmt"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
@@ -67,6 +69,36 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 	// preserve any previously set TLS certs, set CA cert
 	if instance.Spec.TLS.PodLevel.Enabled {
 		instance.Spec.Octavia.Template.OctaviaAPI.TLS = octavia.Spec.OctaviaAPI.TLS
+
+		serviceName := "octavia"
+		// create ovndb client certificate for octavia
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: instance.GetOvnIssuer(),
+			CertName:   fmt.Sprintf("%s-ovndbs", serviceName),
+			Duration:   nil,
+			Hostnames: []string{
+				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ClusterInternalDomain),
+			},
+			Ips: nil,
+			Usages: []certmgrv1.KeyUsage{
+				certmgrv1.UsageKeyEncipherment,
+				certmgrv1.UsageDigitalSignature,
+				certmgrv1.UsageClientAuth,
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest,
+			nil)
+		if err != nil {
+			return ctrl.Result{}, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrl.Result{}, nil
+		}
+
+		instance.Spec.Octavia.Template.OctaviaAPI.TLS.Ovn.SecretName = &certSecret.Name
 	}
 	instance.Spec.Octavia.Template.OctaviaAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
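Review bot: In the second hunk, the branch `} else if (ctrlResult != ctrl.Result{}) {` returns `ctrl.Result{}, nil`, which throws away the result EnsureCert handed back; when the helper asks for a requeue because the certificate is not issued yet, the reconcile returns success with no requeue, and the `Ovn.SecretName` assignment below it is only reached on some later, unrelated event. The line should propagate it, `return ctrlResult, nil`, and since the preceding `if` returns, the `else` can be dropped to keep the happy path left-aligned. A one-line comment above `certRequest` saying that this is a client certificate Octavia presents to the OVN databases, issued by the OVN issuer with the octavia service names as SANs, would make the `-ovndbs` name and the UsageClientAuth choice self-explaining. ReconcileOctavia begins before this hunk and continues after it.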