Create OVNDB client certificate for Octavia #730

Merged
Create OVNDB client certificate for Octavia
The certificate is required by the Octavia OVN provider when TLS is
enabled at the Pod level.

It also bumps the version of octavia-operator

Jira: OSPRH-6065
gthiemonge committed Apr 16, 2024
commit bfd3eede4d826e8ea76eddb96ce2d910a3810b90
5 changes: 5 additions & 0 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -10542,6 +10542,11 @@ spec:
type: object
caBundleSecretName:
type: string
ovn:
properties:
secretName:
type: string
type: object
type: object
transportURLSecret:
type: string
2 changes: 1 addition & 1 deletion apis/go.mod
@@ -20,7 +20,7 @@ require (
github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4
github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf
github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240412224825-4de3d73ff582
4 changes: 2 additions & 2 deletions apis/go.sum
@@ -105,8 +105,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4 h1:3/lBXj0vyqaca2EakQZ8tA1koIrPZZeoJ2jwRoNYE/c=
github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240412212308-52c4fc7de5a4/go.mod h1:geYtiRKn+GKR61YhAMsvPvLqVdMb4wtvMrj1kFG0SdU=
github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240404140050-69252e99daaf h1:O7RzcKH3qRORucojkKZc1vIpQv5naYoWn34zhVzTs0E=
@@ -10542,6 +10542,11 @@ spec:
type: object
caBundleSecretName:
type: string
ovn:
properties:
secretName:
type: string
type: object
type: object
transportURLSecret:
type: string
2 changes: 1 addition & 1 deletion go.mod
@@ -29,7 +29,7 @@ require (
github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240411135034-a77c10351c47
github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2
github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449
github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608
github.com/openstack-k8s-operators/openstack-operator/apis v0.0.0-00010101000000-000000000000
4 changes: 2 additions & 2 deletions go.sum
@@ -134,8 +134,8 @@ github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-
github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240411120933-2fa11969312b/go.mod h1:iA/flM2a8U+wIT9QNC+mZxQsiebhOOlLv7qpCcHFrME=
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433 h1:YACRumvGLOC4qxE9Ew8BcQfx9lrpFEOxJhLcR1k99BI=
github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240415072306-b848abde3433/go.mod h1:VypWxGnIf++Ch2lG9AQYK1TmMkaInYGN56g6FEiKFv8=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d h1:LJsJxX4ukD/h8QIRQtDJ3f55Ic2Rnl9Wy6dzEwvwkA4=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240408184306-f4d50944f99d/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2 h1:VuFtvrkVPYztDwItMvo6K0pDBxXi2kSVMPiOD8nfC3E=
github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240416115956-468bde1c9db2/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449 h1:s1UHKf5rGfpthhoB2SdyjSEQsioWTzMkTDm6dFoDHN4=
github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240410174327-61aaa39a5449/go.mod h1:YD7kgzFwVoedxEpttup/pKPxUCxo/c7y3GEGR1Ab708=
github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240415092655-7e783e887608 h1:wy7PYgPNE/oFP7Vddh/Z5kSo562EkW0ffGdmDP5aL4Y=
32 changes: 32 additions & 0 deletions pkg/openstack/octavia.go
@@ -20,6 +20,8 @@ import (
"context"
"fmt"

certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/service"
@@ -67,6 +69,36 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
// preserve any previously set TLS certs, set CA cert
if instance.Spec.TLS.PodLevel.Enabled {
instance.Spec.Octavia.Template.OctaviaAPI.TLS = octavia.Spec.OctaviaAPI.TLS

serviceName := "octavia"
// create ovndb client certificate for octavia
certRequest := certmanager.CertificateRequest{
IssuerName: instance.GetOvnIssuer(),
CertName: fmt.Sprintf("%s-ovndbs", serviceName),
Duration: nil,
Hostnames: []string{
fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
Contributor:

Should this be a wildcard cert since the pod DNS names are not predictable?

gthiemonge (Contributor, Author), Apr 16, 2024:

I see some services like neutron not using the wildcard: https://github.com/openstack-k8s-operators/openstack-operator/blob/main/pkg/openstack/neutron.go#L73 (I based my code on it)
Is it really useful here?

fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, ClusterInternalDomain),
},
Ips: nil,
Usages: []certmgrv1.KeyUsage{
certmgrv1.UsageKeyEncipherment,
certmgrv1.UsageDigitalSignature,
certmgrv1.UsageClientAuth,
},
}
certSecret, ctrlResult, err := certmanager.EnsureCert(
ctx,
helper,
certRequest,
nil)
if err != nil {
return ctrl.Result{}, err
} else if (ctrlResult != ctrl.Result{}) {
return ctrl.Result{}, nil
}

instance.Spec.Octavia.Template.OctaviaAPI.TLS.Ovn.SecretName = &certSecret.Name
}
instance.Spec.Octavia.Template.OctaviaAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
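Review bot: the requeue result from EnsureCert is discarded in the `} else if (ctrlResult != ctrl.Result{}) {` branch, which does `return ctrl.Result{}, nil`; when EnsureCert reports that the certificate is not ready yet, this returns an empty result to the caller and the reconcile is not rescheduled by this path. Returning `ctrlResult, nil` there propagates the requeue. Also, the block comment `// preserve any previously set TLS certs, set CA cert` above `if instance.Spec.TLS.PodLevel.Enabled {` no longer describes everything the block does now that it also requests the OVN DB client certificate (`octavia-ovndbs`, usages `UsageKeyEncipherment`, `UsageDigitalSignature`, `UsageClientAuth`) and stores its secret name in `TLS.Ovn.SecretName`; extend the comment so the client-cert step is documented.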