[tlse] TLS database connection

moves requesting the DB before rendering the service configuration. The my.cnf file gets added to the secret holding the service configs. The content of my.cnf is centrally managed in the mariadb-operator and retrieved calling db.GetDatabaseClientConfig(tlsCfg) Depends-On: openstack-k8s-operators/mariadb-operator#190 Depends-On: openstack-k8s-operators/mariadb-operator#191 Jira: OSPRH-4547
stuggi · Feb 19, 2024 · 2f0b786 · 2f0b786
1 parent 3d349f2
commit 2f0b786
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 41 deletions.
diff --git a/controllers/placementapi_controller.go b/controllers/placementapi_controller.go
@@ -349,6 +349,13 @@ func (r *PlacementAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	// all our input checks out so report InputReady
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 
+	result, err = r.ensureDB(ctx, h, instance)
+	if err != nil {
+		return ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		return result, nil
+	}
+
 	err = r.generateServiceConfigMaps(ctx, h, instance, secret, &configMapVars)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
@@ -425,11 +432,6 @@ func (r *PlacementAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return result, err
 	}
 
-	result, err = r.ensureDB(ctx, h, instance)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-
 	apiEndpoints, result, err := r.ensureServiceExposed(ctx, h, instance)
 
 	if (err != nil || result != ctrl.Result{}) {
@@ -1184,10 +1186,24 @@ func (r *PlacementAPIReconciler) generateServiceConfigMaps(
 
 	cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(placement.ServiceName), map[string]string{})
 
+	db, err := mariadbv1.GetDatabaseByName(ctx, h, placement.DatabaseName)
+	if err != nil {
+		return err
+	}
+
+	tlsCfg, err := instance.Spec.TLS.API.Internal.ToService()
+	if err != nil {
+		return err
+	}
+
 	// customData hold any customization for the service.
 	// custom.conf is going to /etc/<service>/<service>.conf.d
+	// my.cnf is going to /etc/my.cnf
 	// all other files get placed into /etc/<service> to allow overwrite of e.g. policy.json
-	customData := map[string]string{common.CustomServiceConfigFileName: instance.Spec.CustomServiceConfig}
+	customData := map[string]string{
+		common.CustomServiceConfigFileName: instance.Spec.CustomServiceConfig,
+		"my.cnf":                           db.GetDatabaseClientConfig(tlsCfg),
+	}
 	for key, data := range instance.Spec.DefaultConfigOverwrite {
 		customData[key] = data
 	}
@@ -1209,11 +1225,13 @@ func (r *PlacementAPIReconciler) generateServiceConfigMaps(
 		"KeystoneInternalURL": keystoneInternalURL,
 		"KeystonePublicURL":   keystonePublicURL,
 		"PlacementPassword":   string(ospSecret.Data[instance.Spec.PasswordSelectors.Service]),
-		"DBUser":              instance.Spec.DatabaseUser,
-		"DBPassword":          string(ospSecret.Data[instance.Spec.PasswordSelectors.Database]),
-		"DBAddress":           instance.Status.DatabaseHostname,
-		"DBName":              placement.DatabaseName,
 		"log_file":            "/var/log/placement/placement-api.log",
+		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
+			instance.Spec.DatabaseUser,
+			string(ospSecret.Data[instance.Spec.PasswordSelectors.Database]),
+			db.GetDatabaseHostname(),
+			placement.DatabaseName,
+		),
 	}
 
 	// create httpd  vhost template parameters

diff --git a/templates/placementapi/config/placement-api-config.json b/templates/placementapi/config/placement-api-config.json
@@ -47,6 +47,12 @@
             "owner": "placement",
             "perm": "0600",
             "optional": true
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "placement",
+            "perm": "0600"
         }
     ],
     "permissions": [

diff --git a/templates/placementapi/config/placement-dbsync-config.json b/templates/placementapi/config/placement-dbsync-config.json
@@ -12,6 +12,12 @@
             "dest": "/etc/placement/placement.conf.d/custom.conf",
             "owner": "placement",
             "perm": "0600"
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "placement",
+            "perm": "0600"
         }
     ]
 }
diff --git a/templates/placementapi/config/placement.conf b/templates/placementapi/config/placement.conf
@@ -9,7 +9,7 @@ log_file = {{ .log_file }}
 debug = true
 
 [placement_database]
-connection = mysql+pymysql://{{ .DBUser }}:{{ .DBPassword }}@{{ .DBAddress }}/{{ .DBName }}
+connection = {{ .DatabaseConnection }}
 
 [api]
 auth_strategy = keystone

diff --git a/tests/functional/placementapi_controller_test.go b/tests/functional/placementapi_controller_test.go
@@ -200,6 +200,17 @@ var _ = Describe("PlacementAPI controller", func() {
 			)
 			DeferCleanup(
 				k8sClient.Delete, ctx, CreatePlacementAPISecret(namespace, SecretName))
+
+			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
+			)
+			db := mariadb.GetMariaDBDatabase(names.MariaDBDatabaseName)
+			Expect(db.Spec.Name).To(Equal(names.MariaDBDatabaseName.Name))
+
+			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
 		})
 
 		It("should have input ready", func() {
@@ -239,15 +250,62 @@ var _ = Describe("PlacementAPI controller", func() {
 			DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPIName)
 		})
 
+		It("creates MariaDB database", func() {
+			th.ExpectCondition(
+				names.PlacementAPIName,
+				ConditionGetterFunc(PlacementConditionGetter),
+				condition.DBReadyCondition,
+				corev1.ConditionFalse,
+			)
+
+			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
+			)
+			db := mariadb.GetMariaDBDatabase(names.MariaDBDatabaseName)
+			Expect(db.Spec.Name).To(Equal(names.MariaDBDatabaseName.Name))
+
+			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
+
+			th.ExpectCondition(
+				names.PlacementAPIName,
+				ConditionGetterFunc(PlacementConditionGetter),
+				condition.DBReadyCondition,
+				corev1.ConditionTrue,
+			)
+		})
+
 		It("should have config ready", func() {
+			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
+			)
+			db := mariadb.GetMariaDBDatabase(names.MariaDBDatabaseName)
+			Expect(db.Spec.Name).To(Equal(names.MariaDBDatabaseName.Name))
+
+			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
+
 			th.ExpectCondition(
 				names.PlacementAPIName,
 				ConditionGetterFunc(PlacementConditionGetter),
 				condition.ServiceConfigReadyCondition,
 				corev1.ConditionTrue,
 			)
 		})
+
 		It("should create a configuration Secret", func() {
+			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
+			)
+			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
+
 			cm := th.GetSecret(names.ConfigMapName)
 
 			conf := cm.Data["placement.conf"]
@@ -260,7 +318,7 @@ var _ = Describe("PlacementAPI controller", func() {
 			Expect(conf).Should(
 				ContainSubstring("password = 12345678"))
 			Expect(conf).Should(
-				ContainSubstring("connection = mysql+pymysql://placement:12345678@/placement"))
+				ContainSubstring("connection = mysql+pymysql://placement:12345678@/placement?read_default_file=/etc/my.cnf"))
 
 			custom := cm.Data["custom.conf"]
 			Expect(custom).Should(ContainSubstring("foo = bar"))
@@ -269,9 +327,20 @@ var _ = Describe("PlacementAPI controller", func() {
 			Expect(policy).Should(
 				ContainSubstring("\"placement:resource_providers:list\": \"!\""))
 
+			myCnf := cm.Data["my.cnf"]
+			Expect(myCnf).To(
+				ContainSubstring("[client]\nssl=0"))
 		})
 
 		It("creates service account, role and rolebindig", func() {
+			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
+			)
+			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
+
 			th.ExpectCondition(
 				names.PlacementAPIName,
 				ConditionGetterFunc(PlacementConditionGetter),
@@ -302,33 +371,6 @@ var _ = Describe("PlacementAPI controller", func() {
 			Expect(binding.Subjects).To(HaveLen(1))
 			Expect(binding.Subjects[0].Name).To(Equal(sa.Name))
 		})
-
-		It("creates MariaDB database", func() {
-			th.ExpectCondition(
-				names.PlacementAPIName,
-				ConditionGetterFunc(PlacementConditionGetter),
-				condition.DBReadyCondition,
-				corev1.ConditionFalse,
-			)
-
-			serviceSpec := corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 3306}}}
-			DeferCleanup(
-				mariadb.DeleteDBService,
-				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
-			)
-			db := mariadb.GetMariaDBDatabase(names.MariaDBDatabaseName)
-			Expect(db.Spec.Name).To(Equal(names.MariaDBDatabaseName.Name))
-
-			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
-			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
-
-			th.ExpectCondition(
-				names.PlacementAPIName,
-				ConditionGetterFunc(PlacementConditionGetter),
-				condition.DBReadyCondition,
-				corev1.ConditionTrue,
-			)
-		})
 		It("creates keystone service", func() {
 			th.ExpectCondition(
 				names.PlacementAPIName,
@@ -757,7 +799,7 @@ var _ = Describe("PlacementAPI controller", func() {
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
 			)
-			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBTLSDatabaseCompleted(names.MariaDBDatabaseName)
 			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
 			keystone.SimulateKeystoneServiceReady(names.KeystoneServiceName)
 			keystone.SimulateKeystoneEndpointReady(names.KeystoneEndpointName)
@@ -795,6 +837,10 @@ var _ = Describe("PlacementAPI controller", func() {
 			Expect(configData).Should(ContainSubstring("SSLCertificateKeyFile   \"/etc/pki/tls/private/internal.key\""))
 			Expect(configData).Should(ContainSubstring("SSLCertificateFile      \"/etc/pki/tls/certs/public.crt\""))
 			Expect(configData).Should(ContainSubstring("SSLCertificateKeyFile   \"/etc/pki/tls/private/public.key\""))
+
+			configData = string(configDataMap.Data["my.cnf"])
+			Expect(configData).To(
+				ContainSubstring("[client]\nssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nssl=1"))
 		})
 	})
 })
@@ -823,7 +869,7 @@ var _ = Describe("PlacementAPI reconfiguration", func() {
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(namespace, "openstack", serviceSpec),
 			)
-			mariadb.SimulateMariaDBDatabaseCompleted(names.MariaDBDatabaseName)
+			mariadb.SimulateMariaDBTLSDatabaseCompleted(names.MariaDBDatabaseName)
 			mariadb.SimulateMariaDBAccountCompleted(names.MariaDBDatabaseName)
 			keystone.SimulateKeystoneServiceReady(names.KeystoneServiceName)
 			keystone.SimulateKeystoneEndpointReady(names.KeystoneEndpointName)