[TLS] TLS for public endpoints terminated at a route
Changes openstackclient
* CRD to allow passing in a CA secret
* mounts the CA bundle under /etc/pki

Adds CRD parameters to configure TLS for public and internal TLS.
* by default, a self-signed root CA + issuer get created for
  public and internal certs
* via the apiOverride.TLS of a service, a secret with cert, key and
  CA cert can be provided to use instead of the default self-signed one
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route creation for the TLS-E follow-up to create
  certs for each service endpoint.
* when TLS for the public endpoint is enabled (default), a cert for the
  route gets automatically created and added to the route CR.
* the openstack-operator creates a full tls-ca-bundle.pem using
  the operator image ca-bundle as base and adds the public, internal
  and user-provided CAs to it. This allows mounting a full tls-ca-bundle.pem
  into the deployment pod without having to rely on kolla to run
  update-ca-trust, which requires the container to run as root.

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi committed Oct 25, 2023
1 parent c1ac26e commit 551d222
Showing 38 changed files with 1,456 additions and 240 deletions.
4 changes: 4 additions & 0 deletions apis/bases/client.openstack.org_openstackclients.yaml
@@ -36,15 +36,19 @@ spec:
type: object
spec:
properties:
caSecretName:
type: string
containerImage:
type: string
nodeSelector:
additionalProperties:
type: string
type: object
openStackConfigMap:
default: openstack-config
type: string
openStackConfigSecret:
default: openstack-config-secret
type: string
required:
- containerImage
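Review bot: `caSecretName` enters the schema as a bare `type: string` with no `description`, so a user reading the CRD cannot tell which data key inside the referenced Secret must hold the CA material; the Go side (`tls.Ca` inlined into `OpenStackClientSpec`) only says "Secret containing any CA certificates". Suggest a kubebuilder doc comment naming the expected key, and, since the commit mounts this bundle under /etc/pki, stating that the Secret must live in the same namespace as the OpenStackClient. The new `default: openstack-config` and `default: openstack-config-secret` lines match the `+kubebuilder:default` markers added to the Go type, so those are consistent.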
117 changes: 117 additions & 0 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -205,6 +205,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: true
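Review bot: `tls.secretName` is added as an unconstrained `type: string` with no `description`; the commit message says this Secret must carry cert, key and CA cert, so document the required keys here and consider a `pattern`/`maxLength` matching Kubernetes Secret name rules so a malformed reference is rejected at admission instead of failing later in reconcile. The identical `tls: properties: secretName:` block recurs in every service's `apiOverride` hunk in this file, which is expected for a shared type rendered into each embedded spec, so one fix on the Go type propagates to all of them.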
@@ -2348,6 +2353,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: true
@@ -3537,6 +3547,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
cnfAPIOverride:
properties:
@@ -3638,6 +3653,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: false
@@ -4089,6 +4109,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: false
@@ -4316,6 +4341,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: false
@@ -4420,6 +4450,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
template:
properties:
@@ -5034,6 +5069,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: true
@@ -5308,6 +5348,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: false
@@ -6534,6 +6579,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: true
@@ -7557,6 +7607,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
cellOverride:
additionalProperties:
@@ -7661,6 +7716,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
type: object
type: object
@@ -8470,6 +8530,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: false
@@ -8969,6 +9034,30 @@ spec:
- secret
type: object
type: object
openstackclient:
properties:
template:
properties:
caSecretName:
type: string
containerImage:
type: string
nodeSelector:
additionalProperties:
type: string
type: object
openStackConfigMap:
default: openstack-config
type: string
openStackConfigSecret:
default: openstack-config-secret
type: string
required:
- containerImage
- openStackConfigMap
- openStackConfigSecret
type: object
type: object
ovn:
properties:
enabled:
@@ -9297,6 +9386,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
enabled:
default: true
@@ -13620,6 +13714,11 @@ spec:
type: string
type: object
type: object
tls:
properties:
secretName:
type: string
type: object
type: object
template:
properties:
@@ -13778,6 +13877,24 @@ spec:
- swiftStorage
type: object
type: object
tls:
default:
endpoint:
internal:
enabled: false
public:
enabled: true
properties:
caSecretName:
type: string
endpoint:
additionalProperties:
properties:
enabled:
type: boolean
type: object
type: object
type: object
required:
- secret
- storageClass
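Review bot: `tls.endpoint` is declared with `additionalProperties`, so the map accepts any key, not only the `internal` and `public` entries shown in the default; a misspelled key (for example `publc: enabled: false`) passes validation and leaves the real `public` endpoint at its default `enabled: true`, so the operator silently does something other than what the user wrote. Suggest fixed `properties:` for `internal` and `public` (or an enum-constrained key) so unknown endpoint names are rejected, and a `description` on `caSecretName` saying it is the user-supplied CA that gets merged into the combined bundle the operator builds.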
14 changes: 12 additions & 2 deletions apis/client/v1beta1/openstackclient_types.go
@@ -15,6 +15,7 @@ package v1beta1

import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@@ -31,16 +32,25 @@ type OpenStackClientSpec struct {
// +kubebuilder:validation:Required
// ContainerImage for the the OpenstackClient container (will be set to environmental default if empty)
ContainerImage string `json:"containerImage"`

// +kubebuilder:validation:Required
// +kubebuilder:default=openstack-config
// OpenStackConfigMap is the name of the ConfigMap containing the clouds.yaml
OpenStackConfigMap string `json:"openStackConfigMap"`
OpenStackConfigMap *string `json:"openStackConfigMap"`

// +kubebuilder:validation:Required
// +kubebuilder:default=openstack-config-secret
// OpenStackConfigSecret is the name of the Secret containing the secure.yaml
OpenStackConfigSecret string `json:"openStackConfigSecret"`
OpenStackConfigSecret *string `json:"openStackConfigSecret"`

// +kubebuilder:validation:Optional
// NodeSelector to target subset of worker nodes running control plane services (currently only applies to KeystoneAPI and PlacementAPI)
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// +kubebuilder:validation:Optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Secret containing any CA certificates which should be added to deployment pods
tls.Ca `json:",inline"`
}
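Review bot: `OpenStackConfigMap` and `OpenStackConfigSecret` switch from `string` to `*string` while the JSON tags keep no `omitempty` and the `+kubebuilder:validation:Required` markers stay; every consumer therefore has to nil-check before dereferencing, and the control plane builds this spec in code where no API-server defaulting runs, so an unset pointer there is a real nil, not `openstack-config`. Suggest `json:"openStackConfigMap,omitempty"` (same for the secret) so an unset value is omitted rather than sent as `null`, plus a nil guard at the use sites. Minor copy-paste leftovers in the same hunk: "for the the OpenstackClient" in the ContainerImage comment, and the NodeSelector comment's "(currently only applies to KeystoneAPI and PlacementAPI)" does not describe a client pod.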

// OpenStackClientStatus defines the observed state of OpenStackClient
11 changes: 11 additions & 0 deletions apis/client/v1beta1/zz_generated.deepcopy.go

15 changes: 15 additions & 0 deletions apis/core/v1beta1/conditions.go
@@ -102,6 +102,9 @@ const (
// OpenStackControlPlaneDNSReadyCondition Status=True condition which indicates if DNSMasq is configured and operational
OpenStackControlPlaneDNSReadyCondition condition.Type = "OpenStackControlPlaneDNSReadyCondition"

// OpenStackControlPlaneCAReadyCondition Status=True condition which indicates if the CAs are configured and operational
OpenStackControlPlaneCAReadyCondition condition.Type = "OpenStackControlPlaneCAReadyCondition"

// OpenStackControlPlaneCeilometerReadyCondition Status=True condition which indicates if OpenStack Ceilometer service is configured and operational
OpenStackControlPlaneCeilometerReadyCondition condition.Type = "OpenStackControlPlaneCeilometerReady"

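Review bot: the new `OpenStackControlPlaneCAReadyCondition` takes the value `"OpenStackControlPlaneCAReadyCondition"`, mirroring the DNS condition directly above it, while the Ceilometer condition below uses `"OpenStackControlPlaneCeilometerReady"` without the suffix; the file already mixes both forms, so pick one deliberately for the new constant, since the string is what appears in `status.conditions` and in any kubectl query or alert that matches on it.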
@@ -384,4 +387,16 @@ const (

// OpenStackControlPlaneExposeServiceReadyMessage
OpenStackControlPlaneExposeServiceReadyMessage = "OpenStackControlPlane %s service exposed"

// OpenStackControlPlaneCAReadyInitMessage
OpenStackControlPlaneCAReadyInitMessage = "OpenStackControlPlane CAs not started"

// OpenStackControlPlaneCAReadyMessage
OpenStackControlPlaneCAReadyMessage = "OpenStackControlPlane CAs completed"

// OpenStackControlPlaneCAReadyRunningMessage
OpenStackControlPlaneCAReadyRunningMessage = "OpenStackControlPlane CAs in progress"

// OpenStackControlPlaneCAReadyErrorMessage
OpenStackControlPlaneCAReadyErrorMessage = "OpenStackControlPlane CAs %s %s error occured %s"
)
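Review bot: `OpenStackControlPlaneCAReadyErrorMessage` spells "occurred" as "occured"; the string is written verbatim into status conditions, so fix it before it is copied into other operators. The message also carries three positional `%s` verbs with nothing saying what each is; a comment on the constant noting the argument order (the other messages in this block have one-line comments) keeps callers from mixing them up.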