[TLS] TLS for public endpoints terminated at a route
Changes openstackclient
* CRD allows passing in a CA secret
* use kolla to run the openstackclient and update the environment
  CA on start with passed in CA secret to validate endpoint certs.

Adds CRD parameters to configure TLS for public and internal TLS.
* per default self signed root CA + issuer get created for
  public and internal certs
* public issuer can be provided by the user by referencing a named
  issuer in the namespace. Then this one is used.
* user can provide a CA secret for certs to be added to the combined
  CA secret the openstack-operator creates to pass into services /
  openstackclient
* refactors the current route create for followup on TLS-E to create
  certs for each service endpoint.
* when TLS for public endpoint is enabled a Cert for the route gets
  automatically created and added to the route CR.

TODO:
* adding envtest coverage

Jira: OSP-26299

Depends-On: openstack-k8s-operators/lib-common#351
Depends-On: openstack-k8s-operators/keystone-operator#318
Depends-On: openstack-k8s-operators/tcib#82
stuggi committed Oct 5, 2023
1 parent 2fdb2fb commit bb5f504
Showing 40 changed files with 1,154 additions and 212 deletions.
8 changes: 7 additions & 1 deletion Dockerfile
Expand Up @@ -26,6 +26,8 @@ RUN if [ ! -f $CACHITO_ENV_FILE ]; then go mod download ; fi
# Build manager
RUN if [ -f $CACHITO_ENV_FILE ] ; then source $CACHITO_ENV_FILE ; fi ; CGO_ENABLED=0 GO111MODULE=on go build ${GO_BUILD_EXTRA_ARGS} -a -o ${DEST_ROOT}/manager main.go

RUN cp -r templates ${DEST_ROOT}/templates

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM $OPERATOR_BASE_IMAGE
Expand Down Expand Up @@ -55,13 +57,17 @@ LABEL com.redhat.component="${IMAGE_COMPONENT}" \
io.openshift.tags="${IMAGE_TAGS}"
### DO NOT EDIT LINES ABOVE

ENV USER_UID=$USER_ID
ENV USER_UID=$USER_ID \
OPERATOR_TEMPLATES=/usr/share/openstack-operator/templates/

WORKDIR /

# Install operator binary to WORKDIR
COPY --from=builder ${DEST_ROOT}/manager .

# Install templates
COPY --from=builder ${DEST_ROOT}/templates ${OPERATOR_TEMPLATES}

USER $USER_ID

ENV PATH="/:${PATH}"
4 changes: 4 additions & 0 deletions apis/bases/client.openstack.org_openstackclients.yaml
Expand Up @@ -36,15 +36,19 @@ spec:
type: object
spec:
properties:
caSecretName:
type: string
containerImage:
type: string
nodeSelector:
additionalProperties:
type: string
type: object
openStackConfigMap:
default: openstack-config
type: string
openStackConfigSecret:
default: openstack-config-secret
type: string
required:
- containerImage
43 changes: 43 additions & 0 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
Expand Up @@ -8952,6 +8952,30 @@ spec:
- secret
type: object
type: object
openstackclient:
properties:
template:
properties:
caSecretName:
type: string
containerImage:
type: string
nodeSelector:
additionalProperties:
type: string
type: object
openStackConfigMap:
default: openstack-config
type: string
openStackConfigSecret:
default: openstack-config-secret
type: string
required:
- containerImage
- openStackConfigMap
- openStackConfigSecret
type: object
type: object
ovn:
properties:
enabled:
Expand Down Expand Up @@ -13761,6 +13785,25 @@ spec:
- swiftStorage
type: object
type: object
tls:
properties:
caSecretName:
type: string
internalEndpoints:
properties:
enabled:
default: true
type: boolean
type: object
publicEndpoints:
properties:
enabled:
default: true
type: boolean
issuer:
type: string
type: object
type: object
required:
- secret
- storageClass
14 changes: 12 additions & 2 deletions apis/client/v1beta1/openstackclient_types.go
Expand Up @@ -15,6 +15,7 @@ package v1beta1

import (
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand All @@ -31,16 +32,25 @@ type OpenStackClientSpec struct {
// +kubebuilder:validation:Required
// ContainerImage for the the OpenstackClient container (will be set to environmental default if empty)
ContainerImage string `json:"containerImage"`

// +kubebuilder:validation:Required
// +kubebuilder:default=openstack-config
// OpenStackConfigMap is the name of the ConfigMap containing the clouds.yaml
OpenStackConfigMap string `json:"openStackConfigMap"`
OpenStackConfigMap *string `json:"openStackConfigMap"`

// +kubebuilder:validation:Required
// +kubebuilder:default=openstack-config-secret
// OpenStackConfigSecret is the name of the Secret containing the secure.yaml
OpenStackConfigSecret string `json:"openStackConfigSecret"`
OpenStackConfigSecret *string `json:"openStackConfigSecret"`

// +kubebuilder:validation:Optional
// NodeSelector to target subset of worker nodes running control plane services (currently only applies to KeystoneAPI and PlacementAPI)
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// +kubebuilder:validation:Optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Secret containing any CA certificates which should be added to deployment pods
tls.Ca `json:",inline"`
}

// OpenStackClientStatus defines the observed state of OpenStackClient
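Review bot: `OpenStackConfigMap` and `OpenStackConfigSecret` change to `*string` while keeping `+kubebuilder:validation:Required` and a tag without `omitempty`, so a spec built in Go with nil pointers is serialized as `"openStackConfigMap": null` rather than left out, and every consumer now has to nil-check before dereferencing. Whether the API server prunes that null and applies the `+kubebuilder:default` before validation depends on the cluster version, and the call sites that read these fields are outside this diff, so I cannot tell whether they were updated. If the pointer exists only so the control plane's `template` can leave the fields unset, `json:"openStackConfigMap,omitempty"` (and likewise for the secret) would state that intent and keep the default path independent of null handling. A sentence in the field comment explaining why a pointer is used would also help the next reader.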
11 changes: 11 additions & 0 deletions apis/client/v1beta1/zz_generated.deepcopy.go


15 changes: 15 additions & 0 deletions apis/core/v1beta1/conditions.go
Expand Up @@ -102,6 +102,9 @@ const (
// OpenStackControlPlaneDNSReadyCondition Status=True condition which indicates if DNSMasq is configured and operational
OpenStackControlPlaneDNSReadyCondition condition.Type = "OpenStackControlPlaneDNSReadyCondition"

// OpenStackControlPlaneCAReadyCondition Status=True condition which indicates if the CAs are configured and operational
OpenStackControlPlaneCAReadyCondition condition.Type = "OpenStackControlPlaneCAReadyCondition"

// OpenStackControlPlaneCeilometerReadyCondition Status=True condition which indicates if OpenStack Ceilometer service is configured and operational
OpenStackControlPlaneCeilometerReadyCondition condition.Type = "OpenStackControlPlaneCeilometerReady"

Expand Down Expand Up @@ -384,4 +387,16 @@ const (

// OpenStackControlPlaneExposeServiceReadyMessage
OpenStackControlPlaneExposeServiceReadyMessage = "OpenStackControlPlane %s service exposed"

// OpenStackControlPlaneCAReadyInitMessage
OpenStackControlPlaneCAReadyInitMessage = "OpenStackControlPlane CAs not started"

// OpenStackControlPlaneCAReadyMessage
OpenStackControlPlaneCAReadyMessage = "OpenStackControlPlane CAs completed"

// OpenStackControlPlaneCAReadyRunningMessage
OpenStackControlPlaneCAReadyRunningMessage = "OpenStackControlPlane CAs in progress"

// OpenStackControlPlaneCAReadyErrorMessage
OpenStackControlPlaneCAReadyErrorMessage = "OpenStackControlPlane CAs %s %s error occured %s"
)
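Review bot: `OpenStackControlPlaneCAReadyErrorMessage` on the last added line misspells "occurred" as `occured`, and its three positional `%s` verbs are not explained anywhere, unlike the single-verb messages around it. The fix is `OpenStackControlPlaneCAReadyErrorMessage = "OpenStackControlPlane CAs %s %s error occurred %s"` plus a comment above it naming what each verb receives; from this file alone I cannot tell which values the caller passes, so that comment should be written against the call site.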
64 changes: 63 additions & 1 deletion apis/core/v1beta1/openstackcontrolplane_types.go
Expand Up @@ -23,23 +23,25 @@ import (
horizonv1 "github.com/openstack-k8s-operators/horizon-operator/api/v1beta1"
memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
networkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
redisv1 "github.com/openstack-k8s-operators/infra-operator/apis/redis/v1beta1"
ironicv1 "github.com/openstack-k8s-operators/ironic-operator/api/v1beta1"
keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
"github.com/openstack-k8s-operators/lib-common/modules/common/route"
"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
"github.com/openstack-k8s-operators/lib-common/modules/common/util"
"github.com/openstack-k8s-operators/lib-common/modules/storage"
manilav1 "github.com/openstack-k8s-operators/manila-operator/api/v1beta1"
mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
neutronv1 "github.com/openstack-k8s-operators/neutron-operator/api/v1beta1"
novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
"github.com/openstack-k8s-operators/openstack-operator/apis/client/v1beta1"
ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1"
placementv1 "github.com/openstack-k8s-operators/placement-operator/api/v1beta1"
swiftv1 "github.com/openstack-k8s-operators/swift-operator/api/v1beta1"
telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1"
rabbitmqv2 "github.com/rabbitmq/cluster-operator/v2/api/v1beta1"
redisv1 "github.com/openstack-k8s-operators/infra-operator/apis/redis/v1beta1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -69,6 +71,11 @@ type OpenStackControlPlaneSpec struct {
// NodeSelector to target subset of worker nodes running control plane services (currently only applies to KeystoneAPI and PlacementAPI)
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// +kubebuilder:validation:Optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS TLSSection `json:"tls,omitempty"`

// +kubebuilder:validation:Optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// DNS - Parameters related to the DNSMasq service
Expand Down Expand Up @@ -158,6 +165,11 @@ type OpenStackControlPlaneSpec struct {
// Redis - Parameters related to the Redis service
Redis RedisSection `json:"redis,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// OpenStackClient - Parameters related to the OpenStackClient
OpenStackClient OpenStackClientSection `json:"openstackclient,omitempty"`

// ExtraMounts containing conf files and credentials that should be provided
// to the underlying operators.
// This struct can be defined in the top level CR and propagated to the
Expand All @@ -168,6 +180,47 @@ type OpenStackControlPlaneSpec struct {
ExtraMounts []OpenStackExtraVolMounts `json:"extraMounts,omitempty"`
}

// TLSSection defines the desired state of TLS configuration
type TLSSection struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// PublicEndpoints tls configuration
PublicEndpoints TLSPublicEndpointSection `json:"publicEndpoints,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// InternalEndpoints tls configuration
InternalEndpoints TLSInternalEndpointSection `json:"internalEndpoints,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Secret containing any additional CA certificates, which should be added to deployment pods
tls.Ca `json:",inline"`
}

// TLSPublicEndpointSection defines the desired state of public TLSEndpoint configuration
type TLSPublicEndpointSection struct {
// +kubebuilder:validation:Optional
// +kubebuilder:default=true
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
Enabled bool `json:"enabled"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Issuer - cert-manager issuer to be used for the endpoint type. If not specified a self signed will be created.
Issuer *string `json:"issuer,omitempty"`
}

// TLSInternalEndpointSection defines the desired state of internal TLSEndpoint configuration
type TLSInternalEndpointSection struct {
// +kubebuilder:validation:Optional
// +kubebuilder:default=true
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
Enabled bool `json:"enabled"`
}

// DNSMasqSection defines the desired state of DNSMasq service
type DNSMasqSection struct {
// +kubebuilder:validation:Optional
Expand Down Expand Up @@ -561,6 +614,14 @@ type RedisSection struct {
Templates map[string]redisv1.RedisSpec `json:"templates,omitempty"`
}

// OpenStackClientSection defines the desired state of the OpenStackClient
type OpenStackClientSection struct {
// +kubebuilder:validation:Optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Template - Overrides to use when creating the OpenStackClient Resource
Template v1beta1.OpenStackClientSpec `json:"template,omitempty"`
}

// OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane
type OpenStackControlPlaneStatus struct {
//+operator-sdk:csv:customresourcedefinitions:type=status,xDescriptors={"urn:alm:descriptor:io.kubernetes.conditions"}
Expand Down Expand Up @@ -642,6 +703,7 @@ func (instance *OpenStackControlPlane) InitConditions() {
condition.UnknownCondition(OpenStackControlPlaneSwiftReadyCondition, condition.InitReason, OpenStackControlPlaneSwiftReadyInitMessage),
condition.UnknownCondition(OpenStackControlPlaneOctaviaReadyCondition, condition.InitReason, OpenStackControlPlaneOctaviaReadyInitMessage),
condition.UnknownCondition(OpenStackControlPlaneRedisReadyCondition, condition.InitReason, OpenStackControlPlaneRedisReadyInitMessage),
condition.UnknownCondition(OpenStackControlPlaneCAReadyCondition, condition.InitReason, OpenStackControlPlaneCAReadyInitMessage),

// Also add the overall status condition as Unknown
condition.UnknownCondition(condition.ReadyCondition, condition.InitReason, condition.ReadyInitMessage),
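Review bot: The `+kubebuilder:default=true` on `Enabled` in `TLSPublicEndpointSection` and `TLSInternalEndpointSection` is only applied by the API server when the enclosing object is present, and neither `TLS` nor `PublicEndpoints`/`InternalEndpoints` carries a default of its own, so a control plane CR that omits `tls` entirely is read back with `Enabled == false` even though the commit describes TLS as on by default (unless the admission webhook fills it in, which is outside this diff). One way to get the documented behaviour is a nested default on the parent field, `// +kubebuilder:default={publicEndpoints: {enabled: true}, internalEndpoints: {enabled: true}}` above `TLS TLSSection`, or a `*bool` defaulted in the webhook. Separately, the embedded `tls.Ca` in `TLSSection` uses `// +kubebuilder:validation:optional` in lower case while every neighbouring field uses `Optional`; controller-gen marker names are case-sensitive, so it should read `// +kubebuilder:validation:Optional` for consistency. The type comment could also state that `Issuer` must name a cert-manager issuer in the same namespace, which is what the commit message says but the field comment does not.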