[tlse] add TLS status config, func to return server list and tls support

stuggi · stuggi · commit 741de4cea046 · 2024-03-07T08:06:13.000+01:00
Adds a TLSSupport to the memcached status which reflects
if the instance got configured with TLS. Same flag was also
introduced to mariadbdatabase a while back.
Also
* adds functions to return the memcached server list and the
status of tls support, which can be used for clients for easy
consumption
* creates the service list for memcached fqdn svc hostnames to
be able to use fqdn hostnames in tls certs.

Jira: OSPRH-5283
diff --git a/apis/bases/memcached.openstack.org_memcacheds.yaml b/apis/bases/memcached.openstack.org_memcacheds.yaml
@@ -134,6 +134,9 @@ spec:
                 items:
                   type: string
                 type: array
+              tlsSupport:
+                description: Whether TLS is supported by the memcached instance
+                type: boolean
             type: object
         type: object
     served: true
diff --git a/apis/memcached/v1beta1/memcached_types.go b/apis/memcached/v1beta1/memcached_types.go
@@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1
 
 import (
+	"strings"
+
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -69,6 +71,9 @@ type MemcachedStatus struct {
 
 	// ServerListWithInet - List of memcached endpoints with inet(6) prefix
 	ServerListWithInet []string `json:"serverListWithInet,omitempty" optional:"true"`
+
+	// Whether TLS is supported by the memcached instance
+	TLSSupport bool `json:"tlsSupport,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -127,3 +132,14 @@ func SetupDefaults() {
 
 	SetupMemcachedDefaults(memcachedDefaults)
 }
+
+// GetMemcachedServerListString - return the memcached servers as comma separated list
+// to be used in OpenStack config.
+func (s *MemcachedStatus) GetMemcachedServerListString() string {
+	return strings.Join(s.ServerList, ",")
+}
+
+// GetMemcachedTLSSupport - return the TLS support of the memcached instance
+func (s *MemcachedStatus) GetMemcachedTLSSupport() bool {
+	return s.TLSSupport
+}
diff --git a/config/crd/bases/memcached.openstack.org_memcacheds.yaml b/config/crd/bases/memcached.openstack.org_memcacheds.yaml
@@ -134,6 +134,9 @@ spec:
                 items:
                   type: string
                 type: array
+              tlsSupport:
+                description: Whether TLS is supported by the memcached instance
+                type: boolean
             type: object
         type: object
     served: true
diff --git a/controllers/memcached/memcached_controller.go b/controllers/memcached/memcached_controller.go
@@ -341,8 +341,10 @@ func (r *Reconciler) generateConfigMaps(
 			"-o ssl_chain_cert=/etc/pki/tls/certs/memcached.crt " +
 			"-o ssl_key=/etc/pki/tls/private/memcached.key " +
 			"-o ssl_ca_cert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
+		instance.Status.TLSSupport = true
 	} else {
 		memcachedTLSConfig = ""
+		instance.Status.TLSSupport = false
 	}
 	templateParameters := map[string]interface{}{
 		"memcachedTLSConfig": memcachedTLSConfig,
@@ -460,7 +462,7 @@ func (r *Reconciler) GetServerLists(
 	}
 
 	for i := int32(0); i < *(instance.Spec.Replicas); i++ {
-		server := fmt.Sprintf("%s-%d.%s", instance.Name, i, instance.Name)
+		server := fmt.Sprintf("%s-%d.%s.%s.svc", instance.Name, i, instance.Name, instance.Namespace)
 		serverList = append(serverList, fmt.Sprintf("%s:%d", server, memcached.MemcachedPort))
 
 		// python-memcached requires inet(6) prefix according to the IP version
diff --git a/tests/kuttl/tests/memcached/01-assert.yaml b/tests/kuttl/tests/memcached/01-assert.yaml
@@ -12,7 +12,41 @@ spec:
   replicas: 1
 status:
   readyCount: 1
-  serverList:
-  - 'memcached-0.memcached:11211'
-  serverListWithInet:
-  - 'inet:[memcached-0.memcached]:11211'
+---
+# the namespace of the fqdn of the serverList is namespace
+# dependent, so we can't rely on kuttl asserts to check them. This short script
+# gathers the first entry and checks that it matches the regex
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: |
+      # get the first memcached from serverList and validate
+      template='{{ (index .status.serverList 0) }}'
+      regex="memcached-0.memcached.$NAMESPACE.svc:11211"
+      memcached=$(oc get -n $NAMESPACE memcached memcached -o go-template="$template")
+      matches=$(echo "$memcached" | sed -e "s?$regex??")
+      if [ -z "$matches" ]; then
+        exit 0
+      else
+        echo "Memcached Server: $memcached do not match regex"
+        exit 1
+      fi
+---
+# the namespace of the fqdn of the serverListWithInet is namespace
+# dependent, so we can't rely on kuttl asserts to check them. This short script
+# gathers the first entry and checks that it matches the regex
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: |
+      # get the first memcached from serverListWithInet and validate
+      template='{{ (index .status.serverListWithInet 0) }}'
+      regex="inet:\[memcached-0.memcached.$NAMESPACE.svc\]:11211"
+      memcached=$(oc get -n $NAMESPACE memcached memcached -o go-template="$template")
+      matches=$(echo "$memcached" | sed -e "s?$regex??")
+      if [ -z "$matches" ]; then
+        exit 0
+      else
+        echo "Memcached ServerListWithInet: $memcached do not match regex"
+        exit 1
+      fi
