Fix Memcached MTLS certs mountpaths for jobs not using kolla

lmiccini · lmiccini · commit 96da1f7e8ee2 · 2025-09-04T09:04:29.000+02:00
Keystone cronjob and bootstrap job do not use kolla to copy configuration files and other necessary bits to the proper places, so the mtls ca/key/certs are left under /var/lib and the boostrap or token flush commands would fail. With this commit we now mount certificates directly to the proper places. Jira: https://issues.redhat.com/browse/OSPRH-19648
diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go
@@ -514,6 +514,7 @@ func (r *KeystoneAPIReconciler) reconcileInit(
 	helper *helper.Helper,
 	serviceLabels map[string]string,
 	serviceAnnotations map[string]string,
+	memcached *memcachedv1.Memcached,
 ) (ctrl.Result, error) {
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Service init")
@@ -702,7 +703,7 @@ func (r *KeystoneAPIReconciler) reconcileInit(
 	//
 	// BootStrap Job
 	//
-	jobDef = keystone.BootstrapJob(instance, serviceLabels, serviceAnnotations, instance.Status.APIEndpoints)
+	jobDef = keystone.BootstrapJob(instance, serviceLabels, serviceAnnotations, instance.Status.APIEndpoints, memcached)
 	bootstrapjob := job.NewJob(
 		jobDef,
 		keystonev1.BootstrapHash,
@@ -1070,7 +1071,7 @@ func (r *KeystoneAPIReconciler) reconcileNormal(
 	}
 
 	// Handle service init
-	ctrlResult, err := r.reconcileInit(ctx, instance, helper, serviceLabels, serviceAnnotations)
+	ctrlResult, err := r.reconcileInit(ctx, instance, helper, serviceLabels, serviceAnnotations, memcached)
 	if err != nil {
 		return ctrlResult, err
 	} else if (ctrlResult != ctrl.Result{}) {
diff --git a/pkg/keystone/bootstrap.go b/pkg/keystone/bootstrap.go
@@ -16,9 +16,11 @@ limitations under the License.
 package keystone
 
 import (
+	memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -36,6 +38,7 @@ func BootstrapJob(
 	labels map[string]string,
 	annotations map[string]string,
 	endpoints map[string]string,
+	memcached *memcachedv1.Memcached,
 ) *batchv1.Job {
 	runAsUser := int64(0)
 
@@ -70,6 +73,27 @@ func BootstrapJob(
 		volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	// add MTLS cert if defined
+	if memcached.GetMemcachedMTLSSecret() != "" {
+		volumes = append(volumes, memcached.CreateMTLSVolume())
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/certs/mtls.crt",
+			SubPath:   tls.CertKey,
+			ReadOnly:  true,
+		}, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/private/mtls.key",
+			SubPath:   tls.PrivateKey,
+			ReadOnly:  true,
+		}, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/certs/mtls-ca.crt",
+			SubPath:   tls.CAKey,
+			ReadOnly:  true,
+		})
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      ServiceName + "-bootstrap",
diff --git a/pkg/keystone/cronjob.go b/pkg/keystone/cronjob.go
@@ -19,6 +19,7 @@ import (
 	memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -59,8 +60,26 @@ func CronJob(
 
 	// add MTLS cert if defined
 	if memcached.GetMemcachedMTLSSecret() != "" {
-		volumes = append(volumes, memcached.CreateMTLSVolume())
-		volumeMounts = append(volumeMounts, memcached.CreateMTLSVolumeMounts(nil, nil)...)
+		mtlsVolume := memcached.CreateMTLSVolume()
+		// Set file permissions to 0440
+		mtlsVolume.Secret.DefaultMode = func() *int32 { mode := int32(0440); return &mode }()
+		volumes = append(volumes, mtlsVolume)
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/certs/mtls.crt",
+			SubPath:   tls.CertKey,
+			ReadOnly:  true,
+		}, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/private/mtls.key",
+			SubPath:   tls.PrivateKey,
+			ReadOnly:  true,
+		}, corev1.VolumeMount{
+			Name:      *memcached.Spec.TLS.MTLS.AuthCertSecret.SecretName,
+			MountPath: "/etc/pki/tls/certs/mtls-ca.crt",
+			SubPath:   tls.CAKey,
+			ReadOnly:  true,
+		})
 	}
 
 	cronjob := &batchv1.CronJob{
@@ -98,6 +117,9 @@ func CronJob(
 							Volumes:            volumes,
 							RestartPolicy:      corev1.RestartPolicyNever,
 							ServiceAccountName: instance.RbacResourceName(),
+							SecurityContext: &corev1.PodSecurityContext{
+								FSGroup: func() *int64 { gid := int64(42425); return &gid }(), // keystone group
+							},
 						},
 					},
 				},
