improvement(neutronapi): Enhance readiness probe to verify SSL certificate presence

- Updated the existing readiness probe in the Neutron API deployment to check for the presence of the internal.crt SSL certificate before marking the pod as ready.
- Applied the SSL certificate check to the HTTPD container as well, ensuring secure traffic handling.
- Improved the deployment reliability by ensuring that pods are only marked as ready when they have the necessary SSL certificates in place.

Author: son-vyas

pkg/neutronapi/deployment.go

@@ -41,12 +41,12 @@ func Deployment(
 	labels map[string]string,
 	annotations map[string]string,
 ) (*appsv1.Deployment, error) {
-	// TODO(lucasagomes): Look into how to implement separated probes
-	// for the httpd and neutron-api containers. Right now the code uses
-	// the same liveness and readiness probes for both containers which
-	// only checks the port 9696 (NeutronPublicPort) which is the port
-	// that httpd is listening to. Ideally, we should also include a
-	// probe on port 9697 which is the port that neutron-api binds to
+        // TODO(lucasagomes): Look into how to implement separated probes
+	    // for the httpd and neutron-api containers. Right now the code uses
+	    // the same liveness and readiness probes for both containers which
+	    // only checks the port 9696 (NeutronPublicPort) which is the port
+	    // that httpd is listening to. Ideally, we should also include a
+	    // probe on port 9697 which is the port that neutron-api binds to
 	livenessProbe := &corev1.Probe{
 		TimeoutSeconds:      30,
 		PeriodSeconds:       30,
@@ -56,8 +56,14 @@ func Deployment(
 		TimeoutSeconds:      30,
 		PeriodSeconds:       30,
 		InitialDelaySeconds: 5,
+		Exec: &corev1.ExecAction{
+			Command: []string{
+				"cat",
+				"/etc/pki/tls/certs/internal.crt",
+			},
+		},
 	}
-	args := []string{"-c", ServiceCommand}
+    args := []string{"-c", ServiceCommand}
 	httpdArgs := []string{"-DFOREGROUND"}
 
 	//
@@ -71,7 +77,7 @@ func Deployment(
 		Path: "/",
 		Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(NeutronPublicPort)},
 	}
-
+	// Use HTTPS if TLS is enabled
 	if instance.Spec.TLS.API.Enabled(service.EndpointPublic) {
 		livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
 		readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
@@ -93,6 +99,7 @@ func Deployment(
 		httpdVolumeMounts = append(httpdVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
 	}
 
+	// handle TLS certificates for HTTPD
 	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
 		if instance.Spec.TLS.API.Enabled(endpt) {
 			var tlsEndptCfg tls.GenericService
@@ -134,8 +141,7 @@ func Deployment(
 			Selector: &metav1.LabelSelector{
 				MatchLabels: labels,
 			},
-			PodManagementPolicy: appsv1.ParallelPodManagement,
-			Replicas:            instance.Spec.Replicas,
+			Replicas: instance.Spec.Replicas,
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: annotations,
@@ -154,6 +160,7 @@ func Deployment(
 							VolumeMounts:             apiVolumeMounts,
 							Resources:                instance.Spec.Resources,
 							LivenessProbe:            livenessProbe,
+							ReadinessProbe:           readinessProbe,
 							TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 						},
 						{
@@ -175,14 +182,13 @@ func Deployment(
 			},
 		},
 	}
-
-	// If possible two pods of the same service should not
-	// run on the same worker node. If this is not possible
-	// the get still created on the same worker node.
+    // If possible two pods of the same service should not
+    // run on the same worker node. If this is not possible
+    // the get still created on the same worker node.
 	deployment.Spec.Template.Spec.Affinity = affinity.DistributePods(
 		common.AppSelector,
 		[]string{
-			ServiceName,
+			    ServiceName,
 		},
 		corev1.LabelHostname,
 	)