Merge pull request #678 from stuggi/tlse_galera

openshift-merge-bot[bot] · web-flow · commit 528d9fada645 · 2024-02-19T12:54:33.000Z
[tlse] enable galera tls for internal TLS
diff --git a/pkg/openstack/galera.go b/pkg/openstack/galera.go
@@ -5,14 +5,19 @@ import (
 	"fmt"
 	"strings"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
@@ -38,6 +43,34 @@ func ReconcileGaleras(
 	var inprogress []string = []string{}
 
 	for name, spec := range instance.Spec.Galera.Templates {
+		hostname := fmt.Sprintf("%s.%s.svc", name, instance.Namespace)
+
+		// Galera gets always configured to support TLS connections.
+		// If TLS can/must be used is a per user configuration.
+		certRequest := certmanager.CertificateRequest{
+			IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
+			CertName:   fmt.Sprintf("galera-%s-svc", name),
+			Hostnames:  []string{hostname},
+			Usages: []certmgrv1.KeyUsage{
+				"key encipherment",
+				"digital signature",
+				"server auth",
+				"client auth",
+			},
+		}
+		certSecret, ctrlResult, err := certmanager.EnsureCert(
+			ctx,
+			helper,
+			certRequest)
+		if err != nil {
+			return ctrlResult, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, nil
+		}
+
+		spec.TLS.Ca.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+		spec.TLS.SecretName = ptr.To(certSecret.Name)
+
 		status, err := reconcileGalera(ctx, instance, helper, name, &spec)
 
 		switch status {
@@ -106,6 +139,7 @@ func reconcileGalera(
 	Log.Info("Reconciling Galera", "Galera.Namespace", instance.Namespace, "Galera.Name", name)
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), galera, func() error {
 		spec.DeepCopyInto(&galera.Spec)
+
 		err := controllerutil.SetControllerReference(helper.GetBeforeObject(), galera, helper.GetScheme())
 		if err != nil {
 			return err
diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go
@@ -94,15 +94,15 @@ func CreateNames(openstackControlplaneName types.NamespacedName) Names {
 		},
 		DBCertName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
-			Name:      "cert-openstack-svc",
+			Name:      "cert-galera-openstack-svc",
 		},
 		DBCell1Name: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "openstack-cell1",
 		},
 		DBCell1CertName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
-			Name:      "cert-openstack-cell1-svc",
+			Name:      "cert-galera-openstack-cell1-svc",
 		},
 		RabbitMQName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
