[tlse] Allow using custom tlsConfig.API.Public.SecretName when no ingress used

stuggi · olliewalsh · commit 69c33b946b78 · 2024-03-08T22:44:04.000Z
When also using LoadBalancer (MetalLB) for public endpoints
this change allows to use the service configs tls.API.Public.SecretName
to reference a secret holding a custom TLS cert. The secret
must contain at least tls.key and tls.crt. The custom CA should
be added to the bundle using the secret reference in the osctlplane
crd.
diff --git a/pkg/openstack/barbican.go b/pkg/openstack/barbican.go
@@ -81,6 +81,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 			instance.Spec.Barbican.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeBarbicanReadyCondition,
 			false, // TODO: (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Barbican.Template.BarbicanAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/cinder.go b/pkg/openstack/cinder.go
@@ -83,6 +83,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Cinder.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeCinderReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Cinder.Template.CinderAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/common.go b/pkg/openstack/common.go
@@ -191,6 +191,7 @@ func EnsureEndpointConfig(
 	ingressOverride corev1.Override,
 	condType condition.Type,
 	serviceTLSDisabled bool,
+	tlsConfig tls.API,
 ) (Endpoints, ctrl.Result, error) {
 	endpoints := Endpoints{
 		EndpointDetails: map[service.Endpoint]EndpointDetail{},
@@ -257,10 +258,8 @@ func EnsureEndpointConfig(
 				// we'll use this for the service, otherwise issue a cert. This is for
 				// use case where you deploy without ingress/routes and also use
 				// a LoadBalancer (MetalLB) for the public endpoints.
-				// TODO: (mschuppert) it should not be the cert secret from ingressOverride
-				// instead should be the one from template.TLS.API.Public.SecretName.
-				if !ed.Route.Create && (ingressOverride.TLS != nil && ingressOverride.TLS.SecretName != "") {
-					ed.Service.TLS.SecretName = ptr.To(ingressOverride.TLS.SecretName)
+				if !ed.Route.Create && (tlsConfig.API.Public.SecretName != nil && *tlsConfig.API.Public.SecretName != "") {
+					ed.Service.TLS.SecretName = tlsConfig.API.Public.SecretName
 					_, ctrlResult, err := ed.Service.TLS.GenericService.ValidateCertSecret(ctx, helper, instance.GetNamespace())
 					if err != nil {
 						return endpoints, ctrlResult, err
diff --git a/pkg/openstack/designate.go b/pkg/openstack/designate.go
@@ -7,6 +7,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -76,6 +77,7 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont
 			instance.Spec.Designate.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeDesignateReadyCondition,
 			true, // TODO: (mschuppert) disable TLS for now until implemented
+			tls.API{},
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/glance.go b/pkg/openstack/glance.go
@@ -115,6 +115,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 				instance.Spec.Glance.APIOverride[name],
 				corev1beta1.OpenStackControlPlaneExposeGlanceReadyCondition,
 				false, // TODO (mschuppert) could be removed when all integrated service support TLS
+				glanceAPI.TLS,
 			)
 			if err != nil {
 				return ctrlResult, err
diff --git a/pkg/openstack/heat.go b/pkg/openstack/heat.go
@@ -96,6 +96,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Heat.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeHeatReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Heat.Template.HeatAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -131,6 +132,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Heat.CnfAPIOverride,
 			corev1beta1.OpenStackControlPlaneExposeHeatReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Heat.Template.HeatCfnAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/horizon.go b/pkg/openstack/horizon.go
@@ -7,6 +7,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -84,6 +85,13 @@ func ReconcileHorizon(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Horizon.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeHorizonReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			tls.API{
+				API: tls.APIService{
+					Public: tls.GenericService{
+						SecretName: instance.Spec.Horizon.Template.TLS.SecretName,
+					},
+				},
+			},
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/ironic.go b/pkg/openstack/ironic.go
@@ -94,6 +94,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeIronicReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Ironic.Template.IronicAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -130,6 +131,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Ironic.InspectorOverride,
 			corev1beta1.OpenStackControlPlaneExposeIronicReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Ironic.Template.IronicInspector.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/keystone.go b/pkg/openstack/keystone.go
@@ -84,6 +84,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo
 			instance.Spec.Keystone.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeKeystoneAPIReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Keystone.Template.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/manila.go b/pkg/openstack/manila.go
@@ -84,6 +84,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 			instance.Spec.Manila.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeManilaReadyCondition,
 			false, // TODO: (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Manila.Template.ManilaAPI.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/neutron.go b/pkg/openstack/neutron.go
@@ -83,6 +83,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Neutron.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeNeutronReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Neutron.Template.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
@@ -149,6 +149,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			instance.Spec.Nova.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeNovaReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Nova.Template.APIServiceTemplate.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
@@ -234,6 +235,13 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 					instance.Spec.Nova.CellOverride[cellName].NoVNCProxy,
 					corev1beta1.OpenStackControlPlaneExposeNovaReadyCondition,
 					false, // TODO (mschuppert) could be removed when all integrated service support TLS
+					tls.API{
+						API: tls.APIService{
+							Public: tls.GenericService{
+								SecretName: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName,
+							},
+						},
+					},
 				)
 				if err != nil {
 					return ctrlResult, err
diff --git a/pkg/openstack/octavia.go b/pkg/openstack/octavia.go
@@ -23,6 +23,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -92,6 +93,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Octavia.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeOctaviaReadyCondition,
 			true, // TODO: (mschuppert) disable TLS for now until implemented
+			tls.API{},
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/placement.go b/pkg/openstack/placement.go
@@ -82,6 +82,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 			instance.Spec.Placement.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposePlacementAPIReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Placement.Template.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err
diff --git a/pkg/openstack/swift.go b/pkg/openstack/swift.go
@@ -84,6 +84,7 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 			instance.Spec.Swift.ProxyOverride,
 			corev1beta1.OpenStackControlPlaneExposeSwiftReadyCondition,
 			false, // TODO (mschuppert) could be removed when all integrated service support TLS
+			instance.Spec.Swift.Template.SwiftProxy.TLS,
 		)
 		if err != nil {
 			return ctrlResult, err

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr`
`81`	`81`	`instance.Spec.Barbican.APIOverride,`
`82`	`82`	`corev1beta1.OpenStackControlPlaneExposeBarbicanReadyCondition,`
`83`	`83`	`false, // TODO: (mschuppert) could be removed when all integrated service support TLS`
	`84`	`+ instance.Spec.Barbican.Template.BarbicanAPI.TLS,`
`84`	`85`	`)`
`85`	`86`	`if err != nil {`
`86`	`87`	`return ctrlResult, err`
Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl`
`83`	`83`	`instance.Spec.Cinder.APIOverride,`
`84`	`84`	`corev1beta1.OpenStackControlPlaneExposeCinderReadyCondition,`
`85`	`85`	`false, // TODO (mschuppert) could be removed when all integrated service support TLS`
	`86`	`+ instance.Spec.Cinder.Template.CinderAPI.TLS,`
`86`	`87`	`)`
`87`	`88`	`if err != nil {`
`88`	`89`	`return ctrlResult, err`
Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl`
`115`	`115`	`instance.Spec.Glance.APIOverride[name],`
`116`	`116`	`corev1beta1.OpenStackControlPlaneExposeGlanceReadyCondition,`
`117`	`117`	`false, // TODO (mschuppert) could be removed when all integrated service support TLS`
	`118`	`+ glanceAPI.TLS,`
`118`	`119`	`)`
`119`	`120`	`if err != nil {`
`120`	`121`	`return ctrlResult, err`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ func ReconcileKeystoneAPI(ctx context.Context, instance *corev1beta1.OpenStackCo`
`84`	`84`	`instance.Spec.Keystone.APIOverride,`
`85`	`85`	`corev1beta1.OpenStackControlPlaneExposeKeystoneAPIReadyCondition,`
`86`	`86`	`false, // TODO (mschuppert) could be removed when all integrated service support TLS`
	`87`	`+ instance.Spec.Keystone.Template.TLS,`
`87`	`88`	`)`
`88`	`89`	`if err != nil {`
`89`	`90`	`return ctrlResult, err`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl`
`84`	`84`	`instance.Spec.Manila.APIOverride,`
`85`	`85`	`corev1beta1.OpenStackControlPlaneExposeManilaReadyCondition,`
`86`	`86`	`false, // TODO: (mschuppert) could be removed when all integrated service support TLS`
	`87`	`+ instance.Spec.Manila.Template.ManilaAPI.TLS,`
`87`	`88`	`)`
`88`	`89`	`if err != nil {`
`89`	`90`	`return ctrlResult, err`