
Commit 6e3dcbb

stuggiolliewalsh
authored andcommitted
[tlse] update TLS/CA config
Changes the top-level tls config section to reflect ingress and pod-level TLS termination and allows customizing the duration and renewBefore for each of the CAs and the certs issued by a CA. Also: * creates a CA for OVN * fixes an issue where the service cert was not created when TLS on ingress was disabled. Depends-On: openstack-k8s-operators/lib-common#471 Jira: OSPRH-5342
1 parent c311bb0 commit 6e3dcbb

17 files changed

+556
-158
lines changed

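--- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -16182,20 +16182,84 @@ spec:
 type: object
 tls:
 default:
-endpoint:
-internal:
-enabled: false
-public:
-enabled: true
+ingress:
+ca:
+duration: 43800h
+cert:
+duration: 8760h
+enabled: true
+podLevel:
+default:
+ca:
+duration: 43800h
+cert:
+duration: 8760h
+enabled: false
+ovn:
+ca:
+duration: 43800h
+cert:
+duration: 8760h
 properties:
 caBundleSecretName:
 type: string
-endpoint:
-additionalProperties:
-properties:
-enabled:
-type: boolean
-type: object
+ingress:
+properties:
+ca:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+cert:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+enabled:
+type: boolean
+type: object
+podLevel:
+properties:
+default:
+properties:
+ca:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+cert:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+type: object
+enabled:
+type: boolean
+ovn:
+properties:
+ca:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+cert:
+properties:
+duration:
+type: string
+renewBefore:
+type: string
+type: object
+type: object
 type: object
 type: object
 required: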

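--- a/apis/core/v1beta1/openstackcontrolplane_types.go
+++ b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -75,8 +75,8 @@ type OpenStackControlPlaneSpec struct {
 NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 
 // +kubebuilder:validation:Optional
-// +kubebuilder:default={endpoint: {public: {enabled: true}, internal: {enabled: false}}}
-//+operator-sdk:csv:customresourcedefinitions:type=spec
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: false, default:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
 // TLS - Parameters related to the TLS
 TLS TLSSection `json:"tls"`
 
@@ -189,8 +189,11 @@ type OpenStackControlPlaneSpec struct {
 type TLSSection struct {
 // +kubebuilder:validation:optional
 //+operator-sdk:csv:customresourcedefinitions:type=spec
-// The key must be the endpoint type (public, internal)
-Endpoint map[service.Endpoint]TLSEndpointConfig `json:"endpoint,omitempty"`
+Ingress TLSIngressConfig `json:"ingress,omitempty"`
+
+// +kubebuilder:validation:optional
+//+operator-sdk:csv:customresourcedefinitions:type=spec
+PodLevel TLSPodLevelConfig `json:"podLevel,omitempty"`
 
 // +kubebuilder:validation:optional
 //+operator-sdk:csv:customresourcedefinitions:type=spec
@@ -200,12 +203,67 @@ type TLSSection struct {
 tls.Ca `json:",inline"`
 }
 
-// TLSEndpointConfig defines the desired state of TLSEndpoint configuration
-type TLSEndpointConfig struct {
+// TLSIngressConfig defines the desired state of the TLS configuration for the ingress configuration (route)
+type TLSIngressConfig struct {
 // +kubebuilder:validation:Optional
 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
 // Enabled - Whether TLS should be enabled for endpoint type
 Enabled bool `json:"enabled"`
+
+// +kubebuilder:validation:optional
+//+operator-sdk:csv:customresourcedefinitions:type=spec
+CertSection `json:",inline"`
+}
+
+// TLSPodLevelConfig defines the desired state of the TLS configuration for TLS termination at the pod level
+type TLSPodLevelConfig struct {
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
+// Enabled - Whether TLS should be enabled for endpoint type
+Enabled bool `json:"enabled"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// Default - CA used for all OpenStackControlPlane and OpenStackDataplane endpoints,
+// except OVN related CA and certs
+Default CertSection `json:"default,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// Ovn - CA used for all OVN services on OpenStackControlPlane and OpenStackDataplane
+Ovn CertSection `json:"ovn,omitempty"`
+}
+
+// CertSection defines details for CA config and its certs
+type CertSection struct {
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// Cert - defines details for cert config
+Cert CertConfig `json:"cert,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// Ca - defines details for CA cert config
+Ca CertConfig `json:"ca,omitempty"`
+}
+
+// CertConfig defines details for cert configs
+type CertConfig struct {
+// The requested 'duration' (i.e. lifetime) of the Certificate.
+// The Certificate will be renewed either 2/3 through its duration or
+// `renewBefore` period before its expiry, whichever is later. Minimum
+// accepted duration is 1 hour. Value must be in units accepted by Go
+// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
+// +optional
+Duration *metav1.Duration `json:"duration,omitempty"`
+
+// How long before the currently issued certificate's expiry
+// cert-manager should renew the certificate. The default is 2/3 of the
+// issued certificate's duration. Minimum accepted value is 5 minutes.
+// Value must be in units accepted by Go time.ParseDuration
+// https://golang.org/pkg/time/#ParseDuration
+// +optional
+RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
 }
 
 // DNSMasqSection defines the desired state of DNSMasq service
@@ -768,8 +826,12 @@ func SetupDefaults() {
 // Enabled - returns status of tls configuration for the passed in endpoint type
 func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
 if t != nil {
-if cfg, ok := t.Endpoint[endpt]; ok && cfg.Enabled {
-return true
+switch endpt {
+case service.EndpointPublic:
+return t.Ingress.Enabled
+
+case service.EndpointInternal:
+return t.PodLevel.Enabled
 }
 }
 return false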
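Review bot: The `switch endpt` in the last hunk of `Enabled` has no `default` arm, so any `service.Endpoint` value other than `EndpointPublic` or `EndpointInternal` falls through to `return false` and is silently reported as TLS-disabled; an explicit `default:` arm with a comment such as `// only public (ingress) and internal (pod-level) endpoints carry a TLS setting` would make that mapping deliberate rather than accidental, and the function's closing brace lies outside the hunk. The `Enabled` field of `TLSPodLevelConfig` reuses the ingress comment `// Enabled - Whether TLS should be enabled for endpoint type`, which no longer describes it; `// Enabled - Whether TLS termination should be enabled at the pod level (internal endpoints)` says what the flag actually controls. The `CertConfig` comments document cert-manager's renewal rule, but nothing in this file checks that a user-supplied `renewBefore` is shorter than `duration`, and I can't tell from this diff whether the admission webhook covers it; if it does not, a note on `RenewBefore` saying the value is passed through unvalidated would help operators diagnose a rejected Certificate.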

apis/core/v1beta1/zz_generated.deepcopy.go

Lines changed: 67 additions & 12 deletions
