Merge pull request #1058 from vakwetu/fix_cacert_mounting

Mount cacerts on computes if tls-e not enabled

Author: openshift-merge-bot[bot]

pkg/dataplane/deployment.go

@@ -118,11 +118,9 @@ func (d *Deployer) Deploy(services []string) (*ctrl.Result, error) {
 			return &ctrl.Result{}, err
 		}
 
-		// Add certMounts if TLS is enabled
-		if d.NodeSet.Spec.TLSEnabled {
-			if foundService.Spec.AddCertMounts {
-				d.AeeSpec, err = d.addCertMounts(services)
-			}
+		// Add certMounts
+		if foundService.Spec.AddCertMounts {
+			d.AeeSpec, err = d.addCertMounts(services)
 			if err != nil {
 				nsConditions.Set(condition.FalseCondition(
 					readyCondition,
@@ -276,7 +274,7 @@ func (d *Deployer) addCertMounts(
 			}
 		}
 
-		if service.Spec.TLSCerts != nil {
+		if service.Spec.TLSCerts != nil && d.NodeSet.Spec.TLSEnabled {
 			// sort cert list to ensure mount list is consistent
 			certKeyList := make([]string, 0, len(service.Spec.TLSCerts))
 			for ckey := range service.Spec.TLSCerts {
@@ -342,7 +340,7 @@ func (d *Deployer) addCertMounts(
 			}
 		}
 
-		// add mount for cacert bundle
+		// add mount for cacert bundle, even if TLS-E is not enabled
 		if len(service.Spec.CACerts) > 0 {
 			log.Info("Mounting CA cert bundle for service", "service", svc)
 			volMounts := storage.VolMounts{}

tests/kuttl/tests/dataplane-deploy-global-service-test/00-dataplane-create.yaml

@@ -1,5 +1,15 @@
 apiVersion: v1
 kind: Secret
+type: Opaque
+metadata:
+  name: combined-ca-bundle
+  labels:
+    combined-ca-bundle: ""
+data:
+  tls-ca-bundle.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNlZ0F3SUJBZ0lSQU5TYWxJeHdEclZ5TVBLS3RHK0lLbzB3Q2dZSUtvWkl6ajBFQXdJd0lERWUKTUJ3R0ExVUVBeE1WY205dmRHTmhMV3QxZEhSc0xXbHVkR1Z5Ym1Gc01CNFhEVEkwTURJeU1qRTBNRGcwTTFvWApEVE0wTURJeE9URTBNRGcwTTFvd0lERWVNQndHQTFVRUF4TVZjbTl2ZEdOaExXdDFkSFJzTFdsdWRHVnlibUZzCk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTQzd2xOK05BQzhYZnkzSk43S1VaSVMvMjE2OTIKNXpWdHVyYnlpNllmZ3hXbFFONGV4ZU5IcVpGT3ZRcUVoZUVVSFR5K2lpWEVpWDVGcytCeit1eUZWYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdLa01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDRHJnYkhICjh4WmlKbnBKY2gzaEZyZEJLL3lKTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUNTY3A2QlE3eldQdnlobW9uK00KcTlvbk1PNlRYSVArczdtZjJGaXkvWkVsQWlFQXRxbkF3VE40UXRKQzIrMUZGVUNNd3dpSTZJTmM5blBDVHc1dgo5M1ZWR2ZNPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
+---
+apiVersion: v1
+kind: Secret
 metadata:
   name: nova-cell1-compute-config
 data:

tests/kuttl/tests/dataplane-deploy-global-service-test/01-assert.yaml

@@ -791,6 +791,20 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
+        - mountPath: /var/lib/openstack/cacerts/ovn
+          name: ovn-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-metadata
+          name: neutron-metadata-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-ovn
+          name: neutron-ovn-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-sriov
+          name: neutron-sriov-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-dhcp
+          name: neutron-dhcp-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/libvirt
+          name: libvirt-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/nova
+          name: nova-combined-ca-bundle
         - mountPath: /runner/env/ssh_key
           name: ssh-key
           subPath: ssh_key
@@ -804,6 +818,34 @@ spec:
       serviceAccountName: edpm-compute-global
       terminationGracePeriodSeconds: 30
       volumes:
+      - name: ovn-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-metadata-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-ovn-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-sriov-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-dhcp-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: libvirt-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: nova-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
       - name: ssh-key
         secret:
           defaultMode: 420

tests/kuttl/tests/dataplane-deploy-no-nodes-test/01-assert.yaml

@@ -682,6 +682,20 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
+        - mountPath: /var/lib/openstack/cacerts/ovn
+          name: ovn-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-metadata
+          name: neutron-metadata-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-ovn
+          name: neutron-ovn-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-sriov
+          name: neutron-sriov-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/neutron-dhcp
+          name: neutron-dhcp-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/libvirt
+          name: libvirt-combined-ca-bundle
+        - mountPath: /var/lib/openstack/cacerts/nova
+          name: nova-combined-ca-bundle
         - mountPath: /runner/env/ssh_key
           name: ssh-key
           subPath: ssh_key
@@ -695,6 +709,34 @@ spec:
       serviceAccountName: edpm-compute-no-nodes
       terminationGracePeriodSeconds: 30
       volumes:
+      - name: ovn-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-metadata-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-ovn-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-sriov-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: neutron-dhcp-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: libvirt-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
+      - name: nova-combined-ca-bundle
+        secret:
+          defaultMode: 420
+          secretName: combined-ca-bundle
       - name: ssh-key
         secret:
           defaultMode: 420