
Commit c4ece80

committed
[tls] Support for telemetry
Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs are mounted directly to the appropriate place in etc/pki/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem . Job deployments for bootstrap/cron get the CA bundle added if configured. Signed-off-by: Veronika Fisarova <[email protected]> Depends-On: openstack-k8s-operators/lib-common#428
1 parent cce4d37 commit c4ece80

19 files changed

+579
-12
lines changed

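--- a/api/bases/telemetry.openstack.org_autoscalings.yaml
+++ b/api/bases/telemetry.openstack.org_autoscalings.yaml
@@ -316,6 +316,36 @@ spec:
 maximum: 65535
 minimum: 1
 type: integer
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret for
+the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret for
+the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - heatInstance
 type: object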

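--- a/api/bases/telemetry.openstack.org_ceilometers.yaml
+++ b/api/bases/telemetry.openstack.org_ceilometers.yaml
@@ -105,6 +105,17 @@ spec:
 type: string
 sgCoreImage:
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - centralImage
 - computeImage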

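--- a/api/bases/telemetry.openstack.org_telemetries.yaml
+++ b/api/bases/telemetry.openstack.org_telemetries.yaml
@@ -335,6 +335,36 @@ spec:
 maximum: 65535
 minimum: 1
 type: integer
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret
+for the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret
+for the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 required:
 - heatInstance
 type: object
@@ -416,6 +446,17 @@ spec:
 type: string
 sgCoreImage:
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - centralImage
 - computeImage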

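--- a/api/v1beta1/autoscaling_types.go
+++ b/api/v1beta1/autoscaling_types.go
@@ -18,10 +18,11 @@ package v1beta1
 
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 "github.com/openstack-k8s-operators/lib-common/modules/common/service"
+"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 )
 
 const (
@@ -37,7 +38,6 @@ const (
 DbSyncHash = "dbsync"
 )
 
-
 // Aodh defines the aodh component spec
 type Aodh struct {
 // RabbitMQ instance name
@@ -135,6 +135,11 @@ type AutoscalingSpec struct {
 // Heat instance name.
 // +kubebuilder:default=heat
 HeatInstance string `json:"heatInstance"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.API `json:"tls,omitempty"`
 }
 
 // AutoscalingStatus defines the observed state of Autoscaling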
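Review bot: The new `tls` import in the first hunk is placed between `condition` and `metav1`, which splits the lib-common imports across both import groups, while the second group is separately reordered to put `service` before `util`; the same placement appears in api/v1beta1/ceilometer_types.go. Moving `"github.com/openstack-k8s-operators/lib-common/modules/common/tls"` into the second group next to `service` and `util` keeps each group homogeneous and lets goimports keep it sorted. The field comment `// TLS - Parameters related to the TLS` is also what the CRD description is generated from, so something more specific such as `// TLS - cert secrets for the public/internal API endpoints and the CA bundle secret` would make the published schema self-explanatory.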

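--- a/api/v1beta1/ceilometer_types.go
+++ b/api/v1beta1/ceilometer_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 "github.com/openstack-k8s-operators/lib-common/modules/common/util"
@@ -90,6 +91,11 @@ type CeilometerSpec struct {
 
 // +kubebuilder:validation:Required
 NodeExporterImage string `json:"nodeExporterImage"`
+
+// +kubebuilder:validation:Optional
+// +operator-sdk:csv:customresourcedefinitions:type=spec
+// TLS - Parameters related to the TLS
+TLS tls.SimpleService `json:"tls,omitempty"`
 }
 
 // CeilometerStatus defines the observed state of Ceilometer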

api/v1beta1/zz_generated.deepcopy.go

Lines changed: 2 additions & 0 deletions

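--- a/config/crd/bases/telemetry.openstack.org_autoscalings.yaml
+++ b/config/crd/bases/telemetry.openstack.org_autoscalings.yaml
@@ -316,6 +316,36 @@ spec:
 maximum: 65535
 minimum: 1
 type: integer
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret for
+the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret for
+the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for the
+service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+type: object
 required:
 - heatInstance
 type: object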

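--- a/config/crd/bases/telemetry.openstack.org_ceilometers.yaml
+++ b/config/crd/bases/telemetry.openstack.org_ceilometers.yaml
@@ -105,6 +105,17 @@ spec:
 type: string
 sgCoreImage:
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in a pre-created
+bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - centralImage
 - computeImage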

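--- a/config/crd/bases/telemetry.openstack.org_telemetries.yaml
+++ b/config/crd/bases/telemetry.openstack.org_telemetries.yaml
@@ -335,6 +335,36 @@ spec:
 maximum: 65535
 minimum: 1
 type: integer
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+api:
+description: API tls type which encapsulates for API services
+properties:
+internal:
+description: Internal GenericService - holds the secret
+for the internal endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+public:
+description: Public GenericService - holds the secret
+for the public endpoint
+properties:
+secretName:
+description: SecretName - holding the cert, key for
+the service
+type: string
+type: object
+type: object
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+type: object
 required:
 - heatInstance
 type: object
@@ -416,6 +446,17 @@ spec:
 type: string
 sgCoreImage:
 type: string
+tls:
+description: TLS - Parameters related to the TLS
+properties:
+caBundleSecretName:
+description: CaBundleSecretName - holding the CA certs in
+a pre-created bundle file
+type: string
+secretName:
+description: SecretName - holding the cert, key for the service
+type: string
+type: object
 required:
 - centralImage
 - computeImage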

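--- a/controllers/aodh_controller.go
+++ b/controllers/aodh_controller.go
@@ -23,17 +23,21 @@ import (
 
 corev1 "k8s.io/api/core/v1"
 k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+"k8s.io/apimachinery/pkg/types"
+"k8s.io/utils/ptr"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 common "github.com/openstack-k8s-operators/lib-common/modules/common"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 endpoint "github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
+env "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 job "github.com/openstack-k8s-operators/lib-common/modules/common/job"
 secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 service "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 statefulset "github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
 mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 
@@ -264,8 +268,17 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 common.AppSelector: autoscaling.ServiceName,
 }
 
+// ConfigVars
+configVars := make(map[string]env.Setter)
+
 sfsetDef, err := autoscaling.AodhStatefulSet(instance, inputHash, serviceLabels)
 if err != nil {
+instance.Status.Conditions.Set(condition.FalseCondition(
+condition.DeploymentReadyCondition,
+condition.ErrorReason,
+condition.SeverityWarning,
+condition.DeploymentReadyErrorMessage,
+err.Error()))
 return ctrl.Result{}, err
 }
 sfset := statefulset.NewStatefulSet(
@@ -401,7 +414,12 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 }
 // create service - end
 
-// TODO: TLS, pass in https as protocol, create TLS cert
+// if TLS is enabled
+if instance.Spec.TLS.API.Enabled(endpointType) {
+// set endpoint protocol to https
+data.Protocol = ptr.To(service.ProtocolHTTPS)
+}
+
 apiEndpoints[string(endpointType)], err = svc.GetAPIEndpoint(
 svcOverride.EndpointURL, data.Protocol, data.Path)
 if err != nil {
@@ -440,6 +458,55 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 return ctrlResult, nil
 }
 
+//
+// TLS input validation
+//
+// Validate the CA cert secret if provided
+if instance.Spec.TLS.CaBundleSecretName != "" {
+hash, ctrlResult, err := tls.ValidateCACertSecret(
+ctx,
+helper.GetClient(),
+types.NamespacedName{
+Name: instance.Spec.TLS.CaBundleSecretName,
+Namespace: instance.Namespace,
+},
+)
+if err != nil {
+instance.Status.Conditions.Set(condition.FalseCondition(
+condition.TLSInputReadyCondition,
+condition.ErrorReason,
+condition.SeverityWarning,
+condition.TLSInputErrorMessage,
+err.Error()))
+return ctrlResult, err
+} else if (ctrlResult != ctrl.Result{}) {
+return ctrlResult, nil
+}
+
+if hash != "" {
+configVars[tls.CABundleKey] = env.SetValue(hash)
+}
+
+// Validate API service certs secrets
+certsHash, ctrlResult, err := instance.Spec.TLS.API.ValidateCertSecrets(ctx, helper, instance.Namespace)
+if err != nil {
+instance.Status.Conditions.Set(condition.FalseCondition(
+condition.TLSInputReadyCondition,
+condition.ErrorReason,
+condition.SeverityWarning,
+condition.TLSInputErrorMessage,
+err.Error()))
+return ctrlResult, err
+} else if (ctrlResult != ctrl.Result{}) {
+return ctrlResult, nil
+}
+
+configVars[tls.TLSHashName] = env.SetValue(certsHash)
+}
+
+// all cert input checks out so report InputReady
+instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
 Log.Info("Reconciled Service Aodh successfully")
 return ctrl.Result{}, nil
 }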
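Review bot: The TLS hashes stored in configVars at new-side lines 487 and 504 are never consumed within these hunks: configVars is created at line 272, the StatefulSet is built from inputHash at line 274 before the TLS block runs, and the function returns at line 511 immediately after the block, so as far as the hunks show a rotated CA bundle or service cert changes neither the input hash nor the pod spec, and an invalid or missing TLS secret is only detected after the StatefulSet and the https endpoints have already been created. Move the `TLS input validation` block ahead of `autoscaling.AodhStatefulSet(instance, inputHash, serviceLabels)` and fold the CA-bundle and cert hashes into inputHash (or the env set it is derived from) so that a secret change triggers a rollout and a bad secret blocks deployment rather than being reported afterwards; if inputHash is computed in the part of `reconcileNormalAodh` that lies outside the hunk, the block belongs there. Minor inconsistency: `hash` is only stored when non-empty (line 486) while `certsHash` is stored unconditionally at line 504; `if certsHash != "" { configVars[tls.TLSHashName] = env.SetValue(certsHash) }` keeps the two paths alike. The `} else if (ctrlResult != ctrl.Result{}) {` branches after a `return` at lines 482 and 500 can be flattened to a plain `if`, which keeps the happy path left-aligned. The enclosing function starts outside the hunk.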
