
Commit f8c5780

Merge pull request #697 from lmiccini/mtls
Enable MTLS memcached auth
2 parents 35529f1 + 41111c2 commit f8c5780


8 files changed

+93
-4
lines changed


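--- a/controllers/aodh_controller.go
+++ b/controllers/aodh_controller.go
@@ -28,6 +28,7 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 common "github.com/openstack-k8s-operators/lib-common/modules/common"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 endpoint "github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
@@ -294,6 +295,7 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 instance *telemetryv1.Autoscaling,
 helper *helper.Helper,
 inputHash string,
+memcached *memcachedv1.Memcached,
 ) (ctrl.Result, error) {
 Log := r.GetLogger(ctx)
 Log.Info(fmt.Sprintf("Reconciling Service Aodh '%s'", autoscaling.ServiceName))
@@ -325,7 +327,7 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 return ctrl.Result{}, fmt.Errorf("waiting for Topology requirements: %w", err)
 }
 
-sfsetDef, err := autoscaling.AodhStatefulSet(instance, inputHash, serviceLabels, topology)
+sfsetDef, err := autoscaling.AodhStatefulSet(instance, inputHash, serviceLabels, topology, memcached)
 if err != nil {
 instance.Status.Conditions.Set(condition.FalseCondition(
 condition.DeploymentReadyCondition,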
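Review bot: The new `memcached` parameter of reconcileNormalAodh is undocumented, and nothing in the signature hunk says whether a nil pointer is acceptable before it is handed to AodhStatefulSet, which dereferences it. The only caller in this commit passes the value resolved in reconcileNormal, so stating the contract once on the signature keeps the next caller honest. A line for the function's doc comment, which sits above the hunk: `// memcached is the resolved Memcached CR (must be non-nil); its mTLS secret, when set, is mounted into the Aodh StatefulSet.` The function body continues outside the hunk.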

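--- a/controllers/autoscaling_controller.go
+++ b/controllers/autoscaling_controller.go
@@ -543,7 +543,7 @@ func (r *AutoscalingReconciler) reconcileNormal(
 if err != nil {
 return ctrlResult, err
 }
-ctrlResult, err = r.reconcileNormalAodh(ctx, instance, helper, inputHash)
+ctrlResult, err = r.reconcileNormalAodh(ctx, instance, helper, inputHash, memcached)
 if (ctrlResult != ctrl.Result{}) {
 return ctrlResult, nil
 }
@@ -670,6 +670,13 @@ func (r *AutoscalingReconciler) generateServiceConfig(
 }
 templateParameters["VHosts"] = httpdVhostConfig
 
+// MTLS
+if mc.GetMemcachedMTLSSecret() != "" {
+templateParameters["MemcachedAuthCert"] = fmt.Sprint(memcachedv1.CertMountPath())
+templateParameters["MemcachedAuthKey"] = fmt.Sprint(memcachedv1.KeyMountPath())
+templateParameters["MemcachedAuthCa"] = fmt.Sprint(memcachedv1.CaMountPath())
+}
+
 cms := []util.Template{
 // ScriptsSecret
 {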
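Review bot: `mc.GetMemcachedMTLSSecret()` at the top of the new MTLS block in generateServiceConfig is called on a pointer whose nil-ness the hunk does not establish (`mc` is declared outside it); unless that method tolerates a nil receiver, a reconcile that reaches this point before the Memcached CR is resolved panics here, and the same call appears in pkg/autoscaling/aodh_statefulset.go. A guard of the form `if mc != nil && mc.GetMemcachedMTLSSecret() != "" {` costs nothing. If CertMountPath, KeyMountPath and CaMountPath already return string, the `fmt.Sprint` wrappers are no-ops and the values can be assigned directly. The `// MTLS` comment could say what the keys are consumed by: `// Memcached mTLS: expose the mounted cert/key/CA paths so aodh.conf can set memcache_tls_*.` generateServiceConfig continues outside the hunk.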

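--- a/pkg/autoscaling/aodh_statefulset.go
+++ b/pkg/autoscaling/aodh_statefulset.go
@@ -30,6 +30,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 
+memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1"
 )
@@ -45,6 +46,7 @@ func AodhStatefulSet(
 configHash string,
 labels map[string]string,
 topology *topologyv1.Topology,
+memcached *memcachedv1.Memcached,
 ) (*appsv1.StatefulSet, error) {
 runAsUser := int64(0)
 
@@ -100,6 +102,12 @@ func AodhStatefulSet(
 evaluatorVolumeMounts = append(evaluatorVolumeMounts, getCustomPrometheusCaVolumeMount(instance.Spec.PrometheusTLSCaCertSecret.Key))
 }
 
+// add MTLS cert if defined
+if memcached.GetMemcachedMTLSSecret() != "" {
+volumes = append(volumes, memcached.CreateMTLSVolume())
+apiVolumeMounts = append(apiVolumeMounts, memcached.CreateMTLSVolumeMounts(nil, nil)...)
+}
+
 for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
 if instance.Spec.Aodh.TLS.API.Enabled(endpt) {
 var tlsEndptCfg tls.GenericService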
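Review bot: The mTLS volume mounts are appended only to `apiVolumeMounts`, yet the commit adds the same /var/lib/config-data/mtls copy stanza to the evaluator, listener and notifier kolla config files as well (templates/autoscaling/config/aodh-evaluator-config.json, aodh-listener-config.json, aodh-notifier-config.json). If those containers use the other mount lists (`evaluatorVolumeMounts` is visible just above the new block), the source glob never exists there and `"optional": true` hides the mismatch; either append the mounts to those lists too or drop the three stanzas so the intended scope is explicit. The `(nil, nil)` arguments to `CreateMTLSVolumeMounts` deserve a word on what they leave at defaults, e.g. `// nil, nil: default read-only mount with no subPath override — confirm against infra-operator`. The function's pointer parameter is also dereferenced without a nil check here. AodhStatefulSet continues outside the hunk.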

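--- a/templates/autoscaling/config/aodh-api-config.json
+++ b/templates/autoscaling/config/aodh-api-config.json
@@ -53,6 +53,22 @@
 "dest": "/etc/my.cnf",
 "owner": "aodh",
 "perm": "0644"
+},
+{
+"source": "/var/lib/config-data/mtls/certs/*",
+"dest": "/etc/pki/tls/certs/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/mtls/private/*",
+"dest": "/etc/pki/tls/private/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
 }
-]
+]
 }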

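--- a/templates/autoscaling/config/aodh-evaluator-config.json
+++ b/templates/autoscaling/config/aodh-evaluator-config.json
@@ -25,6 +25,22 @@
 "dest": "/etc/my.cnf",
 "owner": "aodh",
 "perm": "0644"
+},
+{
+"source": "/var/lib/config-data/mtls/certs/*",
+"dest": "/etc/pki/tls/certs/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/mtls/private/*",
+"dest": "/etc/pki/tls/private/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
 }
 ]
 }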

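--- a/templates/autoscaling/config/aodh-listener-config.json
+++ b/templates/autoscaling/config/aodh-listener-config.json
@@ -19,6 +19,22 @@
 "dest": "/etc/my.cnf",
 "owner": "aodh",
 "perm": "0644"
+},
+{
+"source": "/var/lib/config-data/mtls/certs/*",
+"dest": "/etc/pki/tls/certs/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/mtls/private/*",
+"dest": "/etc/pki/tls/private/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
 }
 ]
 }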

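--- a/templates/autoscaling/config/aodh-notifier-config.json
+++ b/templates/autoscaling/config/aodh-notifier-config.json
@@ -19,6 +19,22 @@
 "dest": "/etc/my.cnf",
 "owner": "aodh",
 "perm": "0644"
+},
+{
+"source": "/var/lib/config-data/mtls/certs/*",
+"dest": "/etc/pki/tls/certs/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
+},
+{
+"source": "/var/lib/config-data/mtls/private/*",
+"dest": "/etc/pki/tls/private/",
+"owner": "aodh:aodh",
+"perm": "0640",
+"optional": true,
+"merge": true
 }
 ]
 }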

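--- a/templates/autoscaling/config/aodh.conf
+++ b/templates/autoscaling/config/aodh.conf
@@ -31,8 +31,16 @@ transport_url = {{ .TransportURL }}
 [keystone_authtoken]
 www_authenticate_uri = {{ .KeystoneInternalURL }}
 interface=internal
-memcached_servers={{ .MemcachedServersWithInet }}
+memcached_servers={{ .MemcachedServers }}
+{{- if (index . "MemcachedAuthCert")}}
+memcache_tls_certfile = {{ .MemcachedAuthCert }}
+memcache_tls_keyfile = {{ .MemcachedAuthKey }}
+memcache_tls_cafile = {{ .MemcachedAuthCa }}
+memcache_tls_enabled = true
+memcache_use_advanced_pool = false
+{{- else }}
 memcache_use_advanced_pool=True
+{{- end }}
 auth_type = password
 auth_url = {{ .KeystoneInternalURL }}
 username = {{ .AodhUser }}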
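Review bot: The switch from `{{ .MemcachedServersWithInet }}` to `{{ .MemcachedServers }}` on the `memcached_servers` line sits outside the new `{{- if }}` block, so it changes the rendered `[keystone_authtoken]` section for deployments without an mTLS secret as well; if the two template values differ in format (the names suggest an `inet:` prefix is dropped), that is a behaviour change for the existing non-TLS path that the commit message does not mention and that should be confirmed against what keystonemiddleware accepts. Within the new block the key spelling also diverges from the existing line: `memcache_use_advanced_pool = false` in the TLS branch versus `memcache_use_advanced_pool=True` in the else branch, which is harmless to the parser but worth normalising to one style. Since the TLS options are only emitted when `MemcachedAuthCert` is present, a one-line note in the template such as `# memcache_tls_* are set only when the Memcached CR carries an mTLS secret` would make the coupling to generateServiceConfig visible to whoever edits this file next.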
