openstack-k8s-operators · openshift-merge-bot · Mar 5, 2024 · Feb 15, 2024
diff --git a/api/bases/telemetry.openstack.org_autoscalings.yaml b/api/bases/telemetry.openstack.org_autoscalings.yaml
@@ -294,6 +294,36 @@ spec:
                     description: ServiceUser - optional username used for this service
                       to register in keystone
                     type: string
+                  tls:
+                    description: TLS - Parameters related to the TLS
+                    properties:
+                      api:
+                        description: API tls type which encapsulates for API services
+                        properties:
+                          internal:
+                            description: Internal GenericService - holds the secret
+                              for the internal endpoint
+                            properties:
+                              secretName:
+                                description: SecretName - holding the cert, key for
+                                  the service
+                                type: string
+                            type: object
+                          public:
+                            description: Public GenericService - holds the secret
+                              for the public endpoint
+                            properties:
+                              secretName:
+                                description: SecretName - holding the cert, key for
+                                  the service
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        description: CaBundleSecretName - holding the CA certs in
+                          a pre-created bundle file
+                        type: string
+                    type: object
                 required:
                 - apiImage
                 - databaseInstance

diff --git a/api/bases/telemetry.openstack.org_telemetries.yaml b/api/bases/telemetry.openstack.org_telemetries.yaml
@@ -308,6 +308,36 @@ spec:
                         description: ServiceUser - optional username used for this
                           service to register in keystone
                         type: string
+                      tls:
+                        description: TLS - Parameters related to the TLS
+                        properties:
+                          api:
+                            description: API tls type which encapsulates for API services
+                            properties:
+                              internal:
+                                description: Internal GenericService - holds the secret
+                                  for the internal endpoint
+                                properties:
+                                  secretName:
+                                    description: SecretName - holding the cert, key
+                                      for the service
+                                    type: string
+                                type: object
+                              public:
+                                description: Public GenericService - holds the secret
+                                  for the public endpoint
+                                properties:
+                                  secretName:
+                                    description: SecretName - holding the cert, key
+                                      for the service
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            description: CaBundleSecretName - holding the CA certs
+                              in a pre-created bundle file
+                            type: string
+                        type: object
                     required:
                     - apiImage
                     - databaseInstance

diff --git a/api/v1beta1/autoscaling_types.go b/api/v1beta1/autoscaling_types.go
@@ -18,10 +18,11 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 )
 
 const (
@@ -37,7 +38,6 @@ const (
 	DbSyncHash = "dbsync"
 )
 
-
 // Aodh defines the aodh component spec
 type Aodh struct {
 	// RabbitMQ instance name
@@ -109,6 +109,11 @@ type Aodh struct {
 
 	// +kubebuilder:validation:Required
 	ListenerImage string `json:"listenerImage"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/telemetry.openstack.org_autoscalings.yaml b/config/crd/bases/telemetry.openstack.org_autoscalings.yaml
@@ -294,6 +294,36 @@ spec:
                     description: ServiceUser - optional username used for this service
                       to register in keystone
                     type: string
+                  tls:
+                    description: TLS - Parameters related to the TLS
+                    properties:
+                      api:
+                        description: API tls type which encapsulates for API services
+                        properties:
+                          internal:
+                            description: Internal GenericService - holds the secret
+                              for the internal endpoint
+                            properties:
+                              secretName:
+                                description: SecretName - holding the cert, key for
+                                  the service
+                                type: string
+                            type: object
+                          public:
+                            description: Public GenericService - holds the secret
+                              for the public endpoint
+                            properties:
+                              secretName:
+                                description: SecretName - holding the cert, key for
+                                  the service
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        description: CaBundleSecretName - holding the CA certs in
+                          a pre-created bundle file
+                        type: string
+                    type: object
                 required:
                 - apiImage
                 - databaseInstance

diff --git a/config/crd/bases/telemetry.openstack.org_telemetries.yaml b/config/crd/bases/telemetry.openstack.org_telemetries.yaml
@@ -308,6 +308,36 @@ spec:
                         description: ServiceUser - optional username used for this
                           service to register in keystone
                         type: string
+                      tls:
+                        description: TLS - Parameters related to the TLS
+                        properties:
+                          api:
+                            description: API tls type which encapsulates for API services
+                            properties:
+                              internal:
+                                description: Internal GenericService - holds the secret
+                                  for the internal endpoint
+                                properties:
+                                  secretName:
+                                    description: SecretName - holding the cert, key
+                                      for the service
+                                    type: string
+                                type: object
+                              public:
+                                description: Public GenericService - holds the secret
+                                  for the public endpoint
+                                properties:
+                                  secretName:
+                                    description: SecretName - holding the cert, key
+                                      for the service
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            description: CaBundleSecretName - holding the CA certs
+                              in a pre-created bundle file
+                            type: string
+                        type: object
                     required:
                     - apiImage
                     - databaseInstance

diff --git a/config/samples/telemetry_v1beta1_autoscaling_tls.yaml b/config/samples/telemetry_v1beta1_autoscaling_tls.yaml
@@ -0,0 +1,24 @@
+apiVersion: telemetry.openstack.org/v1beta1
+kind: Autoscaling
+metadata:
+  labels:
+    app.kubernetes.io/name: autoscaling
+    app.kubernetes.io/instance: autoscaling-sample
+    app.kubernetes.io/part-of: telemetry-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: telemetry-operator
+  name: autoscaling
+spec:
+  aodh:
+    secret: osp-secret
+    passwordSelectors:
+    databaseUser: aodh
+    databaseInstance: openstack
+    memcachedInstance: memcached
+    tls:
+      api:
+        internal:
+          secretName: cert-aodh-internal-svc
+        public:
+          secretName: cert-aodh-public-svc
+      caBundleSecretName: combined-ca-bundle
diff --git a/controllers/aodh_controller.go b/controllers/aodh_controller.go
@@ -23,17 +23,21 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	common "github.com/openstack-k8s-operators/lib-common/modules/common"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	endpoint "github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
+	env "github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	job "github.com/openstack-k8s-operators/lib-common/modules/common/job"
 	secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	service "github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	statefulset "github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 
@@ -264,8 +268,17 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 		common.AppSelector: autoscaling.ServiceName,
 	}
 
+	// ConfigVars
+	configVars := make(map[string]env.Setter)
+
 	sfsetDef, err := autoscaling.AodhStatefulSet(instance, inputHash, serviceLabels)
 	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.DeploymentReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.DeploymentReadyErrorMessage,
+			err.Error()))
 		return ctrl.Result{}, err
 	}
 	sfset := statefulset.NewStatefulSet(
@@ -401,7 +414,12 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 		}
 		// create service - end
 
-		// TODO: TLS, pass in https as protocol, create TLS cert
+		// if TLS is enabled
+		if instance.Spec.Aodh.TLS.API.Enabled(endpointType) {
+			// set endpoint protocol to https
+			data.Protocol = ptr.To(service.ProtocolHTTPS)
+		}
+
 		apiEndpoints[string(endpointType)], err = svc.GetAPIEndpoint(
 			svcOverride.EndpointURL, data.Protocol, data.Path)
 		if err != nil {
@@ -440,6 +458,55 @@ func (r *AutoscalingReconciler) reconcileNormalAodh(
 		return ctrlResult, nil
 	}
 
+	//
+	// TLS input validation
+	//
+	// Validate the CA cert secret if provided
+	if instance.Spec.Aodh.TLS.CaBundleSecretName != "" {
+		hash, ctrlResult, err := tls.ValidateCACertSecret(
+			ctx,
+			helper.GetClient(),
+			types.NamespacedName{
+				Name:      instance.Spec.Aodh.TLS.CaBundleSecretName,
+				Namespace: instance.Namespace,
+			},
+		)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.TLSInputReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				condition.TLSInputErrorMessage,
+				err.Error()))
+			return ctrlResult, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, nil
+		}
+
+		if hash != "" {
+			configVars[tls.CABundleKey] = env.SetValue(hash)
+		}
+
+		// Validate API service certs secrets
+		certsHash, ctrlResult, err := instance.Spec.Aodh.TLS.API.ValidateCertSecrets(ctx, helper, instance.Namespace)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.TLSInputReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				condition.TLSInputErrorMessage,
+				err.Error()))
+			return ctrlResult, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, nil
+		}
+
+		configVars[tls.TLSHashName] = env.SetValue(certsHash)
+	}
+
+	// all cert input checks out so report InputReady
+	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
 	Log.Info("Reconciled Service Aodh successfully")
 	return ctrl.Result{}, nil
 }