Merge pull request openstack-k8s-operators#308 from stuggi/tls_db

[tlse] TLS database connection

Author: openshift-merge-bot[bot]

controllers/neutronapi_controller.go

@@ -397,72 +397,20 @@ func (r *NeutronAPIReconciler) reconcileInit(
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Service init")
 
-	// create neutron DB instance
-	//
-	db := mariadbv1.NewDatabaseWithNamespace(
-		neutronapi.Database,
-		instance.Spec.DatabaseUser,
-		instance.Spec.Secret,
-		map[string]string{
-			"dbName": instance.Spec.DatabaseInstance,
-		},
-		neutronapi.Database,
-		instance.Namespace,
-	)
-	// create or patch the DB
-	ctrlResult, err := db.CreateOrPatchDBByName(
-		ctx,
-		helper,
-		instance.Spec.DatabaseInstance,
-	)
+	db, result, err := r.ensureDB(ctx, helper, instance)
 	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.DBReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.DBReadyErrorMessage,
-			err.Error()))
 		return ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		return result, nil
 	}
-	if (ctrlResult != ctrl.Result{}) {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.DBReadyCondition,
-			condition.RequestedReason,
-			condition.SeverityInfo,
-			condition.DBReadyRunningMessage))
-		return ctrlResult, nil
-	}
-	// wait for the DB to be setup
-	ctrlResult, err = db.WaitForDBCreatedWithTimeout(ctx, helper, time.Second*5)
-	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.DBReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.DBReadyErrorMessage,
-			err.Error()))
-		return ctrlResult, err
-	}
-	if (ctrlResult != ctrl.Result{}) {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.DBReadyCondition,
-			condition.RequestedReason,
-			condition.SeverityInfo,
-			condition.DBReadyRunningMessage))
-		return ctrlResult, nil
-	}
-	// update Status.DatabaseHostname, used to bootstrap/config the service
-	instance.Status.DatabaseHostname = db.GetDatabaseHostname()
-	instance.Status.Conditions.MarkTrue(condition.DBReadyCondition, condition.DBReadyMessage)
-	// create neutron DB - end
 
 	// Create Secrets required as input for the Service and calculate an overall hash of hashes
 	//
 
 	//
 	// create Secret required for neutronapi and dbsync input. It contains minimal neutron config required
 	// to get the service up, user can add additional files to be added to the service.
-	err = r.generateServiceSecrets(ctx, helper, instance, ospSecret, &secretVars)
+	err = r.generateServiceSecrets(ctx, helper, instance, ospSecret, &secretVars, db)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			condition.ServiceConfigReadyCondition,
@@ -1404,6 +1352,7 @@ func (r *NeutronAPIReconciler) generateServiceSecrets(
 	instance *neutronv1beta1.NeutronAPI,
 	ospSecret *corev1.Secret,
 	envVars *map[string]env.Setter,
+	db *mariadbv1.Database,
 ) error {
 	// Create/update secrets from templates
 	cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(neutronapi.ServiceName), map[string]string{})
@@ -1425,13 +1374,19 @@ func (r *NeutronAPIReconciler) generateServiceSecrets(
 	if err != nil {
 		return err
 	}
-
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.Ca.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
 	// customData hold any customization for the service.
 	// 02-neutron-custom.conf is going to /etc/<service>.conf.d
 	// 01-neutron.conf is going to /etc/<service>.conf.d such that it gets loaded before custom one
 	// all other files get placed into /etc/<service> to allow overwrite of e.g. logging.conf or policy.json
 	// TODO: make sure custom.conf can not be overwritten
-	customData := map[string]string{"02-neutron-custom.conf": instance.Spec.CustomServiceConfig}
+	customData := map[string]string{
+		"02-neutron-custom.conf": instance.Spec.CustomServiceConfig,
+		"my.cnf":                 db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 	for key, data := range instance.Spec.DefaultConfigOverwrite {
 		customData[key] = data
 	}
@@ -1602,3 +1557,68 @@ func (r *NeutronAPIReconciler) getNeutronMemcached(
 	}
 	return memcached, err
 }
+
+// ensureDB - create neutron DB instance
+func (r *NeutronAPIReconciler) ensureDB(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *neutronv1beta1.NeutronAPI,
+) (*mariadbv1.Database, ctrl.Result, error) {
+	db := mariadbv1.NewDatabaseWithNamespace(
+		neutronapi.Database,
+		instance.Spec.DatabaseUser,
+		instance.Spec.Secret,
+		map[string]string{
+			"dbName": instance.Spec.DatabaseInstance,
+		},
+		neutronapi.Database,
+		instance.Namespace,
+	)
+	// create or patch the DB
+	ctrlResult, err := db.CreateOrPatchDBByName(
+		ctx,
+		h,
+		instance.Spec.DatabaseInstance,
+	)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.DBReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.DBReadyErrorMessage,
+			err.Error()))
+		return db, ctrl.Result{}, err
+	}
+	if (ctrlResult != ctrl.Result{}) {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.DBReadyCondition,
+			condition.RequestedReason,
+			condition.SeverityInfo,
+			condition.DBReadyRunningMessage))
+		return db, ctrlResult, nil
+	}
+	// wait for the DB to be setup
+	ctrlResult, err = db.WaitForDBCreatedWithTimeout(ctx, h, time.Second*5)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.DBReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.DBReadyErrorMessage,
+			err.Error()))
+		return db, ctrlResult, err
+	}
+	if (ctrlResult != ctrl.Result{}) {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.DBReadyCondition,
+			condition.RequestedReason,
+			condition.SeverityInfo,
+			condition.DBReadyRunningMessage))
+		return db, ctrlResult, nil
+	}
+	// update Status.DatabaseHostname, used to bootstrap/config the service
+	instance.Status.DatabaseHostname = db.GetDatabaseHostname()
+	instance.Status.Conditions.MarkTrue(condition.DBReadyCondition, condition.DBReadyMessage)
+
+	return db, ctrlResult, nil
+}

templates/neutronapi/config/01-neutron.conf

@@ -13,7 +13,7 @@ api_workers = 2
 rpc_workers = 1
 
 [database]
-connection=mysql+pymysql://{{ .DbUser }}:{{ .DbPassword }}@{{ .DbHost }}/{{ .Db }}
+connection=mysql+pymysql://{{ .DbUser }}:{{ .DbPassword }}@{{ .DbHost }}/{{ .Db }}?read_default_file=/etc/my.cnf
 # NOTE(ykarel): It is required to be set for multi master galera, without it set
 # there can be reads from not up to date db instance and that leads to various issues.
 mysql_wsrep_sync_wait = 1

templates/neutronapi/config/db-sync-config.json

@@ -12,6 +12,12 @@
       "dest": "/etc/neutron/neutron.conf.d/02-neutron-custom.conf",
       "owner": "root:neutron",
       "perm": "0640"
+    },
+    {
+      "source": "/var/lib/config-data/my.cnf",
+      "dest": "/etc/my.cnf",
+      "owner": "neutron",
+      "perm": "0644"
     }
   ]
 }

templates/neutronapi/config/neutron-api-config.json

@@ -12,6 +12,12 @@
       "dest": "/etc/neutron/neutron.conf.d/02-neutron-custom.conf",
       "owner": "root:neutron",
       "perm": "0640"
+    },
+    {
+      "source": "/var/lib/config-data/my.cnf",
+      "dest": "/etc/my.cnf",
+      "owner": "neutron",
+      "perm": "0644"
     }
   ]
 }

test/functional/base_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/google/uuid"
 	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -165,3 +166,14 @@ func GetOVNDBCluster(name types.NamespacedName) *ovnv1.OVNDBCluster {
 	}, timeout, interval).Should(Succeed())
 	return instance
 }
+
+func CreateNeutronAPISecret(namespace string, name string) *corev1.Secret {
+	return th.CreateSecret(
+		types.NamespacedName{Namespace: namespace, Name: name},
+		map[string][]byte{
+			"NeutronPassword":         []byte("12345678"),
+			"NeutronDatabasePassword": []byte("12345678"),
+			"transport_url":           []byte("rabbit://user@svc:1234"),
+		},
+	)
+}