
Commit 7cefa5a

committed
[tlse] memcached tls setup
If spec.TLS.PodLevel.Enabled is true, set up memcached for TLS usage. Jira: OSPRH-5283
1 parent 19cb9a3 commit 7cefa5a


1 file changed

+52
-9
lines changed

1 file changed

+52
-9
lines changed

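--- a/pkg/openstack/memcached.go
+++ b/pkg/openstack/memcached.go
@@ -6,13 +6,17 @@ import (
 "strings"
 
 memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
+"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/utils/ptr"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -81,8 +85,11 @@ func ReconcileMemcacheds(
 }
 
 // then reconcile ones listed in spec
+var ctrlResult ctrl.Result
+var err error
+var status memcachedStatus
 for name, spec := range instance.Spec.Memcached.Templates {
-status, err := reconcileMemcached(ctx, instance, helper, name, &spec)
+status, ctrlResult, err = reconcileMemcached(ctx, instance, helper, name, &spec)
 
 switch status {
 case memcachedFailed:
@@ -105,7 +112,7 @@ func ReconcileMemcacheds(
 corev1beta1.OpenStackControlPlaneMemcachedReadyErrorMessage,
 errors))
 
-return ctrl.Result{}, fmt.Errorf(errors)
+return ctrlResult, fmt.Errorf(errors)
 
 } else if len(inprogress) > 0 {
 instance.Status.Conditions.Set(condition.FalseCondition(
@@ -120,7 +127,7 @@ func ReconcileMemcacheds(
 )
 }
 
-return ctrl.Result{}, nil
+return ctrlResult, nil
 }
 
 // reconcileMemcached -
@@ -130,7 +137,7 @@ func reconcileMemcached(
 helper *helper.Helper,
 name string,
 spec *memcachedv1.MemcachedSpec,
-) (memcachedStatus, error) {
+) (memcachedStatus, ctrl.Result, error) {
 memcached := &memcachedv1.Memcached{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
@@ -142,15 +149,51 @@ func reconcileMemcached(
 
 if !instance.Spec.Memcached.Enabled {
 if _, err := EnsureDeleted(ctx, helper, memcached); err != nil {
-return memcachedFailed, err
+return memcachedFailed, ctrl.Result{}, err
 }
 instance.Status.Conditions.Remove(corev1beta1.OpenStackControlPlaneMemcachedReadyCondition)
-return memcachedReady, nil
+return memcachedReady, ctrl.Result{}, nil
 }
 
 Log.Info("Reconciling Memcached", "Memcached.Namespace", instance.Namespace, "Memcached.Name", name)
+
+tlsCert := ""
+if instance.Spec.TLS.Enabled(service.EndpointInternal) {
+certRequest := certmanager.CertificateRequest{
+IssuerName: tls.DefaultCAPrefix + string(service.EndpointInternal),
+CertName: fmt.Sprintf("%s-svc", memcached.Name),
+Hostnames: []string{
+fmt.Sprintf("%s.%s.svc", name, instance.Namespace),
+fmt.Sprintf("*.%s.%s.svc", name, instance.Namespace),
+},
+}
+if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
+certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
+}
+if instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore != nil {
+certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore.Duration
+}
+certSecret, ctrlResult, err := certmanager.EnsureCert(
+ctx,
+helper,
+certRequest)
+if err != nil {
+return memcachedFailed, ctrlResult, err
+} else if (ctrlResult != ctrl.Result{}) {
+return memcachedCreating, ctrlResult, nil
+}
+
+tlsCert = certSecret.Name
+}
+
 op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), memcached, func() error {
 spec.DeepCopyInto(&memcached.Spec)
+
+if tlsCert != "" {
+memcached.Spec.TLS.CaBundleSecretName = tls.CABundleSecret
+memcached.Spec.TLS.SecretName = ptr.To(tlsCert)
+}
+
 err := controllerutil.SetControllerReference(helper.GetBeforeObject(), memcached, helper.GetScheme())
 if err != nil {
 return err
@@ -160,15 +203,15 @@ func reconcileMemcached(
 })
 
 if err != nil {
-return memcachedFailed, err
+return memcachedFailed, ctrl.Result{}, err
 }
 if op != controllerutil.OperationResultNone {
 Log.Info(fmt.Sprintf("Memcached %s - %s", memcached.Name, op))
 }
 
 if memcached.IsReady() {
-return memcachedReady, nil
+return memcachedReady, ctrl.Result{}, nil
 }
 
-return memcachedCreating, nil
+return memcachedCreating, ctrl.Result{}, nil
 }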
