[tlse] internal TLS support for octavia

Creates certs for k8s service of the service operator when spec.tls.endpoint.internal.enabled: true For a service like nova which talks to multiple service internal endpoints, this has to be set for each of them for, like: customServiceConfig: | [keystone_authtoken] insecure = true [placement] insecure = true [neutron] insecure = true [glance] insecure = true [cinder] insecure = true Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators#620 Depends-On: openstack-k8s-operators/octavia-operator#265 Signed-off-by: Veronika Fisarova <[email protected]>
Deydra71 · Mar 20, 2024 · 476e9f5 · 476e9f5
1 parent a5d2738
commit 476e9f5
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/pkg/openstack/octavia.go b/pkg/openstack/octavia.go
@@ -64,6 +64,12 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 				octavia.Name)
 	}
 
+	// preserve any previously set TLS certs, set CA cert
+	if instance.Spec.TLS.PodLevel.Enabled {
+		instance.Spec.Octavia.Template.OctaviaAPI.TLS = octavia.Spec.OctaviaAPI.TLS
+	}
+	instance.Spec.Octavia.Template.OctaviaAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+
 	// When component services got created check if there is the need to create a route
 	if err := helper.GetClient().Get(ctx, types.NamespacedName{Name: "octavia", Namespace: instance.Namespace}, octavia); err != nil {
 		if !k8s_errors.IsNotFound(err) {
@@ -92,7 +98,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 			instance.Spec.Octavia.Template.OctaviaAPI.Override.Service,
 			instance.Spec.Octavia.APIOverride,
 			corev1beta1.OpenStackControlPlaneExposeOctaviaReadyCondition,
-			true, // TODO: (mschuppert) disable TLS for now until implemented
+			false, // TODO: (mschuppert) could be removed when all integrated service support TLS
 			tls.API{},
 		)
 		if err != nil {
@@ -104,6 +110,10 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 		instance.Spec.Octavia.Template.OctaviaAPI.Override.Service = endpointDetails.GetEndpointServiceOverrides()
 	}
 
+	// update TLS settings with cert secret
+	instance.Spec.Octavia.Template.OctaviaAPI.TLS.API.Public.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+	instance.Spec.Octavia.Template.OctaviaAPI.TLS.API.Internal.SecretName = endpointDetails.GetEndptCertSecret(service.EndpointInternal)
+
 	helper.GetLogger().Info("Reconciling Octavia", "Octavia.Namespace", instance.Namespace, "Octavia.Name", octavia.Name)
 	op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), octavia, func() error {
 		instance.Spec.Octavia.Template.DeepCopyInto(&octavia.Spec)