[tlse] tls for PlacementAPI pod configuration

Public/Internal service cert secrets and the CA bundle secret can be passed to configure httpd virtual hosts for tls termination. The certs are mounted to in var/lib/config-data/tls/certs/%s.crt|key and a CA bundle to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Server cert and key are intended to be moved by kolla to /etc/pki/tls/certs|private. Depends-On: openstack-k8s-operators/lib-common#428 Depends-On: openstack-k8s-operators/openstack-operator#625 Signed-off-by: Veronika Fisarova <[email protected]>
openstack-k8s-operators · Jan 17, 2024 · e154ca6 · e154ca6
1 parent 42fcce4
commit e154ca6
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 19 deletions.
diff --git a/pkg/placement/deployment.go b/pkg/placement/deployment.go
@@ -139,11 +139,6 @@ func Deployment(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.RbacResourceName(),
 					Volumes:            volumes,
-					SecurityContext: &corev1.PodSecurityContext{
-						// since we run as PlacementUserID, e.g. certs need to be
-						// readable by the placement user, instead of root
-						FSGroup: ptr.To(PlacementUserID),
-					},
 					Containers: []corev1.Container{
 						{
 							Name: instance.Name + "-log",

diff --git a/templates/placementapi/config/placement-api-config.json b/templates/placementapi/config/placement-api-config.json
@@ -26,18 +26,20 @@
             "perm": "0644"
         },
         {
-            "source": "/var/lib/config-data/tls/certs",
-            "dest": "/etc/pki/tls/certs",
+            "source": "/var/lib/config-data/tls/certs/*",
+            "dest": "/etc/pki/tls/certs/",
             "owner": "placement",
             "perm": "0440",
-            "optional": true
+            "optional": true,
+            "merge": true
         },
         {
-            "source": "/var/lib/config-data/tls/private",
-            "dest": "/etc/pki/tls/private",
+            "source": "/var/lib/config-data/tls/private/*",
+            "dest": "/etc/pki/tls/private/",
             "owner": "placement",
             "perm": "0400",
-            "optional": true
+            "optional": true,
+            "merge": true
         }
 
     ],

diff --git a/tests/kuttl/tests/placement_deploy_tls/03-assert.yaml b/tests/kuttl/tests/placement_deploy_tls/03-assert.yaml
@@ -156,26 +156,26 @@ spec:
           subPath: placement-api-config.json
         - mountPath: /var/log/placement
           name: logs
-        - mountPath: /var/lib/config-data/tls/certs
+        - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+          name: combined-ca-bundle
+          readOnly: true
+          subPath: tls-ca-bundle.pem
+        - mountPath: /var/lib/config-data/tls/certs/internal.crt
           name: internal-tls-certs
           readOnly: true
           subPath: tls.crt
-        - mountPath: /var/lib/config-data/tls/private
+        - mountPath: /var/lib/config-data/tls/private/internal.key
           name: internal-tls-certs
           readOnly: true
           subPath: tls.key
-        - mountPath: /var/lib/config-data/tls/certs
+        - mountPath: /var/lib/config-data/tls/certs/public.crt
           name: public-tls-certs
           readOnly: true
           subPath: tls.crt
-        - mountPath: /var/lib/config-data/tls/private
+        - mountPath: /var/lib/config-data/tls/private/public.key
           name: public-tls-certs
           readOnly: true
           subPath: tls.key
-        - mountPath: /etc/pki/ca-trust/extracted/pem
-          name: combined-ca-bundle
-          readOnly: true
-          subPath: tls-ca-bundle.pem
       - args:
         - -c
         - /usr/local/bin/kolla_start

diff --git a/...acement_deploy_tls/04-errors_cleanup.yaml → ...tests/placement_deploy_tls/04-errors.yaml b/...acement_deploy_tls/04-errors_cleanup.yaml → ...tests/placement_deploy_tls/04-errors.yaml