Skip to content

Commit

Permalink
[tlse] tls for KeystoneAPI pod configuration
Browse files Browse the repository at this point in the history 
Public/Internal service cert secrets and the CA bundle secret
can be passed to configure httpd virtual hosts for tls termination.
The CA cert get direct mounted as the environment bundle to
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem .
The service certificates like config files and copied via kolla
to /etc/pki/tls/certs/%s.crt|/etc/pki/tls/private/%s.key .
Job deployments for bootstrap/cron get the CA bundle added if
configured.

Also indexes the named input resources for password, CA bundle,
and endpoint secrets to be able to watch them for a change and
reconcile.

Depends-On: openstack-k8s-operators/lib-common#428

Jira: OSPRH-2183
  • Loading branch information
@stuggi
stuggi committed Jan 10, 2024
1 parent 5355d93 commit 643df32
Show file tree
Hide file tree
Showing 21 changed files with 905 additions and 163 deletions.
31 changes: 31 additions & 0 deletions api/bases/keystone.openstack.org_keystoneapis.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -386,6 +386,36 @@ spec:
description: Secret containing OpenStack password information for
keystone KeystoneDatabasePassword, AdminPassword
type: string
tls:
description: TLS - Parameters related to the TLS
properties:
api:
description: API tls type which encapsulates for API services
properties:
internal:
description: Internal GenericService - holds the secret for
the internal endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
public:
description: Public GenericService - holds the secret for
the public endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
caBundleSecretName:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
type: object
trustFlushArgs:
default: ""
description: TrustFlushArgs - Arguments added to keystone-manage trust_flush
Expand All @@ -404,6 +434,7 @@ spec:
- containerImage
- databaseInstance
- memcachedInstance
- rabbitMqClusterName
- secret
type: object
status:
Expand Down
31 changes: 15 additions & 16 deletions api/go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,18 @@ go 1.19

require (
github.com/go-logr/logr v1.4.1
github.com/google/uuid v1.3.1
github.com/onsi/gomega v1.28.0
github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20231011150636-e8a0540a3c32
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.1.1-0.20231001084618-12369665b166
github.com/openstack-k8s-operators/lib-common/modules/test v0.1.2-0.20231001084618-12369665b166
github.com/google/uuid v1.5.0
github.com/onsi/gomega v1.30.0
github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240110131857-e70e1dec4d14
github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20231230095328-700482794743
github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20231230095328-700482794743
k8s.io/api v0.26.12
k8s.io/apimachinery v0.26.12
sigs.k8s.io/controller-runtime v0.14.6
sigs.k8s.io/controller-runtime v0.14.7
)

require github.com/stretchr/testify v1.8.3 // indirect

require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
Expand All @@ -28,9 +30,9 @@ require (
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/gnostic v0.6.9 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/gophercloud/gophercloud v1.7.0
github.com/gophercloud/gophercloud v1.8.0
github.com/imdario/mergo v0.3.16 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
Expand All @@ -47,11 +49,11 @@ require (
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
golang.org/x/exp v0.0.0-20230905200255-921286631fa9
golang.org/x/net v0.17.0 // indirect
golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
golang.org/x/net v0.19.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/sys v0.14.0 // indirect
golang.org/x/term v0.14.0 // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
Expand All @@ -65,15 +67,12 @@ require (
k8s.io/component-base v0.26.12 // indirect; indirect // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a // indirect; indirect // indirect
k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect; indirect // indirect
k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect; indirect // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect; indirect // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
)

// Bump golang.org/x/net to avoid Rapid Reset CVE
replace golang.org/x/net => golang.org/x/net v0.18.0 //allow-merging

// mschuppert: map to latest commit from release-4.13 tag
// must consistent within modules and service operators
replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
Loading

0 comments on commit 643df32

Please sign in to comment.