
[tlse] internal TLS support for keystone, glance, cinder and neutron
- creates internal CA when internal TLS enabled
- creates TLS certs via cert-manager and passes the cert secret
  information to the services, right now keystone, glance, cinder and
  neutron

For services which at this point don't support TLS, cert validation
could be disabled using customService config like e.g.:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
~~~

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On:
openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators/keystone-operator#348
Depends-On: openstack-k8s-operators/neutron-operator#263
Depends-On: openstack-k8s-operators/glance-operator#386
Depends-On: openstack-k8s-operators/cinder-operator#306

Jira: OSPRH-2183
Jira: OSPRH-1233
Jira: OSPRH-1592
Jira: OSPRH-2197
stuggi committed Jan 10, 2024
1 parent 1a59de3 commit ac03b0a
Showing 28 changed files with 1,230 additions and 257 deletions.
156 changes: 138 additions & 18 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
Expand Up @@ -684,6 +684,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
required:
- containerImage
type: object
Expand Down Expand Up @@ -4568,6 +4586,24 @@ spec:
type: string
storageRequest:
type: string
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
type:
default: split
enum:
Expand Down Expand Up @@ -6436,28 +6472,19 @@ spec:
properties:
api:
properties:
disabled:
type: boolean
endpoint:
additionalProperties:
properties:
secretName:
type: string
type: object
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
db:
properties:
disabled:
type: boolean
type: object
messaging:
properties:
disabled:
type: boolean
type: object
type: object
trustFlushArgs:
default: ""
Expand All @@ -6472,6 +6499,7 @@ spec:
- containerImage
- databaseInstance
- memcachedInstance
- rabbitMqClusterName
- secret
type: object
type: object
Expand Down Expand Up @@ -8690,6 +8718,24 @@ spec:
serviceUser:
default: neutron
type: string
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
required:
- containerImage
- databaseInstance
Expand Down Expand Up @@ -9043,6 +9089,24 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
type: object
cellTemplates:
additionalProperties:
Expand Down Expand Up @@ -9217,6 +9281,13 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
caBundleSecretName:
type: string
secretName:
type: string
type: object
type: object
noVNCProxyServiceTemplate:
properties:
Expand Down Expand Up @@ -9324,6 +9395,13 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
caBundleSecretName:
type: string
secretName:
type: string
type: object
type: object
nodeSelector:
additionalProperties:
Expand Down Expand Up @@ -9537,6 +9615,13 @@ spec:
x-kubernetes-int-or-string: true
type: object
type: object
tls:
properties:
caBundleSecretName:
type: string
secretName:
type: string
type: object
type: object
nodeSelector:
additionalProperties:
Expand Down Expand Up @@ -10785,6 +10870,24 @@ spec:
serviceUser:
default: placement
type: string
tls:
properties:
api:
properties:
internal:
properties:
secretName:
type: string
type: object
public:
properties:
secretName:
type: string
type: object
type: object
caBundleSecretName:
type: string
type: object
required:
- containerImage
- databaseInstance
Expand Down Expand Up @@ -15980,6 +16083,23 @@ spec:
- type
type: object
type: array
tls:
properties:
caBundleSecretName:
type: string
endpoint:
additionalProperties:
properties:
expires:
type: string
name:
type: string
required:
- expires
- name
type: object
type: object
type: object
type: object
type: object
served: true
26 changes: 26 additions & 0 deletions apis/core/v1beta1/openstackcontrolplane_types.go
Expand Up @@ -652,6 +652,22 @@ type OpenStackControlPlaneStatus struct {
//+operator-sdk:csv:customresourcedefinitions:type=status,xDescriptors={"urn:alm:descriptor:io.kubernetes.conditions"}
// Conditions
Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`

//+operator-sdk:csv:customresourcedefinitions:type=spec
// TLS
TLS TLSStatus `json:"tls,omitempty" optional:"true"`
}

// TLSStatus defines the observed state of TLS
type TLSStatus struct {
Endpoint map[service.Endpoint]TLSCAStatus `json:"endpoint,omitempty"`
tls.Ca `json:",inline"`
}

// TLSCAStatus defines the observed state of TLS
type TLSCAStatus struct {
Name string `json:"name"`
Expires string `json:"expires"`
}

//+kubebuilder:object:root=true
Expand Down Expand Up @@ -748,3 +764,13 @@ func SetupDefaults() {

SetupOpenStackControlPlaneDefaults(openstackControlPlaneDefaults)
}

// Enabled - returns status of tls configuration for the passed in endpoint type
func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
if t != nil {
if cfg, ok := t.Endpoint[service.EndpointInternal]; ok && cfg.Enabled {
return true
}
}
return false
}
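Review bot: `Enabled` ignores its `endpt` argument and always indexes `service.EndpointInternal` (`if cfg, ok := t.Endpoint[service.EndpointInternal]; ok && cfg.Enabled {`), so a caller asking whether TLS is enabled for the public endpoint gets the internal endpoint's answer, which contradicts the doc comment "for the passed in endpoint type" and can silently enable or skip TLS for the wrong endpoint. The lookup should use the parameter: `if cfg, ok := t.Endpoint[endpt]; ok && cfg.Enabled {`. `TLSSection` and its `Endpoint` map are declared outside this hunk, so I am assuming the map is keyed by `service.Endpoint` as the existing lookup implies. Separately, the `TLSCAStatus` doc comment repeats the one on `TLSStatus` word for word; `// TLSCAStatus holds the name and expiry of the CA certificate observed for one endpoint` would distinguish the two types.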
39 changes: 39 additions & 0 deletions apis/core/v1beta1/zz_generated.deepcopy.go