[tlse] internal TLS support for keystone, glance, cinder and neutron

- creates internal CA when internal TLS enabled
- creates TLS certs via cert-manager and passes the cert secret
  information to the services, right now keystone, glance, cinder and
  neutron

For services which at this point don't support TLS, cert validation
could be disabled using customService config like e.g.:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
~~~

For a service like nova which talks to multiple service internal
endpoints, this has to be set for each of them for, like:

~~~
  customServiceConfig: |
    [keystone_authtoken]
    insecure = true
    [placement]
    insecure = true
    [neutron]
    insecure = true
    [glance]
    insecure = true
    [cinder]
    insecure = true
~~~

Depends-On:
openstack-k8s-operators/lib-common#428
Depends-On: openstack-k8s-operators/keystone-operator#348
Depends-On: openstack-k8s-operators/neutron-operator#263
Depends-On: openstack-k8s-operators/glance-operator#386
Depends-On: openstack-k8s-operators/cinder-operator#306

Jira: OSPRH-2183
Jira: OSPRH-1233
Jira: OSPRH-1592
Jira: OSPRH-2197

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -684,6 +684,24 @@ spec:
                                   x-kubernetes-int-or-string: true
                                 type: object
                             type: object
+                          tls:
+                            properties:
+                              api:
+                                properties:
+                                  internal:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                  public:
+                                    properties:
+                                      secretName:
+                                        type: string
+                                    type: object
+                                type: object
+                              caBundleSecretName:
+                                type: string
+                            type: object
                         required:
                         - containerImage
                         type: object
@@ -4568,6 +4586,24 @@ spec:
                               type: string
                             storageRequest:
                               type: string
+                            tls:
+                              properties:
+                                api:
+                                  properties:
+                                    internal:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
+                                    public:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
+                                  type: object
+                                caBundleSecretName:
+                                  type: string
+                              type: object
                             type:
                               default: split
                               enum:
@@ -6436,28 +6472,19 @@ spec:
                         properties:
                           api:
                             properties:
-                              disabled:
-                                type: boolean
-                              endpoint:
-                                additionalProperties:
-                                  properties:
-                                    secretName:
-                                      type: string
-                                  type: object
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
                                 type: object
                             type: object
                           caBundleSecretName:
                             type: string
-                          db:
-                            properties:
-                              disabled:
-                                type: boolean
-                            type: object
-                          messaging:
-                            properties:
-                              disabled:
-                                type: boolean
-                            type: object
                         type: object
                       trustFlushArgs:
                         default: ""
@@ -6472,6 +6499,7 @@ spec:
                     - containerImage
                     - databaseInstance
                     - memcachedInstance
+                    - rabbitMqClusterName
                     - secret
                     type: object
                 type: object
@@ -8690,6 +8718,24 @@ spec:
                       serviceUser:
                         default: neutron
                         type: string
+                      tls:
+                        properties:
+                          api:
+                            properties:
+                              internal:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                              public:
+                                properties:
+                                  secretName:
+                                    type: string
+                                type: object
+                            type: object
+                          caBundleSecretName:
+                            type: string
+                        type: object
                     required:
                     - containerImage
                     - databaseInstance
@@ -15980,6 +16026,23 @@ spec:
                   - type
                   type: object
                 type: array
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                  endpoint:
+                    additionalProperties:
+                      properties:
+                        expires:
+                          type: string
+                        name:
+                          type: string
+                      required:
+                      - expires
+                      - name
+                      type: object
+                    type: object
+                type: object
             type: object
         type: object
     served: true

apis/core/v1beta1/openstackcontrolplane_types.go

@@ -652,6 +652,22 @@ type OpenStackControlPlaneStatus struct {
 	//+operator-sdk:csv:customresourcedefinitions:type=status,xDescriptors={"urn:alm:descriptor:io.kubernetes.conditions"}
 	// Conditions
 	Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`
+
+	//+operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS
+	TLS TLSStatus `json:"tls,omitempty" optional:"true"`
+}
+
+// TLSStatus defines the observed state of TLS
+type TLSStatus struct {
+	Endpoint map[service.Endpoint]TLSCAStatus `json:"endpoint,omitempty"`
+	tls.Ca   `json:",inline"`
+}
+
+// TLSCAStatus defines the observed state of TLS
+type TLSCAStatus struct {
+	Name    string `json:"name"`
+	Expires string `json:"expires"`
 }
 
 //+kubebuilder:object:root=true
@@ -748,3 +764,13 @@ func SetupDefaults() {
 
 	SetupOpenStackControlPlaneDefaults(openstackControlPlaneDefaults)
 }
+
+// Enabled - returns status of tls configuration for the passed in endpoint type
+func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
+	if t != nil {
+		if cfg, ok := t.Endpoint[service.EndpointInternal]; ok && cfg.Enabled {
+			return true
+		}
+	}
+	return false
+}

apis/go.mod

@@ -25,13 +25,14 @@ require (
 	github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240104130506-42419651f900
 	github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240103003254-97178240dd81
 	github.com/rabbitmq/cluster-operator/v2 v2.5.0
-	k8s.io/apimachinery v0.27.7
+	k8s.io/apimachinery v0.28.1
 	sigs.k8s.io/controller-runtime v0.15.1
 )
 
 require (
 	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect
 	github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.64.1-rhobs3 // indirect
 	github.com/rhobs/observability-operator v0.0.20 // indirect
@@ -78,7 +79,7 @@ require (
 	github.com/prometheus/procfs v0.11.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/oauth2 v0.12.0 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/term v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
@@ -89,26 +90,35 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.27.7
-	k8s.io/apiextensions-apiserver v0.27.7 //indirect
-	k8s.io/client-go v0.27.7
-	k8s.io/component-base v0.27.7 //indirect
+	k8s.io/api v0.28.1
+	k8s.io/apiextensions-apiserver v0.28.1 //indirect
+	k8s.io/client-go v0.28.1
+	k8s.io/component-base v0.28.1 //indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230525220651-2546d827e515 //indirect
+	k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f //indirect
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e //indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd //indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace ( //allow-merging
+	github.com/google/gnostic => github.com/google/gnostic v0.6.9
 	// pin to k8s 0.26.x for now
-	k8s.io/api => k8s.io/api v0.26.9
-	k8s.io/apimachinery => k8s.io/apimachinery v0.26.9
-	k8s.io/client-go => k8s.io/client-go v0.26.9
-	sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.14.6
+	k8s.io/api => k8s.io/api v0.26.11
+	k8s.io/apimachinery => k8s.io/apimachinery v0.26.11
+	k8s.io/client-go => k8s.io/client-go v0.26.11
+	sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.14.7
 )
 
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/stuggi/keystone-operator/api v0.0.0-20240110132207-643df3216ef6
+
+replace github.com/openstack-k8s-operators/neutron-operator/api => github.com/stuggi/neutron-operator/api v0.0.0-20240110132446-b7dd116f719a
+
+replace github.com/openstack-k8s-operators/glance-operator/api => github.com/stuggi/glance-operator/api v0.0.0-20240110132620-5095f52f92f2
+
+replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/stuggi/cinder-operator/api v0.0.0-20240110132541-fed2378a8cb1