WIP: neutron ovndb TLS

olliewalsh · Feb 13, 2024 · 201912e · 201912e
1 parent ca38cd1
commit 201912e
Show file tree

Hide file tree

Showing 11 changed files with 81 additions and 6 deletions.
diff --git a/api/bases/neutron.openstack.org_neutronapis.yaml b/api/bases/neutron.openstack.org_neutronapis.yaml
@@ -2234,6 +2234,15 @@ spec:
                               service
                             type: string
                         type: object
+                      ovndb:
+                        description: OVNDb GenericService - holds the secret for the
+                          OVNDb client cert
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
                       public:
                         description: Public GenericService - holds the secret for
                           the public endpoint

diff --git a/api/go.mod b/api/go.mod
@@ -69,3 +69,7 @@ require (
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/olliewalsh/ovn-operator/api v0.0.0-20240213100422-507bd67ab52e
+
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc
diff --git a/api/go.sum b/api/go.sum
@@ -218,10 +218,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc h1:6NKSOcZPQXt444Mz65hsuT7lc9pP0Rgp2T52yU88i0Y=
+github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4=
 github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240129151020-c9467a8fbbfc h1:f9E8qbACH7l9gEdZZJmOBRlUD1m5COcvNw3gW4+Ezmw=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240129151020-c9467a8fbbfc/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240129151020-c9467a8fbbfc h1:At0RB1SfDAR50H4R+SGykczEmYz8XkEJllVM5YUujAE=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240129151020-c9467a8fbbfc/go.mod h1:lf4VSkNgy2mPyf4tR5xBXs8wQU9TJ9BYfY/Ay9/JkP0=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/config/crd/bases/neutron.openstack.org_neutronapis.yaml b/config/crd/bases/neutron.openstack.org_neutronapis.yaml
@@ -2234,6 +2234,15 @@ spec:
                               service
                             type: string
                         type: object
+                      ovndb:
+                        description: OVNDb GenericService - holds the secret for the
+                          OVNDb client cert
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
                       public:
                         description: Public GenericService - holds the secret for
                           the public endpoint

diff --git a/controllers/neutronapi_controller.go b/controllers/neutronapi_controller.go
@@ -211,6 +211,7 @@ const (
 	caBundleSecretNameField = ".spec.tls.caBundleSecretName"
 	tlsAPIInternalField     = ".spec.tls.api.internal.secretName"
 	tlsAPIPublicField       = ".spec.tls.api.public.secretName"
+	tlsAPIOvnDbField        = ".spec.tls.api.ovndb.secretName"
 )
 
 var (
@@ -219,6 +220,7 @@ var (
 		caBundleSecretNameField,
 		tlsAPIInternalField,
 		tlsAPIPublicField,
+		tlsAPIOvnDbField,
 	}
 )
 
@@ -273,6 +275,18 @@ func (r *NeutronAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 		return err
 	}
 
+	// index tlsAPIOvnDbField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &neutronv1beta1.NeutronAPI{}, tlsAPIOvnDbField, func(rawObj client.Object) []string {
+		// Extract the secret name from the spec, if one is provided
+		cr := rawObj.(*neutronv1beta1.NeutronAPI)
+		if cr.Spec.TLS.API.OvnDb.SecretName == nil {
+			return nil
+		}
+		return []string{*cr.Spec.TLS.API.OvnDb.SecretName}
+	}); err != nil {
+		return err
+	}
+
 	crs := &neutronv1beta1.NeutronAPIList{}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&neutronv1beta1.NeutronAPI{}).
@@ -1337,6 +1351,7 @@ func (r *NeutronAPIReconciler) ensureExternalMetadataAgentSecret(
 	}
 	templateParameters := make(map[string]interface{})
 	templateParameters["SBConnection"] = sbEndpoint
+	templateParameters["OVNDB_TLS"] = instance.Spec.TLS.API.OvnDb.Enabled()
 
 	secretName := getMetadataAgentSecretName(instance)
 	return r.ensureExternalSecret(ctx, h, instance, secretName, templates, templateParameters, envVars)
@@ -1356,6 +1371,7 @@ func (r *NeutronAPIReconciler) ensureExternalOvnAgentSecret(
 	templateParameters := make(map[string]interface{})
 	templateParameters["NBConnection"] = nbEndpoint
 	templateParameters["SBConnection"] = sbEndpoint
+	templateParameters["OVNDB_TLS"] = instance.Spec.TLS.API.OvnDb.Enabled()
 
 	secretName := getOvnAgentSecretName(instance)
 	return r.ensureExternalSecret(ctx, h, instance, secretName, templates, templateParameters, envVars)
@@ -1482,6 +1498,7 @@ func (r *NeutronAPIReconciler) generateServiceSecrets(
 	// OVN
 	templateParameters["NBConnection"] = nbEndpoint
 	templateParameters["SBConnection"] = sbEndpoint
+	templateParameters["OVNDB_TLS"] = instance.Spec.TLS.API.OvnDb.Enabled()
 
 	// create httpd  vhost template parameters
 	httpdVhostConfig := map[string]interface{}{}

diff --git a/go.mod b/go.mod
@@ -90,3 +90,7 @@ replace github.com/openstack-k8s-operators/neutron-operator/api => ./api
 // mschuppert: map to latest commit from release-4.13 tag
 // must consistent within modules and service operators
 replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging
+
+replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/olliewalsh/ovn-operator/api v0.0.0-20240213100422-507bd67ab52e
+
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc
diff --git a/go.sum b/go.sum
@@ -228,6 +228,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc h1:6NKSOcZPQXt444Mz65hsuT7lc9pP0Rgp2T52yU88i0Y=
+github.com/olliewalsh/lib-common/modules/common v0.0.0-20240213115012-0551314fccfc/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4=
+github.com/olliewalsh/ovn-operator/api v0.0.0-20240213100422-507bd67ab52e h1:BJsLWbQ6efZUoAPIbMlbZm8ioGK1ewufLXwXigGrRQE=
+github.com/olliewalsh/ovn-operator/api v0.0.0-20240213100422-507bd67ab52e/go.mod h1:SvzwKJej1rqud9jpqkwhxytI+kk217yRPGzmevDeT8E=
 github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
 github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
@@ -238,8 +242,6 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240130110214-b
 github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240130110214-b385d2cf75fc/go.mod h1:M3859LWhTb+9zahzU3nhkrwUBvAgTmLPaG10haK9djM=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240125201204-a18a1e700034 h1:aEtjPHkCsANdkB8pirv7r9p7DE0KOBwxUvaVA5LPua8=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240125201204-a18a1e700034/go.mod h1:bgVKIMNoFsK3roq5DA8BBn3Cpxh8PRTqYhBgnlRhWvk=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240129151020-c9467a8fbbfc h1:f9E8qbACH7l9gEdZZJmOBRlUD1m5COcvNw3gW4+Ezmw=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240129151020-c9467a8fbbfc/go.mod h1:F2490pi067Cc3tU3b1nCJPfZ5bLpm+rwldEdMUPA0d4=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240129151020-c9467a8fbbfc h1:jOhkoofw3PsVJD0plX7ys2hbbUB4jMnFhDpJC2RmlgE=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240129151020-c9467a8fbbfc/go.mod h1:GammFyM5i2OY0lBEAcyEi9Gk46jXFIlD+z+JqBikfoY=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240129151020-c9467a8fbbfc h1:At0RB1SfDAR50H4R+SGykczEmYz8XkEJllVM5YUujAE=
@@ -248,8 +250,6 @@ github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.202401291510
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240129151020-c9467a8fbbfc/go.mod h1:ni4mvKeubWsTjKmcToJ+hIo7pJipM9hwiUv8qhm1R6Y=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240124160436-36095347284f h1:01HrDX32rjFdvbSOMfz0fBCfxK6Kqthv0BgvimWL7Vc=
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240124160436-36095347284f/go.mod h1:gAIo5SMvTTgUomxGC51T3PHIyremhe8xUvz2xpbuCsI=
-github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240129231730-d76ba56d1e14 h1:myQoacgZNtKCOQlpGYTXEStt+zvxw79DtiCGM987Fc4=
-github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240129231730-d76ba56d1e14/go.mod h1:STNUzUkKShzw3QbVFMajJYN+AZUME8ULoOIm1qccJxM=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

diff --git a/pkg/neutronapi/deployment.go b/pkg/neutronapi/deployment.go
@@ -112,6 +112,17 @@ func Deployment(
 		}
 	}
 
+	if instance.Spec.TLS.API.OvnDb.Enabled() {
+		svc := tls.Service{
+			SecretName: *instance.Spec.TLS.API.OvnDb.SecretName,
+			CertMount:  ptr.To("/etc/pki/tls/certs/ovn_dbs.crt"),
+			KeyMount:   ptr.To("/etc/pki/tls/private/ovn_dbs.key"),
+			CaMount:    ptr.To("/etc/pki/tls/certs/ovn_dbs_ca.crt"),
+		}
+		volumes = append(volumes, svc.CreateVolume(string(service.OvnDbCA)))
+		apiVolumeMounts = append(apiVolumeMounts, svc.CreateVolumeMounts(string(service.OvnDbCA))...)
+	}
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      ServiceName,

diff --git a/templates/neutronapi/config/01-neutron.conf b/templates/neutronapi/config/01-neutron.conf
@@ -44,6 +44,14 @@ ovn_sb_connection = {{ .SBConnection }}
 ovn_l3_scheduler = leastloaded
 ovn_metadata_enabled = True
 enable_distributed_floating_ip=True
+{{- if .OVNDB_TLS }}
+ovn_nb_private_key = /etc/pki/tls/private/ovn_dbs.key
+ovn_nb_certificate = /etc/pki/tls/certs/ovn_dbs.crt
+ovn_nb_ca_cert = /etc/pki/tls/certs/ovn_dbs_ca.crt
+ovn_sb_private_key = /etc/pki/tls/private/ovn_dbs.key
+ovn_sb_certificate = /etc/pki/tls/certs/ovn_dbs.crt
+ovn_sb_ca_cert = /etc/pki/tls/certs/ovn_dbs_ca.crt
+{{- end }}
 
 [keystone_authtoken]
 www_authenticate_uri = {{ .KeystonePublicURL }}

diff --git a/templates/ovn-agent.conf b/templates/ovn-agent.conf
@@ -1,3 +1,11 @@
 [ovn]
 ovn_nb_connection = {{ .NBConnection }}
 ovn_sb_connection = {{ .SBConnection }}
+{{- if .OVNDB_TLS }}
+ovn_nb_private_key = /etc/pki/tls/private/ovn_dbs.key
+ovn_nb_certificate = /etc/pki/tls/certs/ovn_dbs.crt
+ovn_nb_ca_cert = /etc/pki/tls/certs/ovn_dbs_ca.crt
+ovn_sb_private_key = /etc/pki/tls/private/ovn_dbs.key
+ovn_sb_certificate = /etc/pki/tls/certs/ovn_dbs.crt
+ovn_sb_ca_cert = /etc/pki/tls/certs/ovn_dbs_ca.crt
+{{- end }}
diff --git a/templates/ovn-metadata-agent.conf b/templates/ovn-metadata-agent.conf
@@ -6,3 +6,8 @@
 
 [ovn]
 ovn_sb_connection = {{ .SBConnection }}
+{{- if .OVNDB_TLS }}
+ovn_sb_private_key = /etc/pki/tls/private/ovn_dbs.key
+ovn_sb_certificate = /etc/pki/tls/certs/ovn_dbs.crt
+ovn_sb_ca_cert = /etc/pki/tls/certs/ovn_dbs_ca.crt
+{{- end }}