[tlse] TLS database connection

The my.cnf file gets added to the secret holding the service configs. The content of my.cnf is centrally managed in the mariadb-operator and retrieved calling db.GetDatabaseClientConfig(tlsCfg) Depends-On: openstack-k8s-operators/mariadb-operator#190 Depends-On: openstack-k8s-operators/mariadb-operator#191 Jira: OSPRH-4547
openstack-k8s-operators · Feb 26, 2024 · c1c8160 · c1c8160
1 parent 7cfb934
commit c1c8160
Show file tree

Hide file tree

Showing 28 changed files with 306 additions and 41 deletions.
diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
@@ -47,6 +47,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
 
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
@@ -656,6 +657,7 @@ func (r *NovaReconciler) ensureNovaManageJobSecret(
 	cellTemplate novav1.NovaCellTemplate,
 	apiDBHostname string,
 	cellTransportURL string,
+	db *mariadbv1.Database,
 ) (map[string]env.Setter, string, string, error) {
 	configName := fmt.Sprintf("%s-config-data", cell.Name+"-manage")
 	scriptName := fmt.Sprintf("%s-scripts", cell.Name+"-manage")
@@ -664,6 +666,15 @@ func (r *NovaReconciler) ensureNovaManageJobSecret(
 		instance, labels.GetGroupLabel(NovaLabelPrefix), map[string]string{},
 	)
 
+	var tlsCfg *tls.Service
+	if instance.Spec.APIServiceTemplate.TLS.Ca.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
+
 	extraTemplates := map[string]string{
 		"01-nova.conf":    "/nova.conf",
 		"nova-blank.conf": "/nova-blank.conf",
@@ -719,7 +730,7 @@ func (r *NovaReconciler) ensureNovaManageJobSecret(
 			InstanceType:       "nova-manage",
 			ConfigOptions:      templateParameters,
 			Labels:             cmLabels,
-			CustomData:         map[string]string{},
+			CustomData:         extraData,
 			Annotations:        map[string]string{},
 			AdditionalTemplate: extraTemplates,
 		},
@@ -895,7 +906,7 @@ func (r *NovaReconciler) ensureCell(
 		return cell, nova.CellDeploying, err
 	}
 	configHash, scriptName, configName, err := r.ensureNovaManageJobSecret(ctx, h, instance,
-		cell, secret, cellTemplate, apiDB.GetDatabaseHostname(), cellTransportURL)
+		cell, secret, cellTemplate, apiDB.GetDatabaseHostname(), cellTransportURL, cellDB)
 	if err != nil {
 		return cell, nova.CellFailed, err
 	}

diff --git a/controllers/novaapi_controller.go b/controllers/novaapi_controller.go
@@ -47,6 +47,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
@@ -409,7 +410,6 @@ func (r *NovaAPIReconciler) generateConfigs(
 		"cell_db_password":       string(secret.Data[CellDatabasePasswordSelector]),
 		"cell_db_address":        instance.Spec.Cell0DatabaseHostname,
 		"cell_db_port":           3306,
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
@@ -432,7 +432,21 @@ func (r *NovaAPIReconciler) generateConfigs(
 		httpdVhostConfig[endpt.String()] = endptConfig
 	}
 	templateParameters["VHosts"] = httpdVhostConfig
-	extraData := map[string]string{}
+
+	db, err := mariadbv1.GetDatabaseByName(ctx, h, "nova-api")
+	if err != nil {
+		return err
+	}
+
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.Ca.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
+
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
 	}
@@ -444,7 +458,7 @@ func (r *NovaAPIReconciler) generateConfigs(
 		instance, labels.GetGroupLabel(NovaAPILabelPrefix), map[string]string{},
 	)
 
-	err := r.GenerateConfigs(
+	err = r.GenerateConfigs(
 		ctx, h, instance, nova.GetServiceConfigSecretName(instance.GetName()),
 		hashes, templateParameters, extraData, cmLabels, map[string]string{},
 	)

diff --git a/controllers/novacell_controller.go b/controllers/novacell_controller.go
@@ -770,7 +770,6 @@ func (r *NovaCellReconciler) generateComputeConfigs(
 		"keystone_internal_url":  instance.Spec.KeystoneAuthURL,
 		"nova_keystone_user":     instance.Spec.ServiceUser,
 		"nova_keystone_password": string(secret.Data[ServicePasswordSelector]),
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme

diff --git a/controllers/novacompute_controller.go b/controllers/novacompute_controller.go
@@ -314,7 +314,6 @@ func (r *NovaComputeReconciler) generateConfigs(
 		"keystone_internal_url":  instance.Spec.KeystoneAuthURL,
 		"nova_keystone_user":     instance.Spec.ServiceUser,
 		"nova_keystone_password": string(secret.Data[ServicePasswordSelector]),
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme

diff --git a/controllers/novaconductor_controller.go b/controllers/novaconductor_controller.go
@@ -45,6 +45,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/novaconductor"
 )
@@ -344,7 +345,6 @@ func (r *NovaConductorReconciler) generateConfigs(
 		"cell_db_password":       string(secret.Data[CellDatabasePasswordSelector]),
 		"cell_db_address":        instance.Spec.CellDatabaseHostname,
 		"cell_db_port":           3306,
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
@@ -358,7 +358,17 @@ func (r *NovaConductorReconciler) generateConfigs(
 		templateParameters["api_db_port"] = 3306
 	}
 
-	extraData := map[string]string{}
+	db, err := mariadbv1.GetDatabaseByName(ctx, h, "nova-"+instance.Spec.CellName)
+	if err != nil {
+		return err
+	}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
 	}

diff --git a/controllers/novametadata_controller.go b/controllers/novametadata_controller.go
@@ -46,6 +46,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/nova"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/novametadata"
@@ -382,7 +383,6 @@ func (r *NovaMetadataReconciler) generateConfigs(
 		"cell_db_password":       string(secret.Data[CellDatabasePasswordSelector]),
 		"cell_db_address":        instance.Spec.CellDatabaseHostname,
 		"cell_db_port":           3306,
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
@@ -393,16 +393,28 @@ func (r *NovaMetadataReconciler) generateConfigs(
 		"ServerName":             fmt.Sprintf("%s.%s.svc", novametadata.ServiceName, instance.Namespace),
 	}
 
+	var err error
+	var db *mariadbv1.Database
 	if instance.Spec.CellName == "" {
 		templateParameters["api_db_name"] = NovaAPIDatabaseName
 		templateParameters["api_db_user"] = instance.Spec.APIDatabaseUser // fixme
 		templateParameters["api_db_password"] = string(secret.Data[APIDatabasePasswordSelector])
 		templateParameters["api_db_address"] = instance.Spec.APIDatabaseHostname
 		templateParameters["api_db_port"] = 3306
 		templateParameters["local_metadata_per_cell"] = false
+
+		db, err = mariadbv1.GetDatabaseByName(ctx, h, "nova-api")
+		if err != nil {
+			return err
+		}
 	} else {
 		templateParameters["local_metadata_per_cell"] = true
 		templateParameters["cell_db_name"] = getCellDatabaseName(instance.Spec.CellName)
+
+		db, err = mariadbv1.GetDatabaseByName(ctx, h, "nova-"+instance.Spec.CellName)
+		if err != nil {
+			return err
+		}
 	}
 
 	// create httpd tls template parameters
@@ -412,7 +424,13 @@ func (r *NovaMetadataReconciler) generateConfigs(
 		templateParameters["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", novametadata.ServiceName)
 	}
 
-	extraData := map[string]string{}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
 	}
@@ -424,7 +442,7 @@ func (r *NovaMetadataReconciler) generateConfigs(
 		instance, labels.GetGroupLabel(NovaMetadataLabelPrefix), map[string]string{},
 	)
 
-	err := r.GenerateConfigs(
+	err = r.GenerateConfigs(
 		ctx, h, instance, nova.GetServiceConfigSecretName(instance.GetName()),
 		hashes, templateParameters, extraData, cmLabels, map[string]string{},
 	)

diff --git a/controllers/novanovncproxy_controller.go b/controllers/novanovncproxy_controller.go
@@ -43,6 +43,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/nova"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/novncproxy"
@@ -358,7 +359,17 @@ func (r *NovaNoVNCProxyReconciler) generateConfigs(
 		templateParameters["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", novncproxy.ServiceName)
 		templateParameters["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", novncproxy.ServiceName)
 	}
-	extraData := map[string]string{}
+	db, err := mariadbv1.GetDatabaseByName(ctx, h, "nova-"+instance.Spec.CellName)
+	if err != nil {
+		return err
+	}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
 	}
@@ -367,7 +378,7 @@ func (r *NovaNoVNCProxyReconciler) generateConfigs(
 		instance, labels.GetGroupLabel(NovaNoVNCProxyLabelPrefix), map[string]string{},
 	)
 
-	err := r.GenerateConfigs(
+	err = r.GenerateConfigs(
 		ctx, h, instance, nova.GetServiceConfigSecretName(instance.GetName()),
 		hashes, templateParameters, extraData, cmLabels, map[string]string{},
 	)

diff --git a/controllers/novascheduler_controller.go b/controllers/novascheduler_controller.go
@@ -43,6 +43,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/nova-operator/pkg/nova"
@@ -423,13 +424,23 @@ func (r *NovaSchedulerReconciler) generateConfigs(
 		"cell_db_password":       string(secret.Data[CellDatabasePasswordSelector]),
 		"cell_db_address":        instance.Spec.Cell0DatabaseHostname,
 		"cell_db_port":           3306,
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
 		"transport_url":          string(secret.Data[TransportURLSelector]),
 	}
-	extraData := map[string]string{}
+
+	db, err := mariadbv1.GetDatabaseByName(ctx, h, "nova-api")
+	if err != nil {
+		return err
+	}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	extraData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
 	}

diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240216173409-86913e6d5885
 	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240216173409-86913e6d5885
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240216173409-86913e6d5885
-	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240219072536-62f6b4dc7798
+	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240220132409-f96d4d040f4e
 	github.com/openstack-k8s-operators/nova-operator/api v0.0.0-20221209164002-f9e6b9363961
 	go.uber.org/zap v1.26.0
 	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a

diff --git a/go.sum b/go.sum
@@ -101,8 +101,8 @@ github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.2024021
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240216173409-86913e6d5885/go.mod h1:8QsCFttAm+X6A8I8EQThGjNjeMAYt2hK7ivbvnR3434=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240216173409-86913e6d5885 h1:ioJ2MO3vAcBkLM+0UBu5IuKW/DPXcyiNSOLq0Xvn+Nw=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240216173409-86913e6d5885/go.mod h1:82nzS+DbBe1tzaMvNHH8FctmZzQ14ZAJysFGsMJiivo=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240219072536-62f6b4dc7798 h1:zL4DdQ5HPXCLHeRMAWC2zI7ypbkZVYg3UkyEFSnzeow=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240219072536-62f6b4dc7798/go.mod h1:PDqfLbP4ZWqQHAu1OtbjfpOGQUKSzLqRJChvE/9pcyQ=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240220132409-f96d4d040f4e h1:6vqp5HZwcGvPH0MII/23iCd97T3/1HJZlONKW6LyNio=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240220132409-f96d4d040f4e/go.mod h1:PDqfLbP4ZWqQHAu1OtbjfpOGQUKSzLqRJChvE/9pcyQ=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/templates/nova-manage/config/cell-mapping-config.json b/templates/nova-manage/config/cell-mapping-config.json
@@ -25,6 +25,12 @@
             "dest": "/bin/",
             "owner": "nova",
             "perm": "0700"
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "nova",
+            "perm": "0644"
         }
     ]
 }
diff --git a/templates/nova-manage/config/host-discover-config.json b/templates/nova-manage/config/host-discover-config.json
@@ -25,6 +25,12 @@
             "dest": "/bin/",
             "owner": "nova",
             "perm": "0700"
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "nova",
+            "perm": "0644"
         }
     ]
 }
diff --git a/templates/nova.conf b/templates/nova.conf
@@ -200,13 +200,13 @@ live_migration_uri = qemu+ssh://nova@%s/system?keyfile=/var/lib/nova/.ssh/ssh-pr
 
 {{if (index . "cell_db_address")}}
 [database]
-connection = mysql+pymysql://{{ .cell_db_user }}:{{ .cell_db_password}}@{{ .cell_db_address }}/{{ .cell_db_name }}
+connection = mysql+pymysql://{{ .cell_db_user }}:{{ .cell_db_password}}@{{ .cell_db_address }}/{{ .cell_db_name }}?read_default_file=/etc/my.cnf
 {{end}}
 
 
 {{if (index . "api_db_address")}}
 [api_database]
-connection = mysql+pymysql://{{ .api_db_user }}:{{ .api_db_password }}@{{ .api_db_address }}/{{ .api_db_name }}
+connection = mysql+pymysql://{{ .api_db_user }}:{{ .api_db_password }}@{{ .api_db_address }}/{{ .api_db_name }}?read_default_file=/etc/my.cnf
 {{end}}
 
 [keystone_authtoken]

diff --git a/templates/novaapi/config/nova-api-config.json b/templates/novaapi/config/nova-api-config.json
@@ -61,6 +61,12 @@
             "owner": "nova",
             "perm": "0600",
             "optional": true
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "nova",
+            "perm": "0644"
         }
     ],
     "permissions": [

diff --git a/templates/novaconductor/config/nova-conductor-config.json b/templates/novaconductor/config/nova-conductor-config.json
@@ -19,6 +19,12 @@
             "owner": "nova",
             "perm": "0600",
             "optional": true
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "nova",
+            "perm": "0644"
         }
     ],
     "permissions": [

diff --git a/templates/novaconductor/config/nova-conductor-dbsync-config.json b/templates/novaconductor/config/nova-conductor-dbsync-config.json
@@ -25,6 +25,12 @@
             "dest": "/bin/",
             "owner": "nova",
             "perm": "0700"
+        },
+        {
+            "source": "/var/lib/openstack/config/my.cnf",
+            "dest": "/etc/my.cnf",
+            "owner": "nova",
+            "perm": "0644"
         }
     ],
     "permissions": [