Merge pull request #15 from openstack-k8s-operators/lpiwowar/fix/tls-…
…certificates

Mount TLS certificates to tempest container
kopecmartin authored Dec 11, 2023
2 parents 640cbbf + 6ab25c8 commit a0b2658
Showing 3 changed files with 49 additions and 8 deletions.
13 changes: 12 additions & 1 deletion controllers/tempest_controller.go
Expand Up @@ -68,6 +68,16 @@ func (r *TempestReconciler) GetScheme() *runtime.Scheme {
return r.Scheme
}

func SecretExists(r *TempestReconciler, ctx context.Context, instance *testv1beta1.Tempest, SecretName string) bool {
secret := &corev1.Secret{}
err := r.Get(ctx, client.ObjectKey{Namespace: instance.Namespace, Name: SecretName}, secret)
if err != nil && k8s_errors.IsNotFound(err) {
return false
} else {
return true
}
}

// +kubebuilder:rbac:groups=test.openstack.org,resources=tempests,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=test.openstack.org,resources=tempests/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=test.openstack.org,resources=tempests/finalizers,verbs=update
Expand Down Expand Up @@ -340,8 +350,9 @@ func (r *TempestReconciler) reconcileNormal(ctx context.Context, instance *testv
return ctrl.Result{}, err
}

mountCerts := SecretExists(r, ctx, instance, "combined-ca-bundle")
// Define a new Job object
jobDef := tempest.Job(instance, serviceLabels)
jobDef := tempest.Job(instance, serviceLabels, mountCerts)
tempestJob := job.NewJob(
jobDef,
testv1beta1.ConfigHash,
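Review bot: `SecretExists` reports true for every error other than NotFound, so a transient API error, a timeout or a missing RBAC `get` on secrets makes the caller set `mountCerts` to true and build a Job referencing a Secret that may not be there, while the underlying error is dropped. Returning the error lets reconcileNormal requeue instead of guessing; the call site becomes `mountCerts, err := SecretExists(ctx, r, instance, "combined-ca-bundle")` followed by the same `return ctrl.Result{}, err` guard this hunk already uses two lines above. While touching it, `ctx` conventionally goes first, the parameter is `secretName` in Go naming, and the `else` after a `return` can go. reconcileNormal starts and ends outside the hunk.
```go
// SecretExists reports whether the Secret named secretName exists in the
// instance's namespace. Errors other than NotFound are returned so the
// caller can retry the reconcile instead of guessing at the answer.
func SecretExists(ctx context.Context, r *TempestReconciler, instance *testv1beta1.Tempest, secretName string) (bool, error) {
	secret := &corev1.Secret{}
	err := r.Get(ctx, client.ObjectKey{Namespace: instance.Namespace, Name: secretName}, secret)
	if err == nil {
		return true, nil
	}
	if k8s_errors.IsNotFound(err) {
		return false, nil
	}
	return false, err
}
```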
5 changes: 3 additions & 2 deletions pkg/tempest/job.go
Expand Up @@ -13,6 +13,7 @@ import (
func Job(
instance *testv1beta1.Tempest,
labels map[string]string,
mountCerts bool,
) *batchv1.Job {

envVars := map[string]env.Setter{}
Expand Down Expand Up @@ -42,7 +43,7 @@ func Job(
Image: instance.Spec.ContainerImage,
Args: []string{},
Env: env.MergeEnvs([]corev1.EnvVar{}, envVars),
VolumeMounts: GetVolumeMounts(),
VolumeMounts: GetVolumeMounts(mountCerts),
EnvFrom: []corev1.EnvFromSource{
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
Expand All @@ -61,7 +62,7 @@ func Job(
},
},
},
Volumes: GetVolumes(instance),
Volumes: GetVolumes(mountCerts, instance),
},
},
},
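Review bot: The new flag is threaded in a different position in each call: `Job(instance, labels, mountCerts)` appends it last, `GetVolumes(mountCerts, instance)` puts it first, and `GetVolumeMounts(mountCerts)` has it alone. Appending it as the trailing parameter in GetVolumes as well, `Volumes: GetVolumes(instance, mountCerts),`, keeps the three signatures parallel and makes future call sites easier to read. The new `mountCerts` parameter also deserves a line in Job's doc comment, which, if present, sits above this hunk, e.g. `// mountCerts adds the combined-ca-bundle Secret as a read-only volume in the tempest container.`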
39 changes: 34 additions & 5 deletions pkg/tempest/volumes.go
Expand Up @@ -6,13 +6,14 @@ import (
)

// GetVolumes -
func GetVolumes(instance *testv1beta1.Tempest) []corev1.Volume {
func GetVolumes(mountCerts bool, instance *testv1beta1.Tempest) []corev1.Volume {

var scriptsVolumeDefaultMode int32 = 0755
var scriptsVolumeConfidentialMode int32 = 0420
var tlsCertificateMode int32 = 0444

//source_type := corev1.HostPathDirectoryOrCreate
return []corev1.Volume{
volumes := []corev1.Volume{
{
Name: "etc-machine-id",
VolumeSource: corev1.VolumeSource{
Expand Down Expand Up @@ -66,18 +67,33 @@ func GetVolumes(instance *testv1beta1.Tempest) []corev1.Volume {
Name: "openstack-config-secret",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
DefaultMode: &scriptsVolumeConfidentialMode,
DefaultMode: &tlsCertificateMode,
SecretName: "openstack-config-secret",
},
},
},
}

if mountCerts {
caCertsVolume := corev1.Volume{
Name: "ca-certs",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
DefaultMode: &scriptsVolumeConfidentialMode,
SecretName: "combined-ca-bundle",
},
},
}

volumes = append(volumes, caCertsVolume)
}

return volumes
}

// GetVolumeMounts -
func GetVolumeMounts() []corev1.VolumeMount {
return []corev1.VolumeMount{
func GetVolumeMounts(mountCerts bool) []corev1.VolumeMount {
volumeMounts := []corev1.VolumeMount{
{
Name: "etc-machine-id",
MountPath: "/etc/machine-id",
Expand Down Expand Up @@ -111,4 +127,17 @@ func GetVolumeMounts() []corev1.VolumeMount {
SubPath: "secure.yaml",
},
}

if mountCerts {
caCertVolumeMount := corev1.VolumeMount{
Name: "ca-certs",
MountPath: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
ReadOnly: true,
SubPath: "tls-ca-bundle.pem",
}

volumeMounts = append(volumeMounts, caCertVolumeMount)
}

return volumeMounts
}
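Review bot: The mode change on the `openstack-config-secret` volume, `DefaultMode: &tlsCertificateMode,`, loosens that Secret from 0420 to 0444, so the credentials in secure.yaml become readable by every uid in the container, while the new `ca-certs` volume — public CA material — gets the stricter `scriptsVolumeConfidentialMode`; the two look swapped and the first is unrelated to mounting certificates. Keep `DefaultMode: &scriptsVolumeConfidentialMode,` on `openstack-config-secret` and use `DefaultMode: &tlsCertificateMode,` on `ca-certs`. The name `combined-ca-bundle` is now duplicated between this file and the controller's SecretExists call; one exported constant would keep the existence check and the mount from drifting apart. A `SubPath` mount of a Secret does not receive later updates to that Secret, so a rotated CA bundle only reaches the container when the Job pod is recreated — worth a one-line comment on the `ca-certs` mount.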
