Skip to content

Commit

Permalink
WIP: neutron ovndb TLS
Browse files Browse the repository at this point in the history
  • Loading branch information
olliewalsh committed Feb 22, 2024
1 parent 393ec47 commit c0bb553
Show file tree
Hide file tree
Showing 15 changed files with 114 additions and 13 deletions.
8 changes: 8 additions & 0 deletions api/bases/neutron.openstack.org_neutronapis.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2250,6 +2250,14 @@ spec:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
ovndb:
description: OvnDb GenericService - holds the secret for the OvnDb
client cert
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
required:
- containerImage
Expand Down
4 changes: 3 additions & 1 deletion api/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ require (
github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240216173409-86913e6d5885
k8s.io/api v0.28.3
k8s.io/apimachinery v0.28.3
sigs.k8s.io/controller-runtime v0.16.4
sigs.k8s.io/controller-runtime v0.16.5
)

require (
Expand Down Expand Up @@ -69,3 +69,5 @@ require (
// mschuppert: map to latest commit from release-4.13 tag
// must consistent within modules and service operators
replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging

replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/olliewalsh/ovn-operator/api v0.0.0-20240222124732-399c6e87921f
4 changes: 2 additions & 2 deletions api/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -179,8 +179,8 @@ k8s.io/kube-openapi v0.0.0-20240209001042-7a0d5b415232 h1:MMq4iF9pHuAz/9dLnHwBQK
k8s.io/kube-openapi v0.0.0-20240209001042-7a0d5b415232/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/controller-runtime v0.16.4 h1:XMh7dF19MlyvMfQCHvH929YGg2WFrIuJ4N5sx3G7U+k=
sigs.k8s.io/controller-runtime v0.16.4/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw=
sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
Expand Down
18 changes: 18 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions config/crd/bases/neutron.openstack.org_neutronapis.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2250,6 +2250,14 @@ spec:
description: CaBundleSecretName - holding the CA certs in a pre-created
bundle file
type: string
ovndb:
description: OvnDb GenericService - holds the secret for the OvnDb
client cert
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
required:
- containerImage
Expand Down
17 changes: 17 additions & 0 deletions controllers/neutronapi_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -212,13 +212,15 @@ const (
caBundleSecretNameField = ".spec.tls.caBundleSecretName"
tlsAPIInternalField = ".spec.tls.api.internal.secretName"
tlsAPIPublicField = ".spec.tls.api.public.secretName"
tlsAPIOvnDbField = ".spec.tls.api.ovndb.secretName"
)

var allWatchFields = []string{
passwordSecretField,
caBundleSecretNameField,
tlsAPIInternalField,
tlsAPIPublicField,
tlsAPIOvnDbField,
}

// SetupWithManager -
Expand Down Expand Up @@ -271,6 +273,18 @@ func (r *NeutronAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
return err
}

// index tlsAPIOvnDbField
if err := mgr.GetFieldIndexer().IndexField(context.Background(), &neutronv1beta1.NeutronAPI{}, tlsAPIOvnDbField, func(rawObj client.Object) []string {
// Extract the secret name from the spec, if one is provided
cr := rawObj.(*neutronv1beta1.NeutronAPI)
if cr.Spec.TLS.OvnDb.SecretName == nil {
return nil
}
return []string{*cr.Spec.TLS.OvnDb.SecretName}
}); err != nil {
return err
}

crs := &neutronv1beta1.NeutronAPIList{}
return ctrl.NewControllerManagedBy(mgr).
For(&neutronv1beta1.NeutronAPI{}).
Expand Down Expand Up @@ -1336,6 +1350,7 @@ func (r *NeutronAPIReconciler) ensureExternalMetadataAgentSecret(
}
templateParameters := make(map[string]interface{})
templateParameters["SBConnection"] = sbEndpoint
templateParameters["OVNDB_TLS"] = instance.Spec.TLS.OvnDb.Enabled()

secretName := getMetadataAgentSecretName(instance)
return r.ensureExternalSecret(ctx, h, instance, secretName, templates, templateParameters, envVars)
Expand All @@ -1355,6 +1370,7 @@ func (r *NeutronAPIReconciler) ensureExternalOvnAgentSecret(
templateParameters := make(map[string]interface{})
templateParameters["NBConnection"] = nbEndpoint
templateParameters["SBConnection"] = sbEndpoint
templateParameters["OVNDB_TLS"] = instance.Spec.TLS.OvnDb.Enabled()

secretName := getOvnAgentSecretName(instance)
return r.ensureExternalSecret(ctx, h, instance, secretName, templates, templateParameters, envVars)
Expand Down Expand Up @@ -1481,6 +1497,7 @@ func (r *NeutronAPIReconciler) generateServiceSecrets(
// OVN
templateParameters["NBConnection"] = nbEndpoint
templateParameters["SBConnection"] = sbEndpoint
templateParameters["OVNDB_TLS"] = instance.Spec.TLS.OvnDb.Enabled()

// create httpd vhost template parameters
httpdVhostConfig := map[string]interface{}{}
Expand Down
4 changes: 3 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ require (
k8s.io/apimachinery v0.28.3
k8s.io/client-go v0.28.3
k8s.io/utils v0.0.0-20240102154912-e7106e64919e
sigs.k8s.io/controller-runtime v0.16.4
sigs.k8s.io/controller-runtime v0.16.5
)

require (
Expand Down Expand Up @@ -89,3 +89,5 @@ replace github.com/openstack-k8s-operators/neutron-operator/api => ./api
// mschuppert: map to latest commit from release-4.13 tag
// must consistent within modules and service operators
replace github.com/openshift/api => github.com/openshift/api v0.0.0-20230414143018-3367bc7e6ac7 //allow-merging

replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/olliewalsh/ovn-operator/api v0.0.0-20240222124732-399c6e87921f
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/olliewalsh/ovn-operator/api v0.0.0-20240222124732-399c6e87921f h1:byErqc1HAq7IIw8s+sjYTEbCX+BKrVc5UeGRRx3rCao=
github.com/olliewalsh/ovn-operator/api v0.0.0-20240222124732-399c6e87921f/go.mod h1:m/5jovuZ3Y1/Uy2af8RqxWhe3+bWn7QIFXH4amKBdmY=
github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
Expand All @@ -92,8 +94,6 @@ github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.202402161734
github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240216173409-86913e6d5885/go.mod h1:82nzS+DbBe1tzaMvNHH8FctmZzQ14ZAJysFGsMJiivo=
github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240215091212-cbf2ad281f43 h1:azblrnuVV8sLWihuqS7lJMrwpo1dtB1K5vvkug0agw4=
github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240215091212-cbf2ad281f43/go.mod h1:52Ja/B4RrrytMmKh+Kf+/BPe7Fq40Pi77vcFH4yJeoU=
github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240216200042-7835df58ed0c h1:cwJ5rW8umVVYi9PXOIW2G2w7FO9G0yXwKQlcRt+hqwA=
github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240216200042-7835df58ed0c/go.mod h1:h0tc1Gz7eXL9A9VgY4yUjtufGrIg/L/7Ckinat3nca8=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
Expand Down Expand Up @@ -217,8 +217,8 @@ k8s.io/kube-openapi v0.0.0-20240209001042-7a0d5b415232 h1:MMq4iF9pHuAz/9dLnHwBQK
k8s.io/kube-openapi v0.0.0-20240209001042-7a0d5b415232/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/controller-runtime v0.16.4 h1:XMh7dF19MlyvMfQCHvH929YGg2WFrIuJ4N5sx3G7U+k=
sigs.k8s.io/controller-runtime v0.16.4/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
sigs.k8s.io/controller-runtime v0.16.5 h1:yr1cEJbX08xsTW6XEIzT13KHHmIyX8Umvme2cULvFZw=
sigs.k8s.io/controller-runtime v0.16.5/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
Expand Down
9 changes: 9 additions & 0 deletions pkg/neutronapi/deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,15 @@ func Deployment(
}
}

if instance.Spec.TLS.OvnDb.Enabled() {
svc := tls.Service{
SecretName: *instance.Spec.TLS.OvnDb.SecretName,
CaMount: ptr.To("/var/lib/config-data/tls/certs/ovndbca.crt"),
}
volumes = append(volumes, svc.CreateVolume("ovndb"))
apiVolumeMounts = append(apiVolumeMounts, svc.CreateVolumeMounts("ovndb")...)
}

deployment := &appsv1.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: ServiceName,
Expand Down
2 changes: 1 addition & 1 deletion pkg/neutronapi/volumes.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ func GetVolumeMounts(serviceName string, extraVol []neutronv1beta1.NeutronExtraV
res := []corev1.VolumeMount{
{
Name: "config",
MountPath: "/var/lib/config-data",
MountPath: "/var/lib/config-data/default",
ReadOnly: true,
},
{
Expand Down
8 changes: 8 additions & 0 deletions templates/neutronapi/config/01-neutron.conf
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,14 @@ ovn_sb_connection = {{ .SBConnection }}
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True
enable_distributed_floating_ip=True
{{- if .OVNDB_TLS }}
ovn_nb_private_key = /etc/pki/tls/private/ovndb.key
ovn_nb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_nb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
ovn_sb_private_key = /etc/pki/tls/private/ovndb.key
ovn_sb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_sb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
{{- end }}

[keystone_authtoken]
www_authenticate_uri = {{ .KeystonePublicURL }}
Expand Down
4 changes: 2 additions & 2 deletions templates/neutronapi/config/db-sync-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@
"command": "neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-dir /etc/neutron/neutron.conf.d upgrade heads",
"config_files": [
{
"source": "/var/lib/config-data/01-neutron.conf",
"source": "/var/lib/config-data/default/01-neutron.conf",
"dest": "/etc/neutron/neutron.conf.d/01-neutron.conf",
"owner": "root:neutron",
"perm": "0640"
},
{
"source": "/var/lib/config-data/02-neutron-custom.conf",
"source": "/var/lib/config-data/default/02-neutron-custom.conf",
"dest": "/etc/neutron/neutron.conf.d/02-neutron-custom.conf",
"owner": "root:neutron",
"perm": "0640"
Expand Down
20 changes: 18 additions & 2 deletions templates/neutronapi/config/neutron-api-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,32 @@
"command": "/usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-dir /etc/neutron/neutron.conf.d",
"config_files": [
{
"source": "/var/lib/config-data/01-neutron.conf",
"source": "/var/lib/config-data/default/01-neutron.conf",
"dest": "/etc/neutron/neutron.conf.d/01-neutron.conf",
"owner": "root:neutron",
"perm": "0640"
},
{
"source": "/var/lib/config-data/02-neutron-custom.conf",
"source": "/var/lib/config-data/default/02-neutron-custom.conf",
"dest": "/etc/neutron/neutron.conf.d/02-neutron-custom.conf",
"owner": "root:neutron",
"perm": "0640"
},
{
"source": "/var/lib/config-data/tls/certs/*",
"dest": "/etc/pki/tls/certs/",
"owner": "root:neutron",
"perm": "0640",
"optional": true,
"merge": true
},
{
"source": "/var/lib/config-data/tls/private/*",
"dest": "/etc/pki/tls/private/",
"owner": "root:neutron",
"perm": "0640",
"optional": true,
"merge": true
}
]
}
8 changes: 8 additions & 0 deletions templates/ovn-agent.conf
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
[ovn]
ovn_nb_connection = {{ .NBConnection }}
ovn_sb_connection = {{ .SBConnection }}
{{- if .OVNDB_TLS }}
ovn_nb_private_key = /etc/pki/tls/private/ovndb.key
ovn_nb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_nb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
ovn_sb_private_key = /etc/pki/tls/private/ovndb.key
ovn_sb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_sb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
{{- end }}
5 changes: 5 additions & 0 deletions templates/ovn-metadata-agent.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,8 @@

[ovn]
ovn_sb_connection = {{ .SBConnection }}
{{- if .OVNDB_TLS }}
ovn_sb_private_key = /etc/pki/tls/private/ovndb.key
ovn_sb_certificate = /etc/pki/tls/certs/ovndb.crt
ovn_sb_ca_cert = /etc/pki/tls/certs/ovndbca.crt
{{- end }}

0 comments on commit c0bb553

Please sign in to comment.