[tls] nova novncproxy to support vencrypt #748

Merged
merged 2 commits into from
Apr 26, 2024
28 changes: 26 additions & 2 deletions api/bases/nova.openstack.org_nova.yaml
Expand Up @@ -1086,9 +1086,33 @@ spec:
in a pre-created bundle file
type: string
secretName:
description: SecretName - holding the cert, key for
the service
description: 'SecretName - holding the cert, key for
the service Deprecated: will be removed in a follow
up'
type: string
service:
description: Service - Cert secret used for the nova
novnc service endpoint
properties:
secretName:
description: SecretName - holding the cert, key
for the service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509
certificate to be presented to the VNC server. The
CommonName field should match the primary hostname
of the controller node. If using a HA deployment,
the Organization field can also be configured to a
value that is common across all console proxy instances
in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key
for the service
type: string
type: object
type: object
type: object
nodeSelector:
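Review bot: the regenerated `secretName` description at the top of this hunk runs two sentences together ('holding the cert, key for the service Deprecated: will be removed in a follow up') because the Go doc comment has no terminating punctuation before 'Deprecated:'; end the first sentence with a period in `TLSSection.SecretName` so controller-gen emits readable text. The identical string appears in the novacells and novanovncproxies CRDs and again under config/crd/bases, so fix it in the Go type and regenerate rather than touching the YAML by hand.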
25 changes: 24 additions & 1 deletion api/bases/nova.openstack.org_novacells.yaml
Expand Up @@ -732,8 +732,31 @@ spec:
a pre-created bundle file
type: string
secretName:
description: SecretName - holding the cert, key for the service
description: 'SecretName - holding the cert, key for the service
Deprecated: will be removed in a follow up'
type: string
service:
description: Service - Cert secret used for the nova novnc
service endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509 certificate
to be presented to the VNC server. The CommonName field
should match the primary hostname of the controller node.
If using a HA deployment, the Organization field can also
be configured to a value that is common across all console
proxy instances in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
type: object
nodeSelector:
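Review bot: the `vencrypt` description in this hunk says what the certificate's CommonName and Organization must be but not what the secret must contain; the `service` entry is understood to be a tls.crt/tls.key pair for the k8s endpoint, whereas a VeNCrypt client needs a client certificate and key plus the CA it uses to verify the compute node's VNC server, and the linked Nova page configures those as separate files. Spell out in the description which keys the vencrypt secret holds and whether the CA for verifying the VNC server comes from this secret or from the inline `caBundleSecretName`, so users do not have to guess at the layout.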
23 changes: 22 additions & 1 deletion api/bases/nova.openstack.org_novanovncproxies.yaml
Expand Up @@ -337,8 +337,29 @@ spec:
bundle file
type: string
secretName:
description: SecretName - holding the cert, key for the service
description: 'SecretName - holding the cert, key for the service
Deprecated: will be removed in a follow up'
type: string
service:
description: Service - Cert secret used for the nova novnc service
endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509 certificate
to be presented to the VNC server. The CommonName field should
match the primary hostname of the controller node. If using
a HA deployment, the Organization field can also be configured
to a value that is common across all console proxy instances
in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
required:
- cellDatabaseHostname
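Review bot: `secretName` stays in the schema as deprecated next to `service.secretName`, and nothing in this CRD says which one is used when both are set or rejects the combination. Add a `+kubebuilder:validation:XValidation` rule on the tls object (or a webhook check) that rejects `secretName` together with `service.secretName`, so a half-migrated CR fails validation instead of silently picking one certificate.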
30 changes: 28 additions & 2 deletions api/v1beta1/novanovncproxy_types.go
Expand Up @@ -75,7 +75,33 @@ type NovaNoVNCProxyTemplate struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.SimpleService `json:"tls,omitempty"`
TLS TLSSection `json:"tls"`
}

// TLSSection defines the desired state of TLS configuration
type TLSSection struct {
// +kubebuilder:validation:Optional
// SecretName - holding the cert, key for the service
// Deprecated: will be removed in a follow up
SecretName *string `json:"secretName,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Service - Cert secret used for the nova novnc service endpoint
Service tls.GenericService `json:"service,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// Vencrypt - cert secret containing the x509 certificate to be presented to the VNC server.
// The CommonName field should match the primary hostname of the controller node. If using a HA deployment,
// the Organization field can also be configured to a value that is common across all console proxy instances in the deployment.
// https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
Vencrypt tls.GenericService `json:"vencrypt,omitempty"`

// +kubebuilder:validation:optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Secret containing CA bundle
tls.Ca `json:",inline"`
}

// VNCProxyOverrideSpec to override the generated manifest of several child resources.
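Review bot: the markers in the new `TLSSection` are inconsistent: `SecretName` carries `+kubebuilder:validation:Optional`, while `Service`, `Vencrypt` and the inline `tls.Ca` use lowercase `optional` and `//+operator-sdk:` with no space. controller-gen looks markers up by exact name, so the lowercase form is not the registered marker and those fields are optional only because that is the default; use `Optional` and `// +operator-sdk:` throughout to match the rest of the file. Separately, dropping `omitempty` from `json:"tls"` changes nothing for a struct value (it only applies to pointers, zero scalars and empty collections), so either make the field `*TLSSection` if the section is meant to be omitted, or leave the tag alone to avoid an unrelated diff.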
Expand Down Expand Up @@ -135,7 +161,7 @@ type NovaNoVNCProxySpec struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.SimpleService `json:"tls,omitempty"`
TLS TLSSection `json:"tls"`

// +kubebuilder:validation:Required
// MemcachedInstance is the name of the Memcached CR that all nova service will use.
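Review bot: `NovaNoVNCProxySpec.TLS` is the copy of `NovaNoVNCProxyTemplate.TLS` that the Nova and NovaCell controllers fill in, and the files shown here include no controller change, so please point to where `Service.SecretName`, `Vencrypt.SecretName` and the inline CA are copied into the child CR and where the vencrypt secret is mounted and rendered into nova.conf. A template that still sets the deprecated `tls.secretName` should be mapped onto `service.secretName` (or rejected) during the deprecation window; otherwise a deployment upgraded with only the old field set depends on the controller still reading a field that is marked for removal, with no status condition saying so.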
23 changes: 23 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


28 changes: 26 additions & 2 deletions config/crd/bases/nova.openstack.org_nova.yaml
Expand Up @@ -1086,9 +1086,33 @@ spec:
in a pre-created bundle file
type: string
secretName:
description: SecretName - holding the cert, key for
the service
description: 'SecretName - holding the cert, key for
the service Deprecated: will be removed in a follow
up'
type: string
service:
description: Service - Cert secret used for the nova
novnc service endpoint
properties:
secretName:
description: SecretName - holding the cert, key
for the service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509
certificate to be presented to the VNC server. The
CommonName field should match the primary hostname
of the controller node. If using a HA deployment,
the Organization field can also be configured to a
value that is common across all console proxy instances
in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key
for the service
type: string
type: object
type: object
type: object
nodeSelector:
25 changes: 24 additions & 1 deletion config/crd/bases/nova.openstack.org_novacells.yaml
Expand Up @@ -732,8 +732,31 @@ spec:
a pre-created bundle file
type: string
secretName:
description: SecretName - holding the cert, key for the service
description: 'SecretName - holding the cert, key for the service
Deprecated: will be removed in a follow up'
type: string
service:
description: Service - Cert secret used for the nova novnc
service endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509 certificate
to be presented to the VNC server. The CommonName field
should match the primary hostname of the controller node.
If using a HA deployment, the Organization field can also
be configured to a value that is common across all console
proxy instances in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key for the
service
type: string
type: object
type: object
type: object
nodeSelector:
23 changes: 22 additions & 1 deletion config/crd/bases/nova.openstack.org_novanovncproxies.yaml
Expand Up @@ -337,8 +337,29 @@ spec:
bundle file
type: string
secretName:
description: SecretName - holding the cert, key for the service
description: 'SecretName - holding the cert, key for the service
Deprecated: will be removed in a follow up'
type: string
service:
description: Service - Cert secret used for the nova novnc service
endpoint
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
vencrypt:
description: Vencrypt - cert secret containing the x509 certificate
to be presented to the VNC server. The CommonName field should
match the primary hostname of the controller node. If using
a HA deployment, the Organization field can also be configured
to a value that is common across all console proxy instances
in the deployment. https://docs.openstack.org/nova/latest/admin/remote-console-access.html#novnc-proxy-server-configuration
properties:
secretName:
description: SecretName - holding the cert, key for the service
type: string
type: object
type: object
required:
- cellDatabaseHostname
8 changes: 6 additions & 2 deletions config/samples/nova_v1beta1_nova-multi-cell-metadata_tls.yaml
Expand Up @@ -38,5 +38,9 @@ spec:
tls:
# secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
caBundleSecretName: combined-ca-bundle
# secret holding tls.crt and tls.key for the novncproxy k8s service
secretName: cert-nova-novncproxy-cell1-public-svc
service:
# secret holding tls.crt and tls.key for the novncproxy k8s service
secretName: cert-nova-novncproxy-cell1-public-svc
vencrypt:
# secret holding tls.crt and tls.key used for vencrypt to authenticate to the vnc server
secretName: cert-nova-novncproxy-cell1-vencrypt
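Review bot: the new `vencrypt.secretName` in this sample points at `cert-nova-novncproxy-cell1-vencrypt` without saying how that secret is issued, and the CRD description gives it constraints the service certificate does not have (CommonName equal to the controller's primary hostname, or a shared Organization in an HA deployment), so a Certificate cloned from the public-svc one with the service DNS name as its subject does not meet them. Add that requirement to the comment above `secretName:` or include the Certificate resource in the sample. Nit in the context line: 'deploymend' should be 'deployment' (same typo in the nova-multi-cell-tls sample).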
8 changes: 6 additions & 2 deletions config/samples/nova_v1beta1_nova-multi-cell-tls.yaml
Expand Up @@ -36,5 +36,9 @@ spec:
tls:
# secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
caBundleSecretName: combined-ca-bundle
# secret holding tls.crt and tls.key for the novncproxy k8s service
secretName: cert-nova-novncproxy-cell1-public-svc
service:
# secret holding tls.crt and tls.key for the novncproxy k8s service
secretName: cert-nova-novncproxy-cell1-public-svc
vencrypt:
# secret holding tls.crt and tls.key used for vencrypt to authenticate to the vnc server
secretName: cert-nova-novncproxy-cell1-vencrypt
13 changes: 7 additions & 6 deletions controllers/common.go
Expand Up @@ -89,12 +89,13 @@ const (
TransportURLSelector = "transport_url"

// fields to index to reconcile when change
passwordSecretField = ".spec.secret"
caBundleSecretNameField = ".spec.tls.caBundleSecretName"
tlsAPIInternalField = ".spec.tls.api.internal.secretName"
tlsAPIPublicField = ".spec.tls.api.public.secretName"
tlsMetadataField = ".spec.tls.secretName"
tlsNoVNCProxyField = ".spec.tls.secretName"
passwordSecretField = ".spec.secret"
caBundleSecretNameField = ".spec.tls.caBundleSecretName"
tlsAPIInternalField = ".spec.tls.api.internal.secretName"
tlsAPIPublicField = ".spec.tls.api.public.secretName"
tlsMetadataField = ".spec.tls.secretName"
tlsNoVNCProxyServiceField = ".spec.tls.service.secretName"
tlsNoVNCProxyVencryptField = ".spec.tls.vencrypt.secretName"

// NovaAPIDatabaseName is the name of the DB schema created for the
// top level nova DB
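Review bot: `tlsNoVNCProxyField` (`.spec.tls.secretName`) is replaced rather than kept, but the NoVNCProxy CR still accepts the deprecated `tls.secretName`; if the controller keeps honoring that field during the deprecation window, nothing indexes it any more, so rotating that secret will no longer requeue the CR. Either keep an index for the deprecated path until the field is removed, or stop reading it in the controller. Also, `tlsMetadataField` and the old `tlsNoVNCProxyField` were the same string, and now they diverge; double-check that every place that used `tlsNoVNCProxyField` (the field indexer registration and the secret watch mapping, not shown here) registers both `tlsNoVNCProxyServiceField` and `tlsNoVNCProxyVencryptField`.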