[tls] nova novncproxy vencrypt support

Issues a certificate for nova novncproxy if PodLevel tls is enabled
and configures it as vencrypt secret on the novnc proxy.

Depends-On: openstack-k8s-operators#779
Depends-On: openstack-k8s-operators/nova-operator#748
Depends-On: openstack-k8s-operators/dataplane-operator#862

JIRA: OSPRH-6552

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -9921,6 +9921,16 @@ spec:
                                       type: string
                                     secretName:
                                       type: string
+                                    service:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
+                                    vencrypt:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
                                   type: object
                               type: object
                             nodeSelector:

apis/go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240424092810-87ed196e2fec
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-ce9687c332d9
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c
-	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8
+	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3
 	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce
 	github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240425195417-eba51128fa54
 	github.com/openstack-k8s-operators/placement-operator/api v0.3.1-0.20240425062216-cb62011778f8

apis/go.sum

@@ -103,8 +103,8 @@ github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-ce9687c332d9/go.mod h1:2wiOEd5wTbKQ00Js5pZx1ePwMM6xBkuZE+G4J38aYi0=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c h1:sIYwo5JcIQ4023IAV+jgzY58dKQb+fIsN0bYWE6EsRM=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c/go.mod h1:G7LfIV+CFmhmuWv+auNBs3hiPAWR5o9EY8dunWlCSQQ=
-github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8 h1:30BOoT92k5YxeRNQmDenGZKzibsshnLMrcmXC5gSAAo=
-github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
+github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3 h1:fhlylDNkFV3ZUnd5t1vEFQf/09pnq3EEQkjJXDvAeNA=
+github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce h1:c/8rvmnd6jYpE9w7Ic72fD+eCqn5Sem98hACBR6vMBc=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/ovn-operator/api v0.3.1-0.20240425195417-eba51128fa54 h1:4gJQ6d3vP9t/NVfYOAOZP8MFx3W1FK0H9yyGpEIhNlY=

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -9921,6 +9921,16 @@ spec:
                                       type: string
                                     secretName:
                                       type: string
+                                    service:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
+                                    vencrypt:
+                                      properties:
+                                        secretName:
+                                          type: string
+                                      type: object
                                   type: object
                               type: object
                             nodeSelector:

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/openshift/api v3.9.0+incompatible
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240423101259-62edc96e695f
 	github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240425145843-86b883b8bb8f
-	github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426064845-1441cbce5e69
+	github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426183301-986a97870890
 	github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240425112656-c92ba51ac5b9
 	github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240424153927-5b4c1b78d319
 	github.com/openstack-k8s-operators/heat-operator/api v0.3.1-0.20240425130031-db26fbb566c2
@@ -28,7 +28,7 @@ require (
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240424092810-87ed196e2fec
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-ce9687c332d9
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c
-	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8
+	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3
 	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce
 	github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240424152826-ca1ade1c04a5
 	github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.3.1-0.20240422041901-293e48aceb9b

go.sum

@@ -100,8 +100,8 @@ github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240423101259-6
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240423101259-62edc96e695f/go.mod h1:d4lFj3oT9ZReHGT/ngbF8ViVnv3vnHs/nemKVubkBGA=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240425145843-86b883b8bb8f h1:Uy3ilfnNlSCQrwRxgqu+BnSBrnNSiUml6J3Ccrgn/as=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240425145843-86b883b8bb8f/go.mod h1:p0UgdOEWu80NP7dzi2s134ojTcMtz2zAgiMbkshw66w=
-github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426064845-1441cbce5e69 h1:K3Ick9K8MMuNfPJGwY8ZcArEIimbbezHyMf7pv7dXZw=
-github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426064845-1441cbce5e69/go.mod h1:qjz8cSVQEDiZOTpOeMHu+vg9Zuvasenrjo7+KtNQwhk=
+github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426183301-986a97870890 h1:1/QGbjldjBGhzMXtihiOCBImXDUBEIMpRLk0fVPue30=
+github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240426183301-986a97870890/go.mod h1:qjz8cSVQEDiZOTpOeMHu+vg9Zuvasenrjo7+KtNQwhk=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240425112656-c92ba51ac5b9 h1:Q97c7T0PyHdxYMx8navS0bvNEljwjUuSQ5or6mXES+8=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240425112656-c92ba51ac5b9/go.mod h1:SHv9v0wscyVv0yT3VD2UuPvw+kwRAEX/x/8fbnfZVpo=
 github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240424153927-5b4c1b78d319 h1:Z+8p3+ZYjbRoy7BecJA+a9NBua4FIFHFrW06T4+554Y=
@@ -132,8 +132,8 @@ github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-
 github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240423084440-ce9687c332d9/go.mod h1:2wiOEd5wTbKQ00Js5pZx1ePwMM6xBkuZE+G4J38aYi0=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c h1:sIYwo5JcIQ4023IAV+jgzY58dKQb+fIsN0bYWE6EsRM=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240423000317-4ab0461c4f4c/go.mod h1:G7LfIV+CFmhmuWv+auNBs3hiPAWR5o9EY8dunWlCSQQ=
-github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8 h1:30BOoT92k5YxeRNQmDenGZKzibsshnLMrcmXC5gSAAo=
-github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426074346-678d5ccf0cb8/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
+github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3 h1:fhlylDNkFV3ZUnd5t1vEFQf/09pnq3EEQkjJXDvAeNA=
+github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240426142557-58dd2ab359c3/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce h1:c/8rvmnd6jYpE9w7Ic72fD+eCqn5Sem98hACBR6vMBc=
 github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240425132514-782502386dce/go.mod h1:EZymlUAhQzGNIAGrpGZ5P6oqfq2IhqY2lNPKLG9iKh8=
 github.com/openstack-k8s-operators/openstack-ansibleee-operator/api v0.3.1-0.20240424152826-ca1ade1c04a5 h1:hh0Ob81OSzP7lR14oGPzzLbbCHfTWDphlosuoQBnJTk=

pkg/openstack/nova.go

@@ -29,6 +29,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	novav1 "github.com/openstack-k8s-operators/nova-operator/api/v1beta1"
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
@@ -240,7 +241,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 					tls.API{
 						API: tls.APIService{
 							Public: tls.GenericService{
-								SecretName: cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName,
+								SecretName: cellTemplate.NoVNCProxyServiceTemplate.TLS.Service.SecretName,
 							},
 						},
 					},
@@ -254,8 +255,44 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 				routedOverrideSpec := endpointDetails.GetEndpointServiceOverrides()
 				cellTemplate.NoVNCProxyServiceTemplate.Override.Service = ptr.To(routedOverrideSpec[service.EndpointPublic])
 				// update NoVNCProxy cert secret
-				cellTemplate.NoVNCProxyServiceTemplate.TLS.SecretName =
+				cellTemplate.NoVNCProxyServiceTemplate.TLS.Service.SecretName =
 					endpointDetails.GetEndptCertSecret(service.EndpointPublic)
+
+				// create novncproxy vencrypt cert
+				if instance.Spec.TLS.PodLevel.Enabled {
+					serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
+					certRequest := certmanager.CertificateRequest{
+						IssuerName: instance.GetLibvirtIssuer(),
+						CertName:   nova.Name + "-novncproxy-" + cellName + "-vencrypt",
+						CommonName: ptr.To(fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)),
+						Subject: &certmgrv1.X509Subject{
+							Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
+						},
+						Usages: []certmgrv1.KeyUsage{
+							certmgrv1.UsageKeyEncipherment,
+							certmgrv1.UsageDigitalSignature,
+							certmgrv1.UsageServerAuth,
+							certmgrv1.UsageClientAuth,
+						},
+					}
+					if instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration != nil {
+						certRequest.Duration = &instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration.Duration
+					}
+					if instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore != nil {
+						certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore.Duration
+					}
+					certSecret, ctrlResult, err := certmanager.EnsureCert(
+						ctx,
+						helper,
+						certRequest,
+						nil)
+					if err != nil {
+						return ctrlResult, err
+					} else if (ctrlResult != ctrl.Result{}) {
+						return ctrlResult, nil
+					}
+					cellTemplate.NoVNCProxyServiceTemplate.TLS.Vencrypt.SecretName = &certSecret.Name
+				}
 			}
 		}