[tls] set organization on galera certificate

From comment on openstack-k8s-operators#678 (comment) ~~~ The certificate created for galera should populate the 'organization' field, otherwise this trip the SST transfer setup done by wsrep_sst_rsync. This will not show at the initial deployment because there is no SST involved when the DB is bootstrapped as there are no data to be transferred yet. ~~~ Jira: OSPRH-2440
stuggi · Apr 10, 2024 · 9de0b6e · 9de0b6e
1 parent 1e33d49
commit 9de0b6e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240403153038-cacd7b514718
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0ac0a3eea830
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49
-	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484
+	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240404123425-54f145c97484
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240403143013-74e2f3cc4015

diff --git a/go.sum b/go.sum
@@ -116,8 +116,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240407224322-0ac0a3eea830/go.mod h1:x1Hya2LM5fP3iD89Es9YDrG4vj+GIULLAdgxmv3NIvY=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49 h1:LSbLg+6iwX2jkVKe0ba6GqSO2mpoJlUZyWIWZA6jv6M=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240402154848-e5f862707f49/go.mod h1:opUQY0YZNCyA11FKLToVhaVZTTEMfbnf0ozOLmkKfGs=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484 h1:4PS7ywfixWWDM+UyjWblXInNOb4IwjryvPsTrbnN1bE=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240404123425-54f145c97484/go.mod h1:MkhvdDYL/CI7aQdKGHLVmUwnBGTnWhcUQMdCB9ZE4BI=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2 h1:mdgMdEMJdHwV3iLVNSgRZTdYC7anWGC7yMzv6PidvsU=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240409150851-9a336392d3b2/go.mod h1:MkhvdDYL/CI7aQdKGHLVmUwnBGTnWhcUQMdCB9ZE4BI=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484 h1:P3I3QBjZql8M5XXB/XBUdeM//e3XHtLv4yu7e+QlYQ8=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240404123425-54f145c97484/go.mod h1:gqByVGUdKQB/NkhKV4eD+8NWYkHq961nC96rTCB3ywE=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240404123425-54f145c97484 h1:0Wmtd+xyvPvU1O6xd2G27XwZfYY2ewhTrbd9ELHlHwg=

diff --git a/pkg/openstack/galera.go b/pkg/openstack/galera.go
@@ -50,6 +50,14 @@ func ReconcileGaleras(
 			IssuerName: instance.GetInternalIssuer(),
 			CertName:   fmt.Sprintf("galera-%s-svc", name),
 			Hostnames:  []string{hostname},
+			// Note (dciabrin) from https://github.com/openstack-k8s-operators/openstack-operator/pull/678#issuecomment-1952459166
+			// the certificate created for galera should populate the 'organization' field,
+			// otherwise this trip the SST transfer setup done by wsrep_sst_rsync. This will not show
+			// at the initial deployment because there is no SST involved when the DB is bootstrapped
+			// as there are no data to be transferred yet.
+			Subject: &certmgrv1.X509Subject{
+				Organizations: []string{fmt.Sprintf("%s.cluster.local", instance.Namespace)},
+			},
 			Usages: []certmgrv1.KeyUsage{
 				"key encipherment",
 				"digital signature",