

[TLS] Improve cert defaulting and envtest coverage
Improves defaulting of the global TLS config so that only specific parameters
need to be customized while the remaining ones are still defaulted.

Jira: OSPRH-6749
stuggi committed May 7, 2024
1 parent d2703d3 commit c2e3b8b
Showing 11 changed files with 530 additions and 72 deletions.
70 changes: 67 additions & 3 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
Expand Up @@ -17113,15 +17113,15 @@ spec:
ca:
duration: 87600h
cert:
duration: 10950h
duration: 43800h
enabled: true
podLevel:
enabled: true
internal:
ca:
duration: 87600h
cert:
duration: 10950h
duration: 43800h
libvirt:
ca:
duration: 87600h
Expand All @@ -17131,87 +17131,151 @@ spec:
ca:
duration: 87600h
cert:
duration: 10950h
duration: 43800h
properties:
caBundleSecretName:
type: string
ingress:
default:
ca:
duration: 87600h
cert:
duration: 43800h
enabled: true
properties:
ca:
default:
duration: 87600h
properties:
customIssuer:
type: string
duration:
default: 87600h
type: string
renewBefore:
type: string
type: object
cert:
default:
duration: 43800h
properties:
duration:
default: 43800h
type: string
renewBefore:
type: string
type: object
enabled:
default: true
type: boolean
type: object
podLevel:
default:
enabled: true
internal:
ca:
duration: 87600h
cert:
duration: 43800h
libvirt:
ca:
duration: 87600h
cert:
duration: 43800h
ovn:
ca:
duration: 87600h
cert:
duration: 43800h
properties:
enabled:
default: true
type: boolean
internal:
default:
ca:
duration: 87600h
cert:
duration: 43800h
properties:
ca:
default:
duration: 87600h
properties:
customIssuer:
type: string
duration:
default: 87600h
type: string
renewBefore:
type: string
type: object
cert:
default:
duration: 43800h
properties:
duration:
default: 43800h
type: string
renewBefore:
type: string
type: object
type: object
libvirt:
default:
ca:
duration: 87600h
cert:
duration: 43800h
properties:
ca:
default:
duration: 87600h
properties:
customIssuer:
type: string
duration:
default: 87600h
type: string
renewBefore:
type: string
type: object
cert:
default:
duration: 43800h
properties:
duration:
default: 43800h
type: string
renewBefore:
type: string
type: object
type: object
ovn:
default:
ca:
duration: 87600h
cert:
duration: 43800h
properties:
ca:
default:
duration: 87600h
properties:
customIssuer:
type: string
duration:
default: 87600h
type: string
renewBefore:
type: string
type: object
cert:
default:
duration: 43800h
properties:
duration:
default: 43800h
type: string
renewBefore:
type: string
35 changes: 29 additions & 6 deletions apis/core/v1beta1/openstackcontrolplane_types.go
Expand Up @@ -80,7 +80,7 @@ type OpenStackControlPlaneSpec struct {

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "87600h"}, cert: {duration: "10950h"}}, podLevel: {enabled: true, internal:{ca: {duration: "87600h"}, cert: {duration: "10950h"}}, libvirt: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}, ovn: {ca: {duration: "87600h"}, cert: {duration: "10950h"}}}}
// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "87600h"}, cert: {duration: "43800h"}}, podLevel: {enabled: true, internal:{ca: {duration: "87600h"}, cert: {duration: "43800h"}}, libvirt: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}, ovn: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}}}
// TLS - Parameters related to the TLS
TLS TLSSection `json:"tls"`

Expand Down Expand Up @@ -190,10 +190,12 @@ type OpenStackControlPlaneSpec struct {
type TLSSection struct {
// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={enabled: true, ca: {duration: "87600h"}, cert: {duration: "43800h"}}
Ingress TLSIngressConfig `json:"ingress,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={enabled: true, internal:{ca: {duration: "87600h"}, cert: {duration: "43800h"}}, libvirt: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}, ovn: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}}
PodLevel TLSPodLevelConfig `json:"podLevel,omitempty"`

// +kubebuilder:validation:optional
Expand All @@ -209,6 +211,7 @@ type TLSIngressConfig struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
// +kubebuilder:default=true
Enabled bool `json:"enabled"`

// +kubebuilder:validation:optional
Expand All @@ -221,21 +224,25 @@ type TLSPodLevelConfig struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
// +kubebuilder:default=true
Enabled bool `json:"enabled"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={ca: {duration: "87600h"}, cert: {duration: "43800h"}}
// Internal - default CA used for all OpenStackControlPlane and OpenStackDataplane endpoints,
// except OVN related CA and certs
Internal CertSection `json:"internal,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={ca: {duration: "87600h"}, cert: {duration: "43800h"}}
// Libvirt - CA used for libvirt/qemu services on OpenStackControlPlane and OpenStackDataplane
Libvirt CertSection `json:"libvirt,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={ca: {duration: "87600h"}, cert: {duration: "43800h"}}
// Ovn - CA used for all OVN services on OpenStackControlPlane and OpenStackDataplane
Ovn CertSection `json:"ovn,omitempty"`
}
Expand All @@ -244,20 +251,35 @@ type TLSPodLevelConfig struct {
type CertSection struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={duration: "43800h"}
// Cert - defines details for cert config
Cert CertConfig `json:"cert,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={duration: "87600h"}
// Ca - defines details for CA cert config
Ca CACertConfig `json:"ca,omitempty"`
}

// CACertConfig defines details for ca cert configs
type CACertConfig struct {
// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
CertConfig `json:",inline"`
// +kubebuilder:validation:Optional
// +kubebuilder:default="87600h"
// The requested 'duration' (i.e. lifetime) of the Certificate.
// The Certificate will be renewed either 2/3 through its duration or
// `renewBefore` period before its expiry, whichever is later. Minimum
// accepted duration is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
Duration *metav1.Duration `json:"duration,omitempty"`

// +kubebuilder:validation:Optional
// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. The default is 2/3 of the
// issued certificate's duration. Minimum accepted value is 5 minutes.
// Value must be in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`

// +kubebuilder:validation:Optional
// CustomIssuer - use pre-created issue for this CA. No CA and issure is being created
Expand All @@ -267,20 +289,21 @@ type CACertConfig struct {

// CertConfig defines details for cert configs
type CertConfig struct {
// +kubebuilder:validation:Optional
// +kubebuilder:default="43800h"
// The requested 'duration' (i.e. lifetime) of the Certificate.
// The Certificate will be renewed either 2/3 through its duration or
// `renewBefore` period before its expiry, whichever is later. Minimum
// accepted duration is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`

// +kubebuilder:validation:Optional
// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. The default is 2/3 of the
// issued certificate's duration. Minimum accepted value is 5 minutes.
// Value must be in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
}

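Review bot: The `Duration` field added to `CACertConfig` (the hunk starting at `type CertSection struct`) carries a doc comment copied verbatim from the leaf `CertConfig`, so nothing tells the user that this value is the CA lifetime or that it is expected to exceed the leaf certificate's `duration` (defaults 87600h versus 43800h); the markers in this hunk do not enforce that relationship, so a CA shorter than the certificates it signs is accepted as written, and whether a webhook elsewhere in the commit checks it is not visible here. A first line such as `// Duration - requested lifetime of the CA certificate (default 87600h); keep it longer than cert.duration so issued certificates do not outlive their CA.` would make the intent explicit. The copied `RenewBefore` comment just below has the same gap and could state that it refers to the CA certificate. `CACertConfig` continues past the end of the hunk; its `CustomIssuer` field and closing brace are outside it.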
11 changes: 10 additions & 1 deletion apis/core/v1beta1/zz_generated.deepcopy.go


