[tls][wip] nova novncproxy vencrypt

stuggi · Apr 25, 2024 · d0c4447 · d0c4447
1 parent 1b84832
commit d0c4447
Show file tree

Hide file tree

Showing 13 changed files with 207 additions and 19 deletions.
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -17107,6 +17107,11 @@ spec:
                         duration: 43800h
                       cert:
                         duration: 8760h
+                    libvirt:
+                      ca:
+                        duration: 43800h
+                      cert:
+                        duration: 17520h
                     ovn:
                       ca:
                         duration: 43800h
@@ -17159,6 +17164,25 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      libvirt:
+                        properties:
+                          ca:
+                            properties:
+                              customIssuer:
+                                type: string
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                          cert:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                        type: object
                       ovn:
                         properties:
                           ca:

diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -56,6 +56,8 @@ const (
 
 	// OvnDbCaName -
 	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
+	// LibvirtCaName -
+	LibvirtCaName = tls.DefaultCAPrefix + "libvirt"
 )
 
 // OpenStackControlPlaneSpec defines the desired state of OpenStackControlPlane
@@ -78,7 +80,7 @@ type OpenStackControlPlaneSpec struct {
 
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
-	// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: true, internal:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
+	// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: true, internal:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, libvirt: {ca: {duration: "43800h"}, cert: {duration: "17520h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
 	// TLS - Parameters related to the TLS
 	TLS TLSSection `json:"tls"`
 
@@ -227,6 +229,11 @@ type TLSPodLevelConfig struct {
 	// except OVN related CA and certs
 	Internal CertSection `json:"internal,omitempty"`
 
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Libvirt - CA used for libvirt/qemu services on OpenStackControlPlane and OpenStackDataplane
+	Libvirt CertSection `json:"libvirt,omitempty"`
+
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// Ovn - CA used for all OVN services on OpenStackControlPlane and OpenStackDataplane
@@ -882,3 +889,13 @@ func (instance OpenStackControlPlane) GetOvnIssuer() string {
 
 	return OvnDbCaName
 }
+
+// GetLibvirtIssuer - returns the libvirt CA issuer name or custom if configured
+func (instance OpenStackControlPlane) GetLibvirtIssuer() string {
+	// use custom issuer if set
+	if instance.Spec.TLS.PodLevel.Libvirt.Ca.IsCustomIssuer() {
+		return *instance.Spec.TLS.PodLevel.Libvirt.Ca.CustomIssuer
+	}
+
+	return LibvirtCaName
+}
diff --git a/apis/core/v1beta1/zz_generated.deepcopy.go b/apis/core/v1beta1/zz_generated.deepcopy.go
diff --git a/apis/go.mod b/apis/go.mod
@@ -105,4 +105,6 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202304141430
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.6.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20240313124519-961a0ee8bf7f //allow-merging
 
-replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8
+replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457
+
+replace github.com/openstack-k8s-operators/dataplane-operator/api => github.com/stuggi/dataplane-operator/api v0.0.0-20240425085030-ad36c4415ab3
diff --git a/apis/go.sum b/apis/go.sum
@@ -140,8 +140,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8 h1:0TAaZ5qlcsGkuYsFBjQU4LJtAGNOD2q9UDw+V4Jp4w8=
-github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
+github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457 h1:ZwqjygM1H8EHL5ZLAwiymqSX6b+188XWrWJPTahNeXM=
+github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -17107,6 +17107,11 @@ spec:
                         duration: 43800h
                       cert:
                         duration: 8760h
+                    libvirt:
+                      ca:
+                        duration: 43800h
+                      cert:
+                        duration: 17520h
                     ovn:
                       ca:
                         duration: 43800h
@@ -17159,6 +17164,25 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      libvirt:
+                        properties:
+                          ca:
+                            properties:
+                              customIssuer:
+                                type: string
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                          cert:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                        type: object
                       ovn:
                         properties:
                           ca:

diff --git a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml
@@ -435,6 +435,16 @@ spec:
       - description: Cert - defines details for cert config
         displayName: Cert
         path: tls.podLevel.internal.cert
+      - description: Libvirt - CA used for libvirt/qemu services on OpenStackControlPlane
+          and OpenStackDataplane
+        displayName: Libvirt
+        path: tls.podLevel.libvirt
+      - description: Ca - defines details for CA cert config
+        displayName: Ca
+        path: tls.podLevel.libvirt.ca
+      - description: Cert - defines details for cert config
+        displayName: Cert
+        path: tls.podLevel.libvirt.cert
       - description: Ovn - CA used for all OVN services on OpenStackControlPlane and
           OpenStackDataplane
         displayName: Ovn

diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240419144952-326611519a8c
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240424095825-a74eb96bf1f3
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240422083029-9546ece5eb4f
-	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240424104132-3744dd0f8a48
+	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240425065931-fcb08823a660
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240424104132-3744dd0f8a48
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240424104132-3744dd0f8a48
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240424092810-87ed196e2fec
@@ -129,4 +129,6 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202304141430
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.6.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20240313124519-961a0ee8bf7f //allow-merging
 
-replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8
+replace github.com/openstack-k8s-operators/nova-operator/api => github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457
+
+replace github.com/openstack-k8s-operators/dataplane-operator/api => github.com/stuggi/dataplane-operator/api v0.0.0-20240425085030-ad36c4415ab3
diff --git a/go.sum b/go.sum
@@ -100,8 +100,6 @@ github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240423101259-6
 github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-20240423101259-62edc96e695f/go.mod h1:d4lFj3oT9ZReHGT/ngbF8ViVnv3vnHs/nemKVubkBGA=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240423174908-47d7fa0e0fd6 h1:ug7goj/WKZrTXO44tSQCsPwgw0RsyV5KxLTheD4bewI=
 github.com/openstack-k8s-operators/cinder-operator/api v0.3.1-0.20240423174908-47d7fa0e0fd6/go.mod h1:ayvrE0oMzyA/AQDKpCqNT9uupRT0TqrSFXb1sjmvWqE=
-github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240423190323-451f7f631d64 h1:bK+R3gFk+7JvJDWC86kEEjT5OT5QyZ6U/L6XLjvr0xo=
-github.com/openstack-k8s-operators/dataplane-operator/api v0.3.1-0.20240423190323-451f7f631d64/go.mod h1:qjz8cSVQEDiZOTpOeMHu+vg9Zuvasenrjo7+KtNQwhk=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240403153039-29d27af23767 h1:He5McazPpzOM00VkSpwK85oUq5JMHdjT8o26HxwQamc=
 github.com/openstack-k8s-operators/designate-operator/api v0.0.0-20240403153039-29d27af23767/go.mod h1:SHv9v0wscyVv0yT3VD2UuPvw+kwRAEX/x/8fbnfZVpo=
 github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240424102557-03378857fdc3 h1:ndJmOYRa3VMEgXawihpt19EOQKY4lm+uKQ4DCuy8ncY=
@@ -116,8 +114,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240424095825-a
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240424095825-a74eb96bf1f3/go.mod h1:qu/Kuk0zZNbdyAPCF1m+Amp9mU37ol2LyB+1Rvws948=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240422083029-9546ece5eb4f h1:bvqpsLsC8MHY+lMOQjaRtCKFvpH1d8SPq4o2ETzECY8=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240422083029-9546ece5eb4f/go.mod h1:ZaTdOGkpgKZpJWynyaFsUNO0s61hr3+swC6qdb7jp0g=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240424104132-3744dd0f8a48 h1:Ac+KWOc08XkhvSckK5dSPbc8SYjv+uYKJrTmx7hvHCo=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240424104132-3744dd0f8a48/go.mod h1:5RH93gBVDFzUNYCYkmb1eiXfBWMi2GPMljTdJvTWwJU=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240425065931-fcb08823a660 h1:OUK7Z9D2HD60Ocpnf14HVLri+u8SX7Nj4XUaH87MTVM=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240425065931-fcb08823a660/go.mod h1:5RH93gBVDFzUNYCYkmb1eiXfBWMi2GPMljTdJvTWwJU=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240424104132-3744dd0f8a48 h1:JBTPkk7Aw6Us/BcEx1hioIt2WAJF6gy7vommEfmZoHo=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240424104132-3744dd0f8a48/go.mod h1:q5StfkpuapXb11Llj0cLuLQifWARSQYGQ5KWpBy3eMQ=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240424104132-3744dd0f8a48 h1:aIdtXDamHrtyk2MraE2mOoHMUxl95Z85J97BduhDfsw=
@@ -178,8 +176,10 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8 h1:0TAaZ5qlcsGkuYsFBjQU4LJtAGNOD2q9UDw+V4Jp4w8=
-github.com/stuggi/nova-operator/api v0.0.0-20240424144216-76289136a3c8/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
+github.com/stuggi/dataplane-operator/api v0.0.0-20240425085030-ad36c4415ab3 h1:VXT5pHLy5H/rciS0PR0miaWJkxBdVUyhYDsJKDgakcQ=
+github.com/stuggi/dataplane-operator/api v0.0.0-20240425085030-ad36c4415ab3/go.mod h1:qjz8cSVQEDiZOTpOeMHu+vg9Zuvasenrjo7+KtNQwhk=
+github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457 h1:ZwqjygM1H8EHL5ZLAwiymqSX6b+188XWrWJPTahNeXM=
+github.com/stuggi/nova-operator/api v0.0.0-20240425151212-5fae55c0a457/go.mod h1:UZAnwFc1uxJLDYNUIzhyGqvLrd28PP+j9ZtoMbdH0CA=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -225,14 +225,15 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	}
 
 	// create CA for ovn
+	issuerLabels = map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""}
 	if !instance.Spec.TLS.PodLevel.Ovn.Ca.IsCustomIssuer() {
 		ctrlResult, err = ensureRootCA(
 			ctx,
 			instance,
 			helper,
 			issuerReq,
 			corev1.OvnDbCaName,
-			map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""},
+			issuerLabels,
 			bundle,
 			caOnlyBundle,
 			instance.Spec.TLS.PodLevel.Ovn.Ca.CertConfig,
@@ -287,6 +288,64 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 
 	}
 
+	// create CA for libvirt
+	issuerLabels = map[string]string{certmanager.RootCAIssuerLibvirtLabel: ""}
+	if !instance.Spec.TLS.PodLevel.Libvirt.Ca.IsCustomIssuer() {
+		ctrlResult, err = ensureRootCA(
+			ctx,
+			instance,
+			helper,
+			issuerReq,
+			corev1.LibvirtCaName,
+			issuerLabels,
+			bundle,
+			caOnlyBundle,
+			instance.Spec.TLS.PodLevel.Libvirt.Ca.CertConfig,
+		)
+		if err != nil {
+			return ctrlResult, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, nil
+		}
+	} else {
+		customIssuer := *instance.Spec.TLS.PodLevel.Libvirt.Ca.CustomIssuer
+		// add CA labelselector to issuer
+		caCertSecretName, err := addIssuerLabel(ctx, helper, customIssuer, instance.Namespace, issuerLabels)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				corev1.OpenStackControlPlaneCAReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				corev1.OpenStackControlPlaneCAReadyErrorMessage,
+				"issuer",
+				customIssuer,
+				err.Error()))
+			if k8s_errors.IsNotFound(err) {
+				timeout := time.Second * 10
+				Log.Info(fmt.Sprintf("Custom Issuer %s not found, reconcile in %s", customIssuer, timeout.String()))
+
+				return ctrl.Result{RequeueAfter: timeout}, nil
+			}
+
+			return ctrlResult, err
+		}
+
+		caCert, ctrlResult, err := getCAFromSecret(ctx, instance, helper, caCertSecretName)
+		if err != nil {
+			return ctrl.Result{}, err
+		} else if (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, nil
+		}
+
+		ctrlResult, err = ensureCaBundles(
+			instance,
+			customIssuer,
+			caCert,
+			bundle,
+			caOnlyBundle,
+		)
+	}
+
 	instance.Status.Conditions.MarkTrue(corev1.OpenStackControlPlaneCAReadyCondition, corev1.OpenStackControlPlaneCAReadyMessage)
 
 	// create/update combined CA secret

diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
@@ -259,16 +259,11 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 					endpointDetails.GetEndptCertSecret(service.EndpointPublic)
 
 				// create novncproxy vencrypt cert
-
 				if instance.Spec.TLS.PodLevel.Enabled {
 					serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
-
-					// create certificate for ovncontroller
 					certRequest := certmanager.CertificateRequest{
-						// TODO libvirt issuer!!
-						IssuerName: instance.GetOvnIssuer(),
+						IssuerName: instance.GetLibvirtIssuer(),
 						CertName:   nova.Name + "-novncproxy-" + cellName + "-vencrypt",
-						Duration:   nil,
 						CommonName: ptr.To(fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)),
 						Subject: &certmgrv1.X509Subject{
 							Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
@@ -280,6 +275,12 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 							certmgrv1.UsageClientAuth,
 						},
 					}
+					if instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration != nil {
+						certRequest.Duration = &instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration.Duration
+					}
+					if instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore != nil {
+						certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Libvirt.Cert.RenewBefore.Duration
+					}
 					certSecret, ctrlResult, err := certmanager.EnsureCert(
 						ctx,
 						helper,

diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go
@@ -53,6 +53,7 @@ type Names struct {
 	RootCAPublicName            types.NamespacedName
 	RootCAInternalName          types.NamespacedName
 	RootCAOvnName               types.NamespacedName
+	RootCALibvirtName           types.NamespacedName
 	SelfSignedIssuerName        types.NamespacedName
 	CustomIssuerName            types.NamespacedName
 	CustomServiceCertSecretName types.NamespacedName
@@ -83,6 +84,9 @@ func CreateNames(openstackControlplaneName types.NamespacedName) Names {
 		RootCAOvnName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "rootca-ovn"},
+		RootCALibvirtName: types.NamespacedName{
+			Namespace: openstackControlplaneName.Namespace,
+			Name:      "rootca-libvirt"},
 		SelfSignedIssuerName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "selfsigned-issuer"},