openstack-k8s-operators · openshift-merge-bot · Mar 9, 2024 · Mar 1, 2024 · Mar 5, 2024 · Mar 5, 2024
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -16182,20 +16182,84 @@ spec:
                 type: object
               tls:
                 default:
-                  endpoint:
+                  ingress:
+                    ca:
+                      duration: 43800h
+                    cert:
+                      duration: 8760h
+                    enabled: true
+                  podLevel:
+                    enabled: false
                     internal:
-                      enabled: false
-                    public:
-                      enabled: true
+                      ca:
+                        duration: 43800h
+                      cert:
+                        duration: 8760h
+                    ovn:
+                      ca:
+                        duration: 43800h
+                      cert:
+                        duration: 8760h
                 properties:
                   caBundleSecretName:
                     type: string
-                  endpoint:
-                    additionalProperties:
-                      properties:
-                        enabled:
-                          type: boolean
-                      type: object
+                  ingress:
+                    properties:
+                      ca:
+                        properties:
+                          duration:
+                            type: string
+                          renewBefore:
+                            type: string
+                        type: object
+                      cert:
+                        properties:
+                          duration:
+                            type: string
+                          renewBefore:
+                            type: string
+                        type: object
+                      enabled:
+                        type: boolean
+                    type: object
+                  podLevel:
+                    properties:
+                      enabled:
+                        type: boolean
+                      internal:
+                        properties:
+                          ca:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                          cert:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                        type: object
+                      ovn:
+                        properties:
+                          ca:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                          cert:
+                            properties:
+                              duration:
+                                type: string
+                              renewBefore:
+                                type: string
+                            type: object
+                        type: object
                     type: object
                 type: object
             required:

diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -75,8 +75,8 @@ type OpenStackControlPlaneSpec struct {
 	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={endpoint: {public: {enabled: true}, internal: {enabled: false}}}
-	//+operator-sdk:csv:customresourcedefinitions:type=spec
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: false, internal:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
 	// TLS - Parameters related to the TLS
 	TLS TLSSection `json:"tls"`
 
@@ -189,8 +189,11 @@ type OpenStackControlPlaneSpec struct {
 type TLSSection struct {
 	// +kubebuilder:validation:optional
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
-	// The key must be the endpoint type (public, internal)
-	Endpoint map[service.Endpoint]TLSEndpointConfig `json:"endpoint,omitempty"`
+	Ingress TLSIngressConfig `json:"ingress,omitempty"`
+
+	// +kubebuilder:validation:optional
+	//+operator-sdk:csv:customresourcedefinitions:type=spec
+	PodLevel TLSPodLevelConfig `json:"podLevel,omitempty"`
 
 	// +kubebuilder:validation:optional
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
@@ -200,12 +203,67 @@ type TLSSection struct {
 	tls.Ca `json:",inline"`
 }
 
-// TLSEndpointConfig defines the desired state of TLSEndpoint configuration
-type TLSEndpointConfig struct {
+// TLSIngressConfig defines the desired state of the TLS configuration for the ingress configuration (route)
+type TLSIngressConfig struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
 	// Enabled - Whether TLS should be enabled for endpoint type
 	Enabled bool `json:"enabled"`
+
+	// +kubebuilder:validation:optional
+	//+operator-sdk:csv:customresourcedefinitions:type=spec
+	CertSection `json:",inline"`
+}
+
+// TLSPodLevelConfig defines the desired state of the TLS configuration for TLS termination at the pod level
+type TLSPodLevelConfig struct {
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
+	// Enabled - Whether TLS should be enabled for endpoint type
+	Enabled bool `json:"enabled"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Internal - default CA used for all OpenStackControlPlane and OpenStackDataplane endpoints,
+	// except OVN related CA and certs
+	Internal CertSection `json:"internal,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Ovn - CA used for all OVN services on OpenStackControlPlane and OpenStackDataplane
+	Ovn CertSection `json:"ovn,omitempty"`
+}
+
+// CertSection defines details for CA config and its certs
+type CertSection struct {
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Cert - defines details for cert config
+	Cert CertConfig `json:"cert,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// Ca - defines details for CA cert config
+	Ca CertConfig `json:"ca,omitempty"`
+}
+
+// CertConfig defines details for cert configs
+type CertConfig struct {
+	// The requested 'duration' (i.e. lifetime) of the Certificate.
+	// The Certificate will be renewed either 2/3 through its duration or
+	// `renewBefore` period before its expiry, whichever is later. Minimum
+	// accepted duration is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
+	// +optional
+	Duration *metav1.Duration `json:"duration,omitempty"`
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. The default is 2/3 of the
+	// issued certificate's duration. Minimum accepted value is 5 minutes.
+	// Value must be in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration
+	// +optional
+	RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
 }
 
 // DNSMasqSection defines the desired state of DNSMasq service
@@ -768,8 +826,12 @@ func SetupDefaults() {
 // Enabled - returns status of tls configuration for the passed in endpoint type
 func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
 	if t != nil {
-		if cfg, ok := t.Endpoint[endpt]; ok && cfg.Enabled {
-			return true
+		switch endpt {
+		case service.EndpointPublic:
+			return t.Ingress.Enabled
+
+		case service.EndpointInternal:
+			return t.PodLevel.Enabled
 		}
 	}
 	return false

diff --git a/apis/core/v1beta1/zz_generated.deepcopy.go b/apis/core/v1beta1/zz_generated.deepcopy.go
diff --git a/apis/go.mod b/apis/go.mod
@@ -11,13 +11,13 @@ require (
 	github.com/openstack-k8s-operators/glance-operator/api v0.3.1-0.20240306142853-6b5d6005953d
 	github.com/openstack-k8s-operators/heat-operator/api v0.3.1-0.20240307055016-f66e43861199
 	github.com/openstack-k8s-operators/horizon-operator/api v0.3.1-0.20240304130922-946bc7dd0996
-	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240304123904-038a5ec77a70
+	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb
-	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308154211-31e51e9ec6b4
+	github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee
 	github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67
 	github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af
 	github.com/openstack-k8s-operators/octavia-operator/api v0.3.1-0.20240305155754-2dcd200b721a

diff --git a/apis/go.sum b/apis/go.sum
@@ -85,8 +85,8 @@ github.com/openstack-k8s-operators/heat-operator/api v0.3.1-0.20240307055016-f66
 github.com/openstack-k8s-operators/heat-operator/api v0.3.1-0.20240307055016-f66e43861199/go.mod h1:63UcRnUoHAyeXwUJa/6tmphZf4ScoY2+s7ItDV+m3BQ=
 github.com/openstack-k8s-operators/horizon-operator/api v0.3.1-0.20240304130922-946bc7dd0996 h1:+wkmeYGCYfbA+hoAIdShomyptqoqyJ33VYUxUaJoAVA=
 github.com/openstack-k8s-operators/horizon-operator/api v0.3.1-0.20240304130922-946bc7dd0996/go.mod h1:Hzq/OQJ/CC2HeohMw7jh3eqQpIf3FEC2kQSw48bWV+s=
-github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240304123904-038a5ec77a70 h1:aLQuVEQKwV2nM4n232/7TnA50t5DD05deEvKyl6Gd5Y=
-github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240304123904-038a5ec77a70/go.mod h1:yPqJ+WU8jApuDXNUjpTxMafihuZpX3Yik9ZXqGaxYBQ=
+github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3 h1:GJgS/TApDzvNj6lyEr1du6twi539QT2LOu5pqU0dZdA=
+github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3/go.mod h1:yPqJ+WU8jApuDXNUjpTxMafihuZpX3Yik9ZXqGaxYBQ=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91 h1:3yvrS33IOQibrXJJlVs/fDxLi5RCZlN5oDrR2c8aShk=
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240307113114-033a606862c3 h1:jMxdglPqLMuIM+s1aC1tYXz/NihB/BaMyutReg2fXpg=
@@ -99,8 +99,8 @@ github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.202403061
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.3.1-0.20240306153230-dc65ab49ebc0/go.mod h1:hKoDyLpp/Hc6fE1rYhlgXw8pYUPyRDKLgBrkAda5IPA=
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb h1:CdhjKduaBLkpXfpg9CfVssrewBYnsfTztIC7WlurAWk=
 github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb/go.mod h1:WjZonBUlokd/WM3bzlGqW0KncogYyxUDmWmKvxSPlLE=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308154211-31e51e9ec6b4 h1:SJT4etdZrncTpCDRyLG9oV9+dWVpngzxrSpcJeWzVuM=
-github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308154211-31e51e9ec6b4/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee h1:UYxzWJ1HixHQ+jPoZ/PeTqCUxVr1+kha4YJpV/UwL64=
+github.com/openstack-k8s-operators/mariadb-operator/api v0.3.1-0.20240308170012-6b04e3e9b9ee/go.mod h1:f9IIyWeoskWoeWaDFF3qmAJ2Kqyovfi0Ar/QUfk3qag=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67 h1:7BPdD7bAuzcl08/EiGDOJNBtfVnwuxm7F2acbC+kpuc=
 github.com/openstack-k8s-operators/neutron-operator/api v0.3.1-0.20240305155525-acb164bd7d67/go.mod h1:gOepjTKpq6rF0Lf69edviPOjFpjw4LHan/tWC4LB4Fs=
 github.com/openstack-k8s-operators/nova-operator/api v0.3.1-0.20240307151724-2fc1351673af h1:EuR34g9uahKG8YKp91FVvj5MNGR0Y+Q9aeu4Y3E8m+U=