

[tlse] update TLS/CA config
changes the top-level tls config section to reflect ingress and pod-level
tls termination and allows customizing the duration and renewBefore
for each of the CAs and for the certs issued by each CA.

Also:
* creates CA for OVN
* fixes an issue where service cert was not created when tls on ingress
  was disabled.

Depends-On: openstack-k8s-operators/lib-common#471

Jira: OSPRH-5342
stuggi committed Mar 5, 2024
1 parent 7edf581 commit 2d45ca6
Showing 19 changed files with 559 additions and 161 deletions.
86 changes: 75 additions & 11 deletions apis/bases/core.openstack.org_openstackcontrolplanes.yaml
Expand Up @@ -16499,20 +16499,84 @@ spec:
type: object
tls:
default:
endpoint:
internal:
enabled: false
public:
enabled: true
ingress:
ca:
duration: 43800h
cert:
duration: 8760h
enabled: true
podLevel:
default:
ca:
duration: 43800h
cert:
duration: 8760h
enabled: false
ovn:
ca:
duration: 43800h
cert:
duration: 8760h
properties:
caBundleSecretName:
type: string
endpoint:
additionalProperties:
properties:
enabled:
type: boolean
type: object
ingress:
properties:
ca:
properties:
duration:
type: string
renewBefore:
type: string
type: object
cert:
properties:
duration:
type: string
renewBefore:
type: string
type: object
enabled:
type: boolean
type: object
podLevel:
properties:
default:
properties:
ca:
properties:
duration:
type: string
renewBefore:
type: string
type: object
cert:
properties:
duration:
type: string
renewBefore:
type: string
type: object
type: object
enabled:
type: boolean
ovn:
properties:
ca:
properties:
duration:
type: string
renewBefore:
type: string
type: object
cert:
properties:
duration:
type: string
renewBefore:
type: string
type: object
type: object
type: object
type: object
required:
78 changes: 70 additions & 8 deletions apis/core/v1beta1/openstackcontrolplane_types.go
Expand Up @@ -75,8 +75,8 @@ type OpenStackControlPlaneSpec struct {
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

// +kubebuilder:validation:Optional
// +kubebuilder:default={endpoint: {public: {enabled: true}, internal: {enabled: false}}}
//+operator-sdk:csv:customresourcedefinitions:type=spec
// +operator-sdk:csv:customresourcedefinitions:type=spec
// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: false, default:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
// TLS - Parameters related to the TLS
TLS TLSSection `json:"tls"`

Expand Down Expand Up @@ -189,8 +189,11 @@ type OpenStackControlPlaneSpec struct {
type TLSSection struct {
// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
// The key must be the endpoint type (public, internal)
Endpoint map[service.Endpoint]TLSEndpointConfig `json:"endpoint,omitempty"`
Ingress TLSIngressConfig `json:"ingress,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
PodLevel TLSPodLevelConfig `json:"podLevel,omitempty"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
Expand All @@ -200,12 +203,67 @@ type TLSSection struct {
tls.Ca `json:",inline"`
}

// TLSEndpointConfig defines the desired state of TLSEndpoint configuration
type TLSEndpointConfig struct {
// TLSIngressConfig defines the desired state of the TLS configuration for the ingress configuration (route)
type TLSIngressConfig struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
Enabled bool `json:"enabled"`

// +kubebuilder:validation:optional
//+operator-sdk:csv:customresourcedefinitions:type=spec
CertSection `json:",inline"`
}

// TLSPodLevelConfig defines the desired state of the TLS configuration for TLS termination at the pod level
type TLSPodLevelConfig struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
// Enabled - Whether TLS should be enabled for endpoint type
Enabled bool `json:"enabled"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Default - CA used for all OpenStackControlPlane and OpenStackDataplane endpoints,
// except OVN related CA and certs
Default CertSection `json:"default,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Ovn - CA used for all OVN services on OpenStackControlPlane and OpenStackDataplane
Ovn CertSection `json:"ovn,omitempty"`
}

// CertSection defines details for CA config and its certs
type CertSection struct {
// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Cert - defines details for cert config
Cert CertConfig `json:"cert,omitempty"`

// +kubebuilder:validation:Optional
// +operator-sdk:csv:customresourcedefinitions:type=spec
// Ca - defines details for CA cert config
Ca CertConfig `json:"ca,omitempty"`
}

// CertConfig defines details for cert configs
type CertConfig struct {
// The requested 'duration' (i.e. lifetime) of the Certificate.
// The Certificate will be renewed either 2/3 through its duration or
// `renewBefore` period before its expiry, whichever is later. Minimum
// accepted duration is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
// +optional
Duration *metav1.Duration `json:"duration,omitempty"`

// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. The default is 2/3 of the
// issued certificate's duration. Minimum accepted value is 5 minutes.
// Value must be in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration
// +optional
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
}

// DNSMasqSection defines the desired state of DNSMasq service
Expand Down Expand Up @@ -768,8 +826,12 @@ func SetupDefaults() {
// Enabled - returns status of tls configuration for the passed in endpoint type
func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
if t != nil {
if cfg, ok := t.Endpoint[endpt]; ok && cfg.Enabled {
return true
switch endpt {
case service.EndpointPublic:
return t.Ingress.Enabled

case service.EndpointInternal:
return t.PodLevel.Enabled
}
}
return false
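Review bot: The doc comment on TLSPodLevelConfig.Enabled is a copy of the ingress one ("Whether TLS should be enabled for endpoint type") and no longer describes the field; the new Ingress and PodLevel fields of TLSSection carry no doc comment at all, although the removed Endpoint map did, and these comments end up in the published CRD descriptions. I would change the pod-level one to `// Enabled - Whether TLS should be terminated at the pod level, i.e. services present a certificate issued by the podLevel CAs` and add `// Ingress - TLS settings for the route/ingress termination of public endpoints` and `// PodLevel - TLS settings for pod-level termination and the CAs (default, ovn) used for it` above the two fields. On CertConfig, duration and renewBefore are rendered into the CRD as unconstrained strings, so a renewBefore that is not shorter than duration, or a duration under cert-manager's documented 1h minimum, is only rejected when the Certificate is reconciled rather than at admission; a `+kubebuilder:validation:Pattern` on both fields, or a note in the comment that the operator does not cross-check the two, would make the failure mode visible to the person editing the CR. The `+kubebuilder:validation:optional` markers on the new Ingress and PodLevel fields use a lowercase name while the sibling markers use `Optional`; if controller-gen matches marker names case-sensitively these may be silently ignored, so aligning them is worth confirming. The Enabled method's closing brace lies outside the hunk.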
79 changes: 67 additions & 12 deletions apis/core/v1beta1/zz_generated.deepcopy.go



