Merge pull request #306 from stuggi/tlse_secret_update

[tlse] tls for Cinder pod configuration
openstack-k8s-operators · Feb 7, 2024 · 6572d1b · 6572d1b
2 parents c6b6a21 + fb28bd7
commit 6572d1b
Show file tree

Hide file tree

Showing 49 changed files with 1,743 additions and 58 deletions.
diff --git a/api/bases/cinder.openstack.org_cinderapis.yaml b/api/bases/cinder.openstack.org_cinderapis.yaml
@@ -929,6 +929,24 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/cinder.openstack.org_cinderbackups.yaml b/api/bases/cinder.openstack.org_cinderbackups.yaml
@@ -878,6 +878,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/cinder.openstack.org_cinders.yaml b/api/bases/cinder.openstack.org_cinders.yaml
@@ -147,6 +147,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/api/bases/cinder.openstack.org_cinderschedulers.yaml b/api/bases/cinder.openstack.org_cinderschedulers.yaml
@@ -878,6 +878,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/bases/cinder.openstack.org_cindervolumes.yaml b/api/bases/cinder.openstack.org_cindervolumes.yaml
@@ -879,6 +879,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/api/v1beta1/cinderapi_types.go b/api/v1beta1/cinderapi_types.go
@@ -19,6 +19,7 @@ package v1beta1
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -36,6 +37,11 @@ type CinderAPITemplate struct {
 	// +kubebuilder:validation:Optional
 	// Override, provides the ability to override the generated manifest of several child resources.
 	Override APIOverrideSpec `json:"override,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/api/v1beta1/cinderbackup_types.go b/api/v1beta1/cinderbackup_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -56,6 +57,11 @@ type CinderBackupSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide Cinder services the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // CinderBackupStatus defines the observed state of CinderBackup

diff --git a/api/v1beta1/cinderscheduler_types.go b/api/v1beta1/cinderscheduler_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -56,6 +57,11 @@ type CinderSchedulerSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide Cinder services the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // CinderSchedulerStatus defines the observed state of CinderScheduler

diff --git a/api/v1beta1/cindervolume_types.go b/api/v1beta1/cindervolume_types.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -57,6 +58,11 @@ type CinderVolumeSpec struct {
 	// +kubebuilder:validation:Required
 	// ServiceAccount - service account name used internally to provide Cinder services the default SA name
 	ServiceAccount string `json:"serviceAccount"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.Ca `json:"tls,omitempty"`
 }
 
 // CinderVolumeStatus defines the observed state of CinderVolume

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/cinder.openstack.org_cinderapis.yaml b/config/crd/bases/cinder.openstack.org_cinderapis.yaml
@@ -929,6 +929,24 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  api:
+                    properties:
+                      internal:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                      public:
+                        properties:
+                          secretName:
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/cinder.openstack.org_cinderbackups.yaml b/config/crd/bases/cinder.openstack.org_cinderbackups.yaml
@@ -878,6 +878,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/cinder.openstack.org_cinders.yaml b/config/crd/bases/cinder.openstack.org_cinders.yaml
@@ -147,6 +147,24 @@ spec:
                           x-kubernetes-int-or-string: true
                         type: object
                     type: object
+                  tls:
+                    properties:
+                      api:
+                        properties:
+                          internal:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                          public:
+                            properties:
+                              secretName:
+                                type: string
+                            type: object
+                        type: object
+                      caBundleSecretName:
+                        type: string
+                    type: object
                 required:
                 - containerImage
                 type: object

diff --git a/config/crd/bases/cinder.openstack.org_cinderschedulers.yaml b/config/crd/bases/cinder.openstack.org_cinderschedulers.yaml
@@ -878,6 +878,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/crd/bases/cinder.openstack.org_cindervolumes.yaml b/config/crd/bases/cinder.openstack.org_cindervolumes.yaml
@@ -879,6 +879,11 @@ spec:
               serviceUser:
                 default: cinder
                 type: string
+              tls:
+                properties:
+                  caBundleSecretName:
+                    type: string
+                type: object
               transportURLSecret:
                 type: string
             required:

diff --git a/config/samples/cinder_v1beta1_cinder_tls.yaml b/config/samples/cinder_v1beta1_cinder_tls.yaml
@@ -0,0 +1,26 @@
+apiVersion: cinder.openstack.org/v1beta1
+kind: Cinder
+metadata:
+  name: cinder
+  namespace: openstack
+spec:
+  serviceUser: cinder
+  customServiceConfig: |
+    [DEFAULT]
+    debug = true
+  databaseInstance: openstack
+  databaseUser: cinder
+  rabbitMqClusterName: rabbitmq
+  cinderAPI:
+    tls:
+      api:
+        internal:
+          secretName: cert-cinder-internal-svc
+        public:
+          secretName: cert-cinder-public-svc
+      caBundleSecretName: combined-ca-bundle
+  cinderScheduler: {}
+  cinderBackup: {}
+  cinderVolumes:
+    volume1: {}
+  secret: cinder-secret
diff --git a/config/samples/cinder_v1beta1_cinderapi.yaml b/config/samples/cinder_v1beta1_cinderapi.yaml
@@ -4,3 +4,13 @@ metadata:
   name: cinderapi-sample
 spec:
   # TODO(user): Add fields here
+  #tls:
+  #  api:
+  #    # secret holding tls.crt and tls.key for the APIs internal k8s service
+  #    internal:
+  #      secretName: cert-internal-svc
+  #    # secret holding tls.crt and tls.key for the APIs public k8s service
+  #    public:
+  #      secretName: cert-public-svc
+  #  # secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
+  #  caBundleSecretName: combined-ca-bundle