Merge pull request openstack-k8s-operators#648 from stuggi/tls_fix

[TLS] Fix enable/disable of tls configuration
bshephar · Feb 1, 2024 · 24378d9 · 24378d9
2 parents f90f351 + 10a03d9
commit 24378d9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 11 deletions.
diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -769,7 +769,7 @@ func SetupDefaults() {
 // Enabled - returns status of tls configuration for the passed in endpoint type
 func (t *TLSSection) Enabled(endpt service.Endpoint) bool {
 	if t != nil {
-		if cfg, ok := t.Endpoint[service.EndpointInternal]; ok && cfg.Enabled {
+		if cfg, ok := t.Endpoint[endpt]; ok && cfg.Enabled {
 			return true
 		}
 	}

diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -35,17 +35,16 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		instance.GetNamespace(),
 		map[string]string{},
 	)
-	/*
-		// Cleanuo?
-		if !instance.Spec.TLS.Enabled {
-			if err := cert.Delete(ctx, helper); err != nil {
-				return ctrl.Result{}, err
-			}
-			instance.Status.Conditions.Remove(corev1beta1.OpenStackControlPlaneCAsReadyCondition)
 
-			return ctrl.Result{}, nil
-		}
-	*/
+	// Note (mschuppert) - right now additional custom CA certs can only be passed to the services if
+	// tls is enabled, otherwise CA bundle creation will be skipped and no bundle will be passed to the
+	// service CAs.
+	if !instance.Spec.TLS.Enabled(service.EndpointInternal) && !instance.Spec.TLS.Enabled(service.EndpointPublic) {
+		// we are not deleting certificates if tls gets disabled
+		instance.Status.Conditions.Remove(corev1.OpenStackControlPlaneCAReadyCondition)
+
+		return ctrl.Result{}, nil
+	}
 
 	helper.GetLogger().Info("Reconciling CAs", "Namespace", instance.Namespace, "Name", issuerReq.Name)