Merge pull request #216 from weinimo/cert-management-update

Cert management update

api/bases/octavia.openstack.org_octaviaamphoracontrollers.yaml

@@ -56,7 +56,6 @@ spec:
                   keys
                 type: string
               certssecret:
-                default: octavia-certs-secret
                 description: LoadBalancerCerts - Secret containing certs for securing
                   communication with amphora based Load Balancers
                 type: string
@@ -213,7 +212,6 @@ spec:
                 description: TransportURLSecret - Secret containing RabbitMQ transportURL
                 type: string
             required:
-            - certssecret
             - databaseInstance
             - role
             - secret

api/bases/octavia.openstack.org_octavias.yaml

@@ -44,6 +44,11 @@ spec:
           spec:
             description: OctaviaSpec defines the desired state of Octavia
             properties:
+              certssecret:
+                default: octavia-certs-secret
+                description: LoadBalancerCerts - Secret containing certs for securing
+                  communication with amphora based Load Balancers
+                type: string
               customServiceConfig:
                 default: '# add your customization here'
                 description: CustomServiceConfig - customize the service config using
@@ -462,7 +467,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -621,7 +625,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -637,7 +640,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -796,7 +798,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -812,7 +813,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -971,7 +971,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -1015,6 +1014,7 @@ spec:
                 description: ServiceUser - service user name
                 type: string
             required:
+            - certssecret
             - databaseInstance
             - octaviaAPI
             - rabbitMqClusterName

api/v1beta1/amphoracontroller_types.go

@@ -70,8 +70,7 @@ type OctaviaAmphoraControllerSpec struct {
 	// Secret containing OpenStack password information for octavia OctaviaDatabasePassword, AdminPassword
 	Secret string `json:"secret"`
 
-	// +kubebuilder:validation:Required
-	// +kubebuilder:default=octavia-certs-secret
+	// +kubebuilder:validation:Optional
 	// LoadBalancerCerts - Secret containing certs for securing communication with amphora based Load Balancers
 	LoadBalancerCerts string `json:"certssecret"`
 

api/v1beta1/octavia_types.go

@@ -121,6 +121,11 @@ type OctaviaSpec struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default={manageLbMgmtNetworks: true, subnetIpVersion: 4}
 	LbMgmtNetworks OctaviaLbMgmtNetworks `json:"lbMgmtNetwork"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=octavia-certs-secret
+	// LoadBalancerCerts - Secret containing certs for securing communication with amphora based Load Balancers
+	LoadBalancerCerts string `json:"certssecret"`
 }
 
 // PasswordSelector to identify the DB and AdminUser password from the Secret

config/crd/bases/octavia.openstack.org_octaviaamphoracontrollers.yaml

@@ -56,7 +56,6 @@ spec:
                   keys
                 type: string
               certssecret:
-                default: octavia-certs-secret
                 description: LoadBalancerCerts - Secret containing certs for securing
                   communication with amphora based Load Balancers
                 type: string
@@ -213,7 +212,6 @@ spec:
                 description: TransportURLSecret - Secret containing RabbitMQ transportURL
                 type: string
             required:
-            - certssecret
             - databaseInstance
             - role
             - secret

config/crd/bases/octavia.openstack.org_octavias.yaml

@@ -44,6 +44,11 @@ spec:
           spec:
             description: OctaviaSpec defines the desired state of Octavia
             properties:
+              certssecret:
+                default: octavia-certs-secret
+                description: LoadBalancerCerts - Secret containing certs for securing
+                  communication with amphora based Load Balancers
+                type: string
               customServiceConfig:
                 default: '# add your customization here'
                 description: CustomServiceConfig - customize the service config using
@@ -462,7 +467,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -621,7 +625,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -637,7 +640,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -796,7 +798,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -812,7 +813,6 @@ spec:
                       keys
                     type: string
                   certssecret:
-                    default: octavia-certs-secret
                     description: LoadBalancerCerts - Secret containing certs for securing
                       communication with amphora based Load Balancers
                     type: string
@@ -971,7 +971,6 @@ spec:
                     description: TransportURLSecret - Secret containing RabbitMQ transportURL
                     type: string
                 required:
-                - certssecret
                 - databaseInstance
                 - role
                 - secret
@@ -1015,6 +1014,7 @@ spec:
                 description: ServiceUser - service user name
                 type: string
             required:
+            - certssecret
             - databaseInstance
             - octaviaAPI
             - rabbitMqClusterName

controllers/octavia_controller.go

@@ -821,6 +821,7 @@ func (r *OctaviaReconciler) amphoraControllerDaemonSetCreateOrUpdate(
 		daemonset.Spec.ServiceAccount = instance.RbacResourceName()
 		daemonset.Spec.LbMgmtNetworks.ManageLbMgmtNetworks = instance.Spec.LbMgmtNetworks.ManageLbMgmtNetworks
 		daemonset.Spec.LbMgmtNetworks.SubnetIPVersion = instance.Spec.LbMgmtNetworks.SubnetIPVersion
+		daemonset.Spec.LoadBalancerCerts = instance.Spec.LoadBalancerCerts
 		if len(daemonset.Spec.NodeSelector) == 0 {
 			daemonset.Spec.NodeSelector = instance.Spec.NodeSelector
 		}

pkg/amphoracontrollers/amphora_certs.go

@@ -24,6 +24,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"math/big"
+	"sync"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -33,19 +34,19 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 var (
 	subjectDefault = pkix.Name{
-		Organization:  []string{"Dis"},
-		Country:       []string{"US"},
-		Province:      []string{"Oregon"},
-		Locality:      []string{"Springfield"},
-		StreetAddress: []string{"Denial"},
-		PostalCode:    []string{""},
-		CommonName:    "www.example.com",
+		CommonName:         "www.example.com",
+		Organization:       []string{"OpenStack"},
+		OrganizationalUnit: []string{"Octavia Amphorae"},
+		Country:            []string{"DE"},
+		Province:           []string{"Bavaria"},
+		Locality:           []string{"Piding"},
 	}
+	onceEnsure   sync.Once
+	ensureResult error = nil
 )
 
 // generateKey generates a PEM encoded private RSA key and applies PEM
@@ -146,16 +147,16 @@ func generateClientCert(caCertPEM []byte, caPrivKey *rsa.PrivateKey) ([]byte, er
 	return certPEM.Bytes(), nil
 }
 
-// EnsureAmphoraCerts ensures Amphora certificates exist in the secret store
-func EnsureAmphoraCerts(ctx context.Context, instance *octaviav1.OctaviaAmphoraController, h *helper.Helper, log *logr.Logger) error {
+func doEnsureAmphoraCerts(ctx context.Context, instance *octaviav1.OctaviaAmphoraController,
+	h *helper.Helper, log *logr.Logger) {
 	var oAmpSecret *corev1.Secret
 	var serverCAPass []byte = nil
 
 	_, _, err := secret.GetSecret(ctx, h, instance.Spec.LoadBalancerCerts, instance.Namespace)
 	if err != nil {
 		if !k8serrors.IsNotFound(err) {
-			err = fmt.Errorf("Error retrieving secret %s - %w", instance.Spec.LoadBalancerCerts, err)
-			return err
+			ensureResult = fmt.Errorf("Error retrieving secret %s - %w", instance.Spec.LoadBalancerCerts, err)
+			return
 		}
 
 		cAPassSecret, _, err := secret.GetSecret(
@@ -168,35 +169,35 @@ func EnsureAmphoraCerts(ctx context.Context, instance *octaviav1.OctaviaAmphoraC
 
 		serverCAKey, serverCAKeyPEM, err := generateKey(serverCAPass)
 		if err != nil {
-			err = fmt.Errorf("Error while generating server CA key: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating server CA key: %w", err)
+			return
 		}
 		serverCACert, err := generateCACert(serverCAKey, "Octavia server CA")
 		if err != nil {
-			err = fmt.Errorf("Error while generating server CA certificate: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating server CA certificate: %w", err)
+			return
 		}
 
 		clientCAKey, _, err := generateKey(nil)
 		if err != nil {
-			err = fmt.Errorf("Error while generating client CA key: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating client CA key: %w", err)
+			return
 		}
 		clientCACert, err := generateCACert(clientCAKey, "Octavia client CA")
 		if err != nil {
-			err = fmt.Errorf("Error while generating amphora client CA certificate: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating amphora client CA certificate: %w", err)
+			return
 		}
 
 		clientKey, clientKeyPEM, err := generateKey(nil)
 		if err != nil {
-			err = fmt.Errorf("Error while generating amphora client key: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating amphora client key: %w", err)
+			return
 		}
 		clientCert, err := generateClientCert(clientCACert, clientKey)
 		if err != nil {
-			err = fmt.Errorf("Error while generating amphora client certificate: %w", err)
-			return err
+			ensureResult = fmt.Errorf("Error while generating amphora client certificate: %w", err)
+			return
 		}
 		clientKeyAndCert := append(clientKeyPEM, clientCert...)
 
@@ -217,17 +218,19 @@ func EnsureAmphoraCerts(ctx context.Context, instance *octaviav1.OctaviaAmphoraC
 			},
 		}
 
-		// err = h.GetClient().Create(ctx, oAmpSecret)
-		_, result, err := secret.CreateOrPatchSecret(ctx, h, instance, oAmpSecret)
-
+		_, _, err = secret.CreateOrPatchSecret(ctx, h, instance, oAmpSecret)
 		if err != nil {
-			err = fmt.Errorf("Error creating certs secret %s - %w",
+			ensureResult = fmt.Errorf("Error creating certs secret %s - %w",
 				instance.Spec.LoadBalancerCerts, err)
-			return err
-		} else if result != controllerutil.OperationResultNone {
-			return nil
 		}
 	}
+}
+
+// EnsureAmphoraCerts ensures Amphora certificates exist in the secret store
+func EnsureAmphoraCerts(ctx context.Context, instance *octaviav1.OctaviaAmphoraController,
+	h *helper.Helper, log *logr.Logger) error {
 
-	return nil
+	// Do cert generation once, and only once for all services.
+	onceEnsure.Do(func() { doEnsureAmphoraCerts(ctx, instance, h, log) })
+	return ensureResult
 }