tls fixes

dprince · dprince · commit 1f3baccebeb4 · 2026-05-14T07:46:07.000-04:00
diff --git a/internal/controller/client/openstackclient_controller.go b/internal/controller/client/openstackclient_controller.go
@@ -43,6 +43,7 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
@@ -217,7 +218,8 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}
 
 	clientLabels := map[string]string{
-		common.AppSelector: "openstackclient",
+		common.AppSelector:   "openstackclient",
+		common.OwnerSelector: instance.Name,
 	}
 
 	configVars := make(map[string]env.Setter)
@@ -359,6 +361,27 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			configVars[mcpTLSSecretName] = env.SetValue(certSecret.ResourceVersion)
 		}
 
+		// Use the internal Keystone endpoint for the MCP sidecar's clouds.yaml
+		// so it connects directly to the in-cluster service and avoids
+		// TLS issues with the public OCP route.
+		internalAuthURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				clientv1.OpenStackClientReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				"waiting for internal Keystone endpoint"))
+			return ctrl.Result{RequeueAfter: time.Duration(5) * time.Second}, nil
+		}
+
+		mcpCloudsYAML := openstackclient.MCPCloudsYAML(
+			internalAuthURL,
+			keystoneAPI.Spec.AdminProject,
+			keystoneAPI.Spec.AdminUser,
+			keystoneAPI.Spec.Region,
+			instance.Spec.CaBundleSecretName,
+		)
+
 		mcpConfigCM := &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp-config",
@@ -368,13 +391,14 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		_, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpConfigCM, func() error {
 			mcpConfigCM.Data = map[string]string{
 				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
+				"clouds.yaml": mcpCloudsYAML,
 			}
 			return controllerutil.SetControllerReference(instance, mcpConfigCM, r.Scheme)
 		})
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP config ConfigMap: %w", err)
 		}
-		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled))
+		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled) + mcpCloudsYAML)
 
 	}
 
@@ -394,7 +418,6 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 			"containerImage":    instance.Spec.ContainerImage,
 			"mcpContainerImage": instance.Spec.MCP.ContainerImage,
-			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, instance.Spec.CaBundleSecretName != ""),
 			"configVarsHash":    configVarsHash,
 		})
 		if err != nil {
diff --git a/internal/openstackclient/funcs.go b/internal/openstackclient/funcs.go
@@ -116,9 +116,10 @@ func ClientPodSpec(
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
 		mcpVolumeMounts := []corev1.VolumeMount{
 			{
-				Name:      "openstack-config",
+				Name:      "mcp-config",
 				MountPath: "/home/cloud-admin/.config/openstack/clouds.yaml",
 				SubPath:   "clouds.yaml",
+				ReadOnly:  true,
 			},
 			{
 				Name:      "openstack-config-secret",
@@ -127,7 +128,8 @@ func ClientPodSpec(
 			},
 			{
 				Name:      "mcp-config",
-				MountPath: "/tmp/mcp-config",
+				MountPath: "/tmp/mcp-config/config.yaml",
+				SubPath:   "config.yaml",
 				ReadOnly:  true,
 			},
 		}
@@ -234,6 +236,25 @@ mcp_transport_security:
 `, caCert, tlsConfig, allowedOriginScheme)
 }
 
+// MCPCloudsYAML returns a clouds.yaml using the given auth URL for the MCP sidecar.
+// When caBundleSecretName is set, a cacert path is included for TLS verification.
+func MCPCloudsYAML(authURL, projectName, userName, region, caBundleSecretName string) string {
+	caCert := ""
+	if caBundleSecretName != "" {
+		caCert = fmt.Sprintf("\n    cacert: %s", tls.DownstreamTLSCABundlePath)
+	}
+	return fmt.Sprintf(`clouds:
+  default:
+    auth:
+      auth_url: %s
+      project_name: %s
+      username: %s
+      user_domain_name: Default
+      project_domain_name: Default
+    region_name: %s%s
+`, authURL, projectName, userName, region, caCert)
+}
+
 func clientPodVolumeMounts() []corev1.VolumeMount {
 	return []corev1.VolumeMount{
 		{
