
Commit c00ed7a

committed
combine CAs
1 parent 2389c06 commit c00ed7a

1 file changed

Lines changed: 27 additions & 14 deletions


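--- a/internal/controller/assistant/openstackassistant_controller.go
+++ b/internal/controller/assistant/openstackassistant_controller.go
@@ -335,26 +335,39 @@ func (r *OpenStackAssistantReconciler) Reconcile(ctx context.Context, req ctrl.R
 configVars["mcp-ca-bundle"] = env.SetValue(mcpCaHash)
 }
 
-// Build combined CA bundle when both lightspeed and MCP CA sources exist
+// Build combined CA bundle when MCP TLS is in use, merging the internal CA
+// (tls-ca-bundle.pem) with the lightspeed CA (ca-bundle.crt) if present.
+// This handles same-secret, different-secret, and MCP-only cases.
 hasCombinedCA := false
 combinedCAPEM := ""
-if instance.Spec.LightspeedStack.CaBundleSecretName != "" &&
-mcpCaBundleSecretName != "" &&
-mcpCaBundleSecretName != instance.Spec.LightspeedStack.CaBundleSecretName {
+if mcpCaBundleSecretName != "" {
+var lightspeedCA, mcpCA string
 
-lightspeedCASecret, _, err := secret.GetSecret(ctx, helper, instance.Spec.LightspeedStack.CaBundleSecretName, instance.Namespace)
-if err != nil {
-return ctrl.Result{}, fmt.Errorf("error reading lightspeed CA secret: %w", err)
+if instance.Spec.LightspeedStack.CaBundleSecretName != "" {
+lightspeedCASecret, _, err := secret.GetSecret(ctx, helper, instance.Spec.LightspeedStack.CaBundleSecretName, instance.Namespace)
+if err != nil {
+return ctrl.Result{}, fmt.Errorf("error reading lightspeed CA secret: %w", err)
+}
+lightspeedCA = string(lightspeedCASecret.Data["ca-bundle.crt"])
+
+if mcpCaBundleSecretName == instance.Spec.LightspeedStack.CaBundleSecretName {
+mcpCA = string(lightspeedCASecret.Data["tls-ca-bundle.pem"])
+}
 }
-mcpCASecret, _, err := secret.GetSecret(ctx, helper, mcpCaBundleSecretName, instance.Namespace)
-if err != nil {
-return ctrl.Result{}, fmt.Errorf("error reading MCP CA secret: %w", err)
+
+if mcpCA == "" {
+mcpCASecret, _, err := secret.GetSecret(ctx, helper, mcpCaBundleSecretName, instance.Namespace)
+if err != nil {
+return ctrl.Result{}, fmt.Errorf("error reading MCP CA secret: %w", err)
+}
+mcpCA = string(mcpCASecret.Data["tls-ca-bundle.pem"])
 }
 
-lightspeedCA := string(lightspeedCASecret.Data["ca-bundle.crt"])
-mcpCA := string(mcpCASecret.Data["tls-ca-bundle.pem"])
-if lightspeedCA != "" && mcpCA != "" {
-combinedCAPEM = lightspeedCA + "\n" + mcpCA
+if mcpCA != "" {
+combinedCAPEM = mcpCA
+if lightspeedCA != "" {
+combinedCAPEM = lightspeedCA + "\n" + mcpCA
+}
 hasCombinedCA = true
 }
 }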
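Review bot: When `mcpCaBundleSecretName` is set but the secret has no (or an empty) `tls-ca-bundle.pem` key, the new block falls through with `hasCombinedCA` still false and returns no error, so a misconfigured trust anchor looks the same as MCP TLS being off. Unless an earlier part of Reconcile (outside this hunk) already rejects that case, I would fail closed right after the second lookup: `if mcpCA == "" { return ctrl.Result{}, fmt.Errorf("MCP CA secret %q has no tls-ca-bundle.pem data", mcpCaBundleSecretName) }`. In the same-secret case the `if mcpCA == ""` branch also re-reads the secret that was just fetched and can only yield the same empty value. Likewise, a configured lightspeed secret that lacks `ca-bundle.crt` is silently dropped from the combined bundle. Neither value is checked to be PEM before being concatenated into what appears to be a trust bundle, so a comment stating where that validation happens (or a parse check here) would help the next reader.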
