tls fixes

Author: dprince

internal/controller/assistant/openstackassistant_controller.go

@@ -324,12 +324,10 @@ func (r *OpenStackAssistantReconciler) Reconcile(ctx context.Context, req ctrl.R
 				}
 
 				mcpSvcName := mcp.OpenStackClientRef + "-mcp"
-				scheme := "http"
 				if osclient.Spec.CaBundleSecretName != "" {
-					scheme = "https"
 					mcpCaBundleSecretName = osclient.Spec.CaBundleSecretName
 				}
-				mcpURL := fmt.Sprintf("%s://%s.%s.svc:8080/openstack/", scheme, mcpSvcName, instance.Namespace)
+				mcpURL := fmt.Sprintf("http://%s.%s.svc:8080/openstack/", mcpSvcName, instance.Namespace)
 				resolvedMCPServers[mcp.Name] = mcpURL
 				Log.Info("Auto-resolved MCP server", "name", mcp.Name, "url", mcpURL, "openstackClientRef", mcp.OpenStackClientRef)
 			} else if mcp.URL != "" {

internal/controller/client/openstackclient_controller.go

@@ -41,9 +41,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
-	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -217,7 +216,8 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	}
 
 	clientLabels := map[string]string{
-		common.AppSelector: "openstackclient",
+		common.AppSelector:   "openstackclient",
+		common.OwnerSelector: instance.Name,
 	}
 
 	configVars := make(map[string]env.Setter)
@@ -312,53 +312,28 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
 
 	// Reconcile MCP sidecar resources when enabled
-	mcpTLSSecretName := ""
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
-		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
-
-		if mcpTLSEnabled {
-			issuer, err := certmanager.GetIssuerByLabels(
-				ctx, helper,
-				instance.Namespace,
-				map[string]string{certmanager.RootCAIssuerInternalLabel: ""},
-			)
-			if err != nil {
-				instance.Status.Conditions.Set(condition.FalseCondition(
-					clientv1.OpenStackClientReadyCondition,
-					condition.ErrorReason,
-					condition.SeverityWarning,
-					clientv1.OpenStackClientReadyErrorMessage,
-					err.Error()))
-				return ctrl.Result{}, err
-			}
-
-			clusterDomain := clusterdns.GetDNSClusterDomain()
-			mcpSvcName := instance.Name + "-mcp"
-			certRequest := certmanager.CertificateRequest{
-				IssuerName: issuer.Name,
-				CertName:   mcpSvcName + "-tls",
-				Hostnames: []string{
-					fmt.Sprintf("%s.%s.svc", mcpSvcName, instance.Namespace),
-					fmt.Sprintf("%s.%s.svc.%s", mcpSvcName, instance.Namespace, clusterDomain),
-				},
-				Labels: map[string]string{},
-			}
-			certSecret, ctrlResult, err := certmanager.EnsureCert(ctx, helper, certRequest, instance)
-			if err != nil {
-				instance.Status.Conditions.Set(condition.FalseCondition(
-					clientv1.OpenStackClientReadyCondition,
-					condition.ErrorReason,
-					condition.SeverityWarning,
-					clientv1.OpenStackClientReadyErrorMessage,
-					err.Error()))
-				return ctrlResult, err
-			} else if (ctrlResult != ctrl.Result{}) {
-				return ctrlResult, nil
-			}
-			mcpTLSSecretName = certSecret.Name
-			configVars[mcpTLSSecretName] = env.SetValue(certSecret.ResourceVersion)
+		// Use the internal Keystone endpoint for the MCP sidecar's clouds.yaml
+		// so it connects directly to the in-cluster service and avoids
+		// TLS issues with the public OCP route.
+		internalAuthURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+		if err != nil {
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				clientv1.OpenStackClientReadyCondition,
+				condition.RequestedReason,
+				condition.SeverityInfo,
+				"waiting for internal Keystone endpoint"))
+			return ctrl.Result{RequeueAfter: time.Duration(5) * time.Second}, nil
 		}
 
+		mcpCloudsYAML := openstackclient.MCPCloudsYAML(
+			internalAuthURL,
+			keystoneAPI.Spec.AdminProject,
+			keystoneAPI.Spec.AdminUser,
+			keystoneAPI.Spec.Region,
+			instance.Spec.CaBundleSecretName,
+		)
+
 		mcpConfigCM := &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp-config",
@@ -367,14 +342,15 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		_, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpConfigCM, func() error {
 			mcpConfigCM.Data = map[string]string{
-				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
+				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName),
+				"clouds.yaml": mcpCloudsYAML,
 			}
 			return controllerutil.SetControllerReference(instance, mcpConfigCM, r.Scheme)
 		})
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP config ConfigMap: %w", err)
 		}
-		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled))
+		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName) + mcpCloudsYAML)
 
 	}
 
@@ -394,7 +370,6 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 			"containerImage":    instance.Spec.ContainerImage,
 			"mcpContainerImage": instance.Spec.MCP.ContainerImage,
-			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, instance.Spec.CaBundleSecretName != ""),
 			"configVarsHash":    configVarsHash,
 		})
 		if err != nil {
@@ -428,7 +403,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		},
 	}
 
-	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash, mcpTLSSecretName)
+	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash)
 
 	podSpecHash, err := util.ObjectHash(spec)
 	if err != nil {

internal/openstackclient/funcs.go

@@ -34,7 +34,6 @@ func ClientPodSpec(
 	instance *clientv1.OpenStackClient,
 	helper *helper.Helper,
 	configHash string,
-	mcpTLSSecretName string,
 ) corev1.PodSpec {
 	envVars := map[string]env.Setter{}
 	envVars["OS_CLOUD"] = env.SetValue("default")
@@ -116,9 +115,10 @@ func ClientPodSpec(
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
 		mcpVolumeMounts := []corev1.VolumeMount{
 			{
-				Name:      "openstack-config",
+				Name:      "mcp-config",
 				MountPath: "/home/cloud-admin/.config/openstack/clouds.yaml",
 				SubPath:   "clouds.yaml",
+				ReadOnly:  true,
 			},
 			{
 				Name:      "openstack-config-secret",
@@ -127,7 +127,8 @@ func ClientPodSpec(
 			},
 			{
 				Name:      "mcp-config",
-				MountPath: "/tmp/mcp-config",
+				MountPath: "/tmp/mcp-config/config.yaml",
+				SubPath:   "config.yaml",
 				ReadOnly:  true,
 			},
 		}
@@ -136,22 +137,6 @@ func ClientPodSpec(
 			mcpVolumeMounts = append(mcpVolumeMounts, instance.Spec.CreateVolumeMounts(nil)...)
 		}
 
-		if mcpTLSSecretName != "" {
-			mcpVolumeMounts = append(mcpVolumeMounts, corev1.VolumeMount{
-				Name:      "mcp-tls",
-				MountPath: "/etc/pki/tls/mcp",
-				ReadOnly:  true,
-			})
-			podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
-				Name: "mcp-tls",
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: mcpTLSSecretName,
-					},
-				},
-			})
-		}
-
 		podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
 			Name: "mcp-config",
 			VolumeSource: corev1.VolumeSource{
@@ -205,33 +190,43 @@ func ClientPodSpec(
 }
 
 // MCPConfigYAML returns the rhos-mcps config.yaml content for the MCP sidecar
-func MCPConfigYAML(caBundleSecretName string, tlsEnabled bool) string {
+func MCPConfigYAML(caBundleSecretName string) string {
 	caCert := ""
 	if caBundleSecretName != "" {
 		caCert = fmt.Sprintf("\n  ca_cert: %s", tls.DownstreamTLSCABundlePath)
 	}
-	tlsConfig := ""
-	allowedOriginScheme := "http"
-	if tlsEnabled {
-		tlsConfig = `
-tls:
-  cert_file: /etc/pki/tls/mcp/tls.crt
-  key_file: /etc/pki/tls/mcp/tls.key`
-		allowedOriginScheme = "https"
-	}
 	return fmt.Sprintf(`port: 8080
 openstack:
   enabled: true
   allow_write: false%s
 openshift:
-  enabled: false%s
+  enabled: false
 mcp_transport_security:
   enable_dns_rebinding_protection: false
   allowed_hosts:
     - "*:*"
   allowed_origins:
-    - "%s://*:*"
-`, caCert, tlsConfig, allowedOriginScheme)
+    - "http://*:*"
+`, caCert)
+}
+
+// MCPCloudsYAML returns a clouds.yaml using the given auth URL for the MCP sidecar.
+// When caBundleSecretName is set, a cacert path is included for TLS verification.
+func MCPCloudsYAML(authURL, projectName, userName, region, caBundleSecretName string) string {
+	caCert := ""
+	if caBundleSecretName != "" {
+		caCert = fmt.Sprintf("\n    cacert: %s", tls.DownstreamTLSCABundlePath)
+	}
+	return fmt.Sprintf(`clouds:
+  default:
+    auth:
+      auth_url: %s
+      project_name: %s
+      username: %s
+      user_domain_name: Default
+      project_domain_name: Default
+    region_name: %s%s
+`, authURL, projectName, userName, region, caCert)
 }
 
 func clientPodVolumeMounts() []corev1.VolumeMount {