[ovn][metrics] Pass cert secrets

karelyatin · karelyatin · commit 404a2e819230 · 2025-10-16T17:54:06.000+05:30
Resolves: https://issues.redhat.com/browse/OSPRH-20823 Signed-off-by: Yatin Karel <ykarel@redhat.com>
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -12116,6 +12116,13 @@ spec:
                           metricsEnabled:
                             default: true
                             type: boolean
+                          metricsTLS:
+                            properties:
+                              caBundleSecretName:
+                                type: string
+                              secretName:
+                                type: string
+                            type: object
                           networkAttachment:
                             type: string
                           nicMappings:
@@ -12195,6 +12202,13 @@ spec:
                             metricsEnabled:
                               default: true
                               type: boolean
+                            metricsTLS:
+                              properties:
+                                caBundleSecretName:
+                                  type: string
+                                secretName:
+                                  type: string
+                              type: object
                             networkAttachment:
                               type: string
                             nodeSelector:
@@ -12323,6 +12337,13 @@ spec:
                           metricsEnabled:
                             default: true
                             type: boolean
+                          metricsTLS:
+                            properties:
+                              caBundleSecretName:
+                                type: string
+                              secretName:
+                                type: string
+                            type: object
                           nThreads:
                             default: 1
                             format: int32
diff --git a/apis/go.mod b/apis/go.mod
@@ -144,3 +144,5 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.13 //allow-merging
 replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
+
+replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53
diff --git a/apis/go.sum b/apis/go.sum
@@ -78,6 +78,8 @@ github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE
 github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53 h1:Ph5lDvRqiA5xHf35myJp51txhyADB8OY9jPqgA3oFlk=
+github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53/go.mod h1:RTW7SRp+Fn8JmIjdOgLl3GB3tTAhnI0q2XgauR1eEUM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
@@ -150,8 +152,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251007102453-
 github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251007102453-ebfa5abc85f9/go.mod h1:9hVb6W4F+QOsScCF69O+y0DREQOYZNRHB3pAWNgdr9M=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251007160653-73411ba26222 h1:6njT8VlvIBKuii7AEQumhqnI8u0dgoYkX8Rf7jcPySw=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251007160653-73411ba26222/go.mod h1:StWvPTGwPxvaC5T+6qCEFVGlU1/en80J1pYijplyKZE=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251009064229-83a344ba9732 h1:n8VE9b+geiFr6z3j6Ys6stT2ntSWDGeB8Pp2odf82fA=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251009064229-83a344ba9732/go.mod h1:9A4u8gHLl+PeEfcqweyyIdUGRap3j95oTlkRhw6FDa0=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251006102217-a0180c9d1d51 h1:+uy6b+pzHzib8OtjXex+mYsWMZc41P327Lima/TtAOM=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251006102217-a0180c9d1d51/go.mod h1:tT7pLlledNe6qxzJPmgG4Vt3y8C8hjlUli0rPBeAiz0=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -12116,6 +12116,13 @@ spec:
                           metricsEnabled:
                             default: true
                             type: boolean
+                          metricsTLS:
+                            properties:
+                              caBundleSecretName:
+                                type: string
+                              secretName:
+                                type: string
+                            type: object
                           networkAttachment:
                             type: string
                           nicMappings:
@@ -12195,6 +12202,13 @@ spec:
                             metricsEnabled:
                               default: true
                               type: boolean
+                            metricsTLS:
+                              properties:
+                                caBundleSecretName:
+                                  type: string
+                                secretName:
+                                  type: string
+                              type: object
                             networkAttachment:
                               type: string
                             nodeSelector:
@@ -12323,6 +12337,13 @@ spec:
                           metricsEnabled:
                             default: true
                             type: boolean
+                          metricsTLS:
+                            properties:
+                              caBundleSecretName:
+                                type: string
+                              secretName:
+                                type: string
+                            type: object
                           nThreads:
                             default: 1
                             format: int32
diff --git a/controllers/core/openstackcontrolplane_controller.go b/controllers/core/openstackcontrolplane_controller.go
@@ -370,7 +370,7 @@ func (r *OpenStackControlPlaneReconciler) Reconcile(ctx context.Context, req ctr
 }
 
 func (r *OpenStackControlPlaneReconciler) reconcileOVNControllers(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *common_helper.Helper) (ctrl.Result, error) {
-	OVNControllerReady, OVNControllerConditions, err := openstack.ReconcileOVNController(ctx, instance, version, helper)
+	OVNControllerReady, OVNControllerConditions, err := openstack.ReconcileOVNController(ctx, instance, version, helper, "")
 	if err != nil {
 		return ctrl.Result{}, err
 	} else if !OVNControllerReady {
diff --git a/go.mod b/go.mod
@@ -154,3 +154,5 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.13 //allow-merging
 replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
+
+replace github.com/openstack-k8s-operators/ovn-operator/api => github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53
diff --git a/go.sum b/go.sum
@@ -82,6 +82,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7 h1:z4P744DR+PIpkjwXSEc6TvN3L6LVzmUquFgmNm8wSUc=
 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7/go.mod h1:CM7HAH5PNuIsqjMN0fGc1ydM74Uj+0VZFhob620nklw=
+github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53 h1:Ph5lDvRqiA5xHf35myJp51txhyADB8OY9jPqgA3oFlk=
+github.com/karelyatin/ovn-operator/api v0.0.0-20251016110332-fa590079ed53/go.mod h1:RTW7SRp+Fn8JmIjdOgLl3GB3tTAhnI0q2XgauR1eEUM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
@@ -160,8 +162,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251007102453-
 github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251007102453-ebfa5abc85f9/go.mod h1:9hVb6W4F+QOsScCF69O+y0DREQOYZNRHB3pAWNgdr9M=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251007160653-73411ba26222 h1:6njT8VlvIBKuii7AEQumhqnI8u0dgoYkX8Rf7jcPySw=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251007160653-73411ba26222/go.mod h1:StWvPTGwPxvaC5T+6qCEFVGlU1/en80J1pYijplyKZE=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251009064229-83a344ba9732 h1:n8VE9b+geiFr6z3j6Ys6stT2ntSWDGeB8Pp2odf82fA=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251009064229-83a344ba9732/go.mod h1:9A4u8gHLl+PeEfcqweyyIdUGRap3j95oTlkRhw6FDa0=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251006102217-a0180c9d1d51 h1:+uy6b+pzHzib8OtjXex+mYsWMZc41P327Lima/TtAOM=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251006102217-a0180c9d1d51/go.mod h1:tT7pLlledNe6qxzJPmgG4Vt3y8C8hjlUli0rPBeAiz0=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
@@ -38,27 +38,30 @@ func ReconcileOVN(ctx context.Context, instance *corev1beta1.OpenStackControlPla
 	}
 
 	// Create TLS certificate for OVN metrics services when TLS is enabled
+	var ovnMetricsCertName string
 	if instance.Spec.Ovn.Enabled && instance.Spec.TLS.PodLevel.Enabled {
-		if err := EnsureOVNMetricsCert(ctx, instance, helper); err != nil {
+		var err error
+		ovnMetricsCertName, err = EnsureOVNMetricsCert(ctx, instance, helper)
+		if err != nil {
 			Log.Error(err, "Failed to ensure OVN metrics certificate")
 			setOVNReadyError(instance, err)
 			return ctrl.Result{}, err
 		}
 	}
 
-	OVNDBClustersReady, OVNDBClustersConditions, err := ReconcileOVNDbClusters(ctx, instance, version, helper)
+	OVNDBClustersReady, OVNDBClustersConditions, err := ReconcileOVNDbClusters(ctx, instance, version, helper, ovnMetricsCertName)
 	if err != nil {
 		Log.Error(err, "Failed to reconcile OVNDBClusters")
 		setOVNReadyError(instance, err)
 	}
 
-	OVNNorthdReady, OVNNorthdConditions, err := ReconcileOVNNorthd(ctx, instance, version, helper)
+	OVNNorthdReady, OVNNorthdConditions, err := ReconcileOVNNorthd(ctx, instance, version, helper, ovnMetricsCertName)
 	if err != nil {
 		Log.Error(err, "Failed to reconcile OVNNorthd")
 		setOVNReadyError(instance, err)
 	}
 
-	OVNControllerReady, OVNControllerConditions, err := ReconcileOVNController(ctx, instance, version, helper)
+	OVNControllerReady, OVNControllerConditions, err := ReconcileOVNController(ctx, instance, version, helper, ovnMetricsCertName)
 	if err != nil {
 		Log.Error(err, "Failed to reconcile OVNController")
 		setOVNReadyError(instance, err)
@@ -120,7 +123,7 @@ func ReconcileOVN(ctx context.Context, instance *corev1beta1.OpenStackControlPla
 }
 
 // ReconcileOVNDbClusters reconciles the OVN database clusters for the OpenStack control plane
-func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (bool, condition.Conditions, error) {
+func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper, ovnMetricsCertName string) (bool, condition.Conditions, error) {
 	Log := GetLogger(ctx)
 	dnsSuffix := clusterdns.GetDNSClusterDomain()
 	conditions := condition.Conditions{}
@@ -199,6 +202,12 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 			dbcluster.TLS.SecretName = &certSecret.Name
 		}
 
+		// Set MetricsTLS configuration if TLS is enabled and metrics cert is available
+		if instance.Spec.TLS.PodLevel.Enabled && ovnMetricsCertName != "" {
+			dbcluster.MetricsTLS.SecretName = &ovnMetricsCertName
+			dbcluster.MetricsTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+		}
+
 		if dbcluster.NodeSelector == nil {
 			dbcluster.NodeSelector = &instance.Spec.NodeSelector
 		}
@@ -259,7 +268,7 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 }
 
 // ReconcileOVNNorthd reconciles the OVN Northd service for the OpenStack control plane
-func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (bool, condition.Conditions, error) {
+func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper, ovnMetricsCertName string) (bool, condition.Conditions, error) {
 	Log := GetLogger(ctx)
 	conditions := condition.Conditions{}
 
@@ -334,6 +343,12 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 	}
 	ovnNorthdSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 
+	// Set MetricsTLS configuration if TLS is enabled and metrics cert is available
+	if instance.Spec.TLS.PodLevel.Enabled && ovnMetricsCertName != "" {
+		ovnNorthdSpec.MetricsTLS.SecretName = &ovnMetricsCertName
+		ovnNorthdSpec.MetricsTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+	}
+
 	if ovnNorthdSpec.NodeSelector == nil {
 		ovnNorthdSpec.NodeSelector = &instance.Spec.NodeSelector
 	}
@@ -386,7 +401,7 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 }
 
 // ReconcileOVNController reconciles the OVN Controller service for the OpenStack control plane
-func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (bool, condition.Conditions, error) {
+func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper, ovnMetricsCertName string) (bool, condition.Conditions, error) {
 	Log := GetLogger(ctx)
 	conditions := condition.Conditions{}
 
@@ -473,6 +488,12 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 	}
 	ovnControllerSpec.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 
+	// Set MetricsTLS configuration if TLS is enabled and metrics cert is available
+	if instance.Spec.TLS.PodLevel.Enabled && ovnMetricsCertName != "" {
+		ovnControllerSpec.MetricsTLS.SecretName = &ovnMetricsCertName
+		ovnControllerSpec.MetricsTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
+	}
+
 	if ovnControllerSpec.NodeSelector == nil {
 		ovnControllerSpec.NodeSelector = &instance.Spec.NodeSelector
 	}
@@ -568,7 +589,7 @@ func OVNNorthImageMatch(ctx context.Context, controlPlane *corev1beta1.OpenStack
 }
 
 // EnsureOVNMetricsCert creates TLS certificate for OVN metrics services
-func EnsureOVNMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, helper *helper.Helper) error {
+func EnsureOVNMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, helper *helper.Helper) (string, error) {
 	Log := GetLogger(ctx)
 
 	dnsSuffix := clusterdns.GetDNSClusterDomain()
@@ -606,12 +627,12 @@ func EnsureOVNMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackCo
 		certRequest,
 		nil)
 	if err != nil {
-		return err
+		return "", err
 	} else if (ctrlResult != ctrl.Result{}) {
 		Log.Info("OVN metrics certificate creation in progress", "certificate", certRequest.CertName)
-		return fmt.Errorf("OVN metrics certificate creation in progress")
+		return "", fmt.Errorf("OVN metrics certificate creation in progress")
 	}
 
 	Log.Info("OVN metrics certificate ensured", "secret", certSecret.Name, "certificate", certRequest.CertName)
-	return nil
+	return certSecret.Name, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -370,7 +370,7 @@ func (r *OpenStackControlPlaneReconciler) Reconcile(ctx context.Context, req ctr`
`370`	`370`	`}`
`371`	`371`
`372`	`372`	`func (r OpenStackControlPlaneReconciler) reconcileOVNControllers(ctx context.Context, instance corev1beta1.OpenStackControlPlane, version corev1beta1.OpenStackVersion, helper common_helper.Helper) (ctrl.Result, error) {`
`373`		`- OVNControllerReady, OVNControllerConditions, err := openstack.ReconcileOVNController(ctx, instance, version, helper)`
	`373`	`+ OVNControllerReady, OVNControllerConditions, err := openstack.ReconcileOVNController(ctx, instance, version, helper, "")`
`374`	`374`	`if err != nil {`
`375`	`375`	`return ctrl.Result{}, err`
`376`	`376`	`} else if !OVNControllerReady {`