[northd][ovncontroller] Make certificate honor pod services names

karelyatin · karelyatin · commit 26a31c9a28ab · 2025-08-20T18:34:20.000+05:30
As part of Metrics TLS support in the Related-Issue, exporter will
be enabled per pod, so need to update certificates honor those
service names.

Related-Issue: OSPRH-12568
diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
@@ -234,9 +234,10 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", "ovnnorthd"),
+			// Cert needs to be valid for the individual pod services in the deployment so make this a wildcard cert
 			Hostnames: []string{
-				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
-				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
+				fmt.Sprintf("%s*.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s*.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
 			},
 			Ips: nil,
 			Usages: []certmgrv1.KeyUsage{
@@ -365,9 +366,10 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 		certRequest := certmanager.CertificateRequest{
 			IssuerName: instance.GetOvnIssuer(),
 			CertName:   fmt.Sprintf("%s-ovndbs", "ovncontroller"),
+			// Cert needs to be valid for the individual pod services in the daemonset so make this a wildcard cert
 			Hostnames: []string{
-				fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace),
-				fmt.Sprintf("%s.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
+				fmt.Sprintf("%s*.%s.svc", serviceName, instance.Namespace),
+				fmt.Sprintf("%s*.%s.svc.%s", serviceName, instance.Namespace, dnsSuffix),
 			},
 			Ips: nil,
 			Usages: []certmgrv1.KeyUsage{
