Generate OVN RBAC PKI

slawqo · slawqo · commit 507f58b8168b · 2026-04-29T16:39:53.000+02:00
This patch adds generation of the rootca-ovn-rbac issuer which is
used by the ovn-operator to sign per-node ovn-controller RBAC
certificates. This CA is intentionally not added to the combined
CA bundle as it is only used between the SB database and
ovn-controller nodes.

When TLS is enabled, the reconciler passes the RBAC CA cert secret
name to the SB DB cluster and the RBAC issuer name to OVNController
so the ovn-operator can create cert-manager Certificate resources
and verify client connections.

Related: #OSPRH-1921
Related: #OSPRH-1922

Signed-off-by: Slawek Kaplonski &lt;skaplons@redhat.com&gt;
diff --git a/api/bases/core.openstack.org_openstackcontrolplanes.yaml b/api/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -13083,6 +13083,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13217,6 +13219,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32
diff --git a/api/core/v1beta1/openstackcontrolplane_types.go b/api/core/v1beta1/openstackcontrolplane_types.go
@@ -61,6 +61,8 @@ const (
 	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
 	// LibvirtCaName -
 	LibvirtCaName = tls.DefaultCAPrefix + "libvirt"
+	// OvnRbacCaName -
+	OvnRbacCaName = tls.DefaultCAPrefix + "ovn-rbac"
 
 	// GlanceName - Default Glance name
 	GlanceName = "glance"
@@ -1244,6 +1246,11 @@ func (instance OpenStackControlPlane) GetOvnIssuer() string {
 	return OvnDbCaName
 }
 
+// GetOvnRbacIssuer - returns the OVN RBAC CA issuer name
+func (instance OpenStackControlPlane) GetOvnRbacIssuer() string {
+	return OvnRbacCaName
+}
+
 // GetLibvirtIssuer - returns the libvirt CA issuer name or custom if configured
 func (instance OpenStackControlPlane) GetLibvirtIssuer() string {
 	// use custom issuer if set
diff --git a/bindata/crds/crds.yaml b/bindata/crds/crds.yaml
@@ -13617,6 +13617,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13751,6 +13753,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32
diff --git a/bindata/crds/ovn.openstack.org_ovncontrollers.yaml b/bindata/crds/ovn.openstack.org_ovncontrollers.yaml
@@ -164,6 +164,13 @@ spec:
                 description: OVSLogLevel - Set log level off, emer, err, warn, info,
                   or dbg. Default is info.
                 type: string
+              rbacIssuerName:
+                description: |-
+                  RbacIssuerName - The name of the cert-manager Issuer used to sign
+                  per-node ovn-controller RBAC certificates. When set, the controller
+                  creates cert-manager Certificate resources for each node instead of
+                  signing certificates locally with the CA key.
+                type: string
               resources:
                 description: |-
                   Resources - Compute Resources required by this service (Limits/Requests).
diff --git a/bindata/crds/ovn.openstack.org_ovndbclusters.yaml b/bindata/crds/ovn.openstack.org_ovndbclusters.yaml
@@ -266,6 +266,12 @@ spec:
                   Active probe interval from standby to active ovsdb-server remote
                 format: int32
                 type: integer
+              rbacCACertSecretName:
+                description: |-
+                  RbacCACertSecretName - The name of the K8s Secret containing the RBAC
+                  PKI CA certificate (tls.crt). Used by the SB database to verify
+                  ovn-controller client certificates when RBAC is enabled.
+                type: string
               replicas:
                 default: 1
                 description: Replicas of OVN DBCluster to run
diff --git a/bindata/rbac/ovn-operator-rbac.yaml b/bindata/rbac/ovn-operator-rbac.yaml
@@ -127,6 +127,26 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - certificates
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - issuers
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - k8s.cni.cncf.io
   resources:
diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -13083,6 +13083,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13217,6 +13219,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32
diff --git a/go.mod b/go.mod
@@ -181,3 +181,5 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging
 replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
+
+replace github.com/openstack-k8s-operators/ovn-operator/api => ../ovn-operator/api
diff --git a/go.sum b/go.sum
@@ -180,8 +180,6 @@ github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260413082059-
 github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260413082059-d107b5bac378/go.mod h1:XO02J/MSp7f+HMyoT5xImUvTtDvDY4SgG2mi+nwdTMY=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260413094947-83f411fa655c h1:77hLym7nButLmaRm2aKozn0kW2WmrAaaYpx/HWHlUzc=
 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260413094947-83f411fa655c/go.mod h1:WKiIsGtY1q6VbpSa8QmOY3rYFpI061hwqYVFnAFfiFI=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260416085208-12e49450bfee h1:XoxZ0HVNN6uarOM8Nt2WFAsaS1JEbX+kHS8FCTJgqvM=
-github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260416085208-12e49450bfee/go.mod h1:wtnlbYH3u8jHHKltKDCf0ILNtCe7ZnOJSreSGXCbb2w=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260413090520-f18a11875c1d h1:ZvVIq5E/F82tqQckheo3WnL6XywTPc+PiJWyrllkyVo=
 github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260413090520-f18a11875c1d/go.mod h1:34ka8QoEZ2LFmJv6wO5l9U29f9Kd1vizVzbkzRQnwVA=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc=
diff --git a/internal/openstack/ca.go b/internal/openstack/ca.go
@@ -408,6 +408,41 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		}
 	}
 
+	// create CA for OVN RBAC (used to sign per-node ovn-controller certificates)
+	// This CA is NOT added to the combined CA bundle — it is only used between
+	// the SB database (to verify ovn-controller client certs) and the
+	// ovn-controller nodes (whose certs are signed by this CA via cert-manager).
+	issuerLabels = map[string]string{rootCAIssuerOvnRbacLabel: ""}
+	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Ovn.Cert)
+	err = removeIssuerLabel(
+		ctx,
+		helper,
+		corev1.OvnRbacCaName,
+		instance.Namespace,
+		issuerLabels,
+	)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
+	ctrlResult, err = ensureRootCA(
+		ctx,
+		instance,
+		helper,
+		issuerReq,
+		corev1.OvnRbacCaName,
+		issuerLabels,
+		issuerAnnotations,
+		bundle,
+		caOnlyBundle,
+		instance.Spec.TLS.PodLevel.Ovn.Ca,
+	)
+	if err != nil {
+		return ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
+	}
+
 	// create/update combined CA secret
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		caSecret, _, err := secret.GetSecret(ctx, helper, instance.Spec.TLS.CaBundleSecretName, instance.Namespace)
diff --git a/internal/openstack/common.go b/internal/openstack/common.go
@@ -70,6 +70,10 @@ const (
 	// caCertSelector selector passed to cert-manager to set on the ca cert secret
 	caCertSelector = "ca-cert"
 
+	// rootCAIssuerOvnRbacLabel labels the OVN RBAC CA issuer.
+	// TODO: upstream this to lib-common certmanager module alongside the other RootCAIssuer*Label constants.
+	rootCAIssuerOvnRbacLabel = "osp-rootca-issuer-ovn-rbac"
+
 	// ReconcileTriggerAnnotation - Generic annotation to trigger reconciliation and webhook.
 	// Value is typically a timestamp to ensure annotation changes trigger updates
 	// Used by controller to trigger UPDATE webhook when needed (e.g., for service name caching, field migrations)
diff --git a/internal/openstack/ovn.go b/internal/openstack/ovn.go
@@ -208,6 +208,12 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 			dbcluster.MetricsTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 		}
 
+		// Pass the RBAC CA cert secret name to SB DB clusters so they can
+		// build a combined CA bundle for verifying ovn-controller client certs
+		if instance.Spec.TLS.PodLevel.Enabled && dbcluster.DBType == ovnv1.SBDBType {
+			dbcluster.RbacCACertSecretName = corev1beta1.OvnRbacCaName
+		}
+
 		if dbcluster.NodeSelector == nil {
 			dbcluster.NodeSelector = &instance.Spec.NodeSelector
 		}
@@ -493,6 +499,12 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 		ovnControllerSpec.MetricsTLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName
 	}
 
+	// Pass the RBAC CA issuer name so the OVNController can create per-node
+	// cert-manager Certificate resources for OVN RBAC
+	if instance.Spec.TLS.PodLevel.Enabled {
+		ovnControllerSpec.RbacIssuerName = instance.GetOvnRbacIssuer()
+	}
+
 	if ovnControllerSpec.NodeSelector == nil {
 		ovnControllerSpec.NodeSelector = &instance.Spec.NodeSelector
 	}
diff --git a/test/functional/ctlplane/base_test.go b/test/functional/ctlplane/base_test.go
@@ -86,6 +86,7 @@ type Names struct {
 	RootCAPublicName                     types.NamespacedName
 	RootCAInternalName                   types.NamespacedName
 	RootCAOvnName                        types.NamespacedName
+	RootCAOvnRbacName                    types.NamespacedName
 	RootCALibvirtName                    types.NamespacedName
 	SelfSignedIssuerName                 types.NamespacedName
 	CustomIssuerName                     types.NamespacedName
@@ -97,7 +98,9 @@ type Names struct {
 	OVNControllerName                    types.NamespacedName
 	OVNControllerCertName                types.NamespacedName
 	OVNDbServerNBName                    types.NamespacedName
+	OVNDbServerNBCertName                types.NamespacedName
 	OVNDbServerSBName                    types.NamespacedName
+	OVNDbServerSBCertName                types.NamespacedName
 	OVNMetricsCertName                   types.NamespacedName
 	NeutronOVNCertName                   types.NamespacedName
 	OpenStackTopology                    []types.NamespacedName
@@ -131,6 +134,9 @@ func CreateNames(openstackControlplaneName types.NamespacedName) Names {
 		RootCAOvnName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "rootca-ovn"},
+		RootCAOvnRbacName: types.NamespacedName{
+			Namespace: openstackControlplaneName.Namespace,
+			Name:      "rootca-ovn-rbac"},
 		RootCALibvirtName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "rootca-libvirt"},
@@ -275,10 +281,18 @@ func CreateNames(openstackControlplaneName types.NamespacedName) Names {
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "ovndbcluster-nb",
 		},
+		OVNDbServerNBCertName: types.NamespacedName{
+			Namespace: openstackControlplaneName.Namespace,
+			Name:      "cert-ovndbcluster-nb-ovndbs",
+		},
 		OVNDbServerSBName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "ovndbcluster-sb",
 		},
+		OVNDbServerSBCertName: types.NamespacedName{
+			Namespace: openstackControlplaneName.Namespace,
+			Name:      "cert-ovndbcluster-sb-ovndbs",
+		},
 		OVNControllerName: types.NamespacedName{
 			Namespace: openstackControlplaneName.Namespace,
 			Name:      "ovncontroller",
diff --git a/test/functional/ctlplane/openstackoperator_controller_test.go b/test/functional/ctlplane/openstackoperator_controller_test.go
