Add TLS certificate for InstanceHA metrics endpoint

lmiccini · claude · lmiccini · commit 92fc786f9920 · 2026-05-28T07:09:01.000+02:00
Create a cert-manager Certificate for the InstanceHA metrics service
when pod-level TLS is enabled. The certificate uses the internal issuer
with wildcard hostnames for the namespace, following the same pattern
as EnsureOVNMetricsCert. The resulting secret (cert-instanceha-metrics)
is consumed by the infra-operator InstanceHA controller.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/openstack/instanceha.go b/internal/openstack/instanceha.go
@@ -2,7 +2,11 @@ package openstack
 
 import (
 	"context"
+	"fmt"
 
+	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -21,6 +25,22 @@ const (
 
 // ReconcileInstanceHa reconciles the instance HA configuration for the OpenStack control plane
 func ReconcileInstanceHa(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, version *corev1beta1.OpenStackVersion, helper *helper.Helper) (ctrl.Result, error) {
+	Log := GetLogger(ctx)
+
+	if instance.Spec.TLS.PodLevel.Enabled {
+		_, err := EnsureInstanceHAMetricsCert(ctx, instance, helper)
+		if err != nil {
+			Log.Error(err, "Failed to ensure InstanceHA metrics certificate")
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				corev1beta1.OpenStackControlPlaneInstanceHaCMReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				corev1beta1.OpenStackControlPlaneInstanceHaCMReadyErrorMessage,
+				err.Error()))
+			return ctrl.Result{}, err
+		}
+	}
+
 	customData := map[string]string{
 		InstanceHaImageKey: *getImg(version.Status.ContainerImages.OpenstackClientImage, &missingImageDefault),
 	}
@@ -54,3 +74,48 @@ func ReconcileInstanceHa(ctx context.Context, instance *corev1beta1.OpenStackCon
 
 	return ctrl.Result{}, nil
 }
+
+// EnsureInstanceHAMetricsCert creates a TLS certificate for InstanceHA metrics services
+func EnsureInstanceHAMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, helper *helper.Helper) (string, error) {
+	Log := GetLogger(ctx)
+
+	dnsSuffix := clusterdns.GetDNSClusterDomain()
+
+	certRequest := certmanager.CertificateRequest{
+		IssuerName: instance.GetInternalIssuer(),
+		CertName:   "instanceha-metrics",
+		Hostnames: []string{
+			fmt.Sprintf("*.%s.svc", instance.Namespace),
+			fmt.Sprintf("*.%s.svc.%s", instance.Namespace, dnsSuffix),
+		},
+		Ips: nil,
+		Usages: []certmgrv1.KeyUsage{
+			certmgrv1.UsageKeyEncipherment,
+			certmgrv1.UsageDigitalSignature,
+			certmgrv1.UsageServerAuth,
+		},
+		Labels: map[string]string{ServiceCertSelector: ""},
+	}
+
+	if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
+		certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
+	}
+	if instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore != nil {
+		certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Internal.Cert.RenewBefore.Duration
+	}
+
+	certSecret, ctrlResult, err := certmanager.EnsureCert(
+		ctx,
+		helper,
+		certRequest,
+		nil)
+	if err != nil {
+		return "", err
+	} else if (ctrlResult != ctrl.Result{}) {
+		Log.Info("InstanceHA metrics certificate creation in progress", "certificate", certRequest.CertName)
+		return "", fmt.Errorf("InstanceHA metrics certificate creation in progress")
+	}
+
+	Log.Info("InstanceHA metrics certificate ensured", "secret", certSecret.Name, "certificate", certRequest.CertName)
+	return certSecret.Name, nil
+}
