Generate SSL cert for ovn and neutron services running on EDPM nodes

This patch adds generations of the individual  SSL certificate for each
EDPM node. Those certificates are signed with the cert from the OVN SB
DB and each of them have CN field set to `uuid5(hostname)` so that the
same uuid can be later set as `system-id` on the EDPM node. This is
mandatory to make OVN with RBAC working fine.

Generated certificates are stored in secret and mounted in the ansibleee
POD which provisions ovn-controller service. From there edpm-ansible
role can copy it to the EDPM nodes individually.

Related: #OSPRH-1921
Related: #OSPRH-1923
Related: #OSPRH-1924
Related: #OSPRH-1925

Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>

Author: slawqo

api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -151,13 +151,22 @@ spec:
                     OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for
                     a dataplane service
                   properties:
+                    commonName:
+                      description: |-
+                        CommonName overrides how the certificate Common Name is derived.
+                        When set to "system-id", the CN is a UUID5 derived from the node's
+                        ctlplane FQDN, matching the OVN chassis system-id convention.
+                        When empty, CN defaults to the short hostname.
+                      enum:
+                      - system-id
+                      type: string
                     contents:
                       description: |-
                         Contents of the certificate
-                        This is a list of strings for properties that are needed in the cert
+                        This is a list of strings for properties that are needed in the cert.
+                        May be empty for client-only certificates that require no SANs.
                       items:
                         type: string
-                      minItems: 1
                       type: array
                     edpmRoleServiceName:
                       description: |-
@@ -241,8 +250,6 @@ spec:
                         pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$
                         type: string
                       type: array
-                  required:
-                  - contents
                   type: object
                 description: TLSCerts tls certs to be generated
                 type: object

api/dataplane/v1beta1/openstackdataplaneservice_types.go

@@ -28,10 +28,10 @@ import (
 // a dataplane service
 type OpenstackDataPlaneServiceCert struct {
 	// Contents of the certificate
-	// This is a list of strings for properties that are needed in the cert
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:MinItems:=1
-	Contents []string `json:"contents"`
+	// This is a list of strings for properties that are needed in the cert.
+	// May be empty for client-only certificates that require no SANs.
+	// +kubebuilder:validation:Optional
+	Contents []string `json:"contents,omitempty"`
 
 	// Networks to include in SNI for the cert
 	// +kubebuilder:validation:Optional
@@ -46,6 +46,14 @@ type OpenstackDataPlaneServiceCert struct {
 	// +kubebuilder:validation:Optional
 	KeyUsages []certmgrv1.KeyUsage `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`
 
+	// CommonName overrides how the certificate Common Name is derived.
+	// When set to "system-id", the CN is a UUID5 derived from the node's
+	// ctlplane FQDN, matching the OVN chassis system-id convention.
+	// When empty, CN defaults to the short hostname.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=system-id
+	CommonName string `json:"commonName,omitempty"`
+
 	// EDPMRoleServiceName is the value of the <role>_service_name variable from
 	// the edpm-ansible role where this certificate is used. For example if the
 	// certificate is for edpm_ovn from edpm-ansible, EDPMRoleServiceName must be

bindata/crds/crds.yaml

@@ -21361,13 +21361,22 @@ spec:
                     OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for
                     a dataplane service
                   properties:
+                    commonName:
+                      description: |-
+                        CommonName overrides how the certificate Common Name is derived.
+                        When set to "system-id", the CN is a UUID5 derived from the node's
+                        ctlplane FQDN, matching the OVN chassis system-id convention.
+                        When empty, CN defaults to the short hostname.
+                      enum:
+                      - system-id
+                      type: string
                     contents:
                       description: |-
                         Contents of the certificate
-                        This is a list of strings for properties that are needed in the cert
+                        This is a list of strings for properties that are needed in the cert.
+                        May be empty for client-only certificates that require no SANs.
                       items:
                         type: string
-                      minItems: 1
                       type: array
                     edpmRoleServiceName:
                       description: |-
@@ -21451,8 +21460,6 @@ spec:
                         pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$
                         type: string
                       type: array
-                  required:
-                  - contents
                   type: object
                 description: TLSCerts tls certs to be generated
                 type: object

config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -151,13 +151,22 @@ spec:
                     OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for
                     a dataplane service
                   properties:
+                    commonName:
+                      description: |-
+                        CommonName overrides how the certificate Common Name is derived.
+                        When set to "system-id", the CN is a UUID5 derived from the node's
+                        ctlplane FQDN, matching the OVN chassis system-id convention.
+                        When empty, CN defaults to the short hostname.
+                      enum:
+                      - system-id
+                      type: string
                     contents:
                       description: |-
                         Contents of the certificate
-                        This is a list of strings for properties that are needed in the cert
+                        This is a list of strings for properties that are needed in the cert.
+                        May be empty for client-only certificates that require no SANs.
                       items:
                         type: string
-                      minItems: 1
                       type: array
                     edpmRoleServiceName:
                       description: |-
@@ -241,8 +250,6 @@ spec:
                         pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$
                         type: string
                       type: array
-                  required:
-                  - contents
                   type: object
                 description: TLSCerts tls certs to be generated
                 type: object

config/services/dataplane_v1beta1_openstackdataplaneservice_neutron_metadata.yaml

@@ -24,6 +24,12 @@ spec:
         - digital signature
         - key encipherment
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmNeutronMetadataAgentImage

config/services/dataplane_v1beta1_openstackdataplaneservice_neutron_ovn.yaml

@@ -25,6 +25,12 @@ spec:
         - digital signature
         - key encipherment
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmNeutronOvnAgentImage

config/services/dataplane_v1beta1_openstackdataplaneservice_ovn.yaml

@@ -20,6 +20,12 @@ spec:
         - key encipherment
         - server auth
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - OvnControllerImage

config/services/dataplane_v1beta1_openstackdataplaneservice_ovn_bgp_agent.yaml

@@ -23,6 +23,12 @@ spec:
         - key encipherment
         - server auth
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmOvnBgpAgentImage

internal/dataplane/cert.go

@@ -35,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/google/uuid"
 	infranetworkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -43,6 +44,17 @@ import (
 	dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1"
 )
 
+// CommonNameSystemID is the sentinel value for OpenstackDataPlaneServiceCert.CommonName
+// that triggers UUID5-based CN derivation matching the OVN chassis system-id convention.
+const CommonNameSystemID = "system-id"
+
+// computeSystemID derives a deterministic UUID5 from a name using the DNS
+// namespace, matching ovn-operator's ComputeSystemID() and edpm-ansible's
+// {{ name | to_uuid(namespace='6ba7b810-...') }}.
+func computeSystemID(name string) string {
+	return uuid.NewSHA1(uuid.NameSpaceDNS, []byte(name)).String()
+}
+
 // Generates an organized data structure that is leveraged to create the secrets.
 func createSecretsDataStructure(secretMaxSize int,
 	certsData map[string][]byte,
@@ -180,7 +192,12 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,
 				nodeName)
 		}
 
-		commonName := strings.Split(baseName, ".")[0]
+		var commonName string
+		if service.Spec.TLSCerts[certKey].CommonName == CommonNameSystemID {
+			commonName = computeSystemID(baseName)
+		} else {
+			commonName = strings.Split(baseName, ".")[0]
+		}
 
 		certSecret, result, err = GetTLSNodeCert(ctx, helper, instance, certName,
 			issuer, labels, commonName, hosts, ips, service.Spec.TLSCerts[certKey].KeyUsages)

internal/dataplane/cert_test.go

@@ -0,0 +1,110 @@
+package deployment
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestComputeSystemID(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "short hostname",
+			input:    "edpm-compute-0",
+			expected: computeSystemID("edpm-compute-0"),
+		},
+		{
+			name:     "FQDN",
+			input:    "edpm-compute-0.ctlplane.example.com",
+			expected: computeSystemID("edpm-compute-0.ctlplane.example.com"),
+		},
+		{
+			name:  "deterministic: same input always yields same output",
+			input: "edpm-compute-0",
+		},
+		{
+			name:  "different inputs yield different outputs",
+			input: "edpm-compute-1",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := computeSystemID(tt.input)
+
+			// Must be non-empty
+			assert.NotEmpty(t, result)
+
+			// Must be deterministic
+			assert.Equal(t, result, computeSystemID(tt.input),
+				"computeSystemID must be deterministic")
+
+			if tt.expected != "" {
+				assert.Equal(t, tt.expected, result)
+			}
+		})
+	}
+
+	// Different inputs must produce different UUIDs
+	id0 := computeSystemID("edpm-compute-0")
+	id1 := computeSystemID("edpm-compute-1")
+	assert.NotEqual(t, id0, id1,
+		"different hostnames must produce different system IDs")
+
+	// Verify format is a valid UUID (8-4-4-4-12 hex)
+	assert.Regexp(t, `^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`,
+		computeSystemID("test-node"),
+		"computeSystemID must return a valid UUID string")
+}
+
+func TestCreateSecretsDataStructure(t *testing.T) {
+	tests := []struct {
+		name           string
+		secretMaxSize  int
+		certsData      map[string][]byte
+		expectedChunks int
+	}{
+		{
+			name:          "single node fits in one secret",
+			secretMaxSize: 1048576,
+			certsData: map[string][]byte{
+				"node1-ca.crt":  []byte("ca-cert-data"),
+				"node1-tls.crt": []byte("tls-cert-data"),
+				"node1-tls.key": []byte("tls-key-data"),
+			},
+			expectedChunks: 1,
+		},
+		{
+			name:          "small max size forces multiple secrets",
+			secretMaxSize: 1,
+			certsData: map[string][]byte{
+				"node1-ca.crt":  []byte("ca-cert-data"),
+				"node1-tls.crt": []byte("tls-cert-data"),
+				"node1-tls.key": []byte("tls-key-data"),
+				"node2-ca.crt":  []byte("ca-cert-data"),
+				"node2-tls.crt": []byte("tls-cert-data"),
+				"node2-tls.key": []byte("tls-key-data"),
+			},
+			expectedChunks: 2,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := createSecretsDataStructure(tt.secretMaxSize, tt.certsData)
+			assert.Equal(t, tt.expectedChunks, len(result))
+
+			// Verify all data is present across chunks
+			totalKeys := 0
+			for _, chunk := range result {
+				totalKeys += len(chunk)
+			}
+			assert.Equal(t, len(tt.certsData), totalKeys,
+				"all cert data must be present across chunks")
+		})
+	}
+}