Add TLS and NetworkPolicy for MCP sidecar service

Enable TLS on the MCP sidecar service using cert-manager with the
internal CA issuer. When CaBundleSecretName is set (indicating TLS is
active on the control plane), the controller provisions a TLS certificate
for the MCP service DNS names via certmanager.EnsureCert(), mounts the
cert secret into the MCP sidecar container at /etc/pki/tls/mcp/, and
switches the service port from 8080 to 8443. The rhos-mcps config is
updated to include TLS cert/key paths and use https for allowed origins.

Add a Kubernetes NetworkPolicy that restricts ingress to the MCP port
so that only pods labeled app.kubernetes.io/name=openstackassistant can
connect, preventing unauthorized access to the MCP server.

Changes:
- internal/openstackclient/funcs.go: Add mcpTLSSecretName param to
  ClientPodSpec() for TLS secret volume mount; add tlsEnabled param to
  MCPConfigYAML() for TLS cert/key config and port selection
- internal/controller/client/openstackclient_controller.go: Look up
  internal CA issuer by label, provision TLS cert, create NetworkPolicy,
  add RBAC markers for cert-manager.io and networking.k8s.io resources,
  register NetworkPolicy as owned resource
- config/rbac/role.yaml, bindata/: Regenerated via make manifests and
  make bindata

Author: dprince

bindata/rbac/rbac.yaml

@@ -695,6 +695,18 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - neutron.openstack.org
   resources:

config/rbac/role.yaml

@@ -575,6 +575,18 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - neutron.openstack.org
   resources:

internal/controller/client/openstackclient_controller.go

@@ -23,11 +23,14 @@ import (
 	"github.com/go-logr/logr"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes"
@@ -41,7 +44,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -83,6 +88,9 @@ func (r *OpenStackClientReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch;patch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile -
 func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
@@ -308,7 +316,53 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
 
 	// Reconcile MCP sidecar resources when enabled
+	mcpTLSSecretName := ""
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
+		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
+
+		if mcpTLSEnabled {
+			issuer, err := certmanager.GetIssuerByLabels(
+				ctx, helper,
+				instance.Namespace,
+				map[string]string{certmanager.RootCAIssuerInternalLabel: ""},
+			)
+			if err != nil {
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					clientv1.OpenStackClientReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					clientv1.OpenStackClientReadyErrorMessage,
+					err.Error()))
+				return ctrl.Result{}, err
+			}
+
+			clusterDomain := clusterdns.GetDNSClusterDomain()
+			mcpSvcName := instance.Name + "-mcp"
+			certRequest := certmanager.CertificateRequest{
+				IssuerName: issuer.Name,
+				CertName:   mcpSvcName + "-tls",
+				Hostnames: []string{
+					fmt.Sprintf("%s.%s.svc", mcpSvcName, instance.Namespace),
+					fmt.Sprintf("%s.%s.svc.%s", mcpSvcName, instance.Namespace, clusterDomain),
+				},
+				Labels: map[string]string{},
+			}
+			certSecret, ctrlResult, err := certmanager.EnsureCert(ctx, helper, certRequest, instance)
+			if err != nil {
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					clientv1.OpenStackClientReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					clientv1.OpenStackClientReadyErrorMessage,
+					err.Error()))
+				return ctrlResult, err
+			} else if (ctrlResult != ctrl.Result{}) {
+				return ctrlResult, nil
+			}
+			mcpTLSSecretName = certSecret.Name
+			configVars[mcpTLSSecretName] = env.SetValue(certSecret.ResourceVersion)
+		}
+
 		mcpConfigCM := &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp-config",
@@ -317,14 +371,14 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		_, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpConfigCM, func() error {
 			mcpConfigCM.Data = map[string]string{
-				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName),
+				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
 			}
 			return controllerutil.SetControllerReference(instance, mcpConfigCM, r.Scheme)
 		})
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP config ConfigMap: %w", err)
 		}
-		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName))
+		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled))
 
 	}
 
@@ -335,6 +389,12 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	// Reconcile MCP Service after configVarsHash so the hash annotation captures all config changes
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
+		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
+		mcpPort := int32(8080)
+		if mcpTLSEnabled {
+			mcpPort = 8443
+		}
+
 		mcpService := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp",
@@ -344,7 +404,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 			"containerImage":    instance.Spec.ContainerImage,
 			"mcpContainerImage": instance.Spec.MCP.ContainerImage,
-			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName),
+			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
 			"configVarsHash":    configVarsHash,
 		})
 		if err != nil {
@@ -359,7 +419,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			mcpService.Spec.Ports = []corev1.ServicePort{
 				{
 					Name:     "mcp",
-					Port:     8080,
+					Port:     mcpPort,
 					Protocol: corev1.ProtocolTCP,
 				},
 			}
@@ -368,6 +428,47 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP Service: %w", err)
 		}
+
+		// NetworkPolicy to restrict MCP access to openstackassistant pods only
+		mcpNetPolicy := &networkingv1.NetworkPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      instance.Name + "-mcp",
+				Namespace: instance.Namespace,
+			},
+		}
+		_, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpNetPolicy, func() error {
+			mcpNetPolicy.Spec = networkingv1.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: clientLabels,
+				},
+				Ingress: []networkingv1.NetworkPolicyIngressRule{
+					{
+						From: []networkingv1.NetworkPolicyPeer{
+							{
+								PodSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{
+										common.AppSelector: "openstackassistant",
+									},
+								},
+							},
+						},
+						Ports: []networkingv1.NetworkPolicyPort{
+							{
+								Port:     &intstr.IntOrString{Type: intstr.Int, IntVal: mcpPort},
+								Protocol: ptr.To(corev1.ProtocolTCP),
+							},
+						},
+					},
+				},
+				PolicyTypes: []networkingv1.PolicyType{
+					networkingv1.PolicyTypeIngress,
+				},
+			}
+			return controllerutil.SetControllerReference(instance, mcpNetPolicy, r.Scheme)
+		})
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("error creating MCP NetworkPolicy: %w", err)
+		}
 	}
 
 	osclient := &corev1.Pod{
@@ -377,7 +478,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		},
 	}
 
-	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash)
+	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash, mcpTLSSecretName)
 
 	podSpecHash, err := util.ObjectHash(spec)
 	if err != nil {
@@ -571,6 +672,7 @@ func (r *OpenStackClientReconciler) SetupWithManager(
 		Owns(&corev1.ServiceAccount{}).
 		Owns(&corev1.ConfigMap{}).
 		Owns(&corev1.Service{}).
+		Owns(&networkingv1.NetworkPolicy{}).
 		Owns(&rbacv1.Role{}).
 		Owns(&rbacv1.RoleBinding{}).
 		Watches(

internal/openstackclient/funcs.go

@@ -34,6 +34,7 @@ func ClientPodSpec(
 	instance *clientv1.OpenStackClient,
 	helper *helper.Helper,
 	configHash string,
+	mcpTLSSecretName string,
 ) corev1.PodSpec {
 	envVars := map[string]env.Setter{}
 	envVars["OS_CLOUD"] = env.SetValue("default")
@@ -135,6 +136,24 @@ func ClientPodSpec(
 			mcpVolumeMounts = append(mcpVolumeMounts, instance.Spec.CreateVolumeMounts(nil)...)
 		}
 
+		mcpPort := int32(8080)
+		if mcpTLSSecretName != "" {
+			mcpPort = 8443
+			mcpVolumeMounts = append(mcpVolumeMounts, corev1.VolumeMount{
+				Name:      "mcp-tls",
+				MountPath: "/etc/pki/tls/mcp",
+				ReadOnly:  true,
+			})
+			podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+				Name: "mcp-tls",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: mcpTLSSecretName,
+					},
+				},
+			})
+		}
+
 		podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
 			Name: "mcp-config",
 			VolumeSource: corev1.VolumeSource{
@@ -156,7 +175,7 @@ func ClientPodSpec(
 				{Name: "OS_CLIENT_CONFIG_FILE", Value: "/home/cloud-admin/.config/openstack/clouds.yaml"},
 			},
 			Ports: []corev1.ContainerPort{
-				{Name: "mcp", ContainerPort: 8080, Protocol: corev1.ProtocolTCP},
+				{Name: "mcp", ContainerPort: mcpPort, Protocol: corev1.ProtocolTCP},
 			},
 			SecurityContext: &corev1.SecurityContext{
 				RunAsUser:                ptr.To[int64](42401),
@@ -179,24 +198,35 @@ func ClientPodSpec(
 }
 
 // MCPConfigYAML returns the rhos-mcps config.yaml content for the MCP sidecar
-func MCPConfigYAML(caBundleSecretName string) string {
+func MCPConfigYAML(caBundleSecretName string, tlsEnabled bool) string {
 	caCert := ""
 	if caBundleSecretName != "" {
 		caCert = fmt.Sprintf("\n  ca_cert: %s", tls.DownstreamTLSCABundlePath)
 	}
-	return fmt.Sprintf(`port: 8080
+	port := "8080"
+	tlsConfig := ""
+	allowedOriginScheme := "http"
+	if tlsEnabled {
+		port = "8443"
+		tlsConfig = `
+tls:
+  cert_file: /etc/pki/tls/mcp/tls.crt
+  key_file: /etc/pki/tls/mcp/tls.key`
+		allowedOriginScheme = "https"
+	}
+	return fmt.Sprintf(`port: %s
 openstack:
   enabled: true
   allow_write: false%s
 openshift:
-  enabled: false
+  enabled: false%s
 mcp_transport_security:
   enable_dns_rebinding_protection: false
   allowed_hosts:
     - "*:*"
   allowed_origins:
-    - "http://*:*"
-`, caCert)
+    - "%s://*:*"
+`, port, caCert, tlsConfig, allowedOriginScheme)
 }
 
 func clientPodVolumeMounts() []corev1.VolumeMount {