Add TLS for MCP sidecar service

Enable TLS on the MCP sidecar service using cert-manager with the
internal CA issuer. When CaBundleSecretName is set (indicating TLS is
active on the control plane), the controller provisions a TLS certificate
for the MCP service DNS names via certmanager.EnsureCert(), mounts the
cert secret into the MCP sidecar container at /etc/pki/tls/mcp/, and
switches the service port from 8080 to 8443. The rhos-mcps config is
updated to include TLS cert/key paths and use https for allowed origins.

Changes:
- internal/openstackclient/funcs.go: Add mcpTLSSecretName param to
  ClientPodSpec() for TLS secret volume mount; add tlsEnabled param to
  MCPConfigYAML() for TLS cert/key config and port selection
- config/rbac/role.yaml, bindata/: Regenerated via make manifests and
  make bindata

Author: dprince

internal/controller/client/openstackclient_controller.go

@@ -41,7 +41,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
@@ -83,6 +85,8 @@ func (r *OpenStackClientReconciler) GetLogger(ctx context.Context) logr.Logger {
 // +kubebuilder:rbac:groups="security.openshift.io",resourceNames=anyuid,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups="",resources=pods,verbs=create;delete;get;list;patch;update;watch;patch
 // +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=issuers,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile -
 func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
@@ -308,7 +312,53 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
 
 	// Reconcile MCP sidecar resources when enabled
+	mcpTLSSecretName := ""
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
+		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
+
+		if mcpTLSEnabled {
+			issuer, err := certmanager.GetIssuerByLabels(
+				ctx, helper,
+				instance.Namespace,
+				map[string]string{certmanager.RootCAIssuerInternalLabel: ""},
+			)
+			if err != nil {
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					clientv1.OpenStackClientReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					clientv1.OpenStackClientReadyErrorMessage,
+					err.Error()))
+				return ctrl.Result{}, err
+			}
+
+			clusterDomain := clusterdns.GetDNSClusterDomain()
+			mcpSvcName := instance.Name + "-mcp"
+			certRequest := certmanager.CertificateRequest{
+				IssuerName: issuer.Name,
+				CertName:   mcpSvcName + "-tls",
+				Hostnames: []string{
+					fmt.Sprintf("%s.%s.svc", mcpSvcName, instance.Namespace),
+					fmt.Sprintf("%s.%s.svc.%s", mcpSvcName, instance.Namespace, clusterDomain),
+				},
+				Labels: map[string]string{},
+			}
+			certSecret, ctrlResult, err := certmanager.EnsureCert(ctx, helper, certRequest, instance)
+			if err != nil {
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					clientv1.OpenStackClientReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					clientv1.OpenStackClientReadyErrorMessage,
+					err.Error()))
+				return ctrlResult, err
+			} else if (ctrlResult != ctrl.Result{}) {
+				return ctrlResult, nil
+			}
+			mcpTLSSecretName = certSecret.Name
+			configVars[mcpTLSSecretName] = env.SetValue(certSecret.ResourceVersion)
+		}
+
 		mcpConfigCM := &corev1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp-config",
@@ -317,14 +367,14 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}
 		_, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpConfigCM, func() error {
 			mcpConfigCM.Data = map[string]string{
-				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName),
+				"config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
 			}
 			return controllerutil.SetControllerReference(instance, mcpConfigCM, r.Scheme)
 		})
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP config ConfigMap: %w", err)
 		}
-		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName))
+		configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled))
 
 	}
 
@@ -335,6 +385,12 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	// Reconcile MCP Service after configVarsHash so the hash annotation captures all config changes
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
+		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
+		mcpPort := int32(8080)
+		if mcpTLSEnabled {
+			mcpPort = 8443
+		}
+
 		mcpService := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp",
@@ -344,7 +400,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 			"containerImage":    instance.Spec.ContainerImage,
 			"mcpContainerImage": instance.Spec.MCP.ContainerImage,
-			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName),
+			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
 			"configVarsHash":    configVarsHash,
 		})
 		if err != nil {
@@ -359,7 +415,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			mcpService.Spec.Ports = []corev1.ServicePort{
 				{
 					Name:     "mcp",
-					Port:     8080,
+					Port:     mcpPort,
 					Protocol: corev1.ProtocolTCP,
 				},
 			}
@@ -368,6 +424,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("error creating MCP Service: %w", err)
 		}
+
 	}
 
 	osclient := &corev1.Pod{
@@ -377,7 +434,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		},
 	}
 
-	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash)
+	spec := openstackclient.ClientPodSpec(ctx, instance, helper, configVarsHash, mcpTLSSecretName)
 
 	podSpecHash, err := util.ObjectHash(spec)
 	if err != nil {

internal/openstackclient/funcs.go

@@ -34,6 +34,7 @@ func ClientPodSpec(
 	instance *clientv1.OpenStackClient,
 	helper *helper.Helper,
 	configHash string,
+	mcpTLSSecretName string,
 ) corev1.PodSpec {
 	envVars := map[string]env.Setter{}
 	envVars["OS_CLOUD"] = env.SetValue("default")
@@ -135,6 +136,24 @@ func ClientPodSpec(
 			mcpVolumeMounts = append(mcpVolumeMounts, instance.Spec.CreateVolumeMounts(nil)...)
 		}
 
+		mcpPort := int32(8080)
+		if mcpTLSSecretName != "" {
+			mcpPort = 8443
+			mcpVolumeMounts = append(mcpVolumeMounts, corev1.VolumeMount{
+				Name:      "mcp-tls",
+				MountPath: "/etc/pki/tls/mcp",
+				ReadOnly:  true,
+			})
+			podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
+				Name: "mcp-tls",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: mcpTLSSecretName,
+					},
+				},
+			})
+		}
+
 		podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
 			Name: "mcp-config",
 			VolumeSource: corev1.VolumeSource{
@@ -156,7 +175,7 @@ func ClientPodSpec(
 				{Name: "OS_CLIENT_CONFIG_FILE", Value: "/home/cloud-admin/.config/openstack/clouds.yaml"},
 			},
 			Ports: []corev1.ContainerPort{
-				{Name: "mcp", ContainerPort: 8080, Protocol: corev1.ProtocolTCP},
+				{Name: "mcp", ContainerPort: mcpPort, Protocol: corev1.ProtocolTCP},
 			},
 			SecurityContext: &corev1.SecurityContext{
 				RunAsUser:                ptr.To[int64](42401),
@@ -179,24 +198,35 @@ func ClientPodSpec(
 }
 
 // MCPConfigYAML returns the rhos-mcps config.yaml content for the MCP sidecar
-func MCPConfigYAML(caBundleSecretName string) string {
+func MCPConfigYAML(caBundleSecretName string, tlsEnabled bool) string {
 	caCert := ""
 	if caBundleSecretName != "" {
 		caCert = fmt.Sprintf("\n  ca_cert: %s", tls.DownstreamTLSCABundlePath)
 	}
-	return fmt.Sprintf(`port: 8080
+	port := "8080"
+	tlsConfig := ""
+	allowedOriginScheme := "http"
+	if tlsEnabled {
+		port = "8443"
+		tlsConfig = `
+tls:
+  cert_file: /etc/pki/tls/mcp/tls.crt
+  key_file: /etc/pki/tls/mcp/tls.key`
+		allowedOriginScheme = "https"
+	}
+	return fmt.Sprintf(`port: %s
 openstack:
   enabled: true
   allow_write: false%s
 openshift:
-  enabled: false
+  enabled: false%s
 mcp_transport_security:
   enable_dns_rebinding_protection: false
   allowed_hosts:
     - "*:*"
   allowed_origins:
-    - "http://*:*"
-`, caCert)
+    - "%s://*:*"
+`, port, caCert, tlsConfig, allowedOriginScheme)
 }
 
 func clientPodVolumeMounts() []corev1.VolumeMount {