From 0e20dd8f3f0f6da849edf84e065a2f4916cd98f1 Mon Sep 17 00:00:00 2001
From: Yatin Karel
Date: Wed, 20 Aug 2025 18:30:40 +0530
Subject: [PATCH] Create TLS certs for OVN exporter services

As part of Metrics TLS support in the Related-Issue, exporter will be enabled per pod, so created a dedicated cert for this.

Related-Issue: OSPRH-12568
---
 pkg/openstack/ovn.go | 58 +++++++++++++++++++
 tests/functional/ctlplane/base_test.go | 5 ++
 .../openstackoperator_controller_test.go | 1 +
 3 files changed, 64 insertions(+)

diff --git a/pkg/openstack/ovn.go b/pkg/openstack/ovn.go
index 6ba45f338d..54a597fd31 100644
--- a/pkg/openstack/ovn.go
+++ b/pkg/openstack/ovn.go
@@ -36,6 +36,15 @@ func ReconcileOVN(ctx context.Context, instance *corev1beta1.OpenStackControlPla
 instance.Spec.Ovn.Template = &corev1beta1.OvnResources{}
 }
 
+ // Create TLS certificate for OVN metrics services when TLS is enabled
+ if instance.Spec.Ovn.Enabled && instance.Spec.TLS.PodLevel.Enabled {
+ if err := EnsureOVNMetricsCert(ctx, instance, helper); err != nil {
+ Log.Error(err, "Failed to ensure OVN metrics certificate")
+ setOVNReadyError(instance, err)
+ return ctrl.Result{}, err
+ }
+ }
+
 OVNDBClustersReady, err := ReconcileOVNDbClusters(ctx, instance, version, helper)
 if err != nil {
 Log.Error(err, "Failed to reconcile OVNDBClusters")
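Review bot: The error branch around the new `EnsureOVNMetricsCert` call treats a certificate that cert-manager has not issued yet as a failure: the callee (next hunk) returns an error whenever `EnsureCert` reports a non-empty `ctrl.Result`, so this block logs it at Error level and records it through `setOVNReadyError`, and the same event is logged a second time inside the callee. That is an ordinary requeue condition, not a fault, and should not surface as an error condition on the control plane. Have `EnsureOVNMetricsCert` return `(ctrl.Result, error)` with `return ctrlResult, nil` for the in-progress case and requeue here; if the other cert paths in this file already follow that shape, this also keeps them consistent. `ReconcileOVN` begins before and continues after the hunk.
```go
	if instance.Spec.Ovn.Enabled && instance.Spec.TLS.PodLevel.Enabled {
		ctrlResult, err := EnsureOVNMetricsCert(ctx, instance, helper)
		if err != nil {
			Log.Error(err, "Failed to ensure OVN metrics certificate")
			setOVNReadyError(instance, err)
			return ctrl.Result{}, err
		}
		if (ctrlResult != ctrl.Result{}) {
			// certificate not issued yet: requeue without recording an error condition
			return ctrlResult, nil
		}
	}
	// … unchanged: ReconcileOVNDbClusters call …
```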
@@ -490,3 +499,52 @@ func OVNNorthImageMatch(ctx context.Context, controlPlane *corev1beta1.OpenStack
 }
 return true
 }
+
+// EnsureOVNMetricsCert creates TLS certificate for OVN metrics services
+func EnsureOVNMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackControlPlane, helper *helper.Helper) error {
+ Log := GetLogger(ctx)
+
+ dnsSuffix := clusterdns.GetDNSClusterDomain()
+
+ certRequest := certmanager.CertificateRequest{
+ IssuerName: instance.GetOvnIssuer(),
+ CertName: "ovn-metrics",
+ Hostnames: []string{
+ // Cert needs to be valid for the individual pods services so make this a wildcard cert
+ fmt.Sprintf("*.%s.svc", instance.Namespace),
+ fmt.Sprintf("*.%s.svc.%s", instance.Namespace, dnsSuffix),
+ },
+ Ips: nil,
+ Usages: []certmgrv1.KeyUsage{
+ certmgrv1.UsageKeyEncipherment,
+ certmgrv1.UsageDigitalSignature,
+ certmgrv1.UsageServerAuth,
+ certmgrv1.UsageClientAuth,
+ },
+ Labels: map[string]string{serviceCertSelector: ""},
+ }
+
+ // Apply certificate duration settings if configured
+ if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
+ certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
+ }
+ if instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore != nil {
+ certRequest.RenewBefore = &instance.Spec.TLS.PodLevel.Ovn.Cert.RenewBefore.Duration
+ }
+
+ // Create or update the certificate
+ certSecret, ctrlResult, err := certmanager.EnsureCert(
+ ctx,
+ helper,
+ certRequest,
+ nil)
+ if err != nil {
+ return err
+ } else if (ctrlResult != ctrl.Result{}) {
+ Log.Info("OVN metrics certificate creation in progress", "certificate", certRequest.CertName)
+ return fmt.Errorf("OVN metrics certificate creation in progress")
+ }
+
+ Log.Info("OVN metrics certificate ensured", "secret", certSecret.Name, "certificate", certRequest.CertName)
+ return nil
+}
diff --git a/tests/functional/ctlplane/base_test.go b/tests/functional/ctlplane/base_test.go
index 1ec7cea627..b3792b4c58 100644
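Review bot: The certificate issued here is broad for what it protects: the SANs `*.<namespace>.svc` and `*.<namespace>.svc.<dnsSuffix>` cover every service in the namespace, and the usages include both `certmgrv1.UsageServerAuth` and `certmgrv1.UsageClientAuth`, so any pod that mounts the resulting secret holds a key that can stand in for any service in the namespace and can authenticate as a client wherever the OVN issuer is trusted. If the per-pod exporter services follow a fixed naming pattern, narrowing the SAN to that pattern would limit the impact of a single compromised pod; if the exporter only terminates scrapes, `certmgrv1.UsageClientAuth` can be dropped. The doc comment should state this scope, e.g. `// EnsureOVNMetricsCert ensures a namespace-wide wildcard TLS certificate intended to be shared by the per-pod OVN metrics exporters.` Separately, the `else` after `return err` can be dropped so the in-progress check reads as a plain `if`.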
--- a/tests/functional/ctlplane/base_test.go
+++ b/tests/functional/ctlplane/base_test.go
@@ -90,6 +90,7 @@ type Names struct {
 OVNControllerCertName types.NamespacedName
 OVNDbServerNBName types.NamespacedName
 OVNDbServerSBName types.NamespacedName
+ OVNMetricsCertName types.NamespacedName
 NeutronOVNCertName types.NamespacedName
 OpenStackTopology []types.NamespacedName
 WatcherCertPublicRouteName types.NamespacedName
@@ -262,6 +263,10 @@ func CreateNames(openstackControlplaneName types.NamespacedName) Names {
 Namespace: openstackControlplaneName.Namespace,
 Name: "cert-ovncontroller-ovndbs",
 },
+ OVNMetricsCertName: types.NamespacedName{
+ Namespace: openstackControlplaneName.Namespace,
+ Name: "cert-ovn-metrics",
+ },
 NeutronOVNCertName: types.NamespacedName{
 Namespace: openstackControlplaneName.Namespace,
 Name: "cert-neutron-ovndbs",
diff --git a/tests/functional/ctlplane/openstackoperator_controller_test.go b/tests/functional/ctlplane/openstackoperator_controller_test.go
index 7f4b41c0be..688856e63f 100644
--- a/tests/functional/ctlplane/openstackoperator_controller_test.go
+++ b/tests/functional/ctlplane/openstackoperator_controller_test.go
@@ -850,6 +850,7 @@ var _ = Describe("OpenStackOperator controller", func() {
 // create cert secrets for ovn instance
 DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(names.OVNNorthdCertName))
 DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(names.OVNControllerCertName))
+ DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(names.OVNMetricsCertName))
 DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(names.NeutronOVNCertName))
 DeferCleanup(
 th.DeleteInstance,