
Commit 6c1aaf3

committed
OVN RBAC Switch to use exising CA to sign ovn-controller certs
This is a test patch; if it works fine it should be merged with the previous one. Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
1 parent b3fd5d2 commit 6c1aaf3

17 files changed

Lines changed: 29 additions & 141 deletions

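--- a/api/bases/ovn.openstack.org_ovncontrollers.yaml
+++ b/api/bases/ovn.openstack.org_ovncontrollers.yaml
@@ -150,6 +150,13 @@ spec:
 description: Image used for the ovn-controller container (will be
 set to environmental default if empty)
 type: string
+ovnIssuerName:
+description: |-
+OvnIssuerName - The name of the cert-manager Issuer used to sign
+per-node ovn-controller certificates. When set, the controller
+creates cert-manager Certificate resources for each node with
+CN matching the chassis system-id for OVN RBAC.
+type: string
 ovnLogLevel:
 default: info
 description: OVNLogLevel - Set log level off, emer, err, warn, info
@@ -178,13 +185,6 @@ spec:
 - info
 - dbg
 type: string
-rbacIssuerName:
-description: |-
-RbacIssuerName - The name of the cert-manager Issuer used to sign
-per-node ovn-controller RBAC certificates. When set, the controller
-creates cert-manager Certificate resources for each node instead of
-signing certificates locally with the CA key.
-type: string
 resources:
 description: |-
 Resources - Compute Resources required by this service (Limits/Requests).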

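--- a/api/bases/ovn.openstack.org_ovndbclusters.yaml
+++ b/api/bases/ovn.openstack.org_ovndbclusters.yaml
@@ -274,12 +274,6 @@ spec:
 Active probe interval from standby to active ovsdb-server remote
 format: int32
 type: integer
-rbacCACertSecretName:
-description: |-
-RbacCACertSecretName - The name of the K8s Secret containing the RBAC
-PKI CA certificate (tls.crt). Used by the SB database to verify
-ovn-controller client certificates when RBAC is enabled.
-type: string
 replicas:
 default: 1
 description: Replicas of OVN DBCluster to run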

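--- a/api/v1beta1/ovncontroller_types.go
+++ b/api/v1beta1/ovncontroller_types.go
@@ -126,11 +126,11 @@ type OVNControllerSpecCore struct {
 MetricsTLS tls.SimpleService `json:"metricsTLS,omitempty"`
 
 // +kubebuilder:validation:Optional
-// RbacIssuerName - The name of the cert-manager Issuer used to sign
-// per-node ovn-controller RBAC certificates. When set, the controller
-// creates cert-manager Certificate resources for each node instead of
-// signing certificates locally with the CA key.
-RbacIssuerName string `json:"rbacIssuerName,omitempty"`
+// OvnIssuerName - The name of the cert-manager Issuer used to sign
+// per-node ovn-controller certificates. When set, the controller
+// creates cert-manager Certificate resources for each node with
+// CN matching the chassis system-id for OVN RBAC.
+OvnIssuerName string `json:"ovnIssuerName,omitempty"`
 }
 
 // OVNControllerStatus defines the observed state of OVNController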

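--- a/api/v1beta1/ovndbcluster_types.go
+++ b/api/v1beta1/ovndbcluster_types.go
@@ -146,12 +146,6 @@ type OVNDBClusterSpecCore struct {
 // +kubebuilder:validation:Optional
 // MetricsTLS - Parameters related to TLS for metrics sidecar
 MetricsTLS tls.SimpleService `json:"metricsTLS,omitempty"`
-
-// +kubebuilder:validation:Optional
-// RbacCACertSecretName - The name of the K8s Secret containing the RBAC
-// PKI CA certificate (tls.crt). Used by the SB database to verify
-// ovn-controller client certificates when RBAC is enabled.
-RbacCACertSecretName string `json:"rbacCACertSecretName,omitempty"`
 }
 
 // OVNDBClusterOverrideSpec to override the generated manifest of several child resources.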

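--- a/config/crd/bases/ovn.openstack.org_ovncontrollers.yaml
+++ b/config/crd/bases/ovn.openstack.org_ovncontrollers.yaml
@@ -150,6 +150,13 @@ spec:
 description: Image used for the ovn-controller container (will be
 set to environmental default if empty)
 type: string
+ovnIssuerName:
+description: |-
+OvnIssuerName - The name of the cert-manager Issuer used to sign
+per-node ovn-controller certificates. When set, the controller
+creates cert-manager Certificate resources for each node with
+CN matching the chassis system-id for OVN RBAC.
+type: string
 ovnLogLevel:
 default: info
 description: OVNLogLevel - Set log level off, emer, err, warn, info
@@ -178,13 +185,6 @@ spec:
 - info
 - dbg
 type: string
-rbacIssuerName:
-description: |-
-RbacIssuerName - The name of the cert-manager Issuer used to sign
-per-node ovn-controller RBAC certificates. When set, the controller
-creates cert-manager Certificate resources for each node instead of
-signing certificates locally with the CA key.
-type: string
 resources:
 description: |-
 Resources - Compute Resources required by this service (Limits/Requests).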

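--- a/config/crd/bases/ovn.openstack.org_ovndbclusters.yaml
+++ b/config/crd/bases/ovn.openstack.org_ovndbclusters.yaml
@@ -274,12 +274,6 @@ spec:
 Active probe interval from standby to active ovsdb-server remote
 format: int32
 type: integer
-rbacCACertSecretName:
-description: |-
-RbacCACertSecretName - The name of the K8s Secret containing the RBAC
-PKI CA certificate (tls.crt). Used by the SB database to verify
-ovn-controller client certificates when RBAC is enabled.
-type: string
 replicas:
 default: 1
 description: Replicas of OVN DBCluster to run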

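--- a/internal/common/const.go
+++ b/internal/common/const.go
@@ -14,9 +14,6 @@ const (
 // OVNMetricsKeyPath is the path to the metrics private key file
 OVNMetricsKeyPath string = "/etc/pki/tls/private/ovnmetrics.key"
 
-// OVNRbacCACertPath is the mount path for the RBAC CA certificate in the SB DB pod
-OVNRbacCACertPath string = "/etc/pki/tls/certs/ovnrbacca.crt"
-
 // OVNRbacCertMountPath is the mount path for the per-node RBAC certificate in config jobs
 OVNRbacCertMountPath string = "/tmp/ovn-rbac-cert"
 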

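--- a/internal/controller/ovncontroller_controller.go
+++ b/internal/controller/ovncontroller_controller.go
@@ -877,7 +877,7 @@ func (r *OVNControllerReconciler) reconcileNormal(ctx context.Context, instance
 
 // Create per-node RBAC certificates if configured
 nodeSystemIDs := map[string]string{}
-if instance.Spec.RbacIssuerName != "" {
+if instance.Spec.OvnIssuerName != "" {
 ovnPods, podErr := ovncontroller.GetOVNControllerPods(ctx, r.Client, instance)
 if podErr != nil {
 return ctrl.Result{}, podErr
@@ -892,7 +892,7 @@ func (r *OVNControllerReconciler) reconcileNormal(ctx context.Context, instance
 certName := ovncontroller.RbacCertName(nodeName)
 nodeSystemIDs[nodeName] = systemID
 
-certResult, certErr := ovncontroller.EnsureRbacCert(ctx, r.Client, r.Scheme, instance, certName, systemID, instance.Spec.RbacIssuerName, ovnServiceLabels)
+certResult, certErr := ovncontroller.EnsureRbacCert(ctx, r.Client, r.Scheme, instance, certName, systemID, instance.Spec.OvnIssuerName, ovnServiceLabels)
 if certErr != nil {
 return certResult, certErr
 }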

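--- a/internal/controller/ovndbcluster_controller.go
+++ b/internal/controller/ovndbcluster_controller.go
@@ -1297,9 +1297,6 @@ func (r *OVNDBClusterReconciler) generateServiceConfigMaps(
 templateParameters["OVN_METRICS_CERT_PATH"] = ovn_common.OVNMetricsCertPath
 templateParameters["OVN_METRICS_KEY_PATH"] = ovn_common.OVNMetricsKeyPath
 templateParameters["OVN_RUNDIR"] = "/etc/ovn"
-if instance.Spec.DBType == ovnv1.SBDBType && instance.Spec.RbacCACertSecretName != "" {
-templateParameters["OVN_RBAC_CACERT_PATH"] = ovn_common.OVNRbacCACertPath
-}
 if instance.Spec.DBType == ovnv1.SBDBType && instance.Spec.TLS.Enabled() {
 templateParameters["DB_PORT_FULL_ACCESS"] = ovndbcluster.DbPortSBRBACFullAccess
 } else {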

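--- a/internal/ovncontroller/daemonset.go
+++ b/internal/ovncontroller/daemonset.go
@@ -77,7 +77,7 @@ func CreateOVNDaemonSet(
 // cert file before starting ovn-controller so it doesn't connect to
 // the SB DB without client authentication.
 var cmd []string
-if instance.Spec.TLS.Enabled() && instance.Spec.RbacIssuerName != "" {
+if instance.Spec.TLS.Enabled() && instance.Spec.OvnIssuerName != "" {
 cmd = []string{
 "/bin/bash", "-c",
 "source /usr/local/bin/container-scripts/functions && wait_for_rbac_cert && exec " + strings.Join(ovnCmd, " "),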
