Clean up certificate handling

There were multiple issues with how the operator handled certificates:

1) The lightspeed-stack pod used REQUESTS_CA_BUNDLE and SSL_CERT_FILE
   environment variables, which bypassed the system-configured
   certificates.

2) When a user provided a custom CA certificate, it was expected under
   the cert.crt key in their ConfigMap. This was undocumented and the
   required key name was not obvious.

3) PostgresDB appeared to be configured for mTLS because ssl_ca_file
   was set in postgres.conf and the openshift-service-ca.crt was
   mounted into the PostgresDB pod. This created a false sense of mTLS
   being in place, but with the default pg_hba.conf, client certificate
   verification [1] is not enabled. Neither OGX [3][4] nor Lightspeed
   Stack [5] supports providing client certificates to PostgresDB.

4) PostgresDB SSL connection settings were configured for OGX even
   though they have no effect. OGX does not support configuring the
   SSL mode for its PostgresDB connection [3][4], so the PostgresDB
   certificate verification cannot be strictly enforced on the OGX
   side (the default is "prefer" [2], which does not enforce
   certificate verification and can fall back to unencrypted
   communication). OGX uses a non-strict config mode, so unrecognized
   options are silently ignored.

5) The operator did not watch for changes to ConfigMaps. When the
   content of the CA bundle ConfigMap was updated, the operator did
   not automatically reconcile.

6) Not a bug strictly speaking, but Lightspeed Stack used ssl_mode
   "require" when it could have used "verify-full", which checks both
   that the certificate is signed by a trusted CA and that the server
   hostname matches the CN field in the certificate.

This commit simplifies certificate handling with the following changes:

- Introduce a single CA bundle ConfigMap
  (openstack-lightspeed-ca-bundle) containing the system CAs,
  user-provided CA certificates from the OpenStackLightspeed CRD,
  kube-root-ca.crt, and openshift-service-ca.crt. This bundle is
  mounted into all containers in the lightspeed-stack-deployment pod,
  eliminating the need for REQUESTS_CA_BUNDLE and SSL_CERT_FILE.

- When a user specifies a ConfigMap with custom CA certificates,
  iterate over all keys, validate that each holds a valid certificate,
  and append it to the CA bundle (resolves #2).

- Stop mounting openshift-service-ca into the Postgres pod and remove
  ssl_ca_file from postgres.conf. These gave a false sense of client
  certificate validation; actually enforcing it requires configuring
  pg_hba.conf [1], and neither OGX [3][4] nor Lightspeed Stack [5]
  currently supports providing client certificates.

- Remove ssl_mode, ca_cert_path, and gss_encmode from
  storage.backends.postgres_backend in ogx_config.yaml. These options
  are not supported by OGX [3][4] and gave a false sense of SSL being
  configured.

- Add a Watch() on ConfigMaps to the reconciler so that whenever a
  user updates the CA bundle ConfigMap, the reconcile loop runs
  automatically.

- Configure Lightspeed Stack with ssl_mode "verify-full" for its
  PostgreSQL connection, ensuring both CA trust and hostname
  verification.

[1]
https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-CLIENT-CERTIFICATES
[2]
https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.connection.connect
[3]
https://github.com/ogx-ai/ogx/blob/34d7901/src/ogx/core/storage/datatypes.py#L200
[4]
https://github.com/ogx-ai/ogx/blob/34d7901/src/ogx/core/storage/sqlalchemy_sqlstore.py#L125
[5]
https://github.com/lightspeed-core/lightspeed-stack/blob/7503ebd/src/models/config.py#L181

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: lpiwowar

internal/controller/assets/postgres.conf

@@ -2,4 +2,8 @@ huge_pages = off
 ssl = on
 ssl_cert_file = '/etc/certs/tls.crt'
 ssl_key_file = '/etc/certs/tls.key'
-ssl_ca_file = '/etc/certs/cm-olspostgresca/service-ca.crt'
+# mTLS is not supported by lightspeed-stack or OGX (llama-stack) for the
+# database connection. Neither application supports presenting client certificates
+# (sslcert/sslkey) to PostgreSQL, so ssl_ca_file has no effect (even when pg_hba.conf
+# is correctly configured for mTLS)
+# ssl_ca_file = '<none>'

internal/controller/ca_bundle.go

@@ -0,0 +1,190 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+	"time"
+
+	common_helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	apiv1beta1 "github.com/openstack-lightspeed/operator/api/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+type caCert struct {
+	hash   [sha256.Size]byte
+	cert   *x509.Certificate
+	expire time.Time
+}
+
+type caBundle struct {
+	certs []caCert
+}
+
+// getOperatorCABundle reads the system CA bundle from the operator pod's filesystem.
+var getOperatorCABundle = func() ([]byte, error) {
+	contents, err := os.ReadFile(SystemTLSCABundlePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read system CA bundle: %w", err)
+	}
+	return contents, nil
+}
+
+// getCertsFromPEM parses PEM data and adds valid certificates to the bundle.
+// Rejects non-CERTIFICATE blocks and invalid X.509 data. Skips expired certs.
+// Deduplicates by SHA256 hash of the raw DER bytes.
+func (cab *caBundle) getCertsFromPEM(pemData []byte) error {
+	if pemData == nil {
+		return fmt.Errorf("certificate data is nil")
+	}
+
+	rest := pemData
+	for {
+		var block *pem.Block
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+
+		if block.Type != "CERTIFICATE" {
+			return fmt.Errorf("invalid PEM block type %q: only CERTIFICATE blocks are permitted", block.Type)
+		}
+
+		certificate, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return fmt.Errorf("invalid certificate: %w", err)
+		}
+
+		if time.Now().After(certificate.NotAfter) {
+			continue
+		}
+
+		blockHash := sha256.Sum256(block.Bytes)
+		isDuplicate := false
+		for _, existing := range cab.certs {
+			if existing.hash == blockHash {
+				isDuplicate = true
+				break
+			}
+		}
+		if !isDuplicate {
+			cab.certs = append(cab.certs, caCert{
+				hash:   blockHash,
+				cert:   certificate,
+				expire: certificate.NotAfter,
+			})
+		}
+	}
+
+	if len(bytes.TrimSpace(rest)) > 0 {
+		return fmt.Errorf("trailing non-PEM data (%d bytes)", len(bytes.TrimSpace(rest)))
+	}
+
+	return nil
+}
+
+// encodePEM encodes all certificates in the bundle back to PEM format.
+func (cab *caBundle) encodePEM() []byte {
+	var result []byte
+	for _, c := range cab.certs {
+		block := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: c.cert.Raw,
+		}
+		result = append(result, pem.EncodeToMemory(block)...)
+	}
+	return result
+}
+
+// mergeCertsFromConfigMap reads the Data section of the given ConfigMap
+// and adds any valid certificate entries to the bundle.
+func (cab *caBundle) mergeCertsFromConfigMap(h *common_helper.Helper, ctx context.Context, cmName string) error {
+	cm := &corev1.ConfigMap{}
+	if err := h.GetClient().Get(ctx, client.ObjectKey{
+		Name:      cmName,
+		Namespace: h.GetBeforeObject().GetNamespace(),
+	}, cm); err != nil {
+		return err
+	}
+	for key, certData := range cm.Data {
+		if err := cab.getCertsFromPEM([]byte(certData)); err != nil {
+			return fmt.Errorf("%w: key %q in ConfigMap %q: %v", ErrParseUserCA, key, cmName, err)
+		}
+	}
+	return nil
+}
+
+// reconcileCABundleConfigMap builds a CA bundle containing the operator's
+// system CA certificates, a user-provided CA ConfigMap (if specified), as well as
+// the "kube-root-ca.crt" and "openshift-service-ca.crt" ConfigMaps. It then creates
+// or updates the managed ConfigMap, which is mounted into application pods.
+func reconcileCABundleConfigMap(h *common_helper.Helper, ctx context.Context, instance *apiv1beta1.OpenStackLightspeed) error {
+	logger := h.GetLogger()
+	bundle := &caBundle{}
+
+	systemCAs, err := getOperatorCABundle()
+	if err != nil {
+		return fmt.Errorf("%w: %v", ErrReadSystemCABundle, err)
+	}
+
+	if err := bundle.getCertsFromPEM(systemCAs); err != nil {
+		return fmt.Errorf("%w: %v", ErrParseSystemCABundle, err)
+	}
+
+	certsCMs := []string{OpenShiftServiceCAConfigMap, KubeRootCAConfigMap}
+	if instance.Spec.TLSCACertBundle != "" {
+		certsCMs = append(certsCMs, instance.Spec.TLSCACertBundle)
+	}
+
+	for _, certCM := range certsCMs {
+		if err := bundle.mergeCertsFromConfigMap(h, ctx, certCM); err != nil {
+			return fmt.Errorf("%w %q: %v", ErrGetCAConfigMap, certCM, err)
+		}
+		logger.Info("CA certificates merged", "configmap", certCM)
+	}
+
+	bundlePEM := bundle.encodePEM()
+
+	cm := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      CABundleConfigMapName,
+			Namespace: h.GetBeforeObject().GetNamespace(),
+		},
+	}
+
+	result, err := controllerutil.CreateOrPatch(ctx, h.GetClient(), cm, func() error {
+		cm.Data = map[string]string{
+			CABundleKey: string(bundlePEM),
+		}
+		return controllerutil.SetControllerReference(h.GetBeforeObject(), cm, h.GetScheme())
+	})
+	if err != nil {
+		return fmt.Errorf("%w: %v", ErrCreateCABundle, err)
+	}
+
+	logger.Info("CA bundle ConfigMap reconciled", "name", cm.Name, "result", result, "certCount", len(bundle.certs))
+	return nil
+}