[b/r] Add restore=false label to internal service cert requests

Internal service certs (galera, memcached, rabbitmq, ovn, nova, neutron,
octavia, redis) are regenerated by cert-manager during restore and should
not be restored from backup. Add backup.BackupRestoreLabel: "false" to
their CertificateRequest Labels, matching what common.go already does for
route certs.

cert-manager propagates labels from Certificate CR to the Secret it
creates. The BackupConfig controller then sees restore=false and skips
these secrets during backup labeling.

Note: cert-nova-metadata-internal-svc uses lib-common's
EnsureCertForServiceWithSelector which needs a separate fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: stuggi

api/go.mod

@@ -144,7 +144,7 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7
 
 replace github.com/openstack-k8s-operators/mariadb-operator/api => github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0
 

api/go.sum

@@ -183,8 +183,8 @@ github.com/stuggi/glance-operator/api v0.0.0-20260319161100-d27378aa9783 h1:V94x
 github.com/stuggi/glance-operator/api v0.0.0-20260319161100-d27378aa9783/go.mod h1:TLRqdtji6ZhMcwI/uy70t8cKmIDjo/q4bjUUOYbeB+Y=
 github.com/stuggi/infra-operator/apis v0.0.0-20260313105254-f85e28889d29 h1:Z+Qo/USVFiq2TQFRaEHJ1rS6J6Dkd2wiYjxjGd7j9S0=
 github.com/stuggi/infra-operator/apis v0.0.0-20260313105254-f85e28889d29/go.mod h1:XsEbK1LxXg8beKXRf8s1OQanE82hCuGtkO1URg7uezU=
-github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d h1:bshrKJVnihAu8AGIxLUZ4Ta8DOjG7iOmBrpJbty+PGI=
-github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
+github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7 h1:oExdwaeBQae3Tpsc21QOwjagL30kCBvAoBWfeMEhxG0=
+github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
 github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0 h1:vvSKXEVSc12xKF+yWh5HD9ZmEviECoovcNrqqObA160=
 github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0/go.mod h1:cyeexUkEIgzQ3c1vVVv/DQ3AbnECfDwKdZteKC+sZKY=
 github.com/stuggi/swift-operator/api v0.0.0-20260319154125-3d8c75168895 h1:2thlxyQQ/EUmh+Shczy78nAcsMST8FgeztnlWpz19kM=

go.mod

@@ -182,7 +182,9 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging
 
 replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging
 
-replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d
+replace github.com/openstack-k8s-operators/lib-common/modules/common => github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7
+
+replace github.com/openstack-k8s-operators/lib-common/modules/certmanager => github.com/stuggi/lib-common/modules/certmanager v0.0.0-20260324154846-c2eb57bed8d7
 
 replace github.com/openstack-k8s-operators/mariadb-operator/api => github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0
 

go.sum

@@ -152,8 +152,6 @@ github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260314080138
 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260314080138-b41734470581/go.mod h1:l15wx+Qxi/I9Nlj6u6PheZqkf9dBW7cCxAcjl8zsu+8=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260310070607-b96da8dd520e h1:X7HkZG8rWmb5qK5IrGVuAQj1qCsjBRlo2JZyOPjmAiY=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260310070607-b96da8dd520e/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260310070607-b96da8dd520e h1:OthI0EGrntYyFV0YkQHJ1i4sYcylWBeh09x1lxK97ak=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260310070607-b96da8dd520e/go.mod h1:GzD7Jc5o98ptJ97DSjhC0CQ6OiTP0PB/2qJqxYGcOH8=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260310070607-b96da8dd520e h1:42OT26Ak0lwWbJDNwhv/0HsjafVkLyPhfonS5DjDb2g=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260310070607-b96da8dd520e/go.mod h1:7yqbVpg0k0vW+kZks+TMU/cd1ovoejyHfVPWcyGYLHI=
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260310070607-b96da8dd520e h1:lHsE9kmPzGHfO6o9vXj6f5UTIlQRJNdrvrj8GWy/ct8=
@@ -226,8 +224,10 @@ github.com/stuggi/glance-operator/api v0.0.0-20260319161100-d27378aa9783 h1:V94x
 github.com/stuggi/glance-operator/api v0.0.0-20260319161100-d27378aa9783/go.mod h1:TLRqdtji6ZhMcwI/uy70t8cKmIDjo/q4bjUUOYbeB+Y=
 github.com/stuggi/infra-operator/apis v0.0.0-20260313105254-f85e28889d29 h1:Z+Qo/USVFiq2TQFRaEHJ1rS6J6Dkd2wiYjxjGd7j9S0=
 github.com/stuggi/infra-operator/apis v0.0.0-20260313105254-f85e28889d29/go.mod h1:XsEbK1LxXg8beKXRf8s1OQanE82hCuGtkO1URg7uezU=
-github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d h1:bshrKJVnihAu8AGIxLUZ4Ta8DOjG7iOmBrpJbty+PGI=
-github.com/stuggi/lib-common/modules/common v0.0.0-20260319153531-b6972195788d/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
+github.com/stuggi/lib-common/modules/certmanager v0.0.0-20260324154846-c2eb57bed8d7 h1:dDdVqumOg+K9jewhtJjQzTMmt/ufuXpvB1YR9b9lv5M=
+github.com/stuggi/lib-common/modules/certmanager v0.0.0-20260324154846-c2eb57bed8d7/go.mod h1:GzD7Jc5o98ptJ97DSjhC0CQ6OiTP0PB/2qJqxYGcOH8=
+github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7 h1:oExdwaeBQae3Tpsc21QOwjagL30kCBvAoBWfeMEhxG0=
+github.com/stuggi/lib-common/modules/common v0.0.0-20260324154846-c2eb57bed8d7/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
 github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0 h1:vvSKXEVSc12xKF+yWh5HD9ZmEviECoovcNrqqObA160=
 github.com/stuggi/mariadb-operator/api v0.0.0-20260323091819-07fa2e3001c0/go.mod h1:cyeexUkEIgzQ3c1vVVv/DQ3AbnECfDwKdZteKC+sZKY=
 github.com/stuggi/swift-operator/api v0.0.0-20260319154125-3d8c75168895 h1:2thlxyQQ/EUmh+Shczy78nAcsMST8FgeztnlWpz19kM=

internal/openstack/galera.go

@@ -10,6 +10,7 @@ import (
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -142,7 +143,7 @@ func ReconcileGaleras(
 				"server auth",
 				"client auth",
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration

internal/openstack/memcached.go

@@ -10,6 +10,7 @@ import (
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	memcachedv1 "github.com/openstack-k8s-operators/infra-operator/apis/memcached/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -213,7 +214,7 @@ func reconcileMemcached(
 				fmt.Sprintf("%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
 				fmt.Sprintf("*.%s.%s.svc.%s", name, instance.Namespace, clusterDomain),
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
@@ -245,7 +246,7 @@ func reconcileMemcached(
 					fmt.Sprintf("*.%s.svc", instance.Namespace),
 					fmt.Sprintf("*.%s.svc.%s", instance.Namespace, clusterDomain),
 				},
-				Labels: map[string]string{serviceCertSelector: ""},
+				Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 				Usages: []certmgrv1.KeyUsage{
 					certmgrv1.UsageKeyEncipherment,
 					certmgrv1.UsageDigitalSignature,

internal/openstack/neutron.go

@@ -6,6 +6,7 @@ import (
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -91,7 +92,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 				certmgrv1.UsageDigitalSignature,
 				certmgrv1.UsageClientAuth,
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration

internal/openstack/nova.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -273,7 +274,8 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 			nova.Namespace,
 			instance.Spec.Nova.Template.MetadataServiceTemplate.Override.Service.Labels,
 			instance.GetInternalIssuer(),
-			nil)
+			nil,
+			map[string]string{backup.BackupRestoreLabel: "false"})
 		if err != nil && !k8s_errors.IsNotFound(err) {
 			return ctrlResult, err
 		} else if (ctrlResult != ctrl.Result{}) {
@@ -296,7 +298,8 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 				nova.Namespace,
 				cellTemplate.MetadataServiceTemplate.Override.Service.Labels,
 				instance.GetInternalIssuer(),
-				nil)
+				nil,
+				map[string]string{backup.BackupRestoreLabel: "false"})
 			if err != nil && !k8s_errors.IsNotFound(err) {
 				return ctrlResult, err
 			} else if (ctrlResult != ctrl.Result{}) {
@@ -378,7 +381,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 							certmgrv1.UsageServerAuth,
 							certmgrv1.UsageClientAuth,
 						},
-						Labels: map[string]string{serviceCertSelector: ""},
+						Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 					}
 					if instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration != nil {
 						certRequest.Duration = &instance.Spec.TLS.PodLevel.Libvirt.Cert.Duration.Duration

internal/openstack/octavia.go

@@ -22,6 +22,7 @@ import (
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -132,7 +133,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 				certmgrv1.UsageDigitalSignature,
 				certmgrv1.UsageClientAuth,
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration

internal/openstack/ovn.go

@@ -6,6 +6,7 @@ import (
 	"reflect"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/backup"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -180,7 +181,7 @@ func ReconcileOVNDbClusters(ctx context.Context, instance *corev1beta1.OpenStack
 					certmgrv1.UsageServerAuth,
 					certmgrv1.UsageClientAuth,
 				},
-				Labels: map[string]string{serviceCertSelector: ""},
+				Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 			}
 			if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
 				certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
@@ -320,7 +321,7 @@ func ReconcileOVNNorthd(ctx context.Context, instance *corev1beta1.OpenStackCont
 				certmgrv1.UsageServerAuth,
 				certmgrv1.UsageClientAuth,
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
@@ -464,7 +465,7 @@ func ReconcileOVNController(ctx context.Context, instance *corev1beta1.OpenStack
 				certmgrv1.UsageServerAuth,
 				certmgrv1.UsageClientAuth,
 			},
-			Labels: map[string]string{serviceCertSelector: ""},
+			Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 		}
 		if instance.Spec.TLS.PodLevel.Ovn.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Ovn.Cert.Duration.Duration
@@ -607,7 +608,7 @@ func EnsureOVNMetricsCert(ctx context.Context, instance *corev1beta1.OpenStackCo
 			certmgrv1.UsageServerAuth,
 			certmgrv1.UsageClientAuth,
 		},
-		Labels: map[string]string{serviceCertSelector: ""},
+		Labels: map[string]string{serviceCertSelector: "", backup.BackupRestoreLabel: "false"},
 	}
 
 	// Apply certificate duration settings if configured