
Commit 16002e5

committed
tls fixes
1 parent 7f84ade commit 16002e5

2 files changed

Lines changed: 47 additions & 4 deletions


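--- a/internal/controller/client/openstackclient_controller.go
+++ b/internal/controller/client/openstackclient_controller.go
@@ -43,6 +43,7 @@ import (
 keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 "github.com/openstack-k8s-operators/lib-common/modules/common"
+"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 "github.com/openstack-k8s-operators/lib-common/modules/common/clusterdns"
 condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 "github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
@@ -359,6 +360,27 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 configVars[mcpTLSSecretName] = env.SetValue(certSecret.ResourceVersion)
 }
 
+// Use the internal Keystone endpoint for the MCP sidecar's clouds.yaml
+// so it connects directly to the in-cluster service and avoids
+// TLS issues with the public OCP route.
+internalAuthURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+if err != nil {
+instance.Status.Conditions.Set(condition.FalseCondition(
+clientv1.OpenStackClientReadyCondition,
+condition.RequestedReason,
+condition.SeverityInfo,
+"waiting for internal Keystone endpoint"))
+return ctrl.Result{RequeueAfter: time.Duration(5) * time.Second}, nil
+}
+
+mcpCloudsYAML := openstackclient.MCPCloudsYAML(
+internalAuthURL,
+keystoneAPI.Spec.AdminProject,
+keystoneAPI.Spec.AdminUser,
+keystoneAPI.Spec.Region,
+instance.Spec.CaBundleSecretName,
+)
+
 mcpConfigCM := &corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
 Name: instance.Name + "-mcp-config",
@@ -368,13 +390,14 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 _, err = controllerutil.CreateOrPatch(ctx, r.Client, mcpConfigCM, func() error {
 mcpConfigCM.Data = map[string]string{
 "config.yaml": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
+"clouds.yaml": mcpCloudsYAML,
 }
 return controllerutil.SetControllerReference(instance, mcpConfigCM, r.Scheme)
 })
 if err != nil {
 return ctrl.Result{}, fmt.Errorf("error creating MCP config ConfigMap: %w", err)
 }
-configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled))
+configVars[instance.Name+"-mcp-config"] = env.SetValue(openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled) + mcpCloudsYAML)
 
 }
 
@@ -394,7 +417,6 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 "containerImage": instance.Spec.ContainerImage,
 "mcpContainerImage": instance.Spec.MCP.ContainerImage,
-"mcpConfig": openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, instance.Spec.CaBundleSecretName != ""),
 "configVarsHash": configVarsHash,
 })
 if err != nil {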
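Review bot: The new block that builds `mcpCloudsYAML` from `internalAuthURL` does not guard the combination of an HTTPS internal endpoint and an empty `instance.Spec.CaBundleSecretName`; in that case MCPCloudsYAML emits no `cacert`, so the sidecar would have nothing to verify the in-cluster Keystone certificate against and the only "fix" available to an operator would be to weaken verification. If the internal endpoint can be served over TLS (the surrounding `mcpTLSEnabled`/`certSecret` handling suggests TLS is in play here), surface that as a condition before building the clouds.yaml, e.g. `if strings.HasPrefix(internalAuthURL, "https://") && instance.Spec.CaBundleSecretName == "" { /* set OpenStackClientReadyCondition false with a clear message and requeue */ }` (adding the `strings` import if it is not already present). The comment "avoids TLS issues with the public OCP route" is vague about the dependency it creates; I would state it: `// The sidecar talks to the internal Keystone endpoint; when that endpoint is TLS it is verified against the CA bundle from Spec.CaBundleSecretName (see MCPCloudsYAML).` Minor style: `time.Duration(5) * time.Second` reads more naturally as `5 * time.Second`. Reconcile starts and ends outside this hunk.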

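--- a/internal/openstackclient/funcs.go
+++ b/internal/openstackclient/funcs.go
@@ -116,9 +116,10 @@ func ClientPodSpec(
 if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
 mcpVolumeMounts := []corev1.VolumeMount{
 {
-Name: "openstack-config",
+Name: "mcp-config",
 MountPath: "/home/cloud-admin/.config/openstack/clouds.yaml",
 SubPath: "clouds.yaml",
+ReadOnly: true,
 },
 {
 Name: "openstack-config-secret",
@@ -127,7 +128,8 @@ func ClientPodSpec(
 },
 {
 Name: "mcp-config",
-MountPath: "/tmp/mcp-config",
+MountPath: "/tmp/mcp-config/config.yaml",
+SubPath: "config.yaml",
 ReadOnly: true,
 },
 }
@@ -234,6 +236,25 @@ mcp_transport_security:
 `, caCert, tlsConfig, allowedOriginScheme)
 }
 
+// MCPCloudsYAML returns a clouds.yaml using the given auth URL for the MCP sidecar.
+// When caBundleSecretName is set, a cacert path is included for TLS verification.
+func MCPCloudsYAML(authURL, projectName, userName, region, caBundleSecretName string) string {
+caCert := ""
+if caBundleSecretName != "" {
+caCert = fmt.Sprintf("\n cacert: %s", tls.DownstreamTLSCABundlePath)
+}
+return fmt.Sprintf(`clouds:
+default:
+auth:
+auth_url: %s
+project_name: %s
+username: %s
+user_domain_name: Default
+project_domain_name: Default
+region_name: %s%s
+`, authURL, projectName, userName, region, caCert)
+}
+
 func clientPodVolumeMounts() []corev1.VolumeMount {
 return []corev1.VolumeMount{
 {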
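Review bot: MCPCloudsYAML interpolates `authURL`, `projectName`, `userName` and `region` into the YAML template as bare `%s` scalars, so a value containing YAML-significant characters (`#`, `: `, a leading `*` or `&`) yields a malformed or re-interpreted document, and a value containing a newline can append extra keys to the mapping — including a `cacert` or `verify` override of the TLS settings this function is meant to set. These values come from the Keystone CR spec rather than from end users, so the exposure is limited, but quoting is cheap: `auth_url: %q` (and likewise `project_name`, `username`, `region_name`), since Go's `%q` escaping is accepted by YAML double-quoted scalars; a YAML marshaller would be the more robust option if the package already uses one. Note that with `%q` an empty `region` renders as `""` rather than an empty node — if an unset region must be omitted, drop the `region_name` line in that case instead. The rendered page has lost indentation, so I cannot confirm that the leading spaces in `"\n cacert: %s"` align `cacert` with `region_name` at cloud level (it must not fall under `auth`); worth checking against the generated ConfigMap. The doc comment could also say that credentials are deliberately not included here and are expected from the mounted `openstack-config-secret`, if that is the design.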
