Merge pull request #313 from fernandoroyosanchez/cert_driver_agent

Add OVN DB TLS Certificates to driver agent
openstack-k8s-operators · May 30, 2024 · c1107b8 · c1107b8
2 parents c80b32f + e751763
commit c1107b8
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go
@@ -82,11 +82,14 @@ func Deployment(
 	// create Volume and VolumeMounts
 	volumes := getVolumes(instance.Name)
 	volumeMounts := getVolumeMounts("octavia-api")
+	volumeMountsDriverAgent := getVolumeMounts("octavia-driver-agent")
 
 	// add CA cert if defined
 	if instance.Spec.TLS.CaBundleSecretName != "" {
 		volumes = append(volumes, instance.Spec.TLS.CreateVolume())
 		volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+		volumeMountsDriverAgent = append(volumeMountsDriverAgent, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+
 	}
 
 	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
@@ -105,6 +108,7 @@ func Deployment(
 			}
 			volumes = append(volumes, svc.CreateVolume(endpt.String()))
 			volumeMounts = append(volumeMounts, svc.CreateVolumeMounts(endpt.String())...)
+			volumeMountsDriverAgent = append(volumeMountsDriverAgent, svc.CreateVolumeMounts(endpt.String())...)
 		}
 	}
 
@@ -115,6 +119,7 @@ func Deployment(
 		}
 		volumes = append(volumes, svc.CreateVolume("ovndb"))
 		volumeMounts = append(volumeMounts, svc.CreateVolumeMounts("ovndb")...)
+		volumeMountsDriverAgent = append(volumeMountsDriverAgent, svc.CreateVolumeMounts("ovndb")...)
 	}
 
 	envVars := map[string]env.Setter{}
@@ -166,7 +171,7 @@ func Deployment(
 							Name:           fmt.Sprintf("%s-provider-agent", serviceName),
 							Image:          instance.Spec.ContainerImage,
 							Env:            env.MergeEnvs([]corev1.EnvVar{}, agentEnvVars),
-							VolumeMounts:   getVolumeMounts("octavia-driver-agent"),
+							VolumeMounts:   volumeMountsDriverAgent,
 							Resources:      instance.Spec.Resources,
 							ReadinessProbe: readinessProbe,
 							LivenessProbe:  livenessProbe,

diff --git a/templates/octaviaapi/config/octavia-driver-agent-config.json b/templates/octaviaapi/config/octavia-driver-agent-config.json
@@ -12,6 +12,22 @@
             "dest": "/etc/octavia/octavia.conf.d/custom.conf",
             "owner": "octavia",
             "perm": "0600"
+        },
+        {
+            "source": "/var/lib/config-data/tls/certs/*",
+            "dest": "/etc/pki/tls/certs/",
+            "owner": "octavia",
+            "perm": "0440",
+            "optional": true,
+            "merge": true
+        },
+        {
+            "source": "/var/lib/config-data/tls/private/*",
+            "dest": "/etc/pki/tls/private/",
+            "owner": "octavia",
+            "perm": "0400",
+            "optional": true,
+            "merge": true
         }
     ],
     "permissions": [

diff --git a/tests/kuttl/tests/octavia_tls/02-assert.yaml b/tests/kuttl/tests/octavia_tls/02-assert.yaml
@@ -198,6 +198,26 @@ spec:
           name: config-data
         - mountPath: /run/octavia
           name: octavia-run
+        - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+          name: combined-ca-bundle
+          readOnly: true
+          subPath: tls-ca-bundle.pem
+        - mountPath: /var/lib/config-data/tls/certs/internal.crt
+          name: internal-tls-certs
+          readOnly: true
+          subPath: tls.crt
+        - mountPath: /var/lib/config-data/tls/private/internal.key
+          name: internal-tls-certs
+          readOnly: true
+          subPath: tls.key
+        - mountPath: /var/lib/config-data/tls/certs/public.crt
+          name: public-tls-certs
+          readOnly: true
+          subPath: tls.crt
+        - mountPath: /var/lib/config-data/tls/private/public.key
+          name: public-tls-certs
+          readOnly: true
+          subPath: tls.key
       initContainers:
       - args:
         - -c