openstack-k8s-operators
diff --git a/‎config/services/dataplane_v1beta1_openstackdataplaneservice_bootstrap.yaml‎
Lines changed: 1 addition & 0 deletions b/‎config/services/dataplane_v1beta1_openstackdataplaneservice_bootstrap.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/dataplane/deployment.go‎
Lines changed: 54 additions & 25 deletions b/‎pkg/dataplane/deployment.go‎
Lines changed: 54 additions & 25 deletions
diff --git a/‎tests/functional/dataplane/base_test.go‎
Lines changed: 10 additions & 0 deletions b/‎tests/functional/dataplane/base_test.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎tests/functional/dataplane/openstackdataplanedeployment_controller_test.go‎
Lines changed: 20 additions & 4 deletions b/‎tests/functional/dataplane/openstackdataplanedeployment_controller_test.go‎
Lines changed: 20 additions & 4 deletions
@@ -5,3 +5,4 @@ metadata:
 spec:
   playbook: osp.edpm.bootstrap
   edpmServiceType: bootstrap
+  caCerts: combined-ca-bundle
@@ -131,6 +131,22 @@ func (d *Deployer) Deploy(services []string) (*ctrl.Result, error) {
 				d.Status.NodeSetConditions[d.NodeSet.Name] = nsConditions
 				return &ctrl.Result{}, err
 			}
+		} else if len(foundService.Spec.CACerts) > 0 {
+			// In general, we use the install-certs service (which has AddCertMounts=true
+			// to copy the cacerts over.  This may not be early enough for some services
+			// though.  In particular, we want the bootstrap service to copy the cacerts
+			// to the default location on the compute node.
+			d.AeeSpec, err = d.addCACertMount(foundService)
+			if err != nil {
+				nsConditions.Set(condition.FalseCondition(
+					readyCondition,
+					condition.ErrorReason,
+					condition.SeverityError,
+					readyErrorMessage,
+					err.Error()))
+				d.Status.NodeSetConditions[d.NodeSet.Name] = nsConditions
+				return &ctrl.Result{}, err
+			}
 		}
 
 		err = d.ConditionalDeploy(
@@ -351,38 +367,51 @@ func (d *Deployer) addCertMounts(
 
 		// add mount for cacert bundle, even if TLS-E is not enabled
 		if len(service.Spec.CACerts) > 0 {
-			log.Info("Mounting CA cert bundle for service", "service", svc)
-			volMounts := storage.VolMounts{}
-			cacertSecret := &corev1.Secret{}
-			err := client.Get(d.Ctx, types.NamespacedName{Name: service.Spec.CACerts, Namespace: service.Namespace}, cacertSecret)
+			d.AeeSpec, err = d.addCACertMount(service)
 			if err != nil {
 				return d.AeeSpec, err
 			}
-			volumeName := fmt.Sprintf("%s-%s", service.Name, service.Spec.CACerts)
-			if len(volumeName) > apimachineryvalidation.DNS1123LabelMaxLength {
-				hash := sha256.Sum224([]byte(volumeName))
-				volumeName = "cacert" + hex.EncodeToString(hash[:])
-			}
-			cacertVolume := storage.Volume{
-				Name: volumeName,
-				VolumeSource: storage.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: service.Spec.CACerts,
-					},
-				},
-			}
+		}
+	}
 
-			cacertVolumeMount := corev1.VolumeMount{
-				Name:      volumeName,
-				MountPath: path.Join(CACertPaths, service.Spec.EDPMServiceType),
-			}
+	return d.AeeSpec, nil
+}
 
-			volMounts.Volumes = append(volMounts.Volumes, cacertVolume)
-			volMounts.Mounts = append(volMounts.Mounts, cacertVolumeMount)
-			d.AeeSpec.ExtraMounts = append(d.AeeSpec.ExtraMounts, volMounts)
-		}
+func (d *Deployer) addCACertMount(
+	service dataplanev1.OpenStackDataPlaneService,
+) (*dataplanev1.AnsibleEESpec, error) {
+	log := d.Helper.GetLogger()
+	client := d.Helper.GetClient()
+
+	log.Info("Mounting CA cert bundle for service", "service", service)
+	volMounts := storage.VolMounts{}
+	cacertSecret := &corev1.Secret{}
+	err := client.Get(d.Ctx, types.NamespacedName{Name: service.Spec.CACerts, Namespace: service.Namespace}, cacertSecret)
+	if err != nil {
+		return d.AeeSpec, err
+	}
+	volumeName := fmt.Sprintf("%s-%s", service.Name, service.Spec.CACerts)
+	if len(volumeName) > apimachineryvalidation.DNS1123LabelMaxLength {
+		hash := sha256.Sum224([]byte(volumeName))
+		volumeName = "cacert" + hex.EncodeToString(hash[:])
+	}
+	cacertVolume := storage.Volume{
+		Name: volumeName,
+		VolumeSource: storage.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: service.Spec.CACerts,
+			},
+		},
+	}
+
+	cacertVolumeMount := corev1.VolumeMount{
+		Name:      volumeName,
+		MountPath: path.Join(CACertPaths, service.Spec.EDPMServiceType),
 	}
 
+	volMounts.Volumes = append(volMounts.Volumes, cacertVolume)
+	volMounts.Mounts = append(volMounts.Mounts, cacertVolumeMount)
+	d.AeeSpec.ExtraMounts = append(d.AeeSpec.ExtraMounts, volMounts)
 	return d.AeeSpec, nil
 }
 
 
@@ -166,6 +166,16 @@ func CreateSSHSecret(name types.NamespacedName) *corev1.Secret {
 	)
 }
 
+// Create CABundleSecret
+func CreateCABundleSecret(name types.NamespacedName) *corev1.Secret {
+	return th.CreateSecret(
+		types.NamespacedName{Namespace: name.Namespace, Name: name.Name},
+		map[string][]byte{
+			"tls-ca-bundle.pem": []byte("blah"),
+		},
+	)
+}
+
 // Create OpenStackVersion
 func CreateOpenStackVersion(name types.NamespacedName) *unstructured.Unstructured {
 	raw := DefaultOpenStackVersion(name)
 
@@ -24,6 +24,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	var dataplaneDeploymentName types.NamespacedName
 	var dataplaneNodeSetName types.NamespacedName
 	var dataplaneSSHSecretName types.NamespacedName
+	var caBundleSecretName types.NamespacedName
 	var neutronOvnMetadataSecretName types.NamespacedName
 	var novaNeutronMetadataSecretName types.NamespacedName
 	var novaCellComputeConfigSecretName types.NamespacedName
@@ -59,6 +60,10 @@ var _ = Describe("Dataplane Deployment Test", func() {
 			Namespace: namespace,
 			Name:      "dataplane-ansible-ssh-private-key-secret",
 		}
+		caBundleSecretName = types.NamespacedName{
+			Namespace: namespace,
+			Name:      "combined-ca-bundle",
+		}
 		neutronOvnMetadataSecretName = types.NamespacedName{
 			Namespace: namespace,
 			Name:      "neutron-ovn-metadata-agent-neutron-config",
@@ -110,6 +115,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with matching NodeSet", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -249,6 +255,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with two NodeSets", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -430,9 +437,9 @@ var _ = Describe("Dataplane Deployment Test", func() {
 					}
 					ansibleEE := GetAnsibleee(ansibleeeName)
 					if service.Spec.DeployOnAllNodeSets {
-						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(4))
+						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(5))
 					} else {
-						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(2))
+						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(3))
 					}
 					ansibleEE.Status.Succeeded = 1
 					g.Expect(th.K8sClient.Status().Update(th.Ctx, ansibleEE)).To(Succeed())
@@ -469,9 +476,9 @@ var _ = Describe("Dataplane Deployment Test", func() {
 					}
 					ansibleEE := GetAnsibleee(ansibleeeName)
 					if service.Spec.DeployOnAllNodeSets {
-						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(4))
+						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(5))
 					} else {
-						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(2))
+						g.Expect(ansibleEE.Spec.Template.Spec.Volumes).Should(HaveLen(3))
 					}
 					ansibleEE.Status.Succeeded = 1
 					g.Expect(th.K8sClient.Status().Update(th.Ctx, ansibleEE)).To(Succeed())
@@ -501,6 +508,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with a missing nodeset", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -638,6 +646,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 		BeforeEach(func() {
 			CreateDataplaneServicesWithSameServiceType(dataplaneServiceName)
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -720,6 +729,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with two NodeSets both containing same globalservice", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -951,6 +961,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 		BeforeEach(func() {
 			CreateDataplaneServicesWithSameServiceType(dataplaneServiceName)
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -1051,6 +1062,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with serviceoverride containing single global service", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -1258,6 +1270,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with serviceoverride containing global service", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -1480,6 +1493,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A dataplaneDeployment is created with non-existent service in nodeset", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -1575,6 +1589,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A user sets TLSEnabled to true with control plane with PodLevel TLS disabled", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))
@@ -1674,6 +1689,7 @@ var _ = Describe("Dataplane Deployment Test", func() {
 	When("A user sets TLSEnabled to true with control plane PodLevel TLS enabled", func() {
 		BeforeEach(func() {
 			CreateSSHSecret(dataplaneSSHSecretName)
+			CreateCABundleSecret(caBundleSecretName)
 			DeferCleanup(th.DeleteInstance, th.CreateSecret(neutronOvnMetadataSecretName, map[string][]byte{
 				"fake_keys": []byte("blih"),
 			}))