openstack-k8s-operators · openshift-merge-bot · Jan 23, 2025 · Jan 22, 2025 · Jan 17, 2025 · Jan 17, 2025
diff --git a/api/bases/watcher.openstack.org_watcherapis.yaml b/api/bases/watcher.openstack.org_watcherapis.yaml
@@ -194,6 +194,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - secret
             - serviceAccount

diff --git a/api/bases/watcher.openstack.org_watchers.yaml b/api/bases/watcher.openstack.org_watchers.yaml
@@ -224,6 +224,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - apiContainerImageURL
             - apiServiceTemplate

diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -17,7 +17,9 @@ limitations under the License.
 package v1beta1
 
 import (
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
+
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -55,6 +57,11 @@ type WatcherCommon struct {
 	// NodeSelector to target subset of worker nodes running this component. Setting here overrides
 	// any global NodeSelector settings within the Watcher CR.
 	NodeSelector *map[string]string `json:"nodeSelector,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// TLS - Parameters related to the TLS
+	TLS tls.API `json:"tls,omitempty"`
 }
 
 // WatcherTemplate defines the fields used in the top level CR

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/watcher.openstack.org_watcherapis.yaml b/config/crd/bases/watcher.openstack.org_watcherapis.yaml
@@ -194,6 +194,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - secret
             - serviceAccount

diff --git a/config/crd/bases/watcher.openstack.org_watchers.yaml b/config/crd/bases/watcher.openstack.org_watchers.yaml
@@ -224,6 +224,36 @@ spec:
                 description: ServiceUser - optional username used for this service
                   to register in keystone
                 type: string
+              tls:
+                description: TLS - Parameters related to the TLS
+                properties:
+                  api:
+                    description: API tls type which encapsulates for API services
+                    properties:
+                      internal:
+                        description: Internal GenericService - holds the secret for
+                          the internal endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                      public:
+                        description: Public GenericService - holds the secret for
+                          the public endpoint
+                        properties:
+                          secretName:
+                            description: SecretName - holding the cert, key for the
+                              service
+                            type: string
+                        type: object
+                    type: object
+                  caBundleSecretName:
+                    description: CaBundleSecretName - holding the CA certs in a pre-created
+                      bundle file
+                    type: string
+                type: object
             required:
             - apiContainerImageURL
             - apiServiceTemplate

diff --git a/config/manifests/bases/watcher-operator.clusterserviceversion.yaml b/config/manifests/bases/watcher-operator.clusterserviceversion.yaml
@@ -23,6 +23,10 @@ spec:
       displayName: Watcher API
       kind: WatcherAPI
       name: watcherapis.watcher.openstack.org
+      specDescriptors:
+      - description: TLS - Parameters related to the TLS
+        displayName: TLS
+        path: tls
       version: v1beta1
     - description: WatcherApplier is the Schema for the watcherappliers API
       displayName: Watcher Applier
@@ -39,6 +43,10 @@ spec:
       displayName: Watcher
       kind: Watcher
       name: watchers.watcher.openstack.org
+      specDescriptors:
+      - description: TLS - Parameters related to the TLS
+        displayName: TLS
+        path: tls
       version: v1beta1
   description: The Watcher Operator project
   displayName: Watcher Operator

diff --git a/config/samples/watcher_v1beta1_watcher.yaml b/config/samples/watcher_v1beta1_watcher.yaml
@@ -10,3 +10,5 @@ metadata:
   name: watcher
 spec:
   databaseInstance: "openstack"
+  tls:
+    caBundleSecretName: "combined-ca-bundle"
diff --git a/controllers/watcher_common.go b/controllers/watcher_common.go
@@ -36,6 +36,8 @@ var (
 const (
 	// TransportURLSelector is the name of key in the secret created by TransportURL
 	TransportURLSelector = "transport_url"
+	// DatabaseAccount is the name of key in the secret for the name of the Database Acount object
+	DatabaseAccount = "database_account"
 	// DatabaseUsername is the name of key in the secret for the user name used to login to the database
 	DatabaseUsername = "database_username"
 	// DatabaseUsername is the name of key in the secret for the password used to login to the database

diff --git a/controllers/watcher_controller.go b/controllers/watcher_controller.go
@@ -41,6 +41,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -634,13 +635,20 @@ func (r *WatcherReconciler) generateServiceConfigDBSync(
 	Log := r.GetLogger(ctx)
 	Log.Info("generateServiceConfigs - reconciling config for Watcher CR")
 
-	customData := map[string]string{}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.Ca.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	// customData hold any customization for the service.
+	customData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 
 	labels := labels.GetLabels(instance, labels.GetGroupLabel(watcher.ServiceName), map[string]string{})
 	databaseAccount := db.GetAccount()
 	databaseSecret := db.GetSecret()
 	templateParameters := map[string]interface{}{
-		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?charset=utf8",
+		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
 			databaseAccount.Spec.UserName,
 			string(databaseSecret.Data[mariadbv1.DatabasePasswordSelector]),
 			db.GetDatabaseHostname(),
@@ -721,6 +729,7 @@ func (r *WatcherReconciler) createSubLevelSecret(
 	data := map[string]string{
 		instance.Spec.PasswordSelectors.Service: string(inputSecret.Data[instance.Spec.PasswordSelectors.Service]),
 		TransportURLSelector:                    string(transportURLSecret.Data[TransportURLSelector]),
+		DatabaseAccount:                         databaseAccount.Name,
 		DatabaseUsername:                        databaseAccount.Spec.UserName,
 		DatabasePassword:                        string(databaseSecret.Data[mariadbv1.DatabasePasswordSelector]),
 		DatabaseHostname:                        db.GetDatabaseHostname(),
@@ -774,6 +783,9 @@ func (r *WatcherReconciler) ensureAPI(
 		watcherAPISpec.NodeSelector = instance.Spec.NodeSelector
 	}
 
+	// We need to have TLS defined in SubCRs to have some values available
+	watcherAPISpec.TLS = instance.Spec.TLS
+
 	apiDeployment := &watcherv1beta1.WatcherAPI{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("%s-api", instance.Name),

diff --git a/controllers/watcherapi_controller.go b/controllers/watcherapi_controller.go
@@ -43,9 +43,12 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	watcherv1beta1 "github.com/openstack-k8s-operators/watcher-operator/api/v1beta1"
+
 	"github.com/openstack-k8s-operators/watcher-operator/pkg/watcher"
 	"github.com/openstack-k8s-operators/watcher-operator/pkg/watcherapi"
 
@@ -160,6 +163,7 @@ func (r *WatcherAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		[]string{
 			instance.Spec.PasswordSelectors.Service,
 			TransportURLSelector,
+			DatabaseAccount,
 		},
 		helper.GetClient(),
 		&instance.Status.Conditions,
@@ -280,28 +284,49 @@ func (r *WatcherAPIReconciler) generateServiceConfigs(
 	if err != nil {
 		return err
 	}
+
+	databaseAccount := string(secret.Data[DatabaseAccount])
+	db, err := mariadbv1.GetDatabaseByNameAndAccount(ctx, helper, watcher.DatabaseCRName, databaseAccount, instance.Namespace)
+	if err != nil {
+		return err
+	}
 	// customData hold any customization for the service.
 	// NOTE jgilaber making an empty map for now, we'll probably want to
 	// implement CustomServiceConfig later
-	customData := map[string]string{}
+	var tlsCfg *tls.Service
+	if instance.Spec.TLS.Ca.CaBundleSecretName != "" {
+		tlsCfg = &tls.Service{}
+	}
+	// customData hold any customization for the service.
+	customData := map[string]string{
+		"my.cnf": db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+	}
 
 	databaseUsername := string(secret.Data[DatabaseUsername])
 	databaseHostname := string(secret.Data[DatabaseHostname])
 	databasePassword := string(secret.Data[DatabasePassword])
+
+	var CaFilePath string
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		CaFilePath = tls.DownstreamTLSCABundlePath
+	}
 	templateParameters := map[string]interface{}{
-		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?charset=utf8",
+		"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
 			databaseUsername,
 			databasePassword,
 			databaseHostname,
 			watcher.DatabaseName,
 		),
-		"KeystoneAuthURL":  keystoneInternalURL,
-		"ServicePassword":  string(secret.Data[instance.Spec.PasswordSelectors.Service]),
-		"ServiceUser":      instance.Spec.ServiceUser,
-		"TransportURL":     string(secret.Data[TransportURLSelector]),
-		"MemcachedServers": memcachedInstance.GetMemcachedServerListString(),
-		"LogFile":          fmt.Sprintf("%s%s.log", watcher.WatcherLogPath, instance.Name),
-		"APIPublicPort":    fmt.Sprintf("%d", watcher.WatcherPublicPort),
+		"KeystoneAuthURL":          keystoneInternalURL,
+		"ServicePassword":          string(secret.Data[instance.Spec.PasswordSelectors.Service]),
+		"ServiceUser":              instance.Spec.ServiceUser,
+		"TransportURL":             string(secret.Data[TransportURLSelector]),
+		"MemcachedServers":         memcachedInstance.GetMemcachedServerListString(),
+		"MemcachedServersWithInet": memcachedInstance.GetMemcachedServerListWithInetString(),
+		"MemcachedTLS":             memcachedInstance.GetMemcachedTLSSupport(),
+		"LogFile":                  fmt.Sprintf("%s%s.log", watcher.WatcherLogPath, instance.Name),
+		"APIPublicPort":            fmt.Sprintf("%d", watcher.WatcherPublicPort),
+		"CaFilePath":               CaFilePath,
 	}
 
 	// create httpd  vhost template parameters

diff --git a/pkg/watcher/dbsync.go b/pkg/watcher/dbsync.go
@@ -56,6 +56,12 @@ func DbSyncJob(instance *watcherv1beta1.Watcher, labels map[string]string, annot
 		},
 	}
 
+	// Create mount for bundle CA if defined in TLS.CaBundleSecretName
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		dbSyncVolume = append(dbSyncVolume, instance.Spec.TLS.CreateVolume())
+		dbSyncMounts = append(dbSyncMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+	}
+
 	args := []string{"-c", DBSyncCommand}
 
 	runAsUser := int64(0)

diff --git a/pkg/watcherapi/deployment.go b/pkg/watcherapi/deployment.go
@@ -65,6 +65,12 @@ func Deployment(
 	}
 	apiVolumeMounts = append(apiVolumeMounts, watcher.GetLogVolumeMount()...)
 
+	// Create mount for bundle CA if defined in TLS.CaBundleSecretName
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		apiVolumes = append(apiVolumes, instance.Spec.TLS.CreateVolume())
+		apiVolumeMounts = append(apiVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+	}
+
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      instance.Name,