

Configure CA Cert file for keystone and watcher clients
When connecting to internal services, watcher may find they have TLS
enabled. This patch is adding the required parameter `cafile` based on
the presence of the TLS.CaBundleSecretName parameter, which defines the Secret
of the CA bundle containing the cert used for internal communications.
amoralej committed Jan 17, 2025
1 parent 8a09dbf commit 91b90ef
Showing 2 changed files with 12 additions and 5 deletions.
6 changes: 6 additions & 0 deletions controllers/watcherapi_controller.go
Expand Up @@ -290,6 +290,11 @@ func (r *WatcherAPIReconciler) generateServiceConfigs(
databaseHostname := string(secret.Data[DatabaseHostname])
databasePassword := string(secret.Data[DatabasePassword])
prometheusTLS, _ := strconv.ParseBool(string(secret.Data[PrometheusTLSKey]))

var CaFilePath string
if instance.Spec.TLS.CaBundleSecretName != "" {
CaFilePath = tls.DownstreamTLSCABundlePath
}
templateParameters := map[string]interface{}{
"DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
databaseUsername,
Expand All @@ -310,6 +315,7 @@ func (r *WatcherAPIReconciler) generateServiceConfigs(
"PrometheusPort": string(secret.Data[PrometheusPortKey]),
"PrometheusTLS": prometheusTLS,
"PrometheusCaCert": string(secret.Data[PrometheusCaCertKey]),
"CaFilePath": CaFilePath,
}

// create httpd vhost template parameters
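Review bot: `var CaFilePath string` introduces a local variable with an exported-style capitalised name, whereas Go convention (and the neighbouring `databaseHostname` / `prometheusTLS` locals) is lowerCamelCase; `var caFilePath string`, `caFilePath = tls.DownstreamTLSCABundlePath` and `"CaFilePath": caFilePath` in the parameter map keep the template key unchanged while fixing the spelling. A one-line comment on the `var` would also help, because the path is chosen solely from whether a CA bundle Secret is named, not from whether keystone actually serves TLS, e.g. `// Point keystone/watcher clients at the mounted CA bundle when one is configured; when empty the template omits cafile.` The enclosing generateServiceConfigs starts before and ends after this hunk.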
11 changes: 6 additions & 5 deletions templates/watcher/config/00-default.conf
Expand Up @@ -21,9 +21,6 @@ driver = messagingv2
{{if (index . "MemcachedServersWithInet")}}
memcached_servers={{ .MemcachedServersWithInet }}
{{end}}

# TODO jgilaber implement handling this option when we add tls support
# cafile = /var/lib/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
Expand All @@ -32,12 +29,13 @@ username = {{ .ServiceUser }}
auth_url = {{ .KeystoneAuthURL }}
interface = internal
auth_type = password
{{if .CaFilePath}}
cafile = {{ .CaFilePath }}
{{ end }}
{{ end }}

{{ if (index . "KeystoneAuthURL") }}
[watcher_clients_auth]
# TODO jgilaber implement handling this option when we add tls support
# cafile = /var/lib/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
Expand All @@ -46,6 +44,9 @@ username = {{ .ServiceUser }}
auth_url = {{ .KeystoneAuthURL }}
interface = internal
auth_type = password
{{if .CaFilePath}}
cafile = {{ .CaFilePath }}
{{ end }}
{{ end }}


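Review bot: The new `{{if .CaFilePath}}` guards in both the keystone_authtoken-style block and `[watcher_clients_auth]` read the key with dot-field syntax, while the template elsewhere guards optional keys with `(index . "...")`, as on the `MemcachedServersWithInet` line. If this template is also rendered by a controller whose parameter map does not set `"CaFilePath"` (only watcherapi_controller.go is changed in this commit), the missing key evaluates as empty (or fails rendering, depending on the missingkey option in use) and `cafile` is silently omitted, so that component would verify TLS against the default trust store with no visible error. Using `{{if (index . "CaFilePath")}}` keeps the optional-key idiom consistent, and a comment beside the block, `# cafile is only emitted when the controller passes CaFilePath (TLS.CaBundleSecretName set)`, makes the dependency explicit for anyone reusing this template. The `{{ end }}` closing also differs in spacing from the `{{end}}` used in the memcached block above.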

