From 91b90ef4732c81b4894bf07429ef6cdf27c53287 Mon Sep 17 00:00:00 2001
From: Alfredo Moralejo
Date: Fri, 17 Jan 2025 12:24:28 +0100
Subject: [PATCH] Configure CA Cert file for keystone and watcher clients

When connecting to internal services, watcher may find they have TLS enabled. This patch is adding the required parameter `cafile` based on the presence of TLS.CaBundleSecretName parameter which defines de Secret of the CA bundle containing the cert used for internal communications.
---
 controllers/watcherapi_controller.go | 6 ++++++
 templates/watcher/config/00-default.conf | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/controllers/watcherapi_controller.go b/controllers/watcherapi_controller.go
index d135e44..c3936ad 100644
--- a/controllers/watcherapi_controller.go
+++ b/controllers/watcherapi_controller.go
@@ -290,6 +290,11 @@ func (r *WatcherAPIReconciler) generateServiceConfigs(
 databaseHostname := string(secret.Data[DatabaseHostname])
 databasePassword := string(secret.Data[DatabasePassword])
 prometheusTLS, _ := strconv.ParseBool(string(secret.Data[PrometheusTLSKey]))
+
+ var CaFilePath string
+ if instance.Spec.TLS.CaBundleSecretName != "" {
+ CaFilePath = tls.DownstreamTLSCABundlePath
+ }
 templateParameters := map[string]interface{}{
 "DatabaseConnection": fmt.Sprintf("mysql+pymysql://%s:%s@%s/%s?read_default_file=/etc/my.cnf",
 databaseUsername,
@@ -310,6 +315,7 @@ func (r *WatcherAPIReconciler) generateServiceConfigs(
 "PrometheusPort": string(secret.Data[PrometheusPortKey]),
 "PrometheusTLS": prometheusTLS,
 "PrometheusCaCert": string(secret.Data[PrometheusCaCertKey]),
+ "CaFilePath": CaFilePath,
 }
 
 // create httpd vhost template parameters
diff --git a/templates/watcher/config/00-default.conf b/templates/watcher/config/00-default.conf
index 3f86ba1..f19ca3d 100644
--- a/templates/watcher/config/00-default.conf
+++ b/templates/watcher/config/00-default.conf
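Review bot: `CaFilePath` is a function-local variable but is spelled with an initial capital, which reads as an exported identifier in Go; rename it to `caFilePath` in the declaration, the assignment and the `"CaFilePath": caFilePath,` map entry added by the second hunk (@@ -310), keeping the map key itself unchanged since the template reads it. A short comment on the guard would also help the next reader, because the path is derived from the presence of the secret name rather than from the secret contents or the mount: `// Point the keystone/watcher clients at the CA bundle only when one is configured; the bundle is expected to be mounted at tls.DownstreamTLSCABundlePath.` Whether that mount is wired up elsewhere in this controller is not visible from the hunk; if it is not, keystoneauth would presumably reject connections over a missing cafile rather than fall back, which is the safe direction but worth confirming. generateServiceConfigs starts and ends outside the hunk.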
@@ -21,9 +21,6 @@ driver = messagingv2
 {{if (index . "MemcachedServersWithInet")}}
 memcached_servers={{ .MemcachedServersWithInet }}
 {{end}}
-
-# TODO jgilaber implement handling this option when we add tls support
-# cafile = /var/lib/ca-bundle.pem
 project_domain_name = Default
 project_name = service
 user_domain_name = Default
@@ -32,12 +29,13 @@ username = {{ .ServiceUser }}
 auth_url = {{ .KeystoneAuthURL }}
 interface = internal
 auth_type = password
+{{if .CaFilePath}}
+cafile = {{ .CaFilePath }}
+{{ end }}
 {{ end }}
 {{ if (index . "KeystoneAuthURL") }}
 [watcher_clients_auth]
-# TODO jgilaber implement handling this option when we add tls support
-# cafile = /var/lib/ca-bundle.pem
 project_domain_name = Default
 project_name = service
 user_domain_name = Default
@@ -46,6 +44,9 @@ username = {{ .ServiceUser }}
 auth_url = {{ .KeystoneAuthURL }}
 interface = internal
 auth_type = password
+{{if .CaFilePath}}
+cafile = {{ .CaFilePath }}
+{{ end }}
 {{ end }}
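Review bot: The new `{{if .CaFilePath}}` block in the second hunk (@@ -32) opens the action without a space but closes it with `{{ end }}`, and the identical three lines are repeated in the third hunk (@@ -46); the file already mixes `{{if (index . "…")}}`/`{{end}}` and `{{ if … }}`/`{{ end }}`, so at least keep one spacing within the new block, e.g. `{{ if .CaFilePath }}` … `{{ end }}`. The guard itself is sound only because the Go side always populates the `CaFilePath` key (an empty string when no CA bundle secret is configured), so `cafile` is emitted solely when a bundle path exists and the clients otherwise presumably use keystoneauth's default trust store; a one-line comment above the block would make that dependency explicit, e.g. `# cafile is rendered only when a CA bundle secret is configured for internal TLS`. The section header that the first new block belongs to is outside the hunk.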