Generate OVN RBAC PKI

api/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -13083,6 +13083,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13217,6 +13219,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32

api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -151,13 +151,22 @@ spec:
                     OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for
                     a dataplane service
                   properties:
+                    commonName:
+                      description: |-
+                        CommonName overrides how the certificate Common Name is derived.
+                        When set to "system-id", the CN is a UUID5 derived from the node's
+                        ctlplane FQDN, matching the OVN chassis system-id convention.
+                        When empty, CN defaults to the short hostname.
+                      enum:
+                      - system-id
+                      type: string
                     contents:
                       description: |-
                         Contents of the certificate
-                        This is a list of strings for properties that are needed in the cert
+                        This is a list of strings for properties that are needed in the cert.
+                        May be empty for client-only certificates that require no SANs.
                       items:
                         type: string
-                      minItems: 1
                       type: array
                     edpmRoleServiceName:
                       description: |-
@@ -241,8 +250,6 @@ spec:
                         pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$
                         type: string
                       type: array
-                  required:
-                  - contents
                   type: object
                 description: TLSCerts tls certs to be generated
                 type: object

api/core/v1beta1/openstackcontrolplane_types.go

@@ -61,6 +61,8 @@ const (
 	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
 	// LibvirtCaName -
 	LibvirtCaName = tls.DefaultCAPrefix + "libvirt"
+	// OvnRbacCaName -
+	OvnRbacCaName = tls.DefaultCAPrefix + "ovn-rbac"
 
 	// GlanceName - Default Glance name
 	GlanceName = "glance"
@@ -1244,6 +1246,11 @@ func (instance OpenStackControlPlane) GetOvnIssuer() string {
 	return OvnDbCaName
 }
 
+// GetOvnRbacIssuer - returns the OVN RBAC CA issuer name
+func (instance OpenStackControlPlane) GetOvnRbacIssuer() string {
+	return OvnRbacCaName
+}
+
 // GetLibvirtIssuer - returns the libvirt CA issuer name or custom if configured
 func (instance OpenStackControlPlane) GetLibvirtIssuer() string {
 	// use custom issuer if set

api/dataplane/v1beta1/openstackdataplaneservice_types.go

@@ -28,10 +28,10 @@ import (
 // a dataplane service
 type OpenstackDataPlaneServiceCert struct {
 	// Contents of the certificate
-	// This is a list of strings for properties that are needed in the cert
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:MinItems:=1
-	Contents []string `json:"contents"`
+	// This is a list of strings for properties that are needed in the cert.
+	// May be empty for client-only certificates that require no SANs.
+	// +kubebuilder:validation:Optional
+	Contents []string `json:"contents,omitempty"`
 
 	// Networks to include in SNI for the cert
 	// +kubebuilder:validation:Optional
@@ -46,6 +46,14 @@ type OpenstackDataPlaneServiceCert struct {
 	// +kubebuilder:validation:Optional
 	KeyUsages []certmgrv1.KeyUsage `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`
 
+	// CommonName overrides how the certificate Common Name is derived.
+	// When set to "system-id", the CN is a UUID5 derived from the node's
+	// ctlplane FQDN, matching the OVN chassis system-id convention.
+	// When empty, CN defaults to the short hostname.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=system-id
+	CommonName string `json:"commonName,omitempty"`
+
 	// EDPMRoleServiceName is the value of the <role>_service_name variable from
 	// the edpm-ansible role where this certificate is used. For example if the
 	// certificate is for edpm_ovn from edpm-ansible, EDPMRoleServiceName must be

bindata/crds/crds.yaml

@@ -13617,6 +13617,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13751,6 +13753,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32

bindata/crds/ovn.openstack.org_ovncontrollers.yaml

@@ -164,6 +164,13 @@ spec:
                 description: OVSLogLevel - Set log level off, emer, err, warn, info,
                   or dbg. Default is info.
                 type: string
+              rbacIssuerName:
+                description: |-
+                  RbacIssuerName - The name of the cert-manager Issuer used to sign
+                  per-node ovn-controller RBAC certificates. When set, the controller
+                  creates cert-manager Certificate resources for each node instead of
+                  signing certificates locally with the CA key.
+                type: string
               resources:
                 description: |-
                   Resources - Compute Resources required by this service (Limits/Requests).

bindata/crds/ovn.openstack.org_ovndbclusters.yaml

@@ -266,6 +266,12 @@ spec:
                   Active probe interval from standby to active ovsdb-server remote
                 format: int32
                 type: integer
+              rbacCACertSecretName:
+                description: |-
+                  RbacCACertSecretName - The name of the K8s Secret containing the RBAC
+                  PKI CA certificate (tls.crt). Used by the SB database to verify
+                  ovn-controller client certificates when RBAC is enabled.
+                type: string
               replicas:
                 default: 1
                 description: Replicas of OVN DBCluster to run

bindata/rbac/ovn-operator-rbac.yaml

@@ -127,6 +127,26 @@ rules:
     - patch
     - update
     - watch
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - certificates
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - cert-manager.io
+  resources:
+    - issuers
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - k8s.cni.cncf.io
   resources:

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -13083,6 +13083,8 @@ spec:
                           ovsLogLevel:
                             default: info
                             type: string
+                          rbacIssuerName:
+                            type: string
                           resources:
                             properties:
                               claims:
@@ -13217,6 +13219,8 @@ spec:
                               default: 60000
                               format: int32
                               type: integer
+                            rbacCACertSecretName:
+                              type: string
                             replicas:
                               default: 1
                               format: int32

config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -151,13 +151,22 @@ spec:
                     OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for
                     a dataplane service
                   properties:
+                    commonName:
+                      description: |-
+                        CommonName overrides how the certificate Common Name is derived.
+                        When set to "system-id", the CN is a UUID5 derived from the node's
+                        ctlplane FQDN, matching the OVN chassis system-id convention.
+                        When empty, CN defaults to the short hostname.
+                      enum:
+                      - system-id
+                      type: string
                     contents:
                       description: |-
                         Contents of the certificate
-                        This is a list of strings for properties that are needed in the cert
+                        This is a list of strings for properties that are needed in the cert.
+                        May be empty for client-only certificates that require no SANs.
                       items:
                         type: string
-                      minItems: 1
                       type: array
                     edpmRoleServiceName:
                       description: |-
@@ -241,8 +250,6 @@ spec:
                         pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-_]*[a-zA-Z0-9]$
                         type: string
                       type: array
-                  required:
-                  - contents
                   type: object
                 description: TLSCerts tls certs to be generated
                 type: object

config/services/dataplane_v1beta1_openstackdataplaneservice_neutron_metadata.yaml

@@ -24,6 +24,12 @@ spec:
         - digital signature
         - key encipherment
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmNeutronMetadataAgentImage

config/services/dataplane_v1beta1_openstackdataplaneservice_neutron_ovn.yaml

@@ -25,6 +25,12 @@ spec:
         - digital signature
         - key encipherment
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmNeutronOvnAgentImage

config/services/dataplane_v1beta1_openstackdataplaneservice_ovn.yaml

@@ -20,6 +20,12 @@ spec:
         - key encipherment
         - server auth
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - OvnControllerImage

config/services/dataplane_v1beta1_openstackdataplaneservice_ovn_bgp_agent.yaml

@@ -23,6 +23,12 @@ spec:
         - key encipherment
         - server auth
         - client auth
+    rbac:
+      commonName: system-id
+      issuer: osp-rootca-issuer-ovn-rbac
+      keyUsages:
+        - digital signature
+        - client auth
   caCerts: combined-ca-bundle
   containerImageFields:
   - EdpmOvnBgpAgentImage

internal/dataplane/cert.go

@@ -35,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	"github.com/google/uuid"
 	infranetworkv1 "github.com/openstack-k8s-operators/infra-operator/apis/network/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
@@ -43,6 +44,17 @@ import (
 	dataplanev1 "github.com/openstack-k8s-operators/openstack-operator/api/dataplane/v1beta1"
 )
 
+// CommonNameSystemID is the sentinel value for OpenstackDataPlaneServiceCert.CommonName
+// that triggers UUID5-based CN derivation matching the OVN chassis system-id convention.
+const CommonNameSystemID = "system-id"
+
+// computeSystemID derives a deterministic UUID5 from a name using the DNS
+// namespace, matching ovn-operator's ComputeSystemID() and edpm-ansible's
+// {{ name | to_uuid(namespace='6ba7b810-...') }}.
+func computeSystemID(name string) string {
+	return uuid.NewSHA1(uuid.NameSpaceDNS, []byte(name)).String()
+}
+
 // Generates an organized data structure that is leveraged to create the secrets.
 func createSecretsDataStructure(secretMaxSize int,
 	certsData map[string][]byte,
@@ -180,7 +192,12 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,
 				nodeName)
 		}
 
-		commonName := strings.Split(baseName, ".")[0]
+		var commonName string
+		if service.Spec.TLSCerts[certKey].CommonName == CommonNameSystemID {
+			commonName = computeSystemID(baseName)
+		} else {
+			commonName = strings.Split(baseName, ".")[0]
+		}
 
 		certSecret, result, err = GetTLSNodeCert(ctx, helper, instance, certName,
 			issuer, labels, commonName, hosts, ips, service.Spec.TLSCerts[certKey].KeyUsages)