✨ Accept a Secret or a ConfigMap for BMC CA and Trusted CA

.golangci.yaml

@@ -134,6 +134,12 @@ linters:
     - linters:
       - tagliatelle
       text: CA
+    - linters:
+      - staticcheck
+      text: 'SA1019: tls\.(TrustedCAName|BMCCAName) is deprecated: .*'
+      paths:
+      - pkg/ironic/validation.go
+      - pkg/ironic/utils.go
     paths:
     - zz_generated.*\.go$
     - .*conversion.*\.go$

api/v1alpha1/common.go

@@ -18,3 +18,24 @@ var (
 	IronicServiceLabel = IronicLabelPrefix + "/ironic"
 	IronicVersionLabel = IronicLabelPrefix + "/version"
 )
+
+// ResourceReference references a ConfigMap or Secret resource.
+type ResourceReference struct {
+	// Name of the resource.
+	Name string `json:"name"`
+
+	// Kind of the resource (ConfigMap or Secret).
+	// +kubebuilder:validation:Enum=ConfigMap;Secret
+	Kind string `json:"kind"`
+}
+
+// ResourceReferenceWithKey references a ConfigMap or Secret resource and
+// targets a specific key from it.
+type ResourceReferenceWithKey struct {
+	ResourceReference `json:",inline"`
+
+	// Key within the resource to use. If not specified and the resource contains multiple keys,
+	// the first key will be used and a warning will be logged for other keys.
+	// +optional
+	Key string `json:"key,omitempty"`
+}

api/v1alpha1/ironic_types.go

@@ -21,6 +21,13 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const (
+	// ResourceKindConfigMap is the kind for ConfigMap resources.
+	ResourceKindConfigMap = "ConfigMap"
+	// ResourceKindSecret is the kind for Secret resources.
+	ResourceKindSecret = "Secret"
+)
+
 var (
 	VersionLatest = Version{}
 	Version340    = Version{Major: 34, Minor: 0}
@@ -188,9 +195,17 @@ type DeployRamdisk struct {
 
 // TLS defines the TLS settings.
 type TLS struct {
+	// BMCCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+	// to use when validating TLS connections to BMCs.
+	// Supported in Ironic 32.0 or newer.
+	// +optional
+	BMCCA *ResourceReference `json:"bmcCA,omitempty"`
+
 	// BMCCAName is a reference to the secret with the CA certificate(s)
 	// to use when validating TLS connections to BMC's.
 	// Supported in Ironic 32.0 or newer.
+	//
+	// Deprecated: Use BMCCA instead. This field will be removed in a future release.
 	// +optional
 	BMCCAName string `json:"bmcCAName,omitempty"`
 
@@ -199,11 +214,19 @@ type TLS struct {
 	// +optional
 	CertificateName string `json:"certificateName,omitempty"`
 
+	// TrustedCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+	// to use when validating TLS connections to image servers and other services.
+	// The resource should contain one or more CA certificates in PEM format.
+	// +optional
+	TrustedCA *ResourceReferenceWithKey `json:"trustedCA,omitempty"`
+
 	// TrustedCAName is a reference to the configmap with the CA certificate(s)
 	// to use when validating TLS connections to image servers and other services.
 	// The configmap should contain one or more CA certificates in PEM format.
 	// If the configmap contains multiple keys, only the first key will be used and
 	// a warning will be logged.
+	//
+	// Deprecated: Use TrustedCA instead. This field will be removed in a future release.
 	// +optional
 	TrustedCAName string `json:"trustedCAName,omitempty"`
 

config/crd/bases/ironic.metal3.io_ironics.yaml

@@ -3425,11 +3425,32 @@ spec:
                 description: TLS defines TLS-related settings for various network
                   interactions.
                 properties:
+                  bmcCA:
+                    description: |-
+                      BMCCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+                      to use when validating TLS connections to BMCs.
+                      Supported in Ironic 32.0 or newer.
+                    properties:
+                      kind:
+                        description: Kind of the resource (ConfigMap or Secret).
+                        enum:
+                        - ConfigMap
+                        - Secret
+                        type: string
+                      name:
+                        description: Name of the resource.
+                        type: string
+                    required:
+                    - kind
+                    - name
+                    type: object
                   bmcCAName:
                     description: |-
                       BMCCAName is a reference to the secret with the CA certificate(s)
                       to use when validating TLS connections to BMC's.
                       Supported in Ironic 32.0 or newer.
+
+                      Deprecated: Use BMCCA instead. This field will be removed in a future release.
                     type: string
                   certificateName:
                     description: |-
@@ -3449,13 +3470,39 @@ spec:
                       Has no effect when HighAvailability is false and requires the
                       HighAvailability feature gate to be set.
                     type: boolean
+                  trustedCA:
+                    description: |-
+                      TrustedCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+                      to use when validating TLS connections to image servers and other services.
+                      The resource should contain one or more CA certificates in PEM format.
+                    properties:
+                      key:
+                        description: |-
+                          Key within the resource to use. If not specified and the resource contains multiple keys,
+                          the first key will be used and a warning will be logged for other keys.
+                        type: string
+                      kind:
+                        description: Kind of the resource (ConfigMap or Secret).
+                        enum:
+                        - ConfigMap
+                        - Secret
+                        type: string
+                      name:
+                        description: Name of the resource.
+                        type: string
+                    required:
+                    - kind
+                    - name
+                    type: object
                   trustedCAName:
                     description: |-
                       TrustedCAName is a reference to the configmap with the CA certificate(s)
                       to use when validating TLS connections to image servers and other services.
                       The configmap should contain one or more CA certificates in PEM format.
                       If the configmap contains multiple keys, only the first key will be used and
                       a warning will be logged.
+
+                      Deprecated: Use TrustedCA instead. This field will be removed in a future release.
                     type: string
                 type: object
               version:

docs/api.md

@@ -6889,12 +6889,23 @@ TLS defines TLS-related settings for various network interactions.
         </tr>
     </thead>
     <tbody><tr>
+        <td><b><a href="#ironicspectlsbmcca">bmcCA</a></b></td>
+        <td>object</td>
+        <td>
+          BMCCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+to use when validating TLS connections to BMCs.
+Supported in Ironic 32.0 or newer.<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
         <td><b>bmcCAName</b></td>
         <td>string</td>
         <td>
           BMCCAName is a reference to the secret with the CA certificate(s)
 to use when validating TLS connections to BMC's.
-Supported in Ironic 32.0 or newer.<br/>
+Supported in Ironic 32.0 or newer.
+
+Deprecated: Use BMCCA instead. This field will be removed in a future release.<br/>
         </td>
         <td>false</td>
       </tr><tr>
@@ -6924,6 +6935,15 @@ Has no effect when HighAvailability is false and requires the
 HighAvailability feature gate to be set.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#ironicspectlstrustedca">trustedCA</a></b></td>
+        <td>object</td>
+        <td>
+          TrustedCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+to use when validating TLS connections to image servers and other services.
+The resource should contain one or more CA certificates in PEM format.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>trustedCAName</b></td>
         <td>string</td>
@@ -6932,7 +6952,93 @@ HighAvailability feature gate to be set.<br/>
 to use when validating TLS connections to image servers and other services.
 The configmap should contain one or more CA certificates in PEM format.
 If the configmap contains multiple keys, only the first key will be used and
-a warning will be logged.<br/>
+a warning will be logged.
+
+Deprecated: Use TrustedCA instead. This field will be removed in a future release.<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
+### Ironic.spec.tls.bmcCA
+<sup><sup>[↩ Parent](#ironicspectls)</sup></sup>
+
+
+
+BMCCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+to use when validating TLS connections to BMCs.
+Supported in Ironic 32.0 or newer.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>kind</b></td>
+        <td>enum</td>
+        <td>
+          Kind of the resource (ConfigMap or Secret).<br/>
+          <br/>
+            <i>Enum</i>: ConfigMap, Secret<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          Name of the resource.<br/>
+        </td>
+        <td>true</td>
+      </tr></tbody>
+</table>
+
+
+### Ironic.spec.tls.trustedCA
+<sup><sup>[↩ Parent](#ironicspectls)</sup></sup>
+
+
+
+TrustedCA is a reference to a ConfigMap or Secret containing the CA certificate(s)
+to use when validating TLS connections to image servers and other services.
+The resource should contain one or more CA certificates in PEM format.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>kind</b></td>
+        <td>enum</td>
+        <td>
+          Kind of the resource (ConfigMap or Secret).<br/>
+          <br/>
+            <i>Enum</i>: ConfigMap, Secret<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>name</b></td>
+        <td>string</td>
+        <td>
+          Name of the resource.<br/>
+        </td>
+        <td>true</td>
+      </tr><tr>
+        <td><b>key</b></td>
+        <td>string</td>
+        <td>
+          Key within the resource to use. If not specified and the resource contains multiple keys,
+the first key will be used and a warning will be logged for other keys.<br/>
         </td>
         <td>false</td>
       </tr></tbody>

internal/controller/ironic_controller.go

@@ -166,17 +166,29 @@ func (r *IronicReconciler) handleIronic(cctx ironic.ControllerContext, ironicCon
 		}
 	}
 
-	var bmcSecret *corev1.Secret
-	if bmcSecretName := ironicConf.Spec.TLS.BMCCAName; bmcSecretName != "" {
-		bmcSecret, requeue, err = r.getAndUpdateSecret(cctx, ironicConf, bmcSecretName)
+	var bmcCASecret *corev1.Secret
+	var bmcCAConfigMap *corev1.ConfigMap
+	if bmcCARef := ironic.GetBMCCA(&ironicConf.Spec.TLS); bmcCARef != nil {
+		switch bmcCARef.Kind {
+		case metal3api.ResourceKindSecret:
+			bmcCASecret, requeue, err = r.getAndUpdateSecret(cctx, ironicConf, bmcCARef.Name)
+		case metal3api.ResourceKindConfigMap:
+			bmcCAConfigMap, requeue, err = r.getConfigMap(cctx, ironicConf, bmcCARef.Name)
+		}
 		if requeue || err != nil {
 			return requeue, err
 		}
 	}
 
+	var trustedCASecret *corev1.Secret
 	var trustedCAConfigMap *corev1.ConfigMap
-	if trustedCAConfigMapName := ironicConf.Spec.TLS.TrustedCAName; trustedCAConfigMapName != "" {
-		trustedCAConfigMap, requeue, err = r.getConfigMap(cctx, ironicConf, trustedCAConfigMapName)
+	if trustedCARef := ironic.GetTrustedCA(&ironicConf.Spec.TLS); trustedCARef != nil {
+		switch trustedCARef.Kind {
+		case metal3api.ResourceKindSecret:
+			trustedCASecret, requeue, err = r.getAndUpdateSecret(cctx, ironicConf, trustedCARef.Name)
+		case metal3api.ResourceKindConfigMap:
+			trustedCAConfigMap, requeue, err = r.getConfigMap(cctx, ironicConf, trustedCARef.Name)
+		}
 		if requeue || err != nil {
 			return requeue, err
 		}
@@ -186,7 +198,9 @@ func (r *IronicReconciler) handleIronic(cctx ironic.ControllerContext, ironicCon
 		Ironic:             ironicConf,
 		APISecret:          apiSecret,
 		TLSSecret:          tlsSecret,
-		BMCCASecret:        bmcSecret,
+		BMCCASecret:        bmcCASecret,
+		BMCCAConfigMap:     bmcCAConfigMap,
+		TrustedCASecret:    trustedCASecret,
 		TrustedCAConfigMap: trustedCAConfigMap,
 	}