From 178e4ce313010f9cd1229e5f06e4e21ad7205a54 Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Thu, 2 Dec 2021 18:45:34 +0200
Subject: [PATCH] Support TLS for ks jobs and oslo_db/oslo_message in
deployment - barbican
Change-Id: I8bee4e7a075d8431e22941c4b88e31889bb6701c
---
barbican/Chart.yaml | 2 +-
barbican/templates/deployment-api.yaml | 11 +++++++++++
barbican/templates/job-bootstrap.yaml | 3 +++
barbican/templates/job-ks-endpoints.yaml | 3 +++
barbican/templates/job-ks-service.yaml | 3 +++
barbican/templates/job-ks-user.yaml | 3 +++
barbican/values.yaml | 4 ++++
releasenotes/notes/barbican.yaml | 1 +
8 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml
index 3f80979f25..2f346cb491 100644
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Barbican
name: barbican
-version: 0.2.17
+version: 0.2.18
home: https://docs.openstack.org/barbican/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
sources:
diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index ea6added09..6bb7dd05f2 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -64,6 +64,11 @@ spec:
command:
- /tmp/barbican.sh
- start
+ env:
+{{- if .Values.manifests.certificates }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/barbican/certs/ca.crt"
+{{- end }}
lifecycle:
preStop:
exec:
@@ -114,6 +119,9 @@ spec:
subPath: barbican.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+
{{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -129,5 +137,8 @@ spec:
name: barbican-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+
{{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/barbican/templates/job-bootstrap.yaml b/barbican/templates/job-bootstrap.yaml
index ced8bc3e05..7555aec912 100644
--- a/barbican/templates/job-bootstrap.yaml
+++ b/barbican/templates/job-bootstrap.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "5"
{{- if .Values.pod.tolerations.barbican.enabled -}}
{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}
diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml
index 023f58e150..248a54f3a4 100644
--- a/barbican/templates/job-ks-endpoints.yaml
+++ b/barbican/templates/job-ks-endpoints.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-2"
{{- if .Values.pod.tolerations.barbican.enabled -}}
{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}
diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml
index c0e068304d..7a05e53311 100644
--- a/barbican/templates/job-ks-service.yaml
+++ b/barbican/templates/job-ks-service.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-3"
{{- if .Values.pod.tolerations.barbican.enabled -}}
{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}
diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml
index e16e03381c..6900013164 100644
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-1"
{{- if .Values.pod.tolerations.barbican.enabled -}}
{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
{{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 704267b960..0e0a45c78d 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -496,6 +496,7 @@ secrets:
key_manager:
api:
public: barbican-tls-public
+ internal: barbican-tls-internal
oci_image_registry:
barbican: barbican-oci-image-registry
@@ -601,6 +602,9 @@ endpoints:
admin:
username: rabbitmq
password: password
+ secret:
+ tls:
+ internal: rabbitmq-tls-direct
barbican:
username: barbican
password: password
diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml
index 24cce3f589..bd576cd5ee 100644
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@@ -21,4 +21,5 @@ barbican:
- 0.2.15 Added OCI registry authentication
- 0.2.16 Distinguish between port number of internal endpoint and binding port number
- 0.2.17 Use HTTP probe instead of TCP probe
+ - 0.2.18 Support TLS for ks jobs
...