From 753e43072d4a1391f8f88a1d2ee228ee9c2f30f8 Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Thu, 2 Dec 2021 19:27:56 +0200
Subject: [PATCH] Support TLS endpoints in neutron

This allows neutron to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And neutron itself interacts with other openstack services via
endpoints.

Change-Id: I204b8a1a5a1fb253ea4207f5f5d76d47fac41bef
---
 neutron/Chart.yaml                           |  2 +-
 neutron/templates/deployment-server.yaml     |  9 +++++++--
 neutron/templates/job-bootstrap.yaml         |  2 +-
 neutron/templates/job-ks-endpoints.yaml      |  2 +-
 neutron/templates/job-ks-service.yaml        |  2 +-
 neutron/templates/job-ks-user.yaml           |  2 +-
 neutron/values.yaml                          |  5 +++++
 neutron/values_overrides/tls-offloading.yaml | 14 ++++++++++++++
 releasenotes/notes/neutron.yaml              |  1 +
 9 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 neutron/values_overrides/tls-offloading.yaml

diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml
index 59c59a2f86..4ff6edc12b 100644
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.2.24
+version: 0.2.25
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index 94c4e1a2d5..d7315d22d0 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -153,6 +153,11 @@ spec:
           command:
             - /tmp/neutron-server.sh
             - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/neutron/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
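Review bot: `REQUESTS_CA_BUNDLE` in the new `env:` entry replaces the system trust store for every requests-based client in the neutron-server container, so once it is set the server can only reach HTTPS endpoints whose chain ends in `/etc/neutron/certs/ca.crt`; that is the intended effect here but deserves a comment above the `{{- if` line, e.g. `# Trust only the CA shipped in the neutron TLS secret; every HTTPS endpoint the server calls must chain to it`. The hard-coded path also assumes the secret named by `.Values.secrets.tls.network.server.internal` carries a `ca.crt` key, which the `tls_volume_mount` for `/etc/neutron/certs` in the later hunk does not guarantee; if the key is absent, requests fails on every TLS call instead of falling back to the system bundle. If the container spec already declares `env:` elsewhere (the container block continues outside this hunk), a second `env:` key is a duplicate mapping key that most YAML loaders resolve last-wins, silently dropping one of the two.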
@@ -241,7 +246,7 @@ spec:
               subPath: policy.yaml
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
       volumes:
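Review bot: With `.Values.tls.identity` true and `.Values.manifests.certificates` false, the `tls_volume_mount` now references the secret named by `.Values.secrets.tls.network.server.internal` while the chart manifests that presumably create it (gated on `manifests.certificates`, per values.yaml) stay disabled, so the pod cannot start unless the secret is provisioned out of band; the same applies to the `tls_volume` hunk below and to the `tlsSecret` assignments in job-bootstrap.yaml, job-ks-endpoints.yaml, job-ks-service.yaml and job-ks-user.yaml. Nothing in the patch documents this prerequisite; a comment at the first such use, `{{/* tls.identity mounts secrets.tls.network.server.internal without creating it: the secret must exist before install */}}`, or a `required` check on the secret name, would make the failure mode explicit. The `(or .Values.manifests.certificates .Values.tls.identity)` expression is also repeated in seven places across these files; a single `$tlsEnabled := or .Values.manifests.certificates .Values.tls.identity` near the top of each template would keep them in step when a third flag is added.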
@@ -266,7 +271,7 @@ spec:
           emptyDir: {}
         {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml
index 3a3faba077..ff9dbe8f44 100644
--- a/neutron/templates/job-bootstrap.yaml
+++ b/neutron/templates/job-bootstrap.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
 
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append  -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml
index 39b9387f55..ec76b71dd2 100644
--- a/neutron/templates/job-ks-endpoints.yaml
+++ b/neutron/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml
index 84fb56d4c6..e4225c6e6d 100644
--- a/neutron/templates/job-ks-service.yaml
+++ b/neutron/templates/job-ks-service.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
index 80a19bc92d..563ba7baf1 100644
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index ee417bb072..843c5ad945 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -2544,6 +2544,11 @@ health_probe:
   logging:
     level: ERROR
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
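Review bot: Of the three new flags, only `tls.identity` is read anywhere in this patch; `tls.oslo_messaging` and `tls.oslo_db` are introduced without a consumer, and the oslo_db and oslo_messaging mounts in deployment-server.yaml remain keyed on `manifests.certificates` alone, so an operator enabling them gets no effect unless templates outside this diff read them. Either drop the two unused keys until they are wired up, or document the intent so they do not read as working switches: `# tls.*: consume TLS endpoints per backend; only identity is currently honoured` above `tls:`, and `# identity: mount secrets.tls.network.server.internal and trust its ca.crt even when manifests.certificates is false` above `identity: false`.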
diff --git a/neutron/values_overrides/tls-offloading.yaml b/neutron/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..8b36a23ac6
--- /dev/null
+++ b/neutron/values_overrides/tls-offloading.yaml
@@ -0,0 +1,14 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      neutron:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      test:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...
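Review bot: The override sets `cacert: /etc/ssl/certs/openstack-helm.crt` for the identity endpoints while the server's `REQUESTS_CA_BUNDLE` in deployment-server.yaml points at `/etc/neutron/certs/ca.crt`; both are presumably the same CA from `secrets.tls.network.server.internal` exposed through different mounts, but this diff does not show the mount that provides the `/etc/ssl/certs/...` path and nothing in the file says so. A header comment after `---` would make the override self-explaining, e.g. `# Enable TLS towards the identity service without chart-managed certificates.` / `# The secret named by secrets.tls.network.server.internal must pre-exist; its CA is` / `# what the ks-* jobs reach at the cacert path below.`. The same path is repeated three times and a reader cannot tell from the file alone which volume supplies it.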
diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml
index 014e457685..634cb03784 100644
--- a/releasenotes/notes/neutron.yaml
+++ b/releasenotes/notes/neutron.yaml
@@ -38,4 +38,5 @@ neutron:
   - 0.2.22 Fix /run/xtables.lock may be a directory
   - 0.2.23 Add neutron_netns_cleanup_cron release image override, so that the respective release image is used
   - 0.2.24 Added OCI registry authentication
+  - 0.2.25 Support TLS endpoints
 ...