Support TLS endpoints in placement

This allows placement to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And placement itself interact with other openstack services via
endpoints.

Change-Id: I1a44844826eec4f6238f9b37064ccadcdcc7336a

placement/Chart.yaml

@@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.2.12
+version: 0.2.13
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:

placement/templates/deployment.yaml

@@ -64,6 +64,11 @@ spec:
 {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/placement/certs/ca.crt"
+{{- end }}
           command:
             - /tmp/placement-api.sh
             - start
@@ -118,7 +123,7 @@ spec:
               subPath: wsgi-placement.conf
               readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
@@ -134,6 +139,6 @@ spec:
             secretName: placement-etc
             defaultMode: 0444
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
 {{- end }}

placement/templates/job-ks-endpoints.yaml

@@ -21,7 +21,7 @@ helm.sh/hook-weight: "1"
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

placement/templates/job-ks-service.yaml

@@ -21,7 +21,7 @@ helm.sh/hook-weight: "-2"
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

placement/templates/job-ks-user.yaml

@@ -21,7 +21,7 @@ helm.sh/hook-weight: "-1"
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

placement/values.yaml

@@ -513,6 +513,11 @@ dependencies:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true

placement/values_overrides/tls-offloading.yaml

@@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      placement:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...

releasenotes/notes/placement.yaml

@@ -21,4 +21,5 @@ placement:
   - 0.2.10 Added OCI registry authentication
   - 0.2.11 Distinguish between port number of internal endpoint and binding port number
   - 0.2.12 Use HTTP probe instead of TCP probe
+  - 0.2.13 Support TLS endpoints
 ...