Merge "Support TLS endpoints in placement"

2022-09-06 04:45:02 +00:00 · 2022-09-06 04:45:02 +00:00 · d041037b65
commit d041037b65
parent 1ece13de23 ca6677457e
8 changed files with 29 additions and 6 deletions
--- a/placement/Chart.yaml
+++ b/placement/Chart.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.2.12
+version: 0.2.13
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:
--- a/placement/templates/deployment.yaml
+++ b/placement/templates/deployment.yaml
@ -64,6 +64,11 @@ spec:
 {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/placement/certs/ca.crt"
+{{- end }}
          command:
            - /tmp/placement-api.sh
            - start
@ -118,7 +123,7 @@ spec:
              subPath: wsgi-placement.conf
              readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -134,6 +139,6 @@ spec:
            secretName: placement-etc
            defaultMode: 0444
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/placement/templates/job-ks-endpoints.yaml
+++ b/placement/templates/job-ks-endpoints.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "1"

 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/templates/job-ks-service.yaml
+++ b/placement/templates/job-ks-service.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "-2"

 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/templates/job-ks-user.yaml
+++ b/placement/templates/job-ks-user.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "-1"

 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/values.yaml
+++ b/placement/values.yaml
@ -513,6 +513,11 @@ dependencies:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true

+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
  certificates: false
  configmap_bin: true
--- a/placement/values_overrides/tls-offloading.yaml
+++ b/placement/values_overrides/tls-offloading.yaml
@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      placement:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...
--- a/releasenotes/notes/placement.yaml
+++ b/releasenotes/notes/placement.yaml
@ -21,4 +21,5 @@ placement:
  - 0.2.10 Added OCI registry authentication
  - 0.2.11 Distinguish between port number of internal endpoint and binding port number
  - 0.2.12 Use HTTP probe instead of TCP probe
+  - 0.2.13 Support TLS endpoints
 ...