Allow Barbican to talk to TLS'd mariadb

Barbican is NOT tls'ed, this is only for communicating with tls'd mariadb Change-Id: Ia9598095456f35585eafa68f665d2a763e208571
2021-06-29 14:50:47 -04:00 · 2021-06-29 14:50:47 -04:00 · 040aa3b774
commit 040aa3b774
parent 3ac3caa013
10 changed files with 33 additions and 3 deletions
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.5
+version: 0.2.6
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
--- a/barbican/templates/configmap-etc.yaml
+++ b/barbican/templates/configmap-etc.yaml
@ -50,7 +50,12 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}}
-{{- $_ := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.barbican.DEFAULT "sql_connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.barbican.DEFAULT "sql_connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.barbican.DEFAULT "connection" $connection -}}
+{{- end -}}
 {{- end -}}

 {{- if empty .Values.conf.barbican.DEFAULT.transport_url -}}
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@ -108,6 +108,7 @@ spec:
              mountPath: /tmp/barbican.sh
              subPath: barbican.sh
              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -122,5 +123,6 @@ spec:
          configMap:
            name: barbican-bin
            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/barbican/templates/job-db-drop.yaml
+++ b/barbican/templates/job-db-drop.yaml
@ -16,5 +16,8 @@ limitations under the License.
 {{- $serviceName := "barbican" -}}
 {{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}}
 {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/barbican/templates/job-db-init.yaml
+++ b/barbican/templates/job-db-init.yaml
@ -23,5 +23,8 @@ helm.sh/hook-weight: "-5"
 {{- $serviceName := "barbican" -}}
 {{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
 {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/barbican/templates/job-db-sync.yaml
+++ b/barbican/templates/job-db-sync.yaml
@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4"

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/barbican/templates/secret-db.yaml
+++ b/barbican/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "barbican" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -650,6 +650,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      barbican:
        username: barbican
        password: password
@ -740,6 +743,7 @@ endpoints:
        default: 80

 manifests:
+  certificates: false
  configmap_bin: true
  configmap_etc: true
  deployment_api: true
--- a/barbican/values_overrides/tls.yaml
+++ b/barbican/values_overrides/tls.yaml
@ -0,0 +1,4 @@
+---
+manifests:
+  certificates: true
+...
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@ -9,4 +9,5 @@ barbican:
  - 0.2.3 Add support for master kek rotation
  - 0.2.4 Add Ussuri release support
  - 0.2.5 Add Victoria and Wallaby releases support
+  - 0.2.6 Allow Barbican to talk to Mariadb over TLS
 ...