From 178e4ce313010f9cd1229e5f06e4e21ad7205a54 Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Thu, 2 Dec 2021 18:45:34 +0200
Subject: [PATCH] Support TLS for ks jobs and oslo_db/oslo_message in
 deployment - barbican

Change-Id: I8bee4e7a075d8431e22941c4b88e31889bb6701c
---
 barbican/Chart.yaml                      |  2 +-
 barbican/templates/deployment-api.yaml   | 11 +++++++++++
 barbican/templates/job-bootstrap.yaml    |  3 +++
 barbican/templates/job-ks-endpoints.yaml |  3 +++
 barbican/templates/job-ks-service.yaml   |  3 +++
 barbican/templates/job-ks-user.yaml      |  3 +++
 barbican/values.yaml                     |  4 ++++
 releasenotes/notes/barbican.yaml         |  1 +
 8 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml
index 3f80979f25..2f346cb491 100644
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.17
+version: 0.2.18
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index ea6added09..6bb7dd05f2 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -64,6 +64,11 @@ spec:
           command:
             - /tmp/barbican.sh
             - start
+          env:
+{{- if .Values.manifests.certificates }}
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/barbican/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
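Review bot: `env:` on the first added line is emitted even when `.Values.manifests.certificates` is false, so the rendered container then carries a bare `env:` (YAML null) instead of no key; the API server tolerates a null list, but strict schema validators may not, and any later unconditional env entry would have to be threaded through the same `if`. Moving the key inside the conditional avoids both: `{{- if .Values.manifests.certificates }}` / `          env:` / `            - name: REQUESTS_CA_BUNDLE`, with the `value` and `{{- end }}` lines unchanged. Whether `ca.crt` actually exists under `/etc/barbican/certs` depends on the keys in the `secrets.tls.key_manager.api.internal` secret mounted there in a later hunk, which this diff does not show. The container spec continues outside the hunk.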
@@ -114,6 +119,9 @@ spec:
               subPath: barbican.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: pod-tmp
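Review bot: The two added mount lines reach the same value tree through different roots, `.Values` on the key_manager line and `$envAll.Values` on the oslo_messaging line, while the existing oslo_db line above uses `.Values`; the volumes hunk at the end of the file repeats the mix. Both resolve identically here, but one form per file makes the three TLS mounts read as a unit, e.g. `{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}`. The added blank line after the mounts (and after the volumes) is not trimmed by the following `{{ if` tag and lands in the rendered manifest; dropping it keeps the output tidy. The RabbitMQ CA mounted at `/etc/rabbitmq/certs` is only used if barbican's oslo_messaging_rabbit `ssl_ca_file` points there, which is not visible in this diff — presumably set elsewhere, but worth confirming. The enclosing pod spec runs outside the hunk.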
@@ -129,5 +137,8 @@ spec:
             name: barbican-bin
             defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/barbican/templates/job-bootstrap.yaml b/barbican/templates/job-bootstrap.yaml
index ced8bc3e05..7555aec912 100644
--- a/barbican/templates/job-bootstrap.yaml
+++ b/barbican/templates/job-bootstrap.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "5"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
 {{- end }}
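Review bot: `tlsSecret` is set to `.Values.secrets.tls.key_manager.api.internal`, barbican's own internal API certificate secret, for a job that presumably talks to keystone as well; the same assignment appears in job-ks-endpoints.yaml, job-ks-service.yaml and job-ks-user.yaml. That only yields a usable trust store if the CA in that secret also signed keystone's internal endpoint, which holds when one cluster CA issues every service certificate but is not guaranteed by the values alone. A short comment stating the assumption would help: `{{/* tlsSecret provides the CA bundle for the keystone/barbican endpoints; assumes one CA signs both */}}`. The `if` guard otherwise mirrors the tolerations block above it.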
diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml
index 023f58e150..248a54f3a4 100644
--- a/barbican/templates/job-ks-endpoints.yaml
+++ b/barbican/templates/job-ks-endpoints.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml
index c0e068304d..7a05e53311 100644
--- a/barbican/templates/job-ks-service.yaml
+++ b/barbican/templates/job-ks-service.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}
diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml
index e16e03381c..6900013164 100644
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
 {{- end -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 704267b960..0e0a45c78d 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -496,6 +496,7 @@ secrets:
     key_manager:
       api:
         public: barbican-tls-public
+        internal: barbican-tls-internal
   oci_image_registry:
     barbican: barbican-oci-image-registry
 
@@ -601,6 +602,9 @@ endpoints:
       admin:
         username: rabbitmq
         password: password
+        secret:
+          tls:
+            internal: rabbitmq-tls-direct
       barbican:
         username: barbican
         password: password
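Review bot: The new default `internal: rabbitmq-tls-direct` has no comment saying what it names or when it must exist, yet the deployment now mounts it at `/etc/rabbitmq/certs` whenever `manifests.certificates` is true; the `internal: barbican-tls-internal` default in the previous hunk is likewise consumed by the deployment and the four jobs without a note. A one-line comment on each makes the coupling visible, e.g. `# secret mounted at /etc/rabbitmq/certs when manifests.certificates is true`. What keys the secret must hold is not visible in this diff, so I have not stated it.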
diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml
index 24cce3f589..bd576cd5ee 100644
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@@ -21,4 +21,5 @@ barbican:
   - 0.2.15 Added OCI registry authentication
   - 0.2.16 Distinguish between port number of internal endpoint and binding port number
   - 0.2.17 Use HTTP probe instead of TCP probe
+  - 0.2.18 Support TLS for ks jobs
 ...