Merge "Support TLS endpoints in barbican"

2022-09-08 17:58:56 +00:00 · 2022-09-08 17:58:56 +00:00 · 3199faadb6
commit 3199faadb6
parent d554d74bf0 52444cf3c8
9 changed files with 26 additions and 8 deletions
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.18
+version: 0.2.19
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@ -65,7 +65,7 @@ spec:
            - /tmp/barbican.sh
            - start
          env:
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/barbican/certs/ca.crt"
 {{- end }}
@ -119,7 +119,7 @@ spec:
              subPath: barbican.sh
              readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}

 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
@ -137,7 +137,7 @@ spec:
            name: barbican-bin
            defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}

 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
--- a/barbican/templates/job-bootstrap.yaml
+++ b/barbican/templates/job-bootstrap.yaml
@ -24,7 +24,7 @@ helm.sh/hook-weight: "5"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
--- a/barbican/templates/job-ks-endpoints.yaml
+++ b/barbican/templates/job-ks-endpoints.yaml
@ -24,7 +24,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
--- a/barbican/templates/job-ks-service.yaml
+++ b/barbican/templates/job-ks-service.yaml
@ -24,7 +24,7 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@ -24,7 +24,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -677,6 +677,11 @@ endpoints:
      ingress:
        default: 80

+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
  certificates: false
  configmap_bin: true
--- a/barbican/values_overrides/tls-offloading.yaml
+++ b/barbican/values_overrides/tls-offloading.yaml
@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      barbican:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@ -22,4 +22,5 @@ barbican:
  - 0.2.16 Distinguish between port number of internal endpoint and binding port number
  - 0.2.17 Use HTTP probe instead of TCP probe
  - 0.2.18 Support TLS for ks jobs
+  - 0.2.19 Support SSL offloading at reverse proxy for internal and admin endpoints
 ...