feat(tls): Change Issuer to ClusterIssuer

ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, the same
ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359

Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
sgupta 2020-12-09 22:51:44 +00:00 committed by Nafiz Haider
parent 0a1d6aeb94
commit 43e75eaa83
17 changed files with 29 additions and 17 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Cinder description: OpenStack-Helm Cinder
name: cinder name: cinder
version: 0.1.6 version: 0.1.7
home: https://docs.openstack.org/cinder/latest/ home: https://docs.openstack.org/cinder/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
sources: sources:


@ -97,6 +97,7 @@ endpoints:
secretName: cinder-tls-api secretName: cinder-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
internal: https internal: https
@ -110,6 +111,7 @@ endpoints:
secretName: cinder-tls-api secretName: cinder-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
internal: https internal: https
@ -123,6 +125,7 @@ endpoints:
secretName: cinder-tls-api secretName: cinder-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
internal: https internal: https


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Glance description: OpenStack-Helm Glance
name: glance name: glance
version: 0.1.1 version: 0.1.2
home: https://docs.openstack.org/glance/latest/ home: https://docs.openstack.org/glance/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
sources: sources:


@ -92,6 +92,7 @@ endpoints:
secretName: glance-tls-api secretName: glance-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
public: https public: https
@ -105,6 +106,7 @@ endpoints:
secretName: glance-tls-reg secretName: glance-tls-reg
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
public: https public: https


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Heat description: OpenStack-Helm Heat
name: heat name: heat
version: 0.1.2 version: 0.1.3
home: https://docs.openstack.org/heat/latest/ home: https://docs.openstack.org/heat/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
sources: sources:


@ -144,6 +144,7 @@ endpoints:
secretName: heat-tls-api secretName: heat-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:
@ -156,6 +157,7 @@ endpoints:
secretName: heat-tls-cfn secretName: heat-tls-cfn
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:
@ -169,7 +171,7 @@ endpoints:
secretName: heat-tls-cloudwatch secretName: heat-tls-cloudwatch
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: Issuer kind: ClusterIssuer
ingress: ingress:
port: port:
ingress: ingress:


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Horizon description: OpenStack-Helm Horizon
name: horizon name: horizon
version: 0.1.3 version: 0.1.4
home: https://docs.openstack.org/horizon/latest/ home: https://docs.openstack.org/horizon/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
sources: sources:


@ -93,6 +93,7 @@ endpoints:
secretName: horizon-tls-web secretName: horizon-tls-web
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
public: https public: https


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Keystone description: OpenStack-Helm Keystone
name: keystone name: keystone
version: 0.1.3 version: 0.1.4
home: https://docs.openstack.org/keystone/latest/ home: https://docs.openstack.org/keystone/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
sources: sources:


@ -68,7 +68,7 @@ endpoints:
secretName: keystone-tls-api secretName: keystone-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: Issuer kind: ClusterIssuer
scheme: scheme:
default: https default: https
public: https public: https


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Neutron description: OpenStack-Helm Neutron
name: neutron name: neutron
version: 0.1.6 version: 0.1.7
home: https://docs.openstack.org/neutron/latest/ home: https://docs.openstack.org/neutron/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
sources: sources:


@ -117,6 +117,7 @@ endpoints:
secretName: neutron-tls-server secretName: neutron-tls-server
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Nova description: OpenStack-Helm Nova
name: nova name: nova
version: 0.1.7 version: 0.1.8
home: https://docs.openstack.org/nova/latest/ home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources: sources:


@ -171,6 +171,7 @@ endpoints:
secretName: nova-tls-api secretName: nova-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: 'https' default: 'https'
port: port:
@ -183,6 +184,7 @@ endpoints:
secretName: metadata-tls-metadata secretName: metadata-tls-metadata
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:
@ -195,6 +197,7 @@ endpoints:
secretName: nova-novncproxy-tls-proxy secretName: nova-novncproxy-tls-proxy
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:
@ -207,6 +210,7 @@ endpoints:
secretName: nova-tls-spiceproxy secretName: nova-tls-spiceproxy
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
placement: placement:
@ -216,6 +220,7 @@ endpoints:
secretName: placement-tls-api secretName: placement-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:


@ -16,7 +16,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Placement description: OpenStack-Helm Placement
name: placement name: placement
version: 0.1.4 version: 0.1.5
home: https://docs.openstack.org/placement/latest/ home: https://docs.openstack.org/placement/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
sources: sources:


@ -68,6 +68,7 @@ endpoints:
secretName: placement-tls-api secretName: placement-tls-api
issuerRef: issuerRef:
name: ca-issuer name: ca-issuer
kind: ClusterIssuer
scheme: scheme:
default: https default: https
port: port:


@ -2,7 +2,7 @@
set -eux set -eux
: ${CERT_MANAGER_VERSION:="v0.15.0"} : ${CERT_MANAGER_VERSION:="v1.1.0"}
cert_path="/etc/openstack-helm" cert_path="/etc/openstack-helm"
ca_cert_root="$cert_path/certs/ca" ca_cert_root="$cert_path/certs/ca"
@ -126,14 +126,12 @@ helm repo update
helm install --name cert-manager --namespace cert-manager \ helm install --name cert-manager --namespace cert-manager \
--version ${CERT_MANAGER_VERSION} jetstack/cert-manager \ --version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
--set installCRDs=true \ --set installCRDs=true \
--set featureGates=ExperimentalCertificateControllers=true \
--set extraArgs[0]="--enable-certificate-owner-ref=true" --set extraArgs[0]="--enable-certificate-owner-ref=true"
# helm 3 command # helm 3 command
# helm install cert-manager jetstack/cert-manager --namespace cert-manager \ # helm install cert-manager jetstack/cert-manager --namespace cert-manager \
# --version ${CERT_MANAGER_VERSION} \ # --version ${CERT_MANAGER_VERSION} \
# --set installCRDs=true \ # --set installCRDs=true \
#. --set featureGates=ExperimentalCertificateControllers=true \
# --set extraArgs[0]="--enable-certificate-owner-ref=true" # --set extraArgs[0]="--enable-certificate-owner-ref=true"
helm repo remove jetstack helm repo remove jetstack
@ -147,16 +145,15 @@ apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: ca-key-pair name: ca-key-pair
namespace: openstack namespace: cert-manager
data: data:
tls.crt: $crt tls.crt: $crt
tls.key: $key tls.key: $key
--- ---
apiVersion: cert-manager.io/v1alpha3 apiVersion: cert-manager.io/v1
kind: Issuer kind: ClusterIssuer
metadata: metadata:
name: ca-issuer name: ca-issuer
namespace: openstack
spec: spec:
ca: ca:
secretName: ca-key-pair secretName: ca-key-pair
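Review bot: The `ca-key-pair` Secret holding the CA private key is moved into the `cert-manager` namespace and is now consumed by a cluster-scoped ClusterIssuer, so any namespace that can create a Certificate resource can obtain a certificate signed by this CA, and RBAC on the `cert-manager` namespace now guards the key for the whole cluster; the script does not say so anywhere. Add a comment above the ClusterIssuer manifest, e.g. `# ClusterIssuer is cluster-scoped: any namespace may request certs from this CA; restrict access to the cert-manager namespace accordingly.` The commented-out helm 3 invocation a few lines up presumably also needs `--create-namespace`, because the Secret is now applied into `cert-manager` and helm 3 does not create that namespace on its own (the active helm 2 `--name` form does, so the live path is unaffected). The heredoc that emits these manifests starts before this hunk.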