From 5028aa8de11a64fbc01e292853fabc9945b9d184 Mon Sep 17 00:00:00 2001 From: "Gupta, Sangeet (sg774j)" Date: Tue, 8 Jun 2021 12:47:31 +0000 Subject: [PATCH] Mount rabbitmq TLS secret Mount rabbitmq TLS secret to openstack services which support internal TLS. Once internal TLS support is added to other service, the TLSed rabbitmq support should be added. Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188 Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df --- cinder/Chart.yaml | 2 +- cinder/templates/secret_rabbitmq.yaml | 6 +++++- cinder/values_overrides/tls.yaml | 4 ++++ glance/Chart.yaml | 2 +- glance/templates/secret-rabbitmq.yaml | 7 +++++-- glance/values_overrides/tls.yaml | 4 ++++ heat/Chart.yaml | 2 +- heat/templates/secret-rabbitmq.yaml | 6 +++++- heat/values_overrides/tls.yaml | 5 ++++- keystone/Chart.yaml | 2 +- keystone/templates/secret-rabbitmq.yaml | 6 +++++- keystone/values_overrides/tls.yaml | 4 ++++ neutron/Chart.yaml | 2 +- neutron/templates/secret_rabbitmq.yaml | 6 +++++- neutron/values_overrides/tls.yaml | 4 ++++ nova/Chart.yaml | 2 +- nova/templates/secret_rabbitmq.yaml | 6 +++++- nova/values_overrides/tls.yaml | 4 ++++ releasenotes/notes/cinder.yaml | 1 + releasenotes/notes/glance.yaml | 1 + releasenotes/notes/heat.yaml | 1 + releasenotes/notes/keystone.yaml | 1 + releasenotes/notes/neutron.yaml | 2 ++ releasenotes/notes/nova.yaml | 1 + 24 files changed, 67 insertions(+), 14 deletions(-) diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml index aaff4fa38f..9e0b358220 100644 --- a/cinder/Chart.yaml +++ b/cinder/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Cinder name: cinder -version: 0.2.2 +version: 0.2.3 home: https://docs.openstack.org/cinder/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png sources: 
diff --git a/cinder/templates/secret_rabbitmq.yaml b/cinder/templates/secret_rabbitmq.yaml index e49844a66e..2c4403e205 100644 --- a/cinder/templates/secret_rabbitmq.yaml +++ b/cinder/templates/secret_rabbitmq.yaml @@ -14,6 +14,10 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "cinder" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} --- @@ -23,6 +27,6 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/cinder/values_overrides/tls.yaml b/cinder/values_overrides/tls.yaml index 27c90d2763..1b6c834bdd 100644 --- a/cinder/values_overrides/tls.yaml +++ b/cinder/values_overrides/tls.yaml @@ -141,6 +141,10 @@ endpoints: port: ingress: default: 443 + oslo_messaging: + port: + https: + default: 15680 manifests: certificates: true ... diff --git a/glance/Chart.yaml b/glance/Chart.yaml index d1044b9bfc..5b95840ef5 100644 --- a/glance/Chart.yaml +++ b/glance/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Glance name: glance -version: 0.2.3 +version: 0.2.4 home: https://docs.openstack.org/glance/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png sources: diff --git a/glance/templates/secret-rabbitmq.yaml b/glance/templates/secret-rabbitmq.yaml index 56a84f472b..aba76397ac 100644 --- a/glance/templates/secret-rabbitmq.yaml 
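Review bot: The added `$rabbitmqProtocol` block at the top of cinder/templates/secret_rabbitmq.yaml picks the scheme for RABBITMQ_CONNECTION from `.Values.manifests.certificates`, which reads as a switch for this chart's own certificate manifests rather than a statement that the RabbitMQ management endpoint serves TLS. If the two disagree, the consumer either fails to connect or keeps sending what appears to be a credential-bearing URI (it is built by `authenticated_endpoint_uri_lookup`) over plain `http`, and the rendered Secret does not show which happened. I would add a template comment above the toggle, e.g. `{{/* https only when RabbitMQ itself is deployed with TLS; see values_overrides/tls.yaml */}}`, and consider driving the scheme from the oslo_messaging endpoint definition instead of the manifests flag. The same four added lines appear in the glance, heat, keystone, neutron and nova templates. The title mentions mounting a TLS secret, but no volume or CA mount is visible in this patch, so confirm that whatever consumes this URL has the internal CA available and does not disable certificate verification.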
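Review bot: The `https` port under `endpoints.oslo_messaging` is defined only in cinder/values_overrides/tls.yaml, yet the template now looks up `https` whenever `manifests.certificates` is true. A deployment that enables certificates through a different values file would have no port for that lookup to resolve; this is inferred, since the chart's default values.yaml is not part of the patch and the `endpoints:` mapping starts outside the hunk. A short comment on the new key would help, e.g. `# RabbitMQ management API over TLS; must match the HTTPS listener port of the rabbitmq chart`. The same block is added to the glance, heat, keystone, neutron and nova overrides.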
+++ b/glance/templates/secret-rabbitmq.yaml @@ -14,9 +14,12 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "glance" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} -{{- $connection := tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -24,6 +27,6 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/glance/values_overrides/tls.yaml b/glance/values_overrides/tls.yaml index f02f3df35b..27c11f57dd 100644 --- a/glance/values_overrides/tls.yaml +++ b/glance/values_overrides/tls.yaml @@ -131,6 +131,10 @@ endpoints: web: default: 80 public: 443 + oslo_messaging: + port: + https: + default: 15680 pod: security_context: glance: diff --git a/heat/Chart.yaml b/heat/Chart.yaml index 23442f3159..2da244780e 100644 --- a/heat/Chart.yaml +++ b/heat/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Heat name: heat -version: 0.2.2 +version: 0.2.3 home: https://docs.openstack.org/heat/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png sources: diff --git a/heat/templates/secret-rabbitmq.yaml b/heat/templates/secret-rabbitmq.yaml index c6fdcc1982..ca1ea8c345 100644 --- a/heat/templates/secret-rabbitmq.yaml 
+++ b/heat/templates/secret-rabbitmq.yaml @@ -14,6 +14,10 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "heat" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} --- @@ -23,6 +27,6 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/heat/values_overrides/tls.yaml b/heat/values_overrides/tls.yaml index 38fff06408..e69fdcdd53 100644 --- a/heat/values_overrides/tls.yaml +++ b/heat/values_overrides/tls.yaml @@ -181,7 +181,10 @@ endpoints: port: ingress: default: 443 - + oslo_messaging: + port: + https: + default: 15680 manifests: certificates: true ... diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml index 2cb147f24b..e93f5ceb7e 100644 --- a/keystone/Chart.yaml +++ b/keystone/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Keystone name: keystone -version: 0.2.4 +version: 0.2.5 home: https://docs.openstack.org/keystone/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png sources: diff --git a/keystone/templates/secret-rabbitmq.yaml b/keystone/templates/secret-rabbitmq.yaml index 8bd0a6e23b..d48ea2631d 100644 --- a/keystone/templates/secret-rabbitmq.yaml +++ b/keystone/templates/secret-rabbitmq.yaml 
@@ -14,6 +14,10 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "keystone" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} --- @@ -23,6 +27,6 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml index 6c708c0582..a9f2fe722c 100644 --- a/keystone/values_overrides/tls.yaml +++ b/keystone/values_overrides/tls.yaml @@ -81,6 +81,10 @@ endpoints: port: api: default: 443 + oslo_messaging: + port: + https: + default: 15680 manifests: certificates: true ... diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml index e3972427d9..2362f1813d 100644 --- a/neutron/Chart.yaml +++ b/neutron/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Neutron name: neutron -version: 0.2.2 +version: 0.2.3 home: https://docs.openstack.org/neutron/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png sources: diff --git a/neutron/templates/secret_rabbitmq.yaml b/neutron/templates/secret_rabbitmq.yaml index c3124310b5..16c70e4bdb 100644 --- a/neutron/templates/secret_rabbitmq.yaml +++ b/neutron/templates/secret_rabbitmq.yaml 
@@ -14,6 +14,10 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "neutron" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} --- @@ -23,6 +27,6 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/neutron/values_overrides/tls.yaml b/neutron/values_overrides/tls.yaml index 3cd198daf9..00fe098916 100644 --- a/neutron/values_overrides/tls.yaml +++ b/neutron/values_overrides/tls.yaml @@ -132,6 +132,10 @@ endpoints: port: ingress: default: 443 + oslo_messaging: + port: + https: + default: 15680 manifests: certificates: true ... diff --git a/nova/Chart.yaml b/nova/Chart.yaml index c4d98c8cc0..f80d483364 100644 --- a/nova/Chart.yaml +++ b/nova/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Nova name: nova -version: 0.2.3 +version: 0.2.4 home: https://docs.openstack.org/nova/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png sources: diff --git a/nova/templates/secret_rabbitmq.yaml b/nova/templates/secret_rabbitmq.yaml index 22db36bac0..b49f84ea76 100644 --- a/nova/templates/secret_rabbitmq.yaml +++ b/nova/templates/secret_rabbitmq.yaml 
@@ -14,6 +14,10 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} +{{- $rabbitmqProtocol := "http" }} +{{- if $envAll.Values.manifests.certificates }} +{{- $rabbitmqProtocol = "https" }} +{{- end }} {{- range $key1, $userClass := tuple "admin" "nova" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} --- @@ -23,7 +27,7 @@ metadata: name: {{ $secretName }} type: Opaque data: - RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} + RABBITMQ_CONNECTION: {{ tuple "oslo_messaging" "internal" $userClass $rabbitmqProtocol $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc }} TRANSPORT_URL: {{ tuple "oslo_messaging" "internal" $userClass "amqp" $envAll | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | b64enc }} {{- end }} {{- end }} diff --git a/nova/values_overrides/tls.yaml b/nova/values_overrides/tls.yaml index f6e8040bd7..cf020ada24 100644 --- a/nova/values_overrides/tls.yaml +++ b/nova/values_overrides/tls.yaml @@ -237,6 +237,10 @@ endpoints: port: api: public: 443 + oslo_messaging: + port: + https: + default: 15680 pod: security_context: nova: diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml index b2e1365694..e42863c573 100644 --- a/releasenotes/notes/cinder.yaml +++ b/releasenotes/notes/cinder.yaml @@ -19,3 +19,4 @@ cinder: - 0.2.0 Remove support for releases before T - 0.2.1 Fix the ceph pool creations for openstack services - 0.2.2 Adding rabbitmq TLS logic + - 0.2.3 Mount rabbitmq TLS secret diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml index 57963d5229..22f9f19e4a 100644 --- a/releasenotes/notes/glance.yaml +++ b/releasenotes/notes/glance.yaml 
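Review bot: In the second hunk of nova/templates/secret_rabbitmq.yaml only RABBITMQ_CONNECTION follows `$rabbitmqProtocol`; the TRANSPORT_URL line directly below it still passes the literal `"amqp"`, so nothing in this hunk shows the message-bus traffic itself moving to TLS. That may be handled by the oslo.messaging SSL settings or a port override elsewhere, which is not visible here. A one-line template comment beside it, e.g. `{{/* TLS for AMQP is enabled outside this template (PLACEHOLDER: name the values key), not by this URL */}}`, would keep a reader from assuming the https toggle covers both connections.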
@@ -13,3 +13,4 @@ glance: - 0.2.1 Fix the ceph pool creations for openstack services - 0.2.2 Adding rabbitmq TLS logic - 0.2.3 Use policies in yaml format + - 0.2.4 Mount rabbitmq TLS secret diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml index f18a1ad634..b2a2b92c8b 100644 --- a/releasenotes/notes/heat.yaml +++ b/releasenotes/notes/heat.yaml @@ -9,3 +9,4 @@ heat: - 0.2.0 Remove support for releases before T - 0.2.1 Adding rabbitmq TLS logic - 0.2.2 Use policies in yaml format + - 0.2.3 Mount rabbitmq TLS secret diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml index 6352abeae5..51518e5aa3 100644 --- a/releasenotes/notes/keystone.yaml +++ b/releasenotes/notes/keystone.yaml @@ -20,4 +20,5 @@ keystone: - 0.2.2 Make python script PEP8 compliant - 0.2.3 Adding rabbitmq TLS logic - 0.2.4 Use policies in yaml format + - 0.2.5 Mount rabbitmq TLS secret ... diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml index 6fa3a3d261..181f114ad3 100644 --- a/releasenotes/notes/neutron.yaml +++ b/releasenotes/notes/neutron.yaml @@ -16,3 +16,5 @@ neutron: - 0.2.0 Remove support for releases before T - 0.2.1 Adding rabbitmq TLS logic - 0.2.2 Use policies in yaml format + - 0.2.3 Mount rabbitmq TLS secret +... diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml index 89256b1e1e..daa4de882e 100644 --- a/releasenotes/notes/nova.yaml +++ b/releasenotes/notes/nova.yaml @@ -24,4 +24,5 @@ nova: - 0.2.1 Remove unnecessary +x permission on gotpl files - 0.2.2 Adding rabbitmq TLS logic - 0.2.3 Replace deprecated configuration ``[vnc]/vncserver_proxyclient_address`` + - 0.2.4 Mount rabbitmq TLS secret ...