Support TLS endpoints in barbican

This allows barbican to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And barbican itself interact with other openstack services via
endpoints.

Change-Id: I890f909fc6466b696ee64aa7dfdd528934fccb2d

barbican/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.18
+version: 0.2.19
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:

barbican/templates/deployment-api.yaml

@@ -65,7 +65,7 @@ spec:
             - /tmp/barbican.sh
             - start
           env:
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/barbican/certs/ca.crt"
 {{- end }}
@@ -119,7 +119,7 @@ spec:
               subPath: barbican.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
@@ -137,7 +137,7 @@ spec:
             name: barbican-bin
             defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}

barbican/templates/job-bootstrap.yaml

@@ -24,7 +24,7 @@ helm.sh/hook-weight: "5"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}

barbican/templates/job-ks-endpoints.yaml

@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}

barbican/templates/job-ks-service.yaml

@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}

barbican/templates/job-ks-user.yaml

@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}

barbican/values.yaml

@@ -677,6 +677,11 @@ endpoints:
       ingress:
         default: 80
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true

barbican/values_overrides/tls-offloading.yaml

@@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      barbican:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...

releasenotes/notes/barbican.yaml

@@ -22,4 +22,5 @@ barbican:
   - 0.2.16 Distinguish between port number of internal endpoint and binding port number
   - 0.2.17 Use HTTP probe instead of TCP probe
   - 0.2.18 Support TLS for ks jobs
+  - 0.2.19 Support SSL offloading at reverse proxy for internal and admin endpoints
 ...