From 68822ee4390d0b17af00a0ab7ce2809b8af1c567 Mon Sep 17 00:00:00 2001 From: josebb Date: Thu, 2 Dec 2021 19:25:07 +0200 Subject: [PATCH] Support TLS endpoints in heat This allows heat to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And heat itself interact with other openstack services via endpoints. Change-Id: I7af6c52377db479b7f7e28ade23582dcc6f8f2f9 --- heat/Chart.yaml | 2 +- heat/templates/cron-job-engine-cleaner.yaml | 7 +++++++ heat/templates/cron-job-purge-deleted.yaml | 7 +++++++ heat/templates/deployment-api.yaml | 9 +++++++-- heat/templates/deployment-cfn.yaml | 9 +++++++-- heat/templates/deployment-engine.yaml | 11 ++++++++--- heat/templates/job-bootstrap.yaml | 2 +- heat/templates/job-ks-endpoints.yaml | 2 +- heat/templates/job-ks-service.yaml | 2 +- heat/templates/job-ks-user-domain.yaml | 6 +++--- heat/templates/job-ks-user-trustee.yaml | 2 +- heat/templates/job-ks-user.yaml | 2 +- heat/templates/job-trusts.yaml | 6 +++--- heat/values.yaml | 5 +++++ heat/values_overrides/tls-offloading.yaml | 16 ++++++++++++++++ releasenotes/notes/heat.yaml | 1 + 16 files changed, 70 insertions(+), 19 deletions(-) create mode 100644 heat/values_overrides/tls-offloading.yaml diff --git a/heat/Chart.yaml b/heat/Chart.yaml index 86a3a75392..9955a19592 100644 --- a/heat/Chart.yaml +++ b/heat/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Heat name: heat -version: 0.2.15 +version: 0.2.16 home: https://docs.openstack.org/heat/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png sources: diff --git a/heat/templates/cron-job-engine-cleaner.yaml b/heat/templates/cron-job-engine-cleaner.yaml index eac56d3006..a7eded42ac 100644 --- a/heat/templates/cron-job-engine-cleaner.yaml +++ b/heat/templates/cron-job-engine-cleaner.yaml 
@@ -67,6 +67,11 @@ spec: {{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} {{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/heat/certs/ca.crt" +{{- end }} command: - /tmp/heat-engine-cleaner.sh volumeMounts: @@ -88,6 +93,7 @@ spec: subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }} readOnly: true {{ end }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }} {{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }} volumes: @@ -99,6 +105,7 @@ spec: secret: secretName: heat-etc defaultMode: 0444 +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} - name: heat-bin configMap: diff --git a/heat/templates/cron-job-purge-deleted.yaml b/heat/templates/cron-job-purge-deleted.yaml index 936d52b6be..4d83c29493 100644 --- a/heat/templates/cron-job-purge-deleted.yaml 
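Review bot: The file the cleaner is told to trust, `/etc/heat/certs/ca.crt`, comes from `.Values.secrets.tls.orchestration.api.internal`, i.e. the heat-api server-certificate secret, and the new `or … .Values.tls.identity` gate mounts it even when `manifests.certificates` is false, which is exactly the case where the chart does not create that secret. That only works if the operator pre-provisions a secret of that name carrying a `ca.crt` that signed the Keystone endpoint; if the secret is missing the pod will not start at all (secret volumes are mandatory unless the `tls_volume` snippet marks them optional, which is not visible here), and if it exists but holds a different CA every Keystone call fails verification. Neither requirement is written down anywhere in the patch; I would add above the `env:` block `# tls.identity without manifests.certificates requires a pre-created secret named secrets.tls.orchestration.api.internal whose ca.crt signs the identity endpoint`. The cron job's container spec continues outside this hunk.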
+++ b/heat/templates/cron-job-purge-deleted.yaml @@ -60,6 +60,11 @@ spec: - name: heat-purge-deleted {{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/heat/certs/ca.crt" +{{- end }} command: - /tmp/heat-purge-deleted-active.sh - {{ quote .Values.jobs.purge_deleted.purge_age }} @@ -82,6 +87,7 @@ spec: subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }} readOnly: true {{ end }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }} {{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }} volumes: @@ -93,6 +99,7 @@ spec: secret: secretName: heat-etc defaultMode: 0444 +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} - name: heat-bin configMap: diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index 1274e88365..1ecb544ec2 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml 
@@ -62,6 +62,11 @@ spec: {{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/heat/certs/ca.crt" +{{- end }} command: - /tmp/heat-api.sh - start @@ -124,7 +129,7 @@ spec: subPath: mpm_event.conf readOnly: true {{- end }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} volumes: 
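Review bot: The value `/etc/heat/certs/ca.crt` is hard-coded here and repeated verbatim in deployment-cfn, deployment-engine and both cron jobs, and it must stay consistent with the `"path" "/etc/heat/certs"` argument passed to `tls_volume_mount` further down the same container; a single values key (or a small named template) would keep the five copies from drifting. The env block is also emitted as a fresh `env:` key in front of `command:`; if this container ever gains another `env:` mapping the YAML parser will silently keep only the last one, so rendering this variable into whichever env list the container already has would be safer. A one-line comment such as `# requests/keystoneauth verify against this CA; path must match the tls_volume_mount below` would make the coupling explicit.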
@@ -142,7 +147,7 @@ spec: secret: secretName: heat-etc defaultMode: 0444 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml index 2f16901662..7f28095fe8 100644 --- a/heat/templates/deployment-cfn.yaml +++ b/heat/templates/deployment-cfn.yaml @@ -62,6 +62,11 @@ spec: {{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/heat/certs/ca.crt" +{{- end }} command: - /tmp/heat-cfn.sh - start 
@@ -124,7 +129,7 @@ spec: subPath: mpm_event.conf readOnly: true {{- end }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -141,6 +146,6 @@ spec: secret: secretName: heat-etc defaultMode: 0444 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml index da9c905f29..7b7b8adf66 100644 --- a/heat/templates/deployment-engine.yaml +++ b/heat/templates/deployment-engine.yaml @@ -70,6 +70,11 @@ spec: {{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/heat/certs/ca.crt" +{{- end }} command: - /tmp/heat-engine.sh - start 
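Review bot: In deployment-cfn the `/etc/heat/certs` mount, and therefore the `ca.crt` that `REQUESTS_CA_BUNDLE` points at, is taken from `.Values.secrets.tls.cloudformation.cfn.internal`, while deployment-api and deployment-engine take it from `.Values.secrets.tls.orchestration.api.internal`. The trust anchor for outbound Keystone calls is thus whatever CA happens to sit in each pod's own server-cert secret, so with `manifests.certificates: false` two separately provisioned secrets must both carry the identical `ca.crt`, and re-issuing the cfn certificate from a different issuer would silently break authentication in that pod only. A dedicated CA-only secret (or a values key naming one) mounted identically in every heat pod would remove that coupling; failing that, a comment on this line noting `# ca.crt in this secret must match the one in secrets.tls.orchestration.api.internal` is the minimum.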
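Review bot: `REQUESTS_CA_BUNDLE` is honoured by the requests library as the verify path for every HTTPS connection the process opens, so pointing it at a file that contains only the internal CA replaces the system trust store rather than extending it. For heat-engine that is broader than Keystone: the engine fetches user-supplied template and `get_file` URLs and talks to other service endpoints, and any of those served under a public or different internal CA will now fail verification, which tends to push operators toward `insecure` flags. If the intent is only to trust Keystone, scoping the CA through heat.conf (`[keystone_authtoken] cafile` / `[clients] ca_file`) is narrower; if a process-wide override is wanted, the entrypoint should concatenate the internal CA with the system bundle and point the variable at that. Either way the choice deserves a comment next to the variable, e.g. `# overrides the system CA bundle for all outbound HTTPS from heat-engine, not just identity`.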
@@ -103,7 +108,7 @@ spec: subPath: policy.yaml readOnly: true {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} volumes: 
@@ -119,8 +124,8 @@ spec: secret: secretName: heat-etc defaultMode: 0444 - {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml index ee32154574..0230a2ac2c 100644 --- a/heat/templates/job-bootstrap.yaml +++ b/heat/templates/job-bootstrap.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "5" {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml index 9c7daeee1d..21b0bd1ef4 100644 --- a/heat/templates/job-ks-endpoints.yaml 
+++ b/heat/templates/job-ks-endpoints.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2" {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml index 6505cefe4d..930707ad98 100644 --- a/heat/templates/job-ks-service.yaml +++ b/heat/templates/job-ks-service.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3" {{- if .Values.manifests.job_ks_service }} {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml index 89b73dd90e..6e76df8fe4 100644 --- a/heat/templates/job-ks-user-domain.yaml +++ b/heat/templates/job-ks-user-domain.yaml 
@@ -64,9 +64,9 @@ spec: mountPath: /tmp/ks-domain-user.sh subPath: ks-domain-user.sh readOnly: true -{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -100,5 +100,5 @@ spec: configMap: name: heat-bin defaultMode: 0555 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml index 934c6021b2..665be8171b 100644 --- a/heat/templates/job-ks-user-trustee.yaml +++ b/heat/templates/job-ks-user-trustee.yaml @@ -18,7 +18,7 @@ helm.sh/hook: post-install,post-upgrade {{- if .Values.manifests.job_ks_user_trustee }} {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} 
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml index db39a5562b..c5be1fea97 100644 --- a/heat/templates/job-ks-user.yaml +++ b/heat/templates/job-ks-user.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1" {{- if .Values.manifests.job_ks_user }} {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml index e713d2781f..ae5bc64481 100644 --- a/heat/templates/job-trusts.yaml +++ b/heat/templates/job-trusts.yaml @@ -68,10 +68,10 @@ spec: mountPath: /tmp/trusts.sh subPath: trusts.sh readOnly: true -{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_ROLES 
@@ -87,5 +87,5 @@ spec: configMap: name: heat-bin defaultMode: 0555 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }} diff --git a/heat/values.yaml b/heat/values.yaml index 31b481abeb..3dd9fdac09 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -1326,6 +1326,11 @@ network_policy: # set helm3_hook: false when using the helm2 binary. helm3_hook: true +tls: + identity: false + oslo_messaging: false + oslo_db: false + manifests: certificates: false configmap_bin: true diff --git a/heat/values_overrides/tls-offloading.yaml b/heat/values_overrides/tls-offloading.yaml new file mode 100644 index 0000000000..ac2c1c9702 --- /dev/null +++ b/heat/values_overrides/tls-offloading.yaml @@ -0,0 +1,16 @@ +--- +endpoints: + identity: + auth: + admin: + cacert: /etc/ssl/certs/openstack-helm.crt + heat: + cacert: /etc/ssl/certs/openstack-helm.crt + heat_trustee: + cacert: /etc/ssl/certs/openstack-helm.crt + test: + cacert: /etc/ssl/certs/openstack-helm.crt + +tls: + identity: true +... diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml index a495b16263..ab77d57c6b 100644 --- a/releasenotes/notes/heat.yaml +++ b/releasenotes/notes/heat.yaml @@ -22,4 +22,5 @@ heat: - 0.2.13 Add Xena and Yoga values overrides - 0.2.14 Added OCI registry authentication - 0.2.15 Distinguish between port number of internal endpoint and binding port number + - 0.2.16 Support TLS endpoints ...
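Review bot: `tls.oslo_messaging` and `tls.oslo_db` are introduced in values.yaml but nothing in this patch reads them: the rabbitmq and mysql certificate mounts in deployment-api, deployment-engine and both cron jobs stay gated on `manifests.certificates` alone. An operator who sets `tls.oslo_db: true` would reasonably expect database traffic to be verified and will get no change in behaviour, which is a misleading security knob. Either wire them into the corresponding `tls_volume_mount`/`tls_volume` gates in the same way `tls.identity` is, or drop them until they are consumed; at minimum annotate them, `# oslo_messaging / oslo_db: reserved, not yet honoured by the templates`.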
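Review bot: The new tls-offloading override sets every `endpoints.identity.auth.*.cacert` to `/etc/ssl/certs/openstack-helm.crt`, whereas the heat service pods in this patch mount their CA at `/etc/heat/certs/ca.crt`. The job templates (job-trusts, job-ks-user-domain, and the helm-toolkit jobs given `tlsSecret`) call `tls_volume_mount` without a `path`, so they presumably land on that `/etc/ssl/certs/...` default and the override is correct for them, but if any heat.conf option is rendered from these cacert values it will name a file that is not mounted in the heat-api, cfn or engine pods; that should be confirmed before this override is used. The override also flips `tls.identity: true` without saying which secret supplies the CA, so a header comment is warranted, e.g. `# Requires the secrets named in secrets.tls.orchestration.api.internal and secrets.tls.cloudformation.cfn.internal to exist with a ca.crt that signs the identity endpoint`.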