From 85943e2433cf0629fedcffae5b1770c3198d99cf Mon Sep 17 00:00:00 2001
From: josebb
Date: Mon, 28 Feb 2022 15:32:43 +0200
Subject: [PATCH] Support TLS for identtiy endpoint in Rally
Change-Id: I37dddb76ef1b96fe0daf630d0d8a2c843de0a6a2
---
 rally/Chart.yaml | 2 +-
 rally/templates/job-bootstrap.yaml | 9 ++++++++-
 rally/templates/job-ks-endpoints.yaml | 8 +++++++-
 rally/templates/job-ks-service.yaml | 8 +++++++-
 rally/templates/job-ks-user.yaml | 4 ++++
 rally/templates/job-run-task.yaml | 7 +++++++
 rally/values.yaml | 8 ++++++++
 rally/values_overrides/tls-offloading.yaml | 14 ++++++++++++++
 releasenotes/notes/rally.yaml | 1 +
 9 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 rally/values_overrides/tls-offloading.yaml
diff --git a/rally/Chart.yaml b/rally/Chart.yaml
index 8b65d2eb09..1f20bf4058 100644
--- a/rally/Chart.yaml
+++ b/rally/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm rally
 name: rally
-version: 0.2.6
+version: 0.2.7
 home: https://docs.openstack.org/developer/rally
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/rally/OpenStack_Project_rally_vertical.png
 sources:
diff --git a/rally/templates/job-bootstrap.yaml b/rally/templates/job-bootstrap.yaml
index 7d8263fe30..1c8f38f283 100644
--- a/rally/templates/job-bootstrap.yaml
+++ b/rally/templates/job-bootstrap.yaml
@@ -21,6 +21,11 @@ limitations under the License.
 {{- $serviceAccountName := "rally-bootstrap" }}
 {{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+
+{{- $tlsSecret := "" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
+{{- end -}}
 ---
 apiVersion: batch/v1
 kind: Job
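Review bot: The new `$tlsSecret` block makes every later TLS decision in job-bootstrap.yaml key off the resolved secret name rather than the `tls.identity` flag, so a deployment that sets `tls.identity: true` but leaves `secrets.tls.identity.api.internal` empty renders a job with no CA mount and `useCA` false, and the misconfiguration only shows up when the bootstrap pod tries to reach an HTTPS Keystone at run time (presumably as a certificate-verification failure, depending on what the openrc snippet emits without `useCA`). Failing at render time is cheaper to diagnose: after the assignment add `{{- if and .Values.tls.identity (eq $tlsSecret "") }}` / `{{- fail "tls.identity is enabled but secrets.tls.identity.api.internal is empty" }}` / `{{- end }}`. A one-line comment above the block, `# CA secret for the Keystone internal endpoint; an empty name disables the TLS mount and OS_CACERT`, would also make the `ne $tlsSecret ""` checks further down the template self-explanatory. The `if .Values.manifests.job_bootstrap` guard that encloses this template opens and closes outside the hunk.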
@@ -45,7 +50,7 @@ spec:
 {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 command:
@@ -57,6 +62,7 @@ spec:
 mountPath: /tmp/bootstrap.sh
 subPath: bootstrap.sh
 readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_rally_bootstrap.volumeMounts }}{{ toYaml $mounts_rally_bootstrap.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -65,6 +71,7 @@ spec:
 configMap:
 name: rally-bin
 defaultMode: 0555
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_rally_bootstrap.volumes }}{{ toYaml $mounts_rally_bootstrap.volumes | indent 8 }}{{ end }}
 {{- end }}
 {{- end }}
diff --git a/rally/templates/job-ks-endpoints.yaml b/rally/templates/job-ks-endpoints.yaml
index 32749feca3..2626b6eec5 100644
--- a/rally/templates/job-ks-endpoints.yaml
+++ b/rally/templates/job-ks-endpoints.yaml
@@ -18,6 +18,10 @@ limitations under the License.
 {{- $serviceAccountName := "rally-ks-endpoints" }}
 {{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
+{{- $tlsSecret := "" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
+{{- end }}
 apiVersion: batch/v1
 kind: Job
 metadata:
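Review bot: The `$tlsSecret` block in job-ks-endpoints.yaml is placed differently from the identical block in job-bootstrap.yaml in this same patch: here it sits after the `---` document separator and closes with `{{- end }}`, there it sits before `---` and closes with `{{- end -}}`. Both should render the same document boundary (the leading `{{-` on each line trims the newline after `---`, and the untrimmed `end }}` restores one before `apiVersion:`), but a reader comparing the four job templates has to re-derive the whitespace handling each time. Suggest keeping the block above `---` with `{{- end -}}` in every job template so the rendered output is byte-identical across files; this is a style point only, the logic is the same.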
@@ -55,8 +59,9 @@ spec:
 mountPath: /tmp/ks-endpoints.sh
 subPath: ks-endpoints.sh
 readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: OS_SVC_ENDPOINT
@@ -76,4 +81,5 @@ spec:
 configMap:
 name: rally-bin
 defaultMode: 0555
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/rally/templates/job-ks-service.yaml b/rally/templates/job-ks-service.yaml
index 392472f8f8..89e6c9370e 100644
--- a/rally/templates/job-ks-service.yaml
+++ b/rally/templates/job-ks-service.yaml
@@ -18,6 +18,10 @@ limitations under the License.
 {{- $serviceAccountName := "rally-ks-service" }}
 {{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
+{{- $tlsSecret := "" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
+{{- end }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -54,8 +58,9 @@ spec:
 mountPath: /tmp/ks-service.sh
 subPath: ks-service.sh
 readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: OS_SERVICE_NAME
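Review bot: job-ks-service.yaml now carries the third verbatim copy of the `$tlsSecret` resolution (the same four lines are in job-bootstrap.yaml and job-ks-endpoints.yaml), so any later change to how the CA secret is selected, for example treating `manifests.certificates` and `tls.identity` differently, has to be made in three places and is easy to miss in one. A named template in the chart's helpers file (not visible in this patch) such as `{{- define "rally.identity_tls_secret" -}}` that returns the secret name or `""` would let each job do `{{- $tlsSecret := include "rally.identity_tls_secret" . -}}` and keep the `(ne $tlsSecret "")` / `useCA` pairing in one place. This is a maintainability point; the duplicated logic as written is consistent between the three files.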
@@ -70,4 +75,5 @@ spec:
 configMap:
 name: rally-bin
 defaultMode: 0555
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/rally/templates/job-ks-user.yaml b/rally/templates/job-ks-user.yaml
index 146787691f..997495d6d2 100644
--- a/rally/templates/job-ks-user.yaml
+++ b/rally/templates/job-ks-user.yaml
@@ -20,6 +20,10 @@ helm.sh/hook-weight: "1"
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "rally" -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- end -}}
+
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
 {{- end }}
diff --git a/rally/templates/job-run-task.yaml b/rally/templates/job-run-task.yaml
index efcdc58d1f..c4cb14cf4a 100644
--- a/rally/templates/job-run-task.yaml
+++ b/rally/templates/job-run-task.yaml
@@ -65,6 +65,11 @@ spec:
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/rally/certs/ca.crt"
 {{- end }}
 - name: ENABLED_TESTS
 value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.enabled_tasks }}
@@ -89,6 +94,7 @@ spec:
 readOnly: true
 - name: rally-reports
 mountPath: /var/lib/rally/data
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal "path" "/etc/rally/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
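Review bot: job-ks-user.yaml stores `.Values.secrets.tls.identity.api.internal` on the ks_user dict without the `| default ""` fallback and `ne ... ""` guard that the other three job templates in this patch use, so an unset or empty value becomes a nil or empty `tlsSecret` key, and whether helm-toolkit's `job_ks_user` manifest then renders a volume with an empty name, skips it, or errors is decided outside this chart (not visible here; confirm against the pinned helm-toolkit). Mirroring the siblings keeps the failure mode uniform across the jobs: `{{- $_ := set $ksUserJob "tlsSecret" (.Values.secrets.tls.identity.api.internal | default "") -}}`. The `if .Values.manifests.job_ks_user` guard opens inside this hunk but closes outside it.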
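Review bot: `REQUESTS_CA_BUNDLE` replaces, rather than extends, the trust store that the Python requests stack uses for every HTTPS call from the run-task pod, so once `tls.identity` is on any other endpoint rally reaches whose certificate chains to a different CA (for example a publicly signed one) will fail verification; that is a sharper blast radius than the per-user `OS_CACERT` the other jobs get, and it is not recorded anywhere. This job is also the only one in the patch that does not pass `"useCA"` into the openrc env block, so if rally's `deployment create --fromenv` honours `OS_CACERT` (not verifiable from here) the two mechanisms disagree, and the gate is the raw flag pair instead of the `$tlsSecret` name the other jobs resolve. I would resolve `$tlsSecret` at the top of the template next to the existing `$envAll` assignments (outside this hunk), pass `useCA`, gate the bundle on the secret name, and document the scope of the variable inline; the container spec this env list belongs to starts outside the hunk.

```yaml
{{- $tlsSecret := "" -}}
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
{{- end -}}
# … unchanged: Job metadata and spec down to the container env list …
          env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
{{- if ne $tlsSecret "" }}
            # Replaces (does not extend) the CA store for every HTTPS call made
            # through python-requests in this pod; keep in sync with the
            # tls_volume_mount "path" below.
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/rally/certs/ca.crt"
{{- end }}
```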
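Review bot: The run-task volumeMount is enabled on the raw `or .Values.manifests.certificates .Values.tls.identity` pair and passes `.Values.secrets.tls.identity.api.internal` straight through, unlike the sibling jobs which resolve a `$tlsSecret` with `| default ""` and gate on `ne $tlsSecret ""`; with the flag on and the name empty this likely renders a mount referencing a volume named `""` (exact behaviour depends on the helm-toolkit snippet, not visible here) and the Job is rejected by the API server instead of by the chart. The `"path" "/etc/rally/certs"` argument is also the only thing tying this mount to the `REQUESTS_CA_BUNDLE` value `/etc/rally/certs/ca.crt` in the env hunk above: whether the snippet mounts the secret as a directory at that path or as a single file via `subPath: ca.crt` decides whether `ca.crt` actually exists under it, so that should be checked against the pinned helm-toolkit and pinned with a comment such as `# CA mounted as a directory at /etc/rally/certs; REQUESTS_CA_BUNDLE above points at ca.crt inside it`. The container spec this mount belongs to starts outside the hunk.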
@@ -112,4 +118,5 @@ spec:
 - name: rally-reports
 persistentVolumeClaim:
 claimName: {{ .Values.pvc.name }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/rally/values.yaml b/rally/values.yaml
index 476c678e9c..3bbc0ae415 100644
--- a/rally/values.yaml
+++ b/rally/values.yaml
@@ -207,6 +207,11 @@ secrets:
 rally: rally-db-user
 oci_image_registry:
 rally: rally-oci-image-registry
+ tls:
+ identity:
+ api:
+ public: keystone-tls-public
+ internal: keystone-tls-api
 endpoints:
 cluster_domain_suffix: cluster.local
@@ -4022,6 +4027,9 @@ conf:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
+tls:
+ identity: false
+
 manifests:
 configmap_bin: true
 configmap_etc: true
diff --git a/rally/values_overrides/tls-offloading.yaml b/rally/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..5946cac8e5
--- /dev/null
+++ b/rally/values_overrides/tls-offloading.yaml
@@ -0,0 +1,14 @@
+---
+endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ rally:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+ identity: true
+...
diff --git a/releasenotes/notes/rally.yaml b/releasenotes/notes/rally.yaml
index d779a8c05d..1fc5c7e2bf 100644
--- a/releasenotes/notes/rally.yaml
+++ b/releasenotes/notes/rally.yaml
@@ -9,4 +9,5 @@ rally:
 - 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version
 - 0.2.5 Add helm hook for jobs
 - 0.2.6 Added OCI registry authentication
+ - 0.2.7 Support TLS for identity endpoint
 ...
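Review bot: `tls.identity: false` is added to values.yaml without a comment saying what it switches on, and values.yaml is the one place an operator will look before enabling it. Suggest above `identity: false`: `# Mount the Keystone CA named by secrets.tls.identity.api.internal into the ks-*, bootstrap and run-task jobs and point them at it; the Secret must already exist in this namespace` — the last clause is inferred from the default names `keystone-tls-api` / `keystone-tls-public`, which match what the keystone chart publishes, and should be confirmed. `secrets.tls.identity.api.public` is defined but nothing in this patch reads it; either a note that it is reserved for parity with the other OpenStack-Helm charts or dropping it saves the next reader a search for the consumer.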
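Review bot: The override pins `cacert: /etc/ssl/certs/openstack-helm.crt` for the admin, rally and test identity users, while job-run-task.yaml in the same patch mounts the CA under `/etc/rally/certs` and sets `REQUESTS_CA_BUNDLE=/etc/rally/certs/ca.crt`; the two paths are presumably the default and explicit-`path` forms of helm-toolkit's `tls_volume_mount`, but nothing in the chart records that, and if the admin secret's `OS_CACERT` is ever consumed by the run-task pod it would point at a file that pod does not mount. A header comment in this file, e.g. `# cacert below is the default tls_volume_mount location used by the ks-* jobs; job-run-task mounts the same CA under /etc/rally/certs`, would pin the assumption. Also confirm that `endpoints.identity.auth.test` exists in values.yaml (not in this patch): an override for a key the chart never reads is a silent no-op.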