From ca6677457eb8844e5a97069e34600b44b1cad429 Mon Sep 17 00:00:00 2001 From: josebb Date: Thu, 2 Dec 2021 19:38:18 +0200 Subject: [PATCH] Support TLS endpoints in placement This allows placement to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And placement itself interact with other openstack services via endpoints. Change-Id: I1a44844826eec4f6238f9b37064ccadcdcc7336a --- placement/Chart.yaml | 2 +- placement/templates/deployment.yaml | 9 +++++++-- placement/templates/job-ks-endpoints.yaml | 2 +- placement/templates/job-ks-service.yaml | 2 +- placement/templates/job-ks-user.yaml | 2 +- placement/values.yaml | 5 +++++ placement/values_overrides/tls-offloading.yaml | 12 ++++++++++++ releasenotes/notes/placement.yaml | 1 + 8 files changed, 29 insertions(+), 6 deletions(-) create mode 100644 placement/values_overrides/tls-offloading.yaml diff --git a/placement/Chart.yaml b/placement/Chart.yaml index 6dcb5f2f49..e475f6e42f 100644 --- a/placement/Chart.yaml +++ b/placement/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Placement name: placement -version: 0.2.12 +version: 0.2.13 home: https://docs.openstack.org/placement/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png sources: diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml index 1ab24bb517..605f952000 100644 --- a/placement/templates/deployment.yaml +++ b/placement/templates/deployment.yaml 
@@ -64,6 +64,11 @@ spec:
 {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/placement/certs/ca.crt"
+{{- end }}
 command:
 - /tmp/placement-api.sh
 - start
@@ -118,7 +123,7 @@ spec:
 subPath: wsgi-placement.conf
 readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
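Review bot: `REQUESTS_CA_BUNDLE` in the added `env:` block points at `/etc/placement/certs/ca.crt`, so the secret named by `.Values.secrets.tls.placement.api.internal` has to exist and carry a `ca.crt` key whenever `tls.identity` is true, yet nothing in this patch creates it when `manifests.certificates` stays false. If the secret is meant to be provisioned out of band, state that next to the toggle in values.yaml, for example `# tls.identity: true requires the secrets.tls.placement.api.internal secret to exist and contain ca.crt`. The variable also replaces the default trust store for requests-based clients in the container, so that `ca.crt` has to cover every HTTPS endpoint placement calls, not only identity. The same gate is used by the volume-mount and volume hunks (-118 and -134) and by the three job-ks templates. The container spec continues outside the hunk.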
@@ -134,6 +139,6 @@ spec: secretName: placement-etc defaultMode: 0444 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml index 111ba33a40..bfb0bd2831 100644 --- a/placement/templates/job-ks-endpoints.yaml +++ b/placement/templates/job-ks-endpoints.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "1" {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml index 10e45bd61e..3f05eb0654 100644 --- a/placement/templates/job-ks-service.yaml +++ b/placement/templates/job-ks-service.yaml 
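Review bot: `.Values.tls.identity` in the new `if or` condition of job-ks-endpoints.yaml is dereferenced with no guard for a missing `tls` map. A render from values that predate this chart version (for instance an upgrade that reuses the 0.2.12 values) would presumably stop on a nil lookup instead of taking the non-TLS path. A tolerant form would be something like `{{- if or .Values.manifests.certificates (default dict .Values.tls).identity -}}`. The same expression appears in the deployment.yaml hunks and in job-ks-service.yaml and job-ks-user.yaml.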
@@ -21,7 +21,7 @@ helm.sh/hook-weight: "-2" {{- if .Values.manifests.job_ks_service }} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml index 2c1a00232c..056938bdda 100644 --- a/placement/templates/job-ks-user.yaml +++ b/placement/templates/job-ks-user.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "-1" {{- if .Values.manifests.job_ks_user }} {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/values.yaml b/placement/values.yaml index 4566dca42f..198b949365 100644 --- a/placement/values.yaml +++ b/placement/values.yaml @@ -513,6 +513,11 @@ dependencies: # set helm3_hook: false when using the helm2 binary. helm3_hook: true +tls: + identity: false + oslo_messaging: false + oslo_db: false + manifests: certificates: false configmap_bin: true diff --git a/placement/values_overrides/tls-offloading.yaml b/placement/values_overrides/tls-offloading.yaml new file mode 100644 index 0000000000..ff972853ea --- /dev/null +++ b/placement/values_overrides/tls-offloading.yaml @@ -0,0 +1,12 @@ +--- +endpoints: + identity: + auth: + admin: + cacert: /etc/ssl/certs/openstack-helm.crt + placement: + cacert: /etc/ssl/certs/openstack-helm.crt + +tls: + identity: true +... diff --git a/releasenotes/notes/placement.yaml b/releasenotes/notes/placement.yaml index 081a1c6791..094f412e78 100644 --- a/releasenotes/notes/placement.yaml 
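Review bot: `tls.oslo_messaging` and `tls.oslo_db` are added to values.yaml next to `tls.identity`, but no template touched by this patch reads them, and the MySQL certificate mount in deployment.yaml is still gated on `manifests.certificates` alone. An operator who sets `tls.oslo_db: true` could reasonably believe database traffic is now protected when nothing changes. Either leave the two keys out until they are wired up or mark them, e.g. `# oslo_messaging / oslo_db: reserved, not consumed by any placement template yet`.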
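Review bot: The new tls-offloading.yaml sets both `cacert` values to `/etc/ssl/certs/openstack-helm.crt`, while the deployment change in this patch points `REQUESTS_CA_BUNDLE` at `/etc/placement/certs/ca.crt`, and the patch does not show what places a file at the first path inside the placement or job containers. If neither the image nor a mount outside this diff provides it, clients that read `cacert` would fail certificate verification at runtime, with no error at install time. A header comment in the override should name the prerequisites, for example `# Requires the CA bundle at /etc/ssl/certs/openstack-helm.crt in the images and a pre-created placement TLS secret`.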
+++ b/releasenotes/notes/placement.yaml
@@ -21,4 +21,5 @@ placement:
 - 0.2.10 Added OCI registry authentication
 - 0.2.11 Distinguish between port number of internal endpoint and binding port number
 - 0.2.12 Use HTTP probe instead of TCP probe
+ - 0.2.13 Support TLS endpoints
 ...