Support TLS endpoints in placement

This allows placement to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And placement itself interact with other openstack services via endpoints. Change-Id: I1a44844826eec4f6238f9b37064ccadcdcc7336a
2021-12-02 19:38:18 +02:00 · 2021-12-02 19:38:18 +02:00 · ca6677457e
commit ca6677457e
parent 350d55baad
8 changed files with 29 additions and 6 deletions
--- a/placement/Chart.yaml
+++ b/placement/Chart.yaml
@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.2.12
+version: 0.2.13
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:
--- a/placement/templates/deployment.yaml
+++ b/placement/templates/deployment.yaml
@ -64,6 +64,11 @@ spec:
 {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 {{- if or .Values.manifests.certificates .Values.tls.identity }}
          env:
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/placement/certs/ca.crt"
 {{- end }}
          command:
            - /tmp/placement-api.sh
            - start
@ -118,7 +123,7 @@ spec:
              subPath: wsgi-placement.conf
              readOnly: true
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -134,6 +139,6 @@ spec:
            secretName: placement-etc
            defaultMode: 0444
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/placement/templates/job-ks-endpoints.yaml
+++ b/placement/templates/job-ks-endpoints.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "1"
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/templates/job-ks-service.yaml
+++ b/placement/templates/job-ks-service.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/templates/job-ks-user.yaml
+++ b/placement/templates/job-ks-user.yaml
@ -21,7 +21,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
--- a/placement/values.yaml
+++ b/placement/values.yaml
@ -513,6 +513,11 @@ dependencies:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 tls:
  identity: false
  oslo_messaging: false
  oslo_db: false
 manifests:
  certificates: false
  configmap_bin: true
--- a/placement/values_overrides/tls-offloading.yaml
+++ b/placement/values_overrides/tls-offloading.yaml
@ -0,0 +1,12 @@
 ---
 endpoints:
  identity:
    auth:
      admin:
        cacert: /etc/ssl/certs/openstack-helm.crt
      placement:
        cacert: /etc/ssl/certs/openstack-helm.crt
 tls:
  identity: true
 ...
--- a/releasenotes/notes/placement.yaml
+++ b/releasenotes/notes/placement.yaml
@ -21,4 +21,5 @@ placement:
  - 0.2.10 Added OCI registry authentication
  - 0.2.11 Distinguish between port number of internal endpoint and binding port number
  - 0.2.12 Use HTTP probe instead of TCP probe
  - 0.2.13 Support TLS endpoints
 ...