Ingress: Add initial TLS Support for core service public endpoints

This PS adds support for TLS on over-ridden fqdn's for public
endpoints for core OpenStack Services. Currently this implementation
is limited, in that it does not provide support for dynamicly loading
CAs into the containers, or specifying them manually via configuration.
As a result only well known or CA's added manually to containers will
be recognised.

Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146
Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>

barbican/templates/ingress-api.yaml

@@ -15,6 +15,6 @@ limitations under the License.
 */}}
 
 {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" -}}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}

barbican/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }}
+{{- end }}

barbican/values.yaml

@@ -438,6 +438,10 @@ secrets:
   oslo_messaging:
     admin: barbican-rabbitmq-admin
     barbican: barbican-rabbitmq-user
+  tls:
+    key_manager:
+      api:
+        public: barbican-tls-public
 
 endpoints:
   cluster_domain_suffix: cluster.local
@@ -569,6 +573,7 @@ manifests:
   pdb_api: true
   pod_test: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_ingress_api: true

ceph-client/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_ingress_tls ( and .Values.deployment.ceph .Values.conf.features.rgw ) }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "object_store" ) }}
+{{- end }}

ceph-client/values.yaml

@@ -160,6 +160,10 @@ secrets:
     admin: ceph-keystone-admin
     swift: ceph-keystone-user
     user_rgw: ceph-keystone-user-rgw
+  tls:
+    object_store:
+      api:
+        public: ceph-tls-public
 
 network:
   api:
@@ -505,6 +509,13 @@ endpoints:
       public: radosgw
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: /swift/v1/KEY_$(tenant_id)s
     scheme:
@@ -564,6 +575,7 @@ manifests:
   job_namespace_client_key_cleaner: true
   job_namespace_client_key: true
   job_rbd_pool: true
+  secret_ingress_tls: true
   secret_keystone_rgw: true
   secret_keystone: true
   service_ingress_rgw: true

cinder/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }}
+{{- end }}

cinder/values.yaml

@@ -934,6 +934,10 @@ secrets:
   oslo_messaging:
     admin: cinder-rabbitmq-admin
     cinder: cinder-rabbitmq-user
+  tls:
+    volume:
+      api:
+        public: cinder-tls-public
 
 # We use a different layout of the endpoints here to account for versioning
 # this swaps the service name and type, and should be rolled out to other
@@ -1029,6 +1033,13 @@ endpoints:
       public: cinder
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: '/v1/%(tenant_id)s'
     scheme:
@@ -1044,6 +1055,13 @@ endpoints:
       public: cinder
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: '/v2/%(tenant_id)s'
     scheme:
@@ -1059,6 +1077,13 @@ endpoints:
       public: cinder
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: '/v3/%(tenant_id)s'
     scheme:
@@ -1144,6 +1169,7 @@ manifests:
   pod_rally_test: true
   pvc_backup: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_api: true

glance/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
+{{- end }}

glance/values.yaml

@@ -441,6 +441,10 @@ secrets:
   oslo_messaging:
     admin: glance-rabbitmq-admin
     glance: glance-rabbitmq-user
+  tls:
+    image:
+      api:
+        public: glance-tls-public
 
 
 # typically overridden by environmental
@@ -507,6 +511,13 @@ endpoints:
       public: glance
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: null
     scheme:
@@ -781,6 +792,7 @@ manifests:
   pod_rally_test: true
   pvc_images: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_ingress_api: true

heat/templates/secret-ingress-tls.yaml

@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }}
+{{- end }}

heat/values.yaml

@@ -664,6 +664,13 @@ secrets:
   oslo_messaging:
     admin: heat-rabbitmq-admin
     heat: heat-rabbitmq-user
+  tls:
+    orchestration:
+      api:
+        public: heat-tls-public
+    cloudformation:
+      cfn:
+        public: cloudformation-tls-public
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -745,6 +752,13 @@ endpoints:
       public: heat
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: '/v1/%(project_id)s'
     scheme:
@@ -760,6 +774,13 @@ endpoints:
       public: cloudformation
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: /v1
     scheme:
@@ -1044,6 +1065,7 @@ manifests:
   pdb_cloudwatch: false
   pod_rally_test: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_api: true

horizon/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }}
+{{- end }}

horizon/values.yaml

@@ -1974,6 +1974,10 @@ secrets:
   oslo_db:
     admin: horizon-db-admin
     horizon: horizon-db-user
+  tls:
+    dashboard:
+      dashboard:
+        public: horizon-tls-public
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -2023,6 +2027,13 @@ endpoints:
       public: horizon
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: null
     scheme:
@@ -2059,5 +2070,6 @@ manifests:
   job_image_repo_sync: true
   pdb: true
   secret_db: true
+  secret_ingress_tls: true
   service_ingress: true
   service: true

keystone/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }}
+{{- end }}

keystone/values.yaml

@@ -789,6 +789,10 @@ secrets:
     keystone: keystone-rabbitmq-user
   ldap:
     tls: keystone-ldap-tls
+  tls:
+    identity:
+      api:
+        public: keystone-tls-public
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -831,6 +835,13 @@ endpoints:
       public: keystone
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: /v3
     scheme:
@@ -922,6 +933,7 @@ manifests:
   secret_credential_keys: true
   secret_db: true
   secret_fernet_keys: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_ingress_api: true

neutron/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }}
+{{- end }}

neutron/values.yaml

@@ -1557,6 +1557,10 @@ secrets:
   oslo_messaging:
     admin: neutron-rabbitmq-admin
     neutron: neutron-rabbitmq-user
+  tls:
+    network:
+      server:
+        public: neutron-tls-public
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -1712,6 +1716,13 @@ endpoints:
       public: neutron
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: null
     scheme:
@@ -1744,6 +1755,7 @@ manifests:
   pdb_server: true
   pod_rally_test: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
   service_ingress_server: true

nova/templates/secret-ingress-tls.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }}
+{{- end }}

nova/values.yaml

@@ -1121,6 +1121,16 @@ secrets:
   oslo_messaging:
     admin: nova-rabbitmq-admin
     nova: nova-rabbitmq-user
+  tls:
+    compute:
+      osapi:
+        public: nova-tls-public
+    compute_novnc_proxy:
+      novncproxy:
+        public: nova-novncproxy-tls-public
+    placement:
+      placement:
+        public: placement-tls-public
 
 # typically overridden by environmental
 # values, but should include all endpoints
@@ -1314,6 +1324,13 @@ endpoints:
       public: nova
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: "/v2.1/%(tenant_id)s"
     scheme:
@@ -1349,6 +1366,13 @@ endpoints:
       public: novncproxy
     host_fqdn_override:
       default: null
+      # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: /vnc_auto.html
     scheme:
@@ -1697,6 +1721,7 @@ manifests:
   pod_rally_test: true
   secret_db_api: true
   secret_db: true
+  secret_ingress_tls: true
   secret_keystone: true
   secret_keystone_placement: true
   secret_rabbitmq: true

tools/deployment/common/setup-certificates.sh

@@ -0,0 +1,417 @@
+#!/bin/bash
+
+# Copyright 2018 The Openstack-Helm Authors.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+set -xe
+
+CURRENT_DIR=$(pwd)
+CFSSLURL=https://pkg.cfssl.org/R1.2
+
+TDIR=/tmp/certs
+rm -rf $TDIR
+mkdir -p $TDIR/bin
+
+cd $TDIR
+curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64
+curl -sSL -o bin/cfssljson $CFSSLURL/cfssljson_linux-amd64
+chmod +x bin/{cfssl,cfssljson}
+export PATH=$PATH:./bin
+
+OSH_CONFIG_ROOT="/etc/openstack-helm"
+OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
+OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
+
+sudo mkdir -p ${OSH_CONFIG_ROOT}
+sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
+
+mkdir -p "${OSH_CA_ROOT}"
+tee ${OSH_CA_ROOT}/ca-config.json << EOF
+{
+    "signing": {
+        "default": {
+            "expiry": "24h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "24h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            }
+        }
+    }
+}
+EOF
+
+tee ${OSH_CA_ROOT}/ca-csr.json << EOF
+{
+  "CN": "ACME Company",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "SomeState",
+      "ST": "SomeCity",
+      "O": "SomeOrg",
+      "OU": "SomeUnit"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
+
+function check_cert_and_key () {
+  TLS_CERT=$1
+  TLS_KEY=$2
+  openssl x509 -inform pem -in ${TLS_CERT} -noout -text
+  CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
+  KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
+  if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
+    echo "Failure: TLS private key does not match this certificate."
+    exit 1
+  else
+    CERT_MOD=""
+    KEY_MOD=""
+    echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
+  fi
+}
+check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
+
+DOMAIN=openstackhelm.test
+for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do
+  FQDN="${HOSTNAME}.${DOMAIN}"
+
+  OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}"
+  mkdir -p "${OSH_SERVER_CERTS}"
+
+  tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <<EOF
+{
+  "CN": "${FQDN}",
+  "hosts": [
+    "${FQDN}"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "SomeState",
+      "ST": "SomeCity",
+      "O": "SomeOrg",
+      "OU": "SomeUnit"
+    }
+  ]
+}
+EOF
+  cfssl gencert \
+    -hostname="${FQDN}" \
+    -ca=${OSH_CA_ROOT}/ca.pem \
+    -ca-key=${OSH_CA_ROOT}/ca-key.pem \
+    -config=${OSH_CA_ROOT}/ca-config.json \
+    -profile=server \
+    ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json | cfssljson -bare ${OSH_SERVER_CERTS}/server
+
+  check_cert_and_key ${OSH_SERVER_CERTS}/server.pem ${OSH_SERVER_CERTS}/server-key.pem
+done
+
+cd $CURRENT_DIR
+
+KEYSTONE_CRT=${OSH_SERVER_TLS_ROOT}/keystone/server.pem
+KEYSTONE_KEY=${OSH_SERVER_TLS_ROOT}/keystone/server-key.pem
+KEYSTONE_CSR=${OSH_SERVER_TLS_ROOT}/keystone/server-csr-keystone.json
+
+SWIFT_CRT=${OSH_SERVER_TLS_ROOT}/swift/server.pem
+SWIFT_KEY=${OSH_SERVER_TLS_ROOT}/swift/server-key.pem
+SWIFT_CSR=${OSH_SERVER_TLS_ROOT}/swift/server-csr-swift.json
+
+BARBICAN_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
+BARBICAN_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
+BARBICAN_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
+
+HEAT_API_CRT=${OSH_SERVER_TLS_ROOT}/heat/server.pem
+HEAT_API_KEY=${OSH_SERVER_TLS_ROOT}/heat/server-key.pem
+HEAT_API_CSR=${OSH_SERVER_TLS_ROOT}/heat/server-csr-heat.json
+HEAT_CFN_CRT=${OSH_SERVER_TLS_ROOT}/cloudformation/server.pem
+HEAT_CFN_KEY=${OSH_SERVER_TLS_ROOT}/cloudformation/server-key.pem
+HEAT_CFN_CSR=${OSH_SERVER_TLS_ROOT}/cloudformation/server-csr-cloudformation.json
+
+HORIZON_CRT=${OSH_SERVER_TLS_ROOT}/horizon/server.pem
+HORIZON_KEY=${OSH_SERVER_TLS_ROOT}/horizon/server-key.pem
+HORIZON_CSR=${OSH_SERVER_TLS_ROOT}/horizon/server-csr-horizon.json
+
+GLANCE_API_CRT=${OSH_SERVER_TLS_ROOT}/glance/server.pem
+GLANCE_API_KEY=${OSH_SERVER_TLS_ROOT}/glance/server-key.pem
+GLANCE_API_CSR=${OSH_SERVER_TLS_ROOT}/glance/server-csr-glance.json
+
+CINDER_CRT=${OSH_SERVER_TLS_ROOT}/cinder/server.pem
+CINDER_KEY=${OSH_SERVER_TLS_ROOT}/cinder/server-key.pem
+CINDER_CSR=${OSH_SERVER_TLS_ROOT}/cinder/server-csr-cinder.json
+
+NOVA_API_CRT=${OSH_SERVER_TLS_ROOT}/nova/server.pem
+NOVA_API_KEY=${OSH_SERVER_TLS_ROOT}/nova/server-key.pem
+NOVA_API_CSR=${OSH_SERVER_TLS_ROOT}/nova/server-csr-nova.json
+
+NOVA_NOVNC_CRT=${OSH_SERVER_TLS_ROOT}/novnc/server.pem
+NOVA_NOVNC_KEY=${OSH_SERVER_TLS_ROOT}/novnc/server-key.pem
+NOVA_NOVNC_CSR=${OSH_SERVER_TLS_ROOT}/novnc/server-csr-novnc.json
+
+PLACEMENT_CRT=${OSH_SERVER_TLS_ROOT}/placement/server.pem
+PLACEMENT_KEY=${OSH_SERVER_TLS_ROOT}/placement/server-key.pem
+PLACEMENT_CSR=${OSH_SERVER_TLS_ROOT}/placement/server-csr-placement.json
+
+NEUTRON_SERVER_CRT=${OSH_SERVER_TLS_ROOT}/neutron/server.pem
+NEUTRON_SERVER_KEY=${OSH_SERVER_TLS_ROOT}/neutron/server-key.pem
+NEUTRON_SERVER_CSR=${OSH_SERVER_TLS_ROOT}/neutron/server-csr-neutron.json
+
+BARBICAN_API_CRT=${OSH_SERVER_TLS_ROOT}/barbican/server.pem
+BARBICAN_API_KEY=${OSH_SERVER_TLS_ROOT}/barbican/server-key.pem
+BARBICAN_API_CSR=${OSH_SERVER_TLS_ROOT}/barbican/server-csr-barbican.json
+
+tee /tmp/tls-endpoints.yaml << EOF
+endpoints:
+  object_store:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${SWIFT_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${SWIFT_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${SWIFT_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  identity:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${KEYSTONE_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${KEYSTONE_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${KEYSTONE_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  orchestration:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${HEAT_API_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${HEAT_API_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${HEAT_API_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  cloudformation:
+    scheme:
+      public: https
+    port:
+      cfn:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${HEAT_CFN_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${HEAT_CFN_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${HEAT_CFN_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  dashboard:
+    scheme:
+      public: https
+    port:
+      web:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${HORIZON_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${HORIZON_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${HORIZON_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  image:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${GLANCE_API_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${GLANCE_API_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${GLANCE_API_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  volume:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${CINDER_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${CINDER_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  volumev2:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${CINDER_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${CINDER_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  volumev3:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${CINDER_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${CINDER_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${CINDER_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  compute:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${NOVA_API_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${NOVA_API_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${NOVA_API_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  compute_novnc_proxy:
+    scheme:
+      public: https
+    port:
+      novnc_proxy:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${NOVA_NOVNC_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${NOVA_NOVNC_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${NOVA_NOVNC_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  placement:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${PLACEMENT_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${PLACEMENT_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${PLACEMENT_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${PLACEMENT_ROOT}/ca.pem | sed 's/^/            /')
+  network:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${NEUTRON_SERVER_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${NEUTRON_SERVER_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${NEUTRON_SERVER_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+  key_manager:
+    scheme:
+      public: https
+    port:
+      api:
+        public: 443
+    host_fqdn_override:
+      public:
+        host: "$(cat "${BARBICAN_API_CSR}" | jq -r '.CN')"
+        tls:
+          crt: |
+$(cat ${BARBICAN_API_CRT} | sed 's/^/            /')
+          key: |
+$(cat ${BARBICAN_API_KEY} | sed 's/^/            /')
+          ca: |
+$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/            /')
+EOF
+
+export OSH_EXTRA_HELM_ARGS="--values=/tmp/tls-endpoints.yaml"