From f16ac058664c54bec443fa767517d0965d6a5e6a Mon Sep 17 00:00:00 2001 From: josebb Date: Thu, 2 Dec 2021 19:12:18 +0200 Subject: [PATCH] Support TLS endpoints in cinder This allows cinder to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And cinder itself interact with other openstack services via endpoints. Change-Id: Id5668f9dde1f63fe472fef639571936de831e217 --- cinder/Chart.yaml | 2 +- .../cron-job-cinder-volume-usage-audit.yaml | 7 +++++++ cinder/templates/deployment-api.yaml | 9 +++++++-- cinder/templates/deployment-volume.yaml | 13 +++++++++---- cinder/templates/job-bootstrap.yaml | 2 +- cinder/templates/job-create-internal-tenant.yaml | 6 +++--- cinder/templates/job-ks-endpoints.yaml | 2 +- cinder/templates/job-ks-service.yaml | 2 +- cinder/templates/job-ks-user.yaml | 2 +- cinder/values.yaml | 5 +++++ cinder/values_overrides/tls-offloading.yaml | 12 ++++++++++++ releasenotes/notes/cinder.yaml | 1 + 12 files changed, 49 insertions(+), 14 deletions(-) create mode 100644 cinder/values_overrides/tls-offloading.yaml diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml index 4642bfeebf..d1d2279dbc 100644 --- a/cinder/Chart.yaml +++ b/cinder/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Cinder name: cinder -version: 0.2.26 +version: 0.2.27 home: https://docs.openstack.org/cinder/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png sources: diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml index c1c317c3a0..1d935f1255 100644 --- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml @@ -64,6 +64,11 @@ spec: {{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} {{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/cinder/certs/ca.crt" +{{- end }} command: - /tmp/volume-usage-audit.sh volumeMounts: @@ -85,6 +90,7 @@ spec: mountPath: /tmp/volume-usage-audit.sh subPath: volume-usage-audit.sh readOnly: true +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }} @@ -101,6 +107,7 @@ spec: configMap: name: cinder-bin defaultMode: 0555 +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }} diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index 4eb009553f..b8d305b615 100644 --- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml @@ -80,6 +80,11 @@ spec: command: - /tmp/cinder-api.sh - start + env: +{{- if or .Values.manifests.certificates .Values.tls.identity }} + - name: REQUESTS_CA_BUNDLE + value: "/etc/cinder/certs/ca.crt" +{{- end }} lifecycle: preStop: exec: @@ -156,7 +161,7 @@ spec: readOnly: true {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} volumes: @@ -179,7 +184,7 @@ spec: emptyDir: {} {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 135672a0f7..ad605da046 100755 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml @@ -131,9 +131,9 @@ spec: readOnly: true - name: pod-shared mountPath: /tmp/pod-shared -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: INTERNAL_PROJECT_NAME @@ -150,6 +150,11 @@ spec: {{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/cinder-volume.sh + env: +{{- if or .Values.manifests.certificates .Values.tls.identity }} + - name: REQUESTS_CA_BUNDLE + value: "/etc/cinder/certs/ca.crt" +{{- end }} terminationMessagePath: /var/log/termination-log volumeMounts: - name: pod-tmp @@ -269,7 +274,7 @@ spec: mountPropagation: HostToContainer {{- end }} {{- end }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} @@ -333,7 +338,7 @@ spec: path: /sys {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index 0db54091f7..a7b590e224 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "5" {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- end -}} {{- if .Values.pod.tolerations.cinder.enabled -}} diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml index b298e369d7..78de218893 100644 --- a/cinder/templates/job-create-internal-tenant.yaml +++ b/cinder/templates/job-create-internal-tenant.yaml @@ -68,9 +68,9 @@ spec: mountPath: /tmp/create-internal-tenant.sh subPath: create-internal-tenant.sh readOnly: true -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -97,5 +97,5 @@ spec: configMap: name: {{ $configMapBin | quote }} defaultMode: 0555 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end -}} diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml index 6b0493d923..99d5360ef3 100644 --- a/cinder/templates/job-ks-endpoints.yaml +++ b/cinder/templates/job-ks-endpoints.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2" {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml index 329950641b..159f66a577 100644 --- a/cinder/templates/job-ks-service.yaml +++ b/cinder/templates/job-ks-service.yaml @@ -25,7 +25,7 @@ helm.sh/hook-weight: "-3" {{- end }} {{- end }} {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index 4cd671d8fc..78f48cfc8f 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1" {{- if .Values.manifests.job_ks_user }} {{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/cinder/values.yaml b/cinder/values.yaml index 647a0492a1..6c5d7014fe 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1481,6 +1481,11 @@ network_policy: # set helm3_hook: false when using the helm2 binary. helm3_hook: true +tls: + identity: false + oslo_messaging: false + oslo_db: false + manifests: certificates: false configmap_bin: true diff --git a/cinder/values_overrides/tls-offloading.yaml b/cinder/values_overrides/tls-offloading.yaml new file mode 100644 index 0000000000..914ab5e6c5 --- /dev/null +++ b/cinder/values_overrides/tls-offloading.yaml @@ -0,0 +1,12 @@ +--- +endpoints: + identity: + auth: + admin: + cacert: /etc/ssl/certs/openstack-helm.crt + test: + cacert: /etc/ssl/certs/openstack-helm.crt + +tls: + identity: true +... diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml index 8ef8a58fef..d859e60b12 100644 --- a/releasenotes/notes/cinder.yaml +++ b/releasenotes/notes/cinder.yaml @@ -43,4 +43,5 @@ cinder: - 0.2.24 Fix conditional check for cinder.utils.has_ceph_backend template - 0.2.25 Remove volumes unrelated with ceph backend from conditional volume list in cinder-volume deployment - 0.2.26 Distinguish between port number of internal endpoint and binding port number + - 0.2.27 Support TLS endpoints ...