openstack-helm/openstack/values_overrides/placement/tls.yaml

---
placement:
  network:
    api:
      ingress:
        annotations:
          nginx.ingress.kubernetes.io/backend-protocol: "https"
  conf:
    software:
      apache2:
        a2enmod:
          - ssl
    placement:
      keystone_authtoken:
        cafile: /etc/placement/certs/ca.crt
    wsgi_placement: |
      Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded
      <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
        ServerName {{ printf "%s.%s.svc.%s" "placement-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
        WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
        WSGIProcessGroup placement-api
        WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /dev/stdout
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
        CustomLog /dev/stdout combined env=!forwarded
        CustomLog /dev/stdout proxy env=forwarded

        SSLEngine on
        SSLCertificateFile      /etc/placement/certs/tls.crt
        SSLCertificateKeyFile   /etc/placement/certs/tls.key
        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder     on
      </VirtualHost>
      Alias /placement /var/www/cgi-bin/placement/placement-api
      <Location /placement>
        SetHandler wsgi-script
        Options +ExecCGI
        WSGIProcessGroup placement-api
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>      
  endpoints:
    identity:
      auth:
        admin:
          cacert: /etc/ssl/certs/openstack-helm.crt
        placement:
          cacert: /etc/ssl/certs/openstack-helm.crt
      scheme:
        default: https
      port:
        api:
          default: 443
    placement:
      host_fqdn_override:
        default:
          tls:
            secretName: placement-tls-api
            issuerRef:
              name: ca-issuer
              kind: ClusterIssuer
      scheme:
        default: https
      port:
        api:
          public: 443
  manifests:
    certificates: true
...