openstack-helm/placement/values_overrides/tls.yaml

---
network:
  api:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
  software:
    apache2:
      a2enmod:
        - ssl
  placement:
    keystone_authtoken:
      cafile: /etc/placement/certs/ca.crt
  wsgi_placement: |
    Listen 0.0.0.0:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded
    <VirtualHost *:{{ tuple "placement" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
      ServerName {{ printf "%s.%s.svc.%s" "placement-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
      WSGIDaemonProcess placement-api processes=4 threads=1 user=placement group=placement display-name=%{GROUP}
      WSGIProcessGroup placement-api
      WSGIScriptAlias / /var/www/cgi-bin/placement/placement-api
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
      </IfVersion>
      ErrorLog /dev/stdout
      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded

      SSLEngine on
      SSLCertificateFile      /etc/placement/certs/tls.crt
      SSLCertificateKeyFile   /etc/placement/certs/tls.key
      SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
      SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLHonorCipherOrder     on
    </VirtualHost>
    Alias /placement /var/www/cgi-bin/placement/placement-api
    <Location /placement>
      SetHandler wsgi-script
      Options +ExecCGI
      WSGIProcessGroup placement-api
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
    </Location>    
endpoints:
  identity:
    auth:
      admin:
        cacert: /etc/ssl/certs/openstack-helm.crt
      placement:
        cacert: /etc/ssl/certs/openstack-helm.crt
    scheme:
      default: https
    port:
      api:
        default: 443
  placement:
    host_fqdn_override:
      default:
        tls:
          secretName: placement-tls-api
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
      service: https
    port:
      api:
        public: 443
manifests:
  certificates: true
...