Add support for trust public ingress

Adding a certificate and ca_certificate using: `certificate-install -m {openstack | openstack_ca}` ends up breaking openstack application. OS-STX forces public endpoint and when such endpoint has TLS enabled everything breaks, therefore based on the implementation of tls support for openstack-helm that enables tls for the openstack services we picked the trust cert code without actually enabling tls backends Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com> Change-Id: I2dfc7c12defcc948fcdc353251301980e65f3011 Closes-Bug: 1937260
2021-07-22 09:40:12 -03:00 · 2021-07-22 09:40:12 -03:00 · 4fa28660d3
commit 4fa28660d3
parent 2c483f00e2
10 changed files with 2076 additions and 3 deletions
--- a/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack-helm-infra/centos/openstack-helm-infra.spec
@ -30,6 +30,7 @@ Patch12: 0012-enable-Values.conf.database.config_override-for-mari.patch
 Patch13: 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch
 Patch14: 0014-Add-tolerations-to-rabbitmq-chart.patch
 Patch15: 0015-Add-tolerations-to-mariadb-chart.patch
 Patch16: 0016-Add-Trust-ingress-support-to-helm-toolkit.patch
 BuildRequires: helm
 BuildRequires: chartmuseum
@ -54,6 +55,7 @@ Openstack Helm Infra charts
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
 %build
 # Host a server for the charts
--- a/openstack-helm-infra/files/0016-Add-Trust-ingress-support-to-helm-toolkit.patch
+++ b/openstack-helm-infra/files/0016-Add-Trust-ingress-support-to-helm-toolkit.patch
@ -0,0 +1,365 @@
 From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001
 From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
 Date: Thu, 22 Jul 2021 09:01:02 -0300
 Subject: [PATCH] Add Trust ingress support to helm-toolkit
 This patch enables the following OpenStack services to trust
 public ingress certificate: keystone, horizon, glance,
 cinder, heat, nova, placement and neutron.
 This patch is roughly based on
 https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194
 Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
 ---
 .../templates/manifests/_job-bootstrap.tpl    |  5 +-
 .../templates/manifests/_job-ks-endpoints.tpl |  5 +-
 .../templates/manifests/_job-ks-service.tpl   |  5 +-
 .../templates/manifests/_job-ks-user.yaml.tpl |  5 +-
 .../templates/scripts/_rally_test.sh.tpl      |  2 +-
 .../snippets/_keystone_openrc_env_vars.tpl    | 13 +++
 .../snippets/_keystone_secret_openrc.tpl      |  3 +
 .../_keystone_user_create_env_vars.tpl        |  1 +
 .../templates/snippets/_tls_volume.tpl        | 47 +++++++++++
 .../templates/snippets/_tls_volume_mount.tpl  | 82 +++++++++++++++++++
 10 files changed, 163 insertions(+), 5 deletions(-)
 create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl
 create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl
 diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
 index 9c1f9aae..c67a4a70 100644
 --- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
 +++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -29,6 +29,7 @@ limitations under the License.
 {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
 {{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
 {{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
 {{- $openrc := index . "openrc" | default "true" -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -68,7 +69,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{- if eq $openrc "true" }}
           env:
 -{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
 +{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 {{- end }}
@@ -93,6 +94,7 @@ spec:
               mountPath: {{ $logConfigFile | quote }}
               subPath: {{ base $logConfigFile | quote }}
               readOnly: true
 +{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- if $podVolMounts }}
 {{ $podVolMounts | toYaml | indent 12 }}
 {{- end }}
@@ -115,6 +117,7 @@ spec:
           secret:
             secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 +{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
 index 11e77335..674bb214 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -25,6 +25,7 @@ limitations under the License.
 {{- $serviceTypes := index . "serviceTypes" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -73,8 +74,9 @@ spec:
               mountPath: /tmp/ks-endpoints.sh
               subPath: ks-endpoints.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
@@ -100,4 +102,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl
 index 71cc9094..f3a9503e 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -25,6 +25,7 @@ limitations under the License.
 {{- $serviceTypes := index . "serviceTypes" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -72,8 +73,9 @@ spec:
               mountPath: /tmp/ks-service.sh
               subPath: ks-service.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
@@ -94,4 +96,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
 index 1003e4f7..2fafaa16 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -26,6 +26,7 @@ limitations under the License.
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $serviceUser := index . "serviceUser" | default $serviceName -}}
 {{- $secretBin := index . "secretBin" -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
 {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
@@ -71,8 +72,9 @@ spec:
               mountPath: /tmp/ks-user.sh
               subPath: ks-user.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -100,4 +102,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end -}}
 diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
 index a7b614a6..ccaf435b 100644
 --- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl
 +++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF
             }
         ],
         "https_insecure": false,
 -        "https_cacert": ""
 +		"https_cacert": "${OS_CACERT}"
     }
 }
 EOF
 diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
 index d856ab21..dcbb361a 100644
 --- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -67,9 +67,15 @@ return: |
       secretKeyRef:
         name: example-keystone-admin
         key: OS_PASSWORD
 +  - name: OS_CACERT
 +    valueFrom:
 +      secretKeyRef:
 +        name: example-keystone-admin
 +        key: OS_CACERT
 */}}
 {{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
 +{{- $useCA := .useCA -}}
 {{- $ksUserSecret := .ksUserSecret }}
 - name: OS_IDENTITY_API_VERSION
   value: "3"
@@ -118,4 +124,11 @@ return: |
     secretKeyRef:
       name: {{ $ksUserSecret }}
       key: OS_DEFAULT_DOMAIN
 +{{- if $useCA }}
 +- name: OS_CACERT
 +  valueFrom:
 +    secretKeyRef:
 +      name: {{ $ksUserSecret }}
 +      key: OS_CACERT
 +{{- end }}
 {{- end }}
 diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
 index f6083b9b..e328ea4a 100644
 --- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
 OS_USERNAME: {{ $userContext.username | b64enc }}
 OS_PASSWORD: {{ $userContext.password | b64enc }}
 OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
 +{{- if $userContext.cacert }}
 +OS_CACERT: {{ $userContext.cacert | b64enc }}
 +{{- end }}
 {{- end }}
 diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
 index 622757bc..ff717ef3 100644
 --- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -24,6 +24,7 @@ values: |
       service_user: example-keystone-user
 usage: |
   {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}
 +  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
 return: |
   - name: SERVICE_OS_REGION_NAME
     valueFrom:
 diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl
 new file mode 100644
 index 00000000..41fe3d96
 --- /dev/null
 +++ b/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
 +{{/*
 +Licensed under the Apache License, Version 2.0 (the "License");
 +you may not use this file except in compliance with the License.
 +You may obtain a copy of the License at
 +
 +  http://www.apache.org/licenses/LICENSE-2.0
 +
 +Unless required by applicable law or agreed to in writing, software
 +distributed under the License is distributed on an "AS IS" BASIS,
 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +See the License for the specific language governing permissions and
 +limitations under the License.
 +*/}}
 +{{/*
 +abstract: |
 +  Renders a secret volume for tls.
 +
 +  Dictionary Parameters:
 +    enabled: boolean check if you want to conditional disable this snippet (optional)
 +    name: name of the volume (required)
 +    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
 +
 +values: |
 +  manifests:
 +    certificates: true
 +
 +usage: |
 +  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    secret:
 +      secretName: glance-tls-api
 +      defaultMode: 292
 +*/}}
 +{{- define "helm-toolkit.snippets.tls_volume" }}
 +{{- $enabled := index . "enabled" -}}
 +{{- $name := index . "name" -}}
 +{{- $secretName := index . "secretName" | default $name -}}
 +{{- if and $enabled (ne $name "") }}
 +- name: {{ $name }}
 +  secret:
 +    secretName: {{ $secretName }}
 +    defaultMode: 292
 +{{- end }}
 +{{- end }}
 diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
 new file mode 100644
 index 00000000..9cfa8195
 --- /dev/null
 +++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
 +{{/*
 +Licensed under the Apache License, Version 2.0 (the "License");
 +you may not use this file except in compliance with the License.
 +You may obtain a copy of the License at
 +
 +  http://www.apache.org/licenses/LICENSE-2.0
 +
 +Unless required by applicable law or agreed to in writing, software
 +distributed under the License is distributed on an "AS IS" BASIS,
 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +See the License for the specific language governing permissions and
 +limitations under the License.
 +*/}}
 +{{/*
 +abstract: |
 +  Renders a volume mount for TLS key, cert and CA.
 +
 +  Dictionary Parameters:
 +    enabled: boolean check if you want to conditional disable this snippet (optional)
 +    name: name that of the volume and should match the volume name (required)
 +    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
 +    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
 +          the default is the full set. (optional)
 +
 +values: |
 +  manifests:
 +    certificates: true
 +
 +usage: |
 +  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/tls.crt
 +    subPath: tls.crt
 +    readOnly: true
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/tls.key
 +    subPath: tls.key
 +    readOnly: true
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/ca.crt
 +    subPath: ca.crt
 +    readOnly: true
 +
 +abstract: |
 +  This mounts a specific issuing CA only for service validation
 +
 +usage: |
 +  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    mountPath: /etc/ssl/certs/openstack-helm.crt
 +    subPath: ca.crt
 +    readOnly: true
 +*/}}
 +{{- define "helm-toolkit.snippets.tls_volume_mount" }}
 +{{- $enabled := index . "enabled" -}}
 +{{- $name := index . "name" -}}
 +{{- $path := index . "path" | default "" -}}
 +{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
 +{{- if $enabled }}
 +{{- if and (eq $path "") (ne $name "") }}
 +- name: {{ $name }}
 +  mountPath: "/etc/ssl/certs/openstack-helm.crt"
 +  subPath: ca.crt
 +  readOnly: true
 +{{- else }}
 +{{- if ne $name "" }}
 +{{- range $key, $value := $certs }}
 +- name: {{ $name }}
 +  mountPath: {{ printf "%s/%s" $path $value }}
 +  subPath: {{ $value }}
 +  readOnly: true
 +{{- end }}
 +{{- end }}
 +{{- end }}
 +{{- end }}
 +{{- end }}
 -- 
 2.17.1
--- a/openstack-helm-infra/files/0017-Add-Trust-ingress-support-to-helm-toolkit.patch
+++ b/openstack-helm-infra/files/0017-Add-Trust-ingress-support-to-helm-toolkit.patch
@ -0,0 +1,365 @@
 From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001
 From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
 Date: Thu, 22 Jul 2021 09:01:02 -0300
 Subject: [PATCH] Add Trust ingress support to helm-toolkit
 This patch enables the following OpenStack services to trust
 public ingress certificate: keystone, horizon, glance,
 cinder, heat, nova, placement and neutron.
 This patch is roughly based on
 https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194
 Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
 ---
 .../templates/manifests/_job-bootstrap.tpl    |  5 +-
 .../templates/manifests/_job-ks-endpoints.tpl |  5 +-
 .../templates/manifests/_job-ks-service.tpl   |  5 +-
 .../templates/manifests/_job-ks-user.yaml.tpl |  5 +-
 .../templates/scripts/_rally_test.sh.tpl      |  2 +-
 .../snippets/_keystone_openrc_env_vars.tpl    | 13 +++
 .../snippets/_keystone_secret_openrc.tpl      |  3 +
 .../_keystone_user_create_env_vars.tpl        |  1 +
 .../templates/snippets/_tls_volume.tpl        | 47 +++++++++++
 .../templates/snippets/_tls_volume_mount.tpl  | 82 +++++++++++++++++++
 10 files changed, 163 insertions(+), 5 deletions(-)
 create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl
 create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl
 diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
 index 9c1f9aae..c67a4a70 100644
 --- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
 +++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -29,6 +29,7 @@ limitations under the License.
 {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
 {{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
 {{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
 {{- $openrc := index . "openrc" | default "true" -}}
 {{- $secretBin := index . "secretBin" -}}
@@ -68,7 +69,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{- if eq $openrc "true" }}
           env:
 -{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
 +{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 {{- end }}
@@ -93,6 +94,7 @@ spec:
               mountPath: {{ $logConfigFile | quote }}
               subPath: {{ base $logConfigFile | quote }}
               readOnly: true
 +{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- if $podVolMounts }}
 {{ $podVolMounts | toYaml | indent 12 }}
 {{- end }}
@@ -115,6 +117,7 @@ spec:
           secret:
             secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 +{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
 index 11e77335..674bb214 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -25,6 +25,7 @@ limitations under the License.
 {{- $serviceTypes := index . "serviceTypes" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -73,8 +74,9 @@ spec:
               mountPath: /tmp/ks-endpoints.sh
               subPath: ks-endpoints.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SVC_ENDPOINT
@@ -100,4 +102,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl
 index 71cc9094..f3a9503e 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -25,6 +25,7 @@ limitations under the License.
 {{- $serviceTypes := index . "serviceTypes" -}}
 {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $secretBin := index . "secretBin" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -72,8 +73,9 @@ spec:
               mountPath: /tmp/ks-service.sh
               subPath: ks-service.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: OS_SERVICE_NAME
@@ -94,4 +96,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
 diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
 index 1003e4f7..2fafaa16 100644
 --- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
 +++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -26,6 +26,7 @@ limitations under the License.
 {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
 {{- $serviceUser := index . "serviceUser" | default $serviceName -}}
 {{- $secretBin := index . "secretBin" -}}
 +{{- $tlsSecret := index . "tlsSecret" | default "" -}}
 {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
 {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
 {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
@@ -71,8 +72,9 @@ spec:
               mountPath: /tmp/ks-user.sh
               subPath: ks-user.sh
               readOnly: true
 +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
           env:
 -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
 +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
             - name: SERVICE_OS_SERVICE_NAME
@@ -100,4 +102,5 @@ spec:
             name: {{ $configMapBin | quote }}
             defaultMode: 0555
 {{- end }}
 +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end -}}
 diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
 index a7b614a6..ccaf435b 100644
 --- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl
 +++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF
             }
         ],
         "https_insecure": false,
 -        "https_cacert": ""
 +		"https_cacert": "${OS_CACERT}"
     }
 }
 EOF
 diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
 index d856ab21..dcbb361a 100644
 --- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -67,9 +67,15 @@ return: |
       secretKeyRef:
         name: example-keystone-admin
         key: OS_PASSWORD
 +  - name: OS_CACERT
 +    valueFrom:
 +      secretKeyRef:
 +        name: example-keystone-admin
 +        key: OS_CACERT
 */}}
 {{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
 +{{- $useCA := .useCA -}}
 {{- $ksUserSecret := .ksUserSecret }}
 - name: OS_IDENTITY_API_VERSION
   value: "3"
@@ -118,4 +124,11 @@ return: |
     secretKeyRef:
       name: {{ $ksUserSecret }}
       key: OS_DEFAULT_DOMAIN
 +{{- if $useCA }}
 +- name: OS_CACERT
 +  valueFrom:
 +    secretKeyRef:
 +      name: {{ $ksUserSecret }}
 +      key: OS_CACERT
 +{{- end }}
 {{- end }}
 diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
 index f6083b9b..e328ea4a 100644
 --- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
 OS_USERNAME: {{ $userContext.username | b64enc }}
 OS_PASSWORD: {{ $userContext.password | b64enc }}
 OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
 +{{- if $userContext.cacert }}
 +OS_CACERT: {{ $userContext.cacert | b64enc }}
 +{{- end }}
 {{- end }}
 diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
 index 622757bc..ff717ef3 100644
 --- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
 +++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -24,6 +24,7 @@ values: |
       service_user: example-keystone-user
 usage: |
   {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}
 +  {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
 return: |
   - name: SERVICE_OS_REGION_NAME
     valueFrom:
 diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl
 new file mode 100644
 index 00000000..41fe3d96
 --- /dev/null
 +++ b/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
 +{{/*
 +Licensed under the Apache License, Version 2.0 (the "License");
 +you may not use this file except in compliance with the License.
 +You may obtain a copy of the License at
 +
 +  http://www.apache.org/licenses/LICENSE-2.0
 +
 +Unless required by applicable law or agreed to in writing, software
 +distributed under the License is distributed on an "AS IS" BASIS,
 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +See the License for the specific language governing permissions and
 +limitations under the License.
 +*/}}
 +{{/*
 +abstract: |
 +  Renders a secret volume for tls.
 +
 +  Dictionary Parameters:
 +    enabled: boolean check if you want to conditional disable this snippet (optional)
 +    name: name of the volume (required)
 +    secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
 +
 +values: |
 +  manifests:
 +    certificates: true
 +
 +usage: |
 +  {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    secret:
 +      secretName: glance-tls-api
 +      defaultMode: 292
 +*/}}
 +{{- define "helm-toolkit.snippets.tls_volume" }}
 +{{- $enabled := index . "enabled" -}}
 +{{- $name := index . "name" -}}
 +{{- $secretName := index . "secretName" | default $name -}}
 +{{- if and $enabled (ne $name "") }}
 +- name: {{ $name }}
 +  secret:
 +    secretName: {{ $secretName }}
 +    defaultMode: 292
 +{{- end }}
 +{{- end }}
 diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
 new file mode 100644
 index 00000000..9cfa8195
 --- /dev/null
 +++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
 +{{/*
 +Licensed under the Apache License, Version 2.0 (the "License");
 +you may not use this file except in compliance with the License.
 +You may obtain a copy of the License at
 +
 +  http://www.apache.org/licenses/LICENSE-2.0
 +
 +Unless required by applicable law or agreed to in writing, software
 +distributed under the License is distributed on an "AS IS" BASIS,
 +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +See the License for the specific language governing permissions and
 +limitations under the License.
 +*/}}
 +{{/*
 +abstract: |
 +  Renders a volume mount for TLS key, cert and CA.
 +
 +  Dictionary Parameters:
 +    enabled: boolean check if you want to conditional disable this snippet (optional)
 +    name: name that of the volume and should match the volume name (required)
 +    path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
 +    certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
 +          the default is the full set. (optional)
 +
 +values: |
 +  manifests:
 +    certificates: true
 +
 +usage: |
 +  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/tls.crt
 +    subPath: tls.crt
 +    readOnly: true
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/tls.key
 +    subPath: tls.key
 +    readOnly: true
 +  - name: glance-tls-api
 +    mountPath: /etc/glance/certs/ca.crt
 +    subPath: ca.crt
 +    readOnly: true
 +
 +abstract: |
 +  This mounts a specific issuing CA only for service validation
 +
 +usage: |
 +  {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
 +  {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
 +
 +return: |
 +  - name: glance-tls-api
 +    mountPath: /etc/ssl/certs/openstack-helm.crt
 +    subPath: ca.crt
 +    readOnly: true
 +*/}}
 +{{- define "helm-toolkit.snippets.tls_volume_mount" }}
 +{{- $enabled := index . "enabled" -}}
 +{{- $name := index . "name" -}}
 +{{- $path := index . "path" | default "" -}}
 +{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
 +{{- if $enabled }}
 +{{- if and (eq $path "") (ne $name "") }}
 +- name: {{ $name }}
 +  mountPath: "/etc/ssl/certs/openstack-helm.crt"
 +  subPath: ca.crt
 +  readOnly: true
 +{{- else }}
 +{{- if ne $name "" }}
 +{{- range $key, $value := $certs }}
 +- name: {{ $name }}
 +  mountPath: {{ printf "%s/%s" $path $value }}
 +  subPath: {{ $value }}
 +  readOnly: true
 +{{- end }}
 +{{- end }}
 +{{- end }}
 +{{- end }}
 +{{- end }}
 -- 
 2.17.1
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@ -29,6 +29,7 @@ Patch07: 0007-Allow-more-generic-overrides-for-placeme.patch
 Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
 Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch
 Patch10: 0010-Add-stx_admin-account.patch
 Patch11: 0011-Trust-public-ingress-certificate.patch
 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -50,6 +51,7 @@ Openstack Helm charts
 %patch08 -p1
 %patch09 -p1
 %patch10 -p1
 %patch11 -p1
 %build
 # Stage helm-toolkit in the local repo
--- a/openstack-helm/files/0010-Add-stx_admin-account.patch
+++ b/openstack-helm/files/0010-Add-stx_admin-account.patch
@ -100,4 +100,3 @@ index 473379d..68bbcdd 100644
   pod_rally_test: true
 -- 
 2.7.4
--- a/openstack-helm/files/0011-Trust-public-ingress-certificate.patch
+++ b/openstack-helm/files/0011-Trust-public-ingress-certificate.patch
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
@ -74,6 +74,7 @@ spec:
              mountPath: /etc/proxy/api-proxy-paste.ini
              subPath: api-proxy-paste.ini
              readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: nova-api-proxy-bin
@ -84,5 +85,6 @@ spec:
          configMap:
            name: nova-api-proxy-etc
            defaultMode: 0777
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
@ -8,5 +8,8 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if .Values.manifests.certificates -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml
@ -291,7 +291,7 @@ secrets:
  tls:
    compute:
      api_proxy:
-        public: nova-api-proxy-tls-public
+        public: nova-tls-public
 manifests:
  configmap_bin: true
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@ -3213,8 +3213,10 @@ data:
            # Disable SSL certificate checks (useful for self-signed certificates):
            #OPENSTACK_SSL_NO_VERIFY = True
            {{- if .Values.manifests.certificates }}
            # The CA certificate to use to verify SSL connections
-            #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+            OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt'
            {{- end }}
            # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
            # capabilities of the auth backend for Keystone.