Add TLS support for telemetry service public endpoints

This commit adds the capability for Aodh, Panko and Gnocchi charts to support TLS on overriden fqdn for public endpoints. Upstream(openstack-helm/openstack-helm-infra) reviews: https://review.opendev.org/#/c/670121/ https://review.opendev.org/#/c/670123/ Change-Id: I3011a9f0f07c9cf1b30694c97f3c02db6cdef56e Partial-Bug: 1826583 Signed-off-by: Angie Wang <angie.wang@windriver.com>
2019-07-10 10:35:52 -04:00 · 2019-07-10 10:35:52 -04:00 · e03692c512
commit e03692c512
parent 56a56693b5
6 changed files with 224 additions and 2 deletions
--- a/openstack-helm-infra/centos/build_srpm.data
+++ b/openstack-helm-infra/centos/build_srpm.data
@ -5,4 +5,4 @@ TAR="$TAR_NAME-$SHA.tar.gz"

 COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/*"

-TIS_PATCH_VER=11
+TIS_PATCH_VER=12
--- a/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack-helm-infra/centos/openstack-helm-infra.spec
@ -20,6 +20,7 @@ Patch02: 0002-Add-imagePullSecrets-in-service-account.patch
 Patch03: 0003-Set-Min-NGINX-handles.patch
 Patch04: 0004-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch
 Patch05: 0005-Add-a-configmap-for-ingress-controller-config.patch
+Patch06: 0006-Add-TLS-support-for-Gnocchi-public-endpoint.patch

 BuildRequires: helm

@ -33,6 +34,7 @@ Openstack Helm Infra charts
 %patch03 -p1
 %patch04 -p1
 %patch05 -p1
+%patch06 -p1

 %build
 # initialize helm and build the toolkit
--- a/openstack-helm-infra/files/0006-Add-TLS-support-for-Gnocchi-public-endpoint.patch
+++ b/openstack-helm-infra/files/0006-Add-TLS-support-for-Gnocchi-public-endpoint.patch
@ -0,0 +1,77 @@
+From e2e9b3c707599b4074ebf504f6a2fa5c185481e2 Mon Sep 17 00:00:00 2001
+From: Angie Wang <angie.wang@windriver.com>
+Date: Tue, 9 Jul 2019 13:37:29 -0400
+Subject: [PATCH 1/1] Add TLS support for Gnocchi public endpoint
+
+Signed-off-by: Angie Wang <angie.wang@windriver.com>
+---
+ gnocchi/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
+ gnocchi/values.yaml                       | 12 ++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 gnocchi/templates/secret-ingress-tls.yaml
+
+diff --git a/gnocchi/templates/secret-ingress-tls.yaml b/gnocchi/templates/secret-ingress-tls.yaml
+new file mode 100644
+index 0000000..fc279cd
+--- /dev/null
+++ b/gnocchi/templates/secret-ingress-tls.yaml
+@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Wind River Systems, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "metric" ) }}
+{{- end }}
+diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml
+index 2d5f48b..73e245f 100644
+--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
+@@ -470,6 +470,10 @@ secrets:
+     admin: gnocchi-db-indexer-admin
+     gnocchi: gnocchi-db-indexer-user
+   rbd: gnocchi-rbd-keyring
+  tls:
+    metric:
+      api:
+        public: gnocchi-tls-public
+ 
+ bootstrap:
+   enabled: false
+@@ -536,6 +540,13 @@ endpoints:
+       public: gnocchi
+     host_fqdn_override:
+       default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+     path:
+       default: null
+     scheme:
+@@ -631,6 +642,7 @@ manifests:
+   pod_gnocchi_test: true
+   secret_db: true
+   secret_keystone: true
+  secret_ingress_tls: true
+   service_api: true
+   service_ingress_api: true
+   service_statsd: true
+-- 
+1.8.3.1
+
--- a/openstack-helm/centos/build_srpm.data
+++ b/openstack-helm/centos/build_srpm.data
@ -5,4 +5,4 @@ TAR="$TAR_NAME-$SHA.tar.gz"

 COPY_LIST="${CGCS_BASE}/downloads/$TAR $PKG_BASE/files/* "

-TIS_PATCH_VER=19
+TIS_PATCH_VER=20
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@ -37,6 +37,7 @@ Patch15: 0015-Add-Placement-Chart.patch
 Patch16: 0016-Cinder-rename-is_ceph_volume-configured.patch
 Patch17: 0017-Cinder-support-multiple-ceph-volume-backends.patch
 Patch18: 0018-Nova-add-service-token.patch
+Patch19: 0019-Add-TLS-support-for-Aodh-and-Panko-public-endpoints.patch

 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -65,6 +66,7 @@ Openstack Helm charts
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1

 %build
 # initialize helm and build the toolkit
--- a/openstack-helm/files/0019-Add-TLS-support-for-Aodh-and-Panko-public-endpoints.patch
+++ b/openstack-helm/files/0019-Add-TLS-support-for-Aodh-and-Panko-public-endpoints.patch
@ -0,0 +1,141 @@
+From c92678ff20a3ab9b07861131966ea38b340dfff8 Mon Sep 17 00:00:00 2001
+From: Angie Wang <angie.wang@windriver.com>
+Date: Tue, 9 Jul 2019 14:22:02 -0400
+Subject: [PATCH 1/1] Add TLS support for Aodh and Panko public endpoints
+
+Signed-off-by: Angie Wang <angie.wang@windriver.com>
+---
+ aodh/templates/secret-ingress-tls.yaml  | 19 +++++++++++++++++++
+ aodh/values.yaml                        | 12 ++++++++++++
+ panko/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
+ panko/values.yaml                       | 12 ++++++++++++
+ 4 files changed, 62 insertions(+)
+ create mode 100644 aodh/templates/secret-ingress-tls.yaml
+ create mode 100644 panko/templates/secret-ingress-tls.yaml
+
+diff --git a/aodh/templates/secret-ingress-tls.yaml b/aodh/templates/secret-ingress-tls.yaml
+new file mode 100644
+index 0000000..707b38c
+--- /dev/null
+++ b/aodh/templates/secret-ingress-tls.yaml
+@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Wind River Systems, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "alarming" ) }}
+{{- end }}
+diff --git a/aodh/values.yaml b/aodh/values.yaml
+index 90c9fac..cf7c6d7 100644
+--- a/aodh/values.yaml
+++ b/aodh/values.yaml
+@@ -536,6 +536,10 @@ secrets:
+   oslo_messaging:
+     admin: aodh-rabbitmq-admin
+     aodh: aodh-rabbitmq-user
+  tls:
+    alarming:
+      api:
+        public: aodh-tls-public
+ 
+ bootstrap:
+   enabled: false
+@@ -598,6 +602,13 @@ endpoints:
+       public: aodh
+     host_fqdn_override:
+       default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+     path:
+       default: null
+     scheme:
+@@ -696,5 +707,6 @@ manifests:
+   secret_db: true
+   secret_keystone: true
+   secret_rabbitmq: true
+  secret_ingress_tls: true
+   service_api: true
+   service_ingress_api: true
+diff --git a/panko/templates/secret-ingress-tls.yaml b/panko/templates/secret-ingress-tls.yaml
+new file mode 100644
+index 0000000..9773f53
+--- /dev/null
+++ b/panko/templates/secret-ingress-tls.yaml
+@@ -0,0 +1,19 @@
+{{/*
+Copyright 2019 Wind River Systems, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "event" ) }}
+{{- end }}
+diff --git a/panko/values.yaml b/panko/values.yaml
+index 7adefd0..3acaf06 100644
+--- a/panko/values.yaml
+++ b/panko/values.yaml
+@@ -159,6 +159,10 @@ secrets:
+   oslo_db:
+     admin: panko-db-admin
+     panko: panko-db-user
+  tls:
+    event:
+      api:
+        public: panko-tls-public
+ 
+ bootstrap:
+   enabled: false
+@@ -374,6 +378,13 @@ endpoints:
+       public: panko
+     host_fqdn_override:
+       default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+     path:
+       default: null
+     scheme:
+@@ -580,6 +591,7 @@ manifests:
+   pod_rally_test: true
+   secret_db: true
+   secret_keystone: true
+  secret_ingress_tls: true
+   service_api: true
+   service_ingress_api: true
+ 
+-- 
+1.8.3.1
+