From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001 From: Lucas Cavalcante Date: Thu, 22 Jul 2021 09:01:02 -0300 Subject: [PATCH] Add Trust ingress support to helm-toolkit This patch enables the following OpenStack services to trust public ingress certificate: keystone, horizon, glance, cinder, heat, nova, placement and neutron. This patch is roughly based on https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194 Signed-off-by: Lucas Cavalcante --- .../templates/manifests/_job-bootstrap.tpl | 5 +- .../templates/manifests/_job-ks-endpoints.tpl | 5 +- .../templates/manifests/_job-ks-service.tpl | 5 +- .../templates/manifests/_job-ks-user.yaml.tpl | 5 +- .../templates/scripts/_rally_test.sh.tpl | 2 +- .../snippets/_keystone_openrc_env_vars.tpl | 13 +++ .../snippets/_keystone_secret_openrc.tpl | 3 + .../_keystone_user_create_env_vars.tpl | 1 + .../templates/snippets/_tls_volume.tpl | 47 +++++++++++ .../templates/snippets/_tls_volume_mount.tpl | 82 +++++++++++++++++++ 10 files changed, 163 insertions(+), 5 deletions(-) create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl index 9c1f9aae..c67a4a70 100644 --- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl +++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl 
@@ -29,6 +29,7 @@ limitations under the License. {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} {{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}} {{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $keystoneUser := index . "keystoneUser" | default $serviceName -}} {{- $openrc := index . "openrc" | default "true" -}} {{- $secretBin := index . "secretBin" -}} @@ -68,7 +69,7 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{- if eq $openrc "true" }} env: -{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} +{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} {{- end }} @@ -93,6 +94,7 @@ spec: mountPath: {{ $logConfigFile | quote }} subPath: {{ base $logConfigFile | quote }} readOnly: true +{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- if $podVolMounts }} {{ $podVolMounts | toYaml | indent 12 }} {{- end }} @@ -115,6 +117,7 @@ spec: secret: secretName: {{ $configMapEtc | quote }} defaultMode: 0444 +{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if $podVols }} {{ $podVols | toYaml | indent 8 }} {{- end }} diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl index 11e77335..674bb214 100644 --- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl +++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl 
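Review bot: The guard `ne $tlsSecret ""` is written out three times in this hunk (the `useCA` entry on the env dict, the volumeMount `enabled`, and the volume `enabled`), so the three copies can drift if one is edited later. Compute it once beside the other locals — `{{- $useCA := ne $tlsSecret "" -}}` directly after the `$tlsSecret` line — and pass `$useCA` at all three sites. This caller also omits the `"ca" true` that the ks-* jobs pass to the mount snippet; the outcome is the same because `tls_volume_mount` selects its CA-only form from the empty `path`, but a short template comment on the mount line saying that only `ca.crt` is mounted, at `/etc/ssl/certs/openstack-helm.crt`, would spare the next reader the lookup.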
@@ -25,6 +25,7 @@ limitations under the License. {{- $serviceTypes := index . "serviceTypes" -}} {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $secretBin := index . "secretBin" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} @@ -73,8 +74,9 @@ spec: mountPath: /tmp/ks-endpoints.sh subPath: ks-endpoints.sh readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SVC_ENDPOINT @@ -100,4 +102,5 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl index 71cc9094..f3a9503e 100644 --- a/helm-toolkit/templates/manifests/_job-ks-service.tpl +++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl 
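Review bot: `enabled` is hard-coded to `true` on both the volumeMount and the volume lines, whereas `_job-bootstrap.tpl` passes `(ne $tlsSecret "")` to the same two snippets; the rendering is identical only because each snippet separately refuses to emit anything when `name` is empty, so the intent here rests on a check inside the callee. Passing `(ne $tlsSecret "")` as `enabled` here — and in the ks-service and ks-user jobs, which copy this pattern verbatim — keeps the callers consistent and self-explanatory. The `"ca" true` key on the mount line is not read by `tls_volume_mount` as written (it looks up only `enabled`, `name`, `path` and `certs`), so it is inert here.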
@@ -25,6 +25,7 @@ limitations under the License. {{- $serviceTypes := index . "serviceTypes" -}} {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $secretBin := index . "secretBin" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} @@ -72,8 +73,9 @@ spec: mountPath: /tmp/ks-service.sh subPath: ks-service.sh readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: OS_SERVICE_NAME @@ -94,4 +96,5 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl index 1003e4f7..2fafaa16 100644 --- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl 
@@ -26,6 +26,7 @@ limitations under the License. {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} {{- $serviceUser := index . "serviceUser" | default $serviceName -}} {{- $secretBin := index . "secretBin" -}} +{{- $tlsSecret := index . "tlsSecret" | default "" -}} {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} @@ -71,8 +72,9 @@ spec: mountPath: /tmp/ks-user.sh subPath: ks-user.sh readOnly: true +{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} +{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -100,4 +102,5 @@ spec: name: {{ $configMapBin | quote }} defaultMode: 0555 {{- end }} +{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end -}} diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl index a7b614a6..ccaf435b 100644 --- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl +++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl @@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF } ], "https_insecure": false, - "https_cacert": "" + "https_cacert": "${OS_CACERT}" } } EOF diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl index d856ab21..dcbb361a 100644 --- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl +++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl 
@@ -67,9 +67,15 @@ return: | secretKeyRef: name: example-keystone-admin key: OS_PASSWORD + - name: OS_CACERT + valueFrom: + secretKeyRef: + name: example-keystone-admin + key: OS_CACERT */}} {{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} +{{- $useCA := .useCA -}} {{- $ksUserSecret := .ksUserSecret }} - name: OS_IDENTITY_API_VERSION value: "3" @@ -118,4 +124,11 @@ return: | secretKeyRef: name: {{ $ksUserSecret }} key: OS_DEFAULT_DOMAIN +{{- if $useCA }} +- name: OS_CACERT + valueFrom: + secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_CACERT +{{- end }} {{- end }} diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl index f6083b9b..e328ea4a 100644 --- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl +++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl @@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }} OS_USERNAME: {{ $userContext.username | b64enc }} OS_PASSWORD: {{ $userContext.password | b64enc }} OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }} +{{- if $userContext.cacert }} +OS_CACERT: {{ $userContext.cacert | b64enc }} +{{- end }} {{- end }} diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl index 622757bc..ff717ef3 100644 --- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl +++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl @@ -24,6 +24,7 @@ values: | service_user: example-keystone-user usage: | {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }} + {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }} return: | - name: SERVICE_OS_REGION_NAME valueFrom: 
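Review bot: The new `OS_CACERT` entry is a `secretKeyRef` without `optional: true`, and the key exists in the openrc Secret only when the user context sets `cacert` (the change in `_keystone_secret_openrc.tpl`), whereas `useCA` is driven by the chart-level `tlsSecret` argument; a deployment that sets one without the other fails at container creation on a missing key rather than at request time. Failing closed is the right default — better than silently verifying against nothing — but the dependency should be spelled out in this snippet's abstract, e.g. `useCA: also export OS_CACERT from the secret's OS_CACERT key; the key must be present (set cacert on the user context) or the pod will not start`. The value is exported as an environment variable and the rally hunk hands it straight to `https_cacert`, so it is presumably the in-container path of the CA file (the mount snippet places it at `/etc/ssl/certs/openstack-helm.crt`) rather than the PEM itself; the docblock should say so.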
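Review bot: `cacert` is an easy key to misuse: the value is base64-encoded into the Secret as `OS_CACERT` and then consumed as an environment variable by the openstack clients and by `rally_test.sh`'s `https_cacert`, so it has to be the path of the CA file inside the container — presumably `/etc/ssl/certs/openstack-helm.crt`, where `tls_volume_mount` places it — and not the certificate body. Someone reading `cacert` in values may well paste the PEM and get a file-not-found from every client. A comment above the conditional, `{{/* cacert: in-container path of the CA bundle, exported as OS_CACERT (not the PEM itself) */}}`, prevents that.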
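Review bot: The added usage line advertises a `"useCA" true` argument for `keystone_user_create_env_vars`, but this patch touches nothing else in the file (the diffstat records a single insertion), so nothing here makes the define read `useCA` or emit a `SERVICE_OS_CACERT`; the example documents behaviour the patch does not implement. Either add the parameter to the define, mirroring the `OS_CACERT` block added to `keystone_openrc_env_vars` in this same commit, or drop the line. The earlier usage line is also retained, leaving two examples where the docblock format has one. The define body lies outside the hunk.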
diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 00000000..41fe3d96
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 00000000..9cfa8195
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
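Review bot: The volume projects the entire `kubernetes.io/tls` Secret named by `secretName`, `tls.key` included, while the ks-endpoints, ks-service and ks-user jobs in this patch only ever mount `ca.crt` from it to validate the ingress. With a `subPath` mount the container sees just that one file, but the kubelet still materialises every key of the Secret in the pod's volume directory on the node, so jobs that need nothing but trust carry the ingress private key along. An optional `ca` switch that narrows the projection with `items:` keeps the snippet general while letting those callers ask for the CA alone, and mirrors the `"ca" true` convention the `tls_volume_mount` docblock already advertises. `secretName` should also be rendered with `| quote`, as the surrounding manifests do for `configMapEtc` and `configMapBin`, so a name YAML could misread still renders as a string.
```yaml
{{- define "helm-toolkit.snippets.tls_volume" }}
{{/* … unchanged: $enabled, $name, $secretName lookups … */}}
{{- $caOnly := index . "ca" | default false -}}
{{- if and $enabled (ne $name "") }}
- name: {{ $name }}
  secret:
    secretName: {{ $secretName | quote }}
    defaultMode: 292
{{- if $caOnly }}
    items:
      - key: ca.crt
        path: ca.crt
{{- end }}
{{- end }}
{{- end }}
```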
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
-- 2.17.1
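Review bot: The `ca` parameter that the second docblock and the ks-* callers rely on is never read — the define looks up only `enabled`, `name`, `path` and `certs` — and the CA-only branch is chosen by `path` being empty, which the first docblock at the same time labels "(required)". A caller that passes `"ca" true` together with a `path` therefore gets `tls.crt`, `tls.key` and `ca.crt` mounted, not the CA alone. Either honour the flag, `{{- $ca := index . "ca" | default false -}}` and `{{- if and (or $ca (eq $path "")) (ne $name "") }}`, or document `path` as optional with "omit it for the CA-only mount". Two caveats also belong in the abstract: the file under `/etc/ssl/certs/` is consumed through `OS_CACERT` and does not by itself join the system trust store (nothing here runs `update-ca-certificates`), and `subPath` mounts are not refreshed by the kubelet when the Secret changes, so a rotated CA needs a pod restart to take effect.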