feat(tls): add tls to swift user and service of ceph-rgw

This patch adds certs needed for swift user and ceph service to
communicate with keystone.

Change-Id: I4de035f6fe2138c1d1022140c7571fac91ed1a84
This commit is contained in:
Gupta, Sangeet (sg774j) 2020-07-29 14:48:22 +00:00 committed by Tin Lam
parent d5aff1df64
commit 8633b93548
6 changed files with 23 additions and 2 deletions

View File

@ -98,7 +98,7 @@ spec:
apiVersion: v1
fieldPath: metadata.name
{{ if .Values.conf.rgw_ks.enabled }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: KEYSTONE_URL
@ -123,6 +123,9 @@ spec:
mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf
readOnly: true
{{ if .Values.conf.rgw_ks.enabled }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
containers:
- name: ceph-rgw
{{ tuple $envAll "ceph_rgw" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -191,4 +194,7 @@ spec:
- name: ceph-bootstrap-rgw-keyring
secret:
secretName: {{ .Values.secrets.keyrings.rgw }}
{{ if .Values.conf.rgw_ks.enabled }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_ks_endpoints .Values.conf.rgw_ks.enabled }}
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_ks_service .Values.conf.rgw_ks.enabled }}
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_ks_user .Values.conf.rgw_ks.enabled }}
{{- $ksUserJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceUser" "swift" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -39,7 +39,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_ks_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
- name: OS_AUTH_TYPE
valueFrom:
@ -73,6 +73,7 @@ spec:
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{- end }}
{{ if .Values.conf.rgw_s3.enabled }}
- name: ceph-rgw-s3-validation
@ -115,4 +116,7 @@ spec:
configMap:
name: ceph-rgw-etc
defaultMode: 0444
{{- if .Values.conf.rgw_ks.enabled }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{- end }}
{{- end }}

View File

@ -244,6 +244,7 @@ secrets:
object_store:
api:
public: ceph-tls-public
internal: keystone-tls-api
network:
api:
@ -623,6 +624,7 @@ endpoints:
protocol: UDP
manifests:
certificates: false
configmap_ceph_templates: true
configmap_bin: true
configmap_bin_ks: true