From 8633b935487fcefe10a3d73d6b7b452b8986c1aa Mon Sep 17 00:00:00 2001
From: "Gupta, Sangeet (sg774j)"
Date: Wed, 29 Jul 2020 14:48:22 +0000
Subject: [PATCH] feat(tls): add tls to swift user and service of ceph-rgw
This patch adds certs needed for swift user and ceph service to communicate with keystone.
Change-Id: I4de035f6fe2138c1d1022140c7571fac91ed1a84
---
 ceph-rgw/templates/deployment-rgw.yaml | 8 +++++++-
 ceph-rgw/templates/job-ks-endpoints.yaml | 3 +++
 ceph-rgw/templates/job-ks-service.yaml | 3 +++
 ceph-rgw/templates/job-ks-user.yaml | 3 +++
 ceph-rgw/templates/pod-helm-tests.yaml | 6 +++++-
 ceph-rgw/values.yaml | 2 ++
 6 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/ceph-rgw/templates/deployment-rgw.yaml b/ceph-rgw/templates/deployment-rgw.yaml
index 5fc76eed3..9a087e5b6 100644
--- a/ceph-rgw/templates/deployment-rgw.yaml
+++ b/ceph-rgw/templates/deployment-rgw.yaml
@@ -98,7 +98,7 @@ spec:
 apiVersion: v1
 fieldPath: metadata.name
 {{ if .Values.conf.rgw_ks.enabled }}
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: KEYSTONE_URL
@@ -123,6 +123,9 @@ spec:
 mountPath: /etc/ceph/ceph.conf.template
 subPath: ceph.conf
 readOnly: true
+{{ if .Values.conf.rgw_ks.enabled }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
 containers:
 - name: ceph-rgw
 {{ tuple $envAll "ceph_rgw" | include "helm-toolkit.snippets.image" | indent 10 }}
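Review bot: The mount added at @@ -123 makes the CA secret available in the ceph-rgw container, but nothing in this diff points the rgw keystone client at it; the daemon's keystone settings presumably come from the `ceph.conf.template` mounted just above, which this patch leaves untouched. Unless that template is updated elsewhere to reference the mounted CA (and to keep keystone certificate verification enabled), the mount is inert for the daemon and only the openrc env vars gained via `useCA` at @@ -98 benefit from it. A rendered manifest plus an rgw log line showing a verified keystone handshake would settle this. The container spec this mount belongs to starts and ends outside the hunk.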
@@ -191,4 +194,7 @@ spec:
 - name: ceph-bootstrap-rgw-keyring
 secret:
 secretName: {{ .Values.secrets.keyrings.rgw }}
+{{ if .Values.conf.rgw_ks.enabled }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/ceph-rgw/templates/job-ks-endpoints.yaml b/ceph-rgw/templates/job-ks-endpoints.yaml
index 8afbecef2..c60be015b 100644
--- a/ceph-rgw/templates/job-ks-endpoints.yaml
+++ b/ceph-rgw/templates/job-ks-endpoints.yaml
@@ -14,5 +14,8 @@ limitations under the License.
 {{- if and .Values.manifests.job_ks_endpoints .Values.conf.rgw_ks.enabled }}
 {{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/ceph-rgw/templates/job-ks-service.yaml b/ceph-rgw/templates/job-ks-service.yaml
index 46e92599c..f62040a6b 100644
--- a/ceph-rgw/templates/job-ks-service.yaml
+++ b/ceph-rgw/templates/job-ks-service.yaml
@@ -14,5 +14,8 @@ limitations under the License.
 {{- if and .Values.manifests.job_ks_service .Values.conf.rgw_ks.enabled }}
 {{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}
diff --git a/ceph-rgw/templates/job-ks-user.yaml b/ceph-rgw/templates/job-ks-user.yaml
index 134a06911..8f6e12a5c 100644
--- a/ceph-rgw/templates/job-ks-user.yaml
+++ b/ceph-rgw/templates/job-ks-user.yaml
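Review bot: The volume added at @@ -191 hands the ceph-rgw pod the secret named by `secrets.tls.object_store.api.internal`, which values.yaml defaults to `keystone-tls-api`; if that is an ordinary TLS secret holding keystone's server key alongside its CA, every consumer in this patch (this deployment, the helm-test pod at @@ -115, and the ks-endpoints, ks-service and ks-user jobs via `tlsSecret`) receives keystone's private key when all it needs is the CA. Whether the `tls_volume` snippet projects only the CA entry is not visible here; if it mounts the whole secret, a CA-only secret or configmap for this key, or a projection limited to the CA item, would keep the private key inside the keystone pods. The volumes list this hunk extends starts outside the hunk.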
@@ -14,5 +14,8 @@ limitations under the License.
 {{- if and .Values.manifests.job_ks_user .Values.conf.rgw_ks.enabled }}
 {{- $ksUserJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceUser" "swift" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
diff --git a/ceph-rgw/templates/pod-helm-tests.yaml b/ceph-rgw/templates/pod-helm-tests.yaml
index 64af98de8..6c1fef91b 100644
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@@ -39,7 +39,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
 {{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_ks_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 - name: OS_AUTH_TYPE
 valueFrom:
@@ -73,6 +73,7 @@ spec:
 mountPath: /etc/ceph/ceph.conf
 subPath: ceph.conf
 readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
 {{- end }}
 {{ if .Values.conf.rgw_s3.enabled }}
 - name: ceph-rgw-s3-validation
@@ -115,4 +116,7 @@ spec:
 configMap:
 name: ceph-rgw-etc
 defaultMode: 0444
+{{- if .Values.conf.rgw_ks.enabled }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- end }}
 {{- end }}
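Review bot: The mount added at @@ -73 of pod-helm-tests.yaml carries no `rgw_ks.enabled` guard of its own, whereas the matching volume at @@ -115 is only emitted under `{{- if .Values.conf.rgw_ks.enabled }}`. The `{{- end }}` directly after the new line suggests it sits inside a guard opened before the hunk around the `ceph_rgw_ks_validation` container seen at @@ -39, but that opening `if` is not visible; if the mount were ever rendered with keystone validation disabled, the pod would reference a volume that is never defined and be rejected by the API server. A short comment on the new line naming the guard it depends on, e.g. `{{/* relies on the rgw_ks.enabled block opened above */}}`, would make the coupling explicit. The container spec this mount belongs to starts outside the hunk.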
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index aa3cb1cc2..e9af5a55a 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -244,6 +244,7 @@ secrets:
 object_store:
 api:
 public: ceph-tls-public
+ internal: keystone-tls-api
 network:
 api:
@@ -623,6 +624,7 @@ endpoints:
 protocol: UDP
 manifests:
+ certificates: false
 configmap_ceph_templates: true
 configmap_bin: true
 configmap_bin_ks: true
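Review bot: `secrets.tls.object_store.api.internal` defaulting to `keystone-tls-api` at @@ -244 reads oddly next to its sibling `public: ceph-tls-public`: the sibling names rgw's own certificate secret, whereas the new key appears to name another chart's secret and is used throughout this patch as the CA source for talking to keystone rather than as an internal-endpoint certificate for rgw. A comment above it such as `# secret mounted as the CA for verifying keystone TLS; not rgw's own internal-endpoint certificate` would stop an operator from pointing it at a server certificate. Likewise the new `manifests.certificates: false` at @@ -623 doubles as the switch for `useCA` and `tlsSecret` in the templates, which a one-line comment beside it should state.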