feat(tls): add tls to swift user and service of ceph-rgw
This patch adds certs needed for swift user and ceph service to communicate with keystone. Change-Id: I4de035f6fe2138c1d1022140c7571fac91ed1a84
parent
d5aff1df64
commit
8633b93548
@ -98,7 +98,7 @@ spec:
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
fieldPath: metadata.name
|
fieldPath: metadata.name
|
||||||
{{ if .Values.conf.rgw_ks.enabled }}
|
{{ if .Values.conf.rgw_ks.enabled }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: KEYSTONE_URL
|
- name: KEYSTONE_URL
|
||||||
@ -123,6 +123,9 @@ spec:
|
|||||||
mountPath: /etc/ceph/ceph.conf.template
|
mountPath: /etc/ceph/ceph.conf.template
|
||||||
subPath: ceph.conf
|
subPath: ceph.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ if .Values.conf.rgw_ks.enabled }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: ceph-rgw
|
- name: ceph-rgw
|
||||||
{{ tuple $envAll "ceph_rgw" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "ceph_rgw" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
@ -191,4 +194,7 @@ spec:
|
|||||||
- name: ceph-bootstrap-rgw-keyring
|
- name: ceph-bootstrap-rgw-keyring
|
||||||
secret:
|
secret:
|
||||||
secretName: {{ .Values.secrets.keyrings.rgw }}
|
secretName: {{ .Values.secrets.keyrings.rgw }}
|
||||||
|
{{ if .Values.conf.rgw_ks.enabled }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
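Review bot: The CA mount added in the second hunk lands in the `volumeMounts` list that ends right before `containers:`, so as far as these hunks show, only that earlier container (apparently an init container) can verify Keystone's certificate. If the `ceph-rgw` container itself calls Keystone over HTTPS, it needs the same `helm-toolkit.snippets.tls_volume_mount` include in its own `volumeMounts`; otherwise verification fails there or ends up disabled in the RGW configuration. The `ceph-rgw` container's mounts lie outside the visible hunks, so this may already be covered.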
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_ks_endpoints .Values.conf.rgw_ks.enabled }}
|
{{- if and .Values.manifests.job_ks_endpoints .Values.conf.rgw_ks.enabled }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
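Review bot: `tlsSecret` is set from `.Values.secrets.tls.object_store.api.internal` without checking that the value is non-empty, here and in the identical blocks of the two job templates that follow (`job_ks_service` and `job_ks_user`). With `manifests.certificates` enabled and that key nulled by an override, the job is rendered with an empty secret name, and how helm-toolkit handles that is not visible on this page. Wrapping the value in `required` makes the misconfiguration fail at render time: `{{- $_ := set $ksServiceJob "tlsSecret" (required "secrets.tls.object_store.api.internal must be set when manifests.certificates is true" .Values.secrets.tls.object_store.api.internal) -}}`.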
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_ks_service .Values.conf.rgw_ks.enabled }}
|
{{- if and .Values.manifests.job_ks_service .Values.conf.rgw_ks.enabled }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceTypes" ( tuple "object-store" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_ks_user .Values.conf.rgw_ks.enabled }}
|
{{- if and .Values.manifests.job_ks_user .Values.conf.rgw_ks.enabled }}
|
||||||
{{- $ksUserJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceUser" "swift" -}}
|
{{- $ksUserJob := dict "envAll" . "configMapBin" "ceph-rgw-bin-ks" "serviceName" "ceph" "serviceUser" "swift" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.object_store.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -39,7 +39,7 @@ spec:
|
|||||||
{{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
{{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_ks_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
{{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_ks_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user_rgw "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
- name: OS_AUTH_TYPE
|
- name: OS_AUTH_TYPE
|
||||||
valueFrom:
|
valueFrom:
|
||||||
@ -73,6 +73,7 @@ spec:
|
|||||||
mountPath: /etc/ceph/ceph.conf
|
mountPath: /etc/ceph/ceph.conf
|
||||||
subPath: ceph.conf
|
subPath: ceph.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{ if .Values.conf.rgw_s3.enabled }}
|
{{ if .Values.conf.rgw_s3.enabled }}
|
||||||
- name: ceph-rgw-s3-validation
|
- name: ceph-rgw-s3-validation
|
||||||
@ -115,4 +116,7 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: ceph-rgw-etc
|
name: ceph-rgw-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- if .Values.conf.rgw_ks.enabled }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
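Review bot: The `tls_volume_mount` line added after `readOnly: true` has no condition of its own and relies on the enclosing block closed by the following `{{- end }}`, whose opening lies outside the hunk, while the matching `tls_volume` in the last hunk is wrapped in `{{- if .Values.conf.rgw_ks.enabled }}`. If the enclosing condition is anything other than `rgw_ks.enabled`, the test pod can be rendered with a mount that names an undefined volume, and the API server will reject it. Confirming that the two conditions match, or wrapping the mount in the same `if`, keeps the mount and the volume in step.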
@ -244,6 +244,7 @@ secrets:
|
|||||||
object_store:
|
object_store:
|
||||||
api:
|
api:
|
||||||
public: ceph-tls-public
|
public: ceph-tls-public
|
||||||
|
internal: keystone-tls-api
|
||||||
|
|
||||||
network:
|
network:
|
||||||
api:
|
api:
|
||||||
@ -623,6 +624,7 @@ endpoints:
|
|||||||
protocol: UDP
|
protocol: UDP
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_ceph_templates: true
|
configmap_ceph_templates: true
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_bin_ks: true
|
configmap_bin_ks: true
|
||||||
|
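Review bot: The new default `internal: keystone-tls-api` under `secrets.tls.object_store.api` names Keystone's secret, although the key reads as the object store's own internal certificate. An operator who overrides it with an RGW certificate would therefore silently change which CA the Keystone clients trust. A comment above the line would prevent that, for example `# Secret providing the CA used to verify Keystone; must exist in this release's namespace`. The secret presumably also carries Keystone's `tls.key`, and the templates in this commit reference it as a volume in the RGW and test pods, so if only the CA is needed, a CA-only secret would keep the private key out of those pods' reach.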