From e19be77f087995faccf06dd834a203fb2154a5f3 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Mon, 18 Jun 2018 16:16:06 -0500 Subject: [PATCH] Ingress: Add initial TLS Support for core service public endpoints This PS adds support for TLS on overridden FQDNs for public endpoints for core OpenStack Services. Currently this implementation is limited, in that it does not provide support for dynamically loading CAs into the containers, or specifying them manually via configuration. As a result only well-known CAs, or CAs added manually to containers, will be recognised. Change-Id: I8f1b699af29cbed2d83ad91bb6840dccce8c5146 Depends-On: I535f38a8d92c01280d79926a1f0acd06984aabbf Signed-off-by: Tin Lam 
Signed-off-by: Pete Birley --- barbican/templates/ingress-api.yaml | 2 +- barbican/templates/secret-ingress-tls.yaml | 19 + barbican/values.yaml | 5 + ceph-client/templates/secret-ingress-tls.yaml | 19 + ceph-client/values.yaml | 12 + cinder/templates/secret-ingress-tls.yaml | 19 + cinder/values.yaml | 26 ++ glance/templates/secret-ingress-tls.yaml | 19 + glance/values.yaml | 12 + heat/templates/secret-ingress-tls.yaml | 20 + heat/values.yaml | 22 + horizon/templates/secret-ingress-tls.yaml | 19 + horizon/values.yaml | 12 + keystone/templates/secret-ingress-tls.yaml | 19 + keystone/values.yaml | 12 + neutron/templates/secret-ingress-tls.yaml | 19 + neutron/values.yaml | 12 + nova/templates/secret-ingress-tls.yaml | 21 + nova/values.yaml | 25 ++ tools/deployment/common/setup-certificates.sh | 417 ++++++++++++++++++ 20 files changed, 730 insertions(+), 1 deletion(-) create mode 100644 barbican/templates/secret-ingress-tls.yaml create mode 100644 ceph-client/templates/secret-ingress-tls.yaml create mode 100644 cinder/templates/secret-ingress-tls.yaml create mode 100644 glance/templates/secret-ingress-tls.yaml create mode 100644 heat/templates/secret-ingress-tls.yaml create mode 100644 horizon/templates/secret-ingress-tls.yaml create mode 100644 keystone/templates/secret-ingress-tls.yaml create mode 100644 neutron/templates/secret-ingress-tls.yaml create mode 100644 nova/templates/secret-ingress-tls.yaml create mode 100755 tools/deployment/common/setup-certificates.sh diff --git a/barbican/templates/ingress-api.yaml b/barbican/templates/ingress-api.yaml index f0bf5f6843..9e1734f23f 100644 --- a/barbican/templates/ingress-api.yaml +++ b/barbican/templates/ingress-api.yaml 
@@ -15,6 +15,6 @@ limitations under the License. */}} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} -{{- $ingressOpts := dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" -}} +{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }}
diff --git a/barbican/templates/secret-ingress-tls.yaml b/barbican/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..cd58e51d71
--- /dev/null
+++ b/barbican/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }}
+{{- end }}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index b7a803975a..42e9f387fd 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -438,6 +438,10 @@ secrets: oslo_messaging: admin: barbican-rabbitmq-admin barbican: barbican-rabbitmq-user + tls: + key_manager: + api: + public: barbican-tls-public endpoints: cluster_domain_suffix: cluster.local
@@ -569,6 +573,7 @@ manifests: pdb_api: true pod_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true
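Review bot: The only edit to an existing template, `"key-manager"` → `"key_manager"` in `$ingressOpts`, is not mentioned in the commit message even though it changes which `endpoints` entry the ingress helper looks up. The new secret template and the `secrets.tls.key_manager` tree use the underscore form, so presumably the hyphenated key never matched the chart's endpoint entry (that entry is outside this hunk); if so, this is a standalone fix that deserves a sentence in the message. The `if` block is entirely within the hunk.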
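Review bot: The new secret template renders whenever `manifests.secret_ingress_tls` is set (it defaults to `true` in the values hunk below), with no check that `host_fqdn_override.public.tls` actually carries a crt/key, and unlike `ingress-api.yaml` it is not gated on `network.api.ingress.public`. Unless the helm-toolkit helper (in the Depends-On change, not visible here) skips rendering when no TLS material is supplied, every default install will emit an empty `barbican-tls-public` Secret; the cinder, glance, heat, horizon, keystone, neutron, nova and ceph-client templates have the same shape. If the helper is a no-op in that case, a line such as `{{/* the helper renders nothing unless host_fqdn_override.public.tls is populated */}}` above the include would save the next reader the lookup.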
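Review bot: The barbican values hunks add `secrets.tls.key_manager.api.public` and the `secret_ingress_tls` manifest flag but, unlike every other chart in this patch, no `NOTE(portdirect)` comment under `endpoints.key_manager.host_fqdn_override` describing the `public: {host, tls: {crt, key}}` layout, so an operator reading this chart gets no hint where the certificate goes. Going by the diffstat, nova's placement endpoint is in the same position: `placement-tls-public` is declared and rendered, yet only the nova and novncproxy endpoints receive the comment. Adding the same seven-line note in both places keeps the charts consistent.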
diff --git a/ceph-client/templates/secret-ingress-tls.yaml b/ceph-client/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..dee370f370
--- /dev/null
+++ b/ceph-client/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_ingress_tls ( and .Values.deployment.ceph .Values.conf.features.rgw ) }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "object_store" ) }}
+{{- end }}
diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index fdc54230f5..9a1b5baaf4 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -160,6 +160,10 @@ secrets: admin: ceph-keystone-admin swift: ceph-keystone-user user_rgw: ceph-keystone-user-rgw + tls: + object_store: + api: + public: ceph-tls-public network: api:
@@ -505,6 +509,13 @@ endpoints: public: radosgw host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /swift/v1/KEY_$(tenant_id)s scheme:
@@ -564,6 +575,7 @@ manifests: job_namespace_client_key_cleaner: true job_namespace_client_key: true job_rbd_pool: true + secret_ingress_tls: true secret_keystone_rgw: true secret_keystone: true service_ingress_rgw: true
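Review bot: Go template `and` is variadic, so the nested call on the `if` line can be flattened to `{{- if and .Values.manifests.secret_ingress_tls .Values.deployment.ceph .Values.conf.features.rgw }}`, which reads like the other charts' condition with the two extra gates appended.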
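Review bot: The NOTE presents `tls.key` as an ordinary value under `host_fqdn_override.public`, which means the private key is handled like any other value: it travels in operator override files, is stored with the Helm release record, and surfaces in anything that dumps `.Values` (for example `helm get values`). The note should say that the key must be supplied through a separately protected override file (`-f`/`--values`) and never committed alongside the chart defaults. The same NOTE is added to cinder, glance, heat, horizon, keystone, neutron and nova; one added line such as `# the key is sensitive: pass it via a protected override file, never in committed values` after the format block would cover all of them.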
diff --git a/cinder/templates/secret-ingress-tls.yaml b/cinder/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..a787387841
--- /dev/null
+++ b/cinder/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }}
+{{- end }}
diff --git a/cinder/values.yaml b/cinder/values.yaml
index b61e0fa8fa..66aa477e49 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -934,6 +934,10 @@ secrets: oslo_messaging: admin: cinder-rabbitmq-admin cinder: cinder-rabbitmq-user + tls: + volume: + api: + public: cinder-tls-public # We use a different layout of the endpoints here to account for versioning # this swaps the service name and type, and should be rolled out to other
@@ -1029,6 +1033,13 @@ endpoints: public: cinder host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v1/%(tenant_id)s' scheme:
@@ -1044,6 +1055,13 @@ endpoints: public: cinder host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v2/%(tenant_id)s' scheme:
@@ -1059,6 +1077,13 @@ endpoints: public: cinder host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v3/%(tenant_id)s' scheme:
@@ -1144,6 +1169,7 @@ manifests: pod_rally_test: true pvc_backup: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_api: true
diff --git a/glance/templates/secret-ingress-tls.yaml b/glance/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..f9b4ae5eae
--- /dev/null
+++ b/glance/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
+{{- end }}
diff --git a/glance/values.yaml b/glance/values.yaml
index 4ff296c79f..fb2ad013ba 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
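Review bot: The cinder secret template renders only `backendServiceType "volume"` and `secrets.tls` gains only a `volume` entry, yet the NOTE is added to three endpoints, the ones with `/v1/%(tenant_id)s`, `/v2/%(tenant_id)s` and `/v3/%(tenant_id)s` paths (their keys sit above the hunks; from the paths they look like the versioned entries the file's own comment about "a different layout" refers to). A `tls` block placed under the second or third of them would apparently produce no Secret at all. Either drop the note from those two endpoints or change its first line to say which entry is consulted, e.g. `# NOTE(portdirect): TLS for the public endpoint is read from the 'volume' entry only; it supports`.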
@@ -441,6 +441,10 @@ secrets: oslo_messaging: admin: glance-rabbitmq-admin glance: glance-rabbitmq-user + tls: + image: + api: + public: glance-tls-public # typically overridden by environmental
@@ -507,6 +511,13 @@ endpoints: public: glance host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme:
@@ -781,6 +792,7 @@ manifests: pod_rally_test: true pvc_images: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true
diff --git a/heat/templates/secret-ingress-tls.yaml b/heat/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..76fec5bc5c
--- /dev/null
+++ b/heat/templates/secret-ingress-tls.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }}
+{{- end }}
diff --git a/heat/values.yaml b/heat/values.yaml
index 990cc2649d..358bd57abc 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
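Review bot: The two `include` lines in the heat template use `{{ include` without the whitespace-trimming dash that every other new template in this patch uses (`{{- include`), so the rendered output opens with a blank line and the two Secrets are separated only by a newline. That is sufficient only if the helper emits its own `---` document separator ahead of each Secret; if it does not, the two documents are concatenated into one invalid manifest. Nova's template has the same pattern with three includes. Either confirm the helper writes `---` or put the separator in the template between the includes.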
@@ -664,6 +664,13 @@ secrets: oslo_messaging: admin: heat-rabbitmq-admin heat: heat-rabbitmq-user + tls: + orchestration: + api: + public: heat-tls-public + cloudformation: + cfn: + public: cloudformation-tls-public # typically overridden by environmental # values, but should include all endpoints
@@ -745,6 +752,13 @@ endpoints: public: heat host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v1/%(project_id)s' scheme:
@@ -760,6 +774,13 @@ endpoints: public: cloudformation host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /v1 scheme:
@@ -1044,6 +1065,7 @@ manifests: pdb_cloudwatch: false pod_rally_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_api: true
diff --git a/horizon/templates/secret-ingress-tls.yaml b/horizon/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..04705bc362
--- /dev/null
+++ b/horizon/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }}
+{{- end }}
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 78eb30ffd7..8e9e41db86 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -1974,6 +1974,10 @@ secrets: oslo_db: admin: horizon-db-admin horizon: horizon-db-user + tls: + dashboard: + dashboard: + public: horizon-tls-public # typically overridden by environmental # values, but should include all endpoints
@@ -2023,6 +2027,13 @@ endpoints: public: horizon host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme:
@@ -2059,5 +2070,6 @@ manifests: job_image_repo_sync: true pdb: true secret_db: true + secret_ingress_tls: true service_ingress: true service: true
diff --git a/keystone/templates/secret-ingress-tls.yaml b/keystone/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..3b57b4aa28
--- /dev/null
+++ b/keystone/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }}
+{{- end }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 3d6d901157..439cdfd0b4 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -789,6 +789,10 @@ secrets: keystone: keystone-rabbitmq-user ldap: tls: keystone-ldap-tls + tls: + identity: + api: + public: keystone-tls-public # typically overridden by environmental # values, but should include all endpoints
@@ -831,6 +835,13 @@ endpoints: public: keystone host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /v3 scheme:
@@ -922,6 +933,7 @@ manifests: secret_credential_keys: true secret_db: true secret_fernet_keys: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true
diff --git a/neutron/templates/secret-ingress-tls.yaml b/neutron/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..1a15f2468b
--- /dev/null
+++ b/neutron/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }}
+{{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index d3fb64d719..5f80d81a4d 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -1557,6 +1557,10 @@ secrets: oslo_messaging: admin: neutron-rabbitmq-admin neutron: neutron-rabbitmq-user + tls: + network: + server: + public: neutron-tls-public # typically overridden by environmental # values, but should include all endpoints
@@ -1712,6 +1716,13 @@ endpoints: public: neutron host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme:
@@ -1744,6 +1755,7 @@ manifests: pdb_server: true pod_rally_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_server: true
diff --git a/nova/templates/secret-ingress-tls.yaml b/nova/templates/secret-ingress-tls.yaml new file mode 100644
index 0000000000..3b9062e3c7
--- /dev/null
+++ b/nova/templates/secret-ingress-tls.yaml
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }}
+{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }}
+{{- end }}
diff --git a/nova/values.yaml b/nova/values.yaml
index 97718fb49f..d407de9b67 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1121,6 +1121,16 @@ secrets: oslo_messaging: admin: nova-rabbitmq-admin nova: nova-rabbitmq-user + tls: + compute: + osapi: + public: nova-tls-public + compute_novnc_proxy: + novncproxy: + public: nova-novncproxy-tls-public + placement: + placement: + public: placement-tls-public # typically overridden by environmental # values, but should include all endpoints
@@ -1314,6 +1324,13 @@ endpoints: public: nova host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: "/v2.1/%(tenant_id)s" scheme:
@@ -1349,6 +1366,13 @@ endpoints: public: novncproxy host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /vnc_auto.html scheme:
@@ -1697,6 +1721,7 @@ manifests: pod_rally_test: true secret_db_api: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_keystone_placement: true secret_rabbitmq: true
diff --git a/tools/deployment/common/setup-certificates.sh b/tools/deployment/common/setup-certificates.sh new file mode 100755
index 0000000000..9811b5fde9
--- /dev/null
+++ b/tools/deployment/common/setup-certificates.sh
@@ -0,0 +1,417 @@ +#!/bin/bash + +# Copyright 2018 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +set -xe + +CURRENT_DIR=$(pwd) +CFSSLURL=https://pkg.cfssl.org/R1.2 + +TDIR=/tmp/certs +rm -rf $TDIR +mkdir -p $TDIR/bin + +cd $TDIR +curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64 +curl -sSL -o bin/cfssljson $CFSSLURL/cfssljson_linux-amd64 +chmod +x bin/{cfssl,cfssljson} +export PATH=$PATH:./bin + +OSH_CONFIG_ROOT="/etc/openstack-helm" +OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca" +OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server" + +sudo mkdir -p ${OSH_CONFIG_ROOT} +sudo chown $(whoami): -R ${OSH_CONFIG_ROOT} + +mkdir -p "${OSH_CA_ROOT}" +tee ${OSH_CA_ROOT}/ca-config.json << EOF +{ + "signing": { + "default": { + "expiry": "24h" + }, + "profiles": { + "server": { + "expiry": "24h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + } + } + } +} +EOF + +tee ${OSH_CA_ROOT}/ca-csr.json << EOF +{ + "CN": "ACME Company", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "SomeState", + "ST": "SomeCity", + "O": "SomeOrg", + "OU": "SomeUnit" + } + ] +} +EOF + +cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca - + +function check_cert_and_key () { + TLS_CERT=$1 + TLS_KEY=$2 + openssl x509 -inform pem -in ${TLS_CERT} -noout -text + CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})" + KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})" + if ! 
[ "${CERT_MOD}" = "${KEY_MOD}" ]; then + echo "Failure: TLS private key does not match this certificate." + exit 1 + else + CERT_MOD="" + KEY_MOD="" + echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}" + fi +} +check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem + +DOMAIN=openstackhelm.test +for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do + FQDN="${HOSTNAME}.${DOMAIN}" + + OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}" + mkdir -p "${OSH_SERVER_CERTS}" + + tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <