From 1a2e660bc85c6a79a8120f181b39faa3121ed1fb Mon Sep 17 00:00:00 2001
From: josebb
Date: Thu, 2 Dec 2021 19:17:20 +0200
Subject: [PATCH] Support TLS endpoints in glance

This allows glance to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And glance itself interact with other openstack services via endpoints.

Change-Id: I35ab5d1bbaa20bfc73d0dc7af2710ca1d14b0627
---
 glance/Chart.yaml | 2 +-
 glance/templates/deployment-api.yaml | 9 +++++++--
 glance/templates/job-bootstrap.yaml | 2 +-
 glance/templates/job-ks-endpoints.yaml | 2 +-
 glance/templates/job-ks-service.yaml | 2 +-
 glance/templates/job-ks-user.yaml | 2 +-
 glance/values.yaml | 5 +++++
 glance/values_overrides/tls-offloading.yaml | 12 ++++++++++++
 releasenotes/notes/glance.yaml | 1 +
 9 files changed, 30 insertions(+), 7 deletions(-)
 create mode 100644 glance/values_overrides/tls-offloading.yaml

diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index 2d9f630f60..4ad4a0d5c1 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.3.8
+version: 0.3.9
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 72fe3613e7..ac4f540bf4 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -142,6 +142,11 @@ spec:
 command:
 - /tmp/glance-api.sh
 - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/glance/certs/ca.crt"
+{{- end }}
 lifecycle:
 preStop:
 exec:
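Review bot: The added `REQUESTS_CA_BUNDLE` hard-codes `/etc/glance/certs/ca.crt`, a path that only exists because the volume-mount hunk later in this file mounts `.Values.secrets.tls.image.api.internal` at `/etc/glance/certs`; the two are tied together by a string literal in two places, so a comment on the env block such as `{{/* CA for outbound HTTPS; path must match the tls_volume_mount of secrets.tls.image.api.internal below */}}` would keep them from drifting apart. It is also worth stating in that comment that `REQUESTS_CA_BUNDLE` replaces, rather than extends, the trust store used by the `requests` library, so every HTTPS service glance-api reaches from this container (not only keystone) must chain to that CA or its calls fail verification — fail-closed, but easy to trip over when `tls.identity` is enabled on a deployment that also talks to externally-signed endpoints. The enclosing container spec starts and ends outside the hunk.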
@@ -223,7 +228,7 @@ spec:
 readOnly: true
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -259,7 +264,7 @@ spec:
 secretName: {{ .Values.secrets.rbd | quote }}
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
 {{- end }}
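Review bot: The rewritten `enabled` expression mixes `.Values` with the `$envAll.Values` that the rest of the same `dict` call and every neighbouring line use; in both the volume-mount hunk and the volume hunk below it the consistent form is `(or $envAll.Values.manifests.certificates $envAll.Values.tls.identity)`. Separately, the adjacent oslo_db and oslo_messaging mount and volume lines still gate on `manifests.certificates` alone, while values.yaml in this same commit introduces `tls.oslo_db` and `tls.oslo_messaging`; nothing in the patch reads those two keys, so as merged they are inert. Either wire them into these lines the same way `tls.identity` is wired here, or mark them as reserved in values.yaml so operators do not set them expecting an effect. Both hunks sit inside a pod spec whose start and end are outside the hunk.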
diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
index 461c52af35..56bebfc5be 100644
--- a/glance/templates/job-bootstrap.yaml
+++ b/glance/templates/job-bootstrap.yaml
@@ -30,7 +30,7 @@ volumes:
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml
index 992ee37fc8..fe761a38ca 100644
--- a/glance/templates/job-ks-endpoints.yaml
+++ b/glance/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml
index 21bb13029a..8aaef789dc 100644
--- a/glance/templates/job-ks-service.yaml
+++ b/glance/templates/job-ks-service.yaml
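Review bot: With `tls.identity` set and `manifests.certificates` left false, the job-bootstrap and job-ks-endpoints hunks (and the job-ks-service and job-ks-user hunks on the next line of this patch) hand `secrets.tls.image.api.internal` — the glance API server-certificate secret — to the job as `tlsSecret`, so the keystone endpoint is verified against whatever CA issued glance's own certificate. That presumes one shared issuer for keystone and glance, and presumes the secret already exists even though, as far as this patch shows, the chart only creates certificate resources when `manifests.certificates` is true; neither assumption is written down. A one-line comment next to the guard, e.g. `{{/* tls.identity: secret must pre-exist with a ca.crt that also signs the keystone endpoint */}}`, repeated in each of the four job templates, would make the operational contract explicit. The same `or .Values.manifests.certificates .Values.tls.identity` guard is now duplicated six times across the chart, which is a style concern worth noting for a follow-up.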
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml
index 226be7182c..7f646e39e3 100644
--- a/glance/templates/job-ks-user.yaml
+++ b/glance/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/glance/values.yaml b/glance/values.yaml
index ba5eca7d81..23361bd0af 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -966,6 +966,11 @@ pod:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
 manifests:
 certificates: false
 configmap_bin: true
diff --git a/glance/values_overrides/tls-offloading.yaml b/glance/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..914ab5e6c5
--- /dev/null
+++ b/glance/values_overrides/tls-offloading.yaml
@@ -0,0 +1,12 @@
+---
+endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+ identity: true
+...
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml
index 7c15a5c8c3..3909cb509f 100644
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
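Review bot: The new `tls` map in values.yaml is undocumented, and two of its three keys (`oslo_messaging`, `oslo_db`) are not read by any template in this patch, so an operator has no way to tell that only `identity` does anything yet. A short comment block above the map would close that gap: one line saying `identity` makes the API deployment and the keystone jobs mount `secrets.tls.image.api.internal` and trust its `ca.crt` for identity calls even when `manifests.certificates` is false, and one line stating that `oslo_messaging` and `oslo_db` are reserved and currently have no effect (or wiring them into the corresponding mounts in deployment-api.yaml so the comment is unnecessary). The values file continues above and below the hunk.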
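Review bot: The new tls-offloading.yaml override points `endpoints.identity.auth.admin.cacert` and `.test.cacert` at `/etc/ssl/certs/openstack-helm.crt`, while the deployment-api hunk in this patch exports `/etc/glance/certs/ca.crt` in `REQUESTS_CA_BUNDLE`; the two paths only agree if the helm-toolkit job snippets place the mounted `ca.crt` at the first path, which is not visible here. A comment in the override naming that dependency, e.g. `# cacert path is where helm-toolkit's tlsSecret mount exposes ca.crt for the ks-* jobs; glance-api itself uses /etc/glance/certs/ca.crt`, would let the next reader check it instead of guessing. The override also turns on `tls.identity` while leaving `manifests.certificates` at its default false, which is the exact combination that requires the secret to be provisioned outside the chart; stating that in the same comment makes the file self-describing.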
@@ -29,4 +29,5 @@ glance:
 - 0.3.6 Add Xena and Yoga values overrides
 - 0.3.7 Fix glance-etc template changing due to comment and whitespace between install and first upgrade
 - 0.3.8 Added OCI registry authentication
+ - 0.3.9 Support TLS endpoints
 ...