Support TLS endpoints in glance

This allows glance to consume TLS openstack endpoints.
Jobs consume openstack endpoints, typically identity endpoints.
And glance itself interact with other openstack services via
endpoints.

Change-Id: I35ab5d1bbaa20bfc73d0dc7af2710ca1d14b0627

glance/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.3.8
+version: 0.3.9
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:

glance/templates/deployment-api.yaml

@@ -142,6 +142,11 @@ spec:
           command:
             - /tmp/glance-api.sh
             - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/etc/glance/certs/ca.crt"
+{{- end }}
           lifecycle:
             preStop:
               exec:
@@ -223,7 +228,7 @@ spec:
               readOnly: true
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -259,7 +264,7 @@ spec:
             secretName: {{ .Values.secrets.rbd | quote }}
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
 {{- end }}

glance/templates/job-bootstrap.yaml

@@ -30,7 +30,7 @@ volumes:
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

glance/templates/job-ks-endpoints.yaml

@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

glance/templates/job-ks-service.yaml

@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

glance/templates/job-ks-user.yaml

@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}

glance/values.yaml

@@ -966,6 +966,11 @@ pod:
 # set helm3_hook: false when using the helm2 binary.
 helm3_hook: true
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true

glance/values_overrides/tls-offloading.yaml

@@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      test:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...

releasenotes/notes/glance.yaml

@@ -29,4 +29,5 @@ glance:
   - 0.3.6 Add Xena and Yoga values overrides
   - 0.3.7 Fix glance-etc template changing due to comment and whitespace between install and first upgrade
   - 0.3.8 Added OCI registry authentication
+  - 0.3.9 Support TLS endpoints
 ...