keystone: Make internal TLS more robust
Keystone may communicate with other components that do not support TLS. This patchset makes keystone more flexible and enables it to communicate successfully with such components. Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/800097 Change-Id: I5c697c1748b62a81b43e7b0d6c7f89d374a50d94
parent
9a8a476d9f
commit
2d248874dd
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Keystone
|
||||
name: keystone
|
||||
version: 0.2.9
|
||||
version: 0.2.10
|
||||
home: https://docs.openstack.org/keystone/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
|
||||
sources:
|
||||
|
@ -12,6 +12,6 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
|
||||
{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||
{{- end -}}
|
||||
|
@ -17,7 +17,7 @@ limitations under the License.
|
||||
|
||||
{{- if empty .Values.conf.keystone.database.connection -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
|
||||
|
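Review bot: The `{{- else -}}` branch at the end of this hunk silently writes a plaintext MySQL URI whenever `endpoints.oslo_db.auth.admin.secret.tls.internal` is empty, even with `manifests.certificates` set to true, so a missing or misspelled secret name downgrades the database connection without any signal to the operator. A comment at the branch point would at least make the fallback explicit: `{{- /* No oslo_db TLS secret configured: connect to the database without TLS */ -}}` placed before the `{{- else -}}`. The same enable-only-if-a-secret-is-named pattern selects `http` for `$rabbitmqProtocol` in the `@ -15,7 +15,7 @@` hunk of the rabbitmq secret template and deserves the same comment there. The enclosing `{{- if empty .Values.conf.keystone.database.connection -}}` block closes outside this hunk.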
@ -147,9 +147,15 @@ spec:
|
||||
{{- end }}
|
||||
- name: keystone-credential-keys
|
||||
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
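Review bot: `{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}` and the `dict` on the following line mix `$envAll.Values` with `.Values` in one expression, while the oslo_db and oslo_messaging lines around them read everything from `$envAll.Values`; should `.` ever be rebound by an enclosing `with`/`range`, the identity lookup would break while its neighbours keep working. Reading both operands from `$envAll` keeps the block uniform: `{{- if and $envAll.Values.manifests.certificates $envAll.Values.secrets.tls.identity.api.internal }}` and `{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}`. The volumes hunk `@ -183,8 +189,14 @@` of the same deployment has the same mix on its identity `tls_volume` lines.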
@ -183,8 +189,14 @@ spec:
|
||||
- name: keystone-credential-keys
|
||||
secret:
|
||||
secretName: keystone-credential-keys
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
|
||||
|
||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
|
||||
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||
|
@ -68,7 +68,7 @@ spec:
|
||||
- name: OPENSTACK_CONFIG_DB_KEY
|
||||
value: {{ $dbToClean.configDbKey | quote }}
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
@ -94,7 +94,7 @@ spec:
|
||||
subPath: {{ base $dbToClean.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
@ -104,7 +104,7 @@ spec:
|
||||
configMap:
|
||||
name: "keystone-bin"
|
||||
defaultMode: 0555
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
|
@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
|
@ -21,7 +21,7 @@ helm.sh/hook-weight: "-5"
|
||||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
|
@ -49,9 +49,13 @@ volumeMounts:
|
||||
- name: keystone-fernet-keys
|
||||
mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
|
||||
readOnly: true
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "keystone.templates._job_db_sync.pod_vols" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
@ -59,9 +63,13 @@ volumes:
|
||||
- name: keystone-fernet-keys
|
||||
secret:
|
||||
secretName: keystone-fernet-keys
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $local := dict "podVolMounts" false "podVols" false -}}
|
||||
|
@ -51,7 +51,7 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
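Review bot: In `"useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal)` the Go-template `and` returns its last non-empty operand, so `useCA` now carries the TLS secret name as a string rather than a boolean. That presumably works only because `helm-toolkit.snippets.keystone_openrc_env_vars` tests `useCA` for truthiness, which is worth confirming against the snippet, since a consumer that prints the value or compares it to `true` would misbehave. A boolean keeps the intent explicit: `"useCA" (and .Values.manifests.certificates (not (empty .Values.secrets.tls.identity.api.internal)))`. The same expression appears in the `@ -63,14 +63,16 @@` hunk below, in the ks-user job hunk `@ -52,9 +52,11 @@` and in the tests pod hunk `@ -70,7 +72,7 @@`.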
@ -63,14 +63,16 @@ spec:
|
||||
mountPath: /tmp/domain-manage-init.sh
|
||||
subPath: domain-manage-init.sh
|
||||
readOnly: true
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: keystone-domain-manage
|
||||
{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
@ -112,7 +114,9 @@ spec:
|
||||
{{- end }}
|
||||
- name: keystone-credential-keys
|
||||
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -137,6 +141,8 @@ spec:
|
||||
- name: keystone-credential-keys
|
||||
secret:
|
||||
secretName: keystone-credential-keys
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-4"
|
||||
|
||||
{{- if .Values.manifests.job_rabbit_init }}
|
||||
{{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
|
||||
{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
|
||||
|
@ -52,9 +52,11 @@ spec:
|
||||
mountPath: /tmp/ks-user.sh
|
||||
subPath: ks-user.sh
|
||||
readOnly: true
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_SERVICE_NAME
|
||||
@ -70,7 +72,7 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||
@ -95,7 +97,9 @@ spec:
|
||||
mountPath: /var/lib/rally
|
||||
- name: rally-work
|
||||
mountPath: /home/rally/.rally
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -112,6 +116,8 @@ spec:
|
||||
emptyDir: {}
|
||||
- name: rally-work
|
||||
emptyDir: {}
|
||||
{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||
{{- end }}
|
||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -15,7 +15,7 @@ limitations under the License.
|
||||
{{- if .Values.manifests.secret_rabbitmq }}
|
||||
{{- $envAll := . }}
|
||||
{{- $rabbitmqProtocol := "http" }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
|
||||
{{- $rabbitmqProtocol = "https" }}
|
||||
{{- end }}
|
||||
{{- range $key1, $userClass := tuple "admin" "keystone" }}
|
||||
|
@ -25,4 +25,5 @@ keystone:
|
||||
- 0.2.7 Add Ussuri release support
|
||||
- 0.2.8 Remove member bootstrap logic
|
||||
- 0.2.9 Add Victoria and Wallaby releases support
|
||||
- 0.2.10 Make internal TLS more robust
|
||||
...
|
||||
|