From 2d248874dde562b2086ba208cf6f674fd41b7256 Mon Sep 17 00:00:00 2001 From: "Gupta, Sangeet (sg774j)" Date: Thu, 8 Jul 2021 00:29:29 +0000 Subject: [PATCH] keystone: Make internal TLS more robust Keystone may communicate with other components that do not support TLS. This patchset makes keystone more flexible and enable it to communicate successfully with such components Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/800097 Change-Id: I5c697c1748b62a81b43e7b0d6c7f89d374a50d94 --- keystone/Chart.yaml | 2 +- keystone/templates/certificates.yaml | 2 +- keystone/templates/configmap-etc.yaml | 2 +- keystone/templates/deployment-api.yaml | 12 ++++++++++++ keystone/templates/job-bootstrap.yaml | 2 +- keystone/templates/job-credential-cleanup.yaml | 6 +++--- keystone/templates/job-db-drop.yaml | 2 +- keystone/templates/job-db-init.yaml | 2 +- keystone/templates/job-db-sync.yaml | 8 ++++++++ keystone/templates/job-domain-manage.yaml | 10 ++++++++-- keystone/templates/job-rabbit-init.yaml | 2 +- keystone/templates/pod-rally-test.yaml | 10 ++++++++-- keystone/templates/secret-rabbitmq.yaml | 2 +- releasenotes/notes/keystone.yaml | 1 + 14 files changed, 48 insertions(+), 15 deletions(-) diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml index 95469b9605..3871ee758e 100644 --- a/keystone/Chart.yaml +++ b/keystone/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Keystone name: keystone -version: 0.2.9 +version: 0.2.10 home: https://docs.openstack.org/keystone/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png sources: diff --git a/keystone/templates/certificates.yaml b/keystone/templates/certificates.yaml index d545771e86..f8a73c4b86 100644 --- a/keystone/templates/certificates.yaml +++ b/keystone/templates/certificates.yaml 
@@ -12,6 +12,6 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}} {{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }} {{- end -}} diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index f37a731f48..4b7f04631e 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml @@ -17,7 +17,7 @@ limitations under the License. {{- if empty .Values.conf.keystone.database.connection -}} {{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} {{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}} {{- else -}} {{- $_ := set .Values.conf.keystone.database "connection" $connection -}} diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index 4cf9da9edc..f4154932e2 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml 
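Review bot: The new guard `{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}` turns the secret-name value into the on/off switch for the identity-API certificate, but nothing in this patch changes that value's default (the diffstat lists no keystone/values.yaml), so with stock values the rendering is presumably unchanged and opting out means setting the secret name to an empty string. That contract is not written down anywhere in the chart; a template comment above the guard would make it explicit, e.g. `{{/* The identity-API certificate is rendered only when secrets.tls.identity.api.internal names a secret; an empty name disables TLS for the API. */}}`. The same convention now applies to the oslo_db and oslo_messaging secret names used by the other templates in this patch, so one comment here can point at all three.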
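Review bot: With the new condition `{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}`, an empty oslo_db secret name falls through to the `else` branch and renders the plain connection URI without `ssl_ca`/`ssl_verify_cert`, so a typo in or an accidentally cleared secret name downgrades the MariaDB connection to cleartext without any rendering error. That is the behaviour the commit wants for backends without TLS, but the fallback is silent, so mark the downgrade point in the `else` branch with a comment such as `{{/* No oslo_db TLS secret configured: database connection is rendered without TLS (cleartext). */}}`. It would also be worth stating in the release note that TLS is now opt-in per secret name rather than chart-wide.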
@@ -147,9 +147,15 @@ spec: {{- end }} - name: keystone-credential-keys mountPath: {{ .Values.conf.keystone.credential.key_repository }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp 
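Review bot: The identity-API guard `{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}` mixes the `$envAll` root with the bare `.` root in one expression, while the oslo_db and oslo_messaging guards on either side of it use `$envAll.Values` for both operands. Inside this spec the two presumably resolve to the same object, but the inconsistency reads as if a different context were intended; use `{{- if and $envAll.Values.manifests.certificates $envAll.Values.secrets.tls.identity.api.internal }}` here and in the matching volumes hunk (`@@ -183,8 +189,14 @@`) of this file. Since the guard already establishes `manifests.certificates`, the `"enabled"` key passed to `tls_volume_mount` on the wrapped line is now always true; keeping it is harmless but may mislead a reader into thinking the snippet does its own gating.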
@@ -183,8 +189,14 @@ spec: - name: keystone-credential-keys secret: secretName: keystone-credential-keys +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index f065f2a6e0..e90892749e 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml 
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "5" {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}} {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}} {{- end -}} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} diff --git a/keystone/templates/job-credential-cleanup.yaml b/keystone/templates/job-credential-cleanup.yaml index 62dfa85d9e..fe74ecf9a1 100644 --- a/keystone/templates/job-credential-cleanup.yaml +++ b/keystone/templates/job-credential-cleanup.yaml @@ -68,7 +68,7 @@ spec: - name: OPENSTACK_CONFIG_DB_KEY value: {{ $dbToClean.configDbKey | quote }} {{- end }} -{{- if $envAll.Values.manifests.certificates }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} - name: MARIADB_X509 value: "REQUIRE X509" {{- end }} @@ -94,7 +94,7 @@ spec: subPath: {{ base $dbToClean.logConfigFile | quote }} readOnly: true {{- end }} -{{- if $envAll.Values.manifests.certificates }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- end }} volumes: 
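Review bot: Gating `MARIADB_X509` on `{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}` ties the `REQUIRE X509` clause to whether keystone itself has a client-certificate secret, so clearing the secret name does two things at once: the job stops mounting `/etc/mysql/certs` (the volumeMount hunk at `@@ -94,7 +94,7 @@` and the volume hunk at `@@ -104,7 +104,7 @@` use the same gate) and, presumably through the cleanup script that consumes this variable, it stops requiring client certificates on the database accounts it touches. The coupling is reasonable but not obvious from the env block; a comment above the guard, `{{/* REQUIRE X509 is only applied when this job itself presents a client certificate */}}`, would record it. The two later hunks in this file share the gate and need no separate comment.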
@@ -104,7 +104,7 @@ spec: configMap: name: "keystone-bin" defaultMode: 0555 -{{- if $envAll.Values.manifests.certificates }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} {{- $local := dict "configMapBinFirst" true -}} diff --git a/keystone/templates/job-db-drop.yaml b/keystone/templates/job-db-drop.yaml index 0da4f4edec..512b8eb243 100644 --- a/keystone/templates/job-db-drop.yaml +++ b/keystone/templates/job-db-drop.yaml @@ -14,7 +14,7 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} {{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 6302d6a1c2..53e9573db1 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "-5" {{- if .Values.manifests.job_db_init }} {{- $dbInitJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} {{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} {{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} 
diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index e5ed0fe3c3..c3e731570c 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -49,9 +49,13 @@ volumeMounts: - name: keystone-fernet-keys mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }} readOnly: true +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }} {{- end }} +{{- end }} {{- define "keystone.templates._job_db_sync.pod_vols" -}} {{- $envAll := index . 0 -}} 
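Review bot: After this hunk the existing ` {{- end }}` context line no longer closes the enclosing `define` (whose header is above the hunk) but the new oslo_messaging `if`, and the added trailing `+{{- end }}` takes over closing the define; with three bare `end`s in a row the nesting can only be verified by counting. Label them so the structure is auditable, e.g. `{{- end }}{{/* if oslo_messaging tls */}}` on the old line and `{{- end }}{{/* define pod_vol_mounts */}}` on the new one (the define's exact name is not visible in the hunk; use whatever it is). The volumes hunk (`@@ -59,9 +63,13 @@`) of this file has the same shape and its final `end` closes `keystone.templates._job_db_sync.pod_vols`.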
@@ -59,9 +63,13 @@ volumes: - name: keystone-fernet-keys secret: secretName: keystone-fernet-keys +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }} +{{- end }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }} {{- end }} +{{- end }} {{- if .Values.manifests.job_db_sync }} {{- $local := dict "podVolMounts" false "podVols" false -}} diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml index 7164623a42..24efacc277 100644 --- a/keystone/templates/job-domain-manage.yaml +++ b/keystone/templates/job-domain-manage.yaml @@ -51,7 +51,7 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} command: 
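Review bot: In `"useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal)` the Go-template `and` returns its last argument when all arguments are truthy, so `useCA` is now the secret name string (or `false` / an empty string) rather than the boolean that the previous `"useCA" .Values.manifests.certificates` passed. If `helm-toolkit.snippets.keystone_openrc_env_vars` only tests the value for truthiness this works, but an `eq $useCA true` style comparison or rendering the value into an env var would break, and the snippet lives in the dependency change linked in the commit message, so it cannot be checked here. Make the value a real boolean: `"useCA" (and .Values.manifests.certificates (not (empty .Values.secrets.tls.identity.api.internal)))`. The same expression appears in the second hunk of this file (`@@ -63,14 +63,16 @@`) and in both env blocks of pod-rally-test.yaml.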
@@ -63,14 +63,16 @@ spec: mountPath: /tmp/domain-manage-init.sh subPath: domain-manage-init.sh readOnly: true +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} containers: - name: keystone-domain-manage {{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- end }} command: @@ -112,7 +114,9 @@ spec: {{- end }} - name: keystone-credential-keys mountPath: {{ .Values.conf.keystone.credential.key_repository }} +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- end }} {{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp 
@@ -137,6 +141,8 @@ spec: - name: keystone-credential-keys secret: secretName: keystone-credential-keys +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }} {{- end }} diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml index 61c0bfdfd7..2bb258e712 100644 --- a/keystone/templates/job-rabbit-init.yaml +++ b/keystone/templates/job-rabbit-init.yaml @@ -19,7 +19,7 @@ helm.sh/hook-weight: "-4" {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}} -{{- if .Values.manifests.certificates -}} +{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} {{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} {{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml index 39b5e6da2e..c3730cc3b8 100644 --- a/keystone/templates/pod-rally-test.yaml +++ b/keystone/templates/pod-rally-test.yaml 
@@ -52,9 +52,11 @@ spec: mountPath: /tmp/ks-user.sh subPath: ks-user.sh readOnly: true +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} +{{- end }} env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} - name: SERVICE_OS_SERVICE_NAME @@ -70,7 +72,7 @@ spec: {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} {{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}} env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- end }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} @@ -95,7 +97,9 @@ spec: mountPath: /var/lib/rally - name: rally-work mountPath: /home/rally/.rally +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} +{{- end }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} volumes: - name: pod-tmp 
@@ -112,6 +116,8 @@ spec: emptyDir: {} - name: rally-work emptyDir: {} +{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} +{{- end }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{- end }} diff --git a/keystone/templates/secret-rabbitmq.yaml b/keystone/templates/secret-rabbitmq.yaml index d48ea2631d..fb7c7041a9 100644 --- a/keystone/templates/secret-rabbitmq.yaml +++ b/keystone/templates/secret-rabbitmq.yaml @@ -15,7 +15,7 @@ limitations under the License. {{- if .Values.manifests.secret_rabbitmq }} {{- $envAll := . }} {{- $rabbitmqProtocol := "http" }} -{{- if $envAll.Values.manifests.certificates }} +{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} {{- $rabbitmqProtocol = "https" }} {{- end }} {{- range $key1, $userClass := tuple "admin" "keystone" }} diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml index 7ea61842fb..e1c7e9e20b 100644 --- a/releasenotes/notes/keystone.yaml +++ b/releasenotes/notes/keystone.yaml @@ -25,4 +25,5 @@ keystone: - 0.2.7 Add Ussuri release support - 0.2.8 Remove member bootstrap logic - 0.2.9 Add Victoria and Wallaby releases support + - 0.2.10 Make internal TLS more robust ...
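Review bot: `{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}` leaves `$rabbitmqProtocol` at its initial `"http"` whenever the oslo_messaging secret name is empty, so the URL this secret carries (presumably per-user, given the `range` over `tuple "admin" "keystone"` below) is then handed to clients over plaintext with no rendering error. That is the intended opt-out, but this line is the single point where the downgrade happens, so document it in place: `{{/* No oslo_messaging TLS secret configured: RabbitMQ URL falls back to plain http */}}` above the `if`. Whether the rendered URL embeds credentials is not visible in the hunk; confirm before wording the comment.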