From 52444cf3c88c00ab6aefb8791656c81c4e904e63 Mon Sep 17 00:00:00 2001
From: josebb <jose.bautista.barato@gmail.com>
Date: Thu, 2 Dec 2021 19:00:35 +0200
Subject: [PATCH] Support TLS endpoints in barbican

This allows barbican to consume TLS OpenStack endpoints.
The jobs consume OpenStack endpoints, typically identity endpoints,
and barbican itself interacts with other OpenStack services via
endpoints.

Change-Id: I890f909fc6466b696ee64aa7dfdd528934fccb2d
---
 barbican/Chart.yaml                           |  2 +-
 barbican/templates/deployment-api.yaml        |  6 +++---
 barbican/templates/job-bootstrap.yaml         |  2 +-
 barbican/templates/job-ks-endpoints.yaml      |  2 +-
 barbican/templates/job-ks-service.yaml        |  2 +-
 barbican/templates/job-ks-user.yaml           |  2 +-
 barbican/values.yaml                          |  5 +++++
 barbican/values_overrides/tls-offloading.yaml | 12 ++++++++++++
 releasenotes/notes/barbican.yaml              |  1 +
 9 files changed, 26 insertions(+), 8 deletions(-)
 create mode 100644 barbican/values_overrides/tls-offloading.yaml

diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml
index 2f346cb491..d3c5be8e14 100644
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.2.18
+version: 0.2.19
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index 6bb7dd05f2..4e281d9104 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -65,7 +65,7 @@ spec:
             - /tmp/barbican.sh
             - start
           env:
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
             - name: REQUESTS_CA_BUNDLE
               value: "/etc/barbican/certs/ca.crt"
 {{- end }}
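Review bot: Setting `REQUESTS_CA_BUNDLE` on the new `or` branch replaces the container's default trust store for every `requests`-based HTTPS call, not only the identity one, so with `tls.identity: true` every TLS service barbican reaches must chain to the CA in `/etc/barbican/certs/ca.crt`. If the mounted secret has no `ca.crt` entry the verification fails closed, which is the safe outcome but is hard to diagnose from the template. A one-line template comment above the `if` would make the blast radius explicit: `{{/* REQUESTS_CA_BUNDLE replaces the system trust store: the CA in ca.crt must sign every TLS endpoint barbican consumes, not just identity. */}}`. The enclosing container spec starts before this hunk.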
@@ -119,7 +119,7 @@ spec:
               subPath: barbican.sh
               readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
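Review bot: The `/etc/barbican/certs` mount is now enabled by `.Values.tls.identity` alone, but it still references `.Values.secrets.tls.key_manager.api.internal`, the API's own server-certificate secret, and with the default `manifests.certificates: false` (values.yaml hunk) the chart presumably does not create that secret, so an operator who sets only `tls.identity: true` must pre-provision it with a `ca.crt` key or the pod will not start on the missing secret. Reusing the server-certificate secret as the trust anchor for the identity endpoint also couples two distinct concerns: the CA that signed Keystone and the cert barbican serves. The same coupling appears in the volume hunk below (`tls_volume` at the `(or ...)` line) and in the `tlsSecret` lines of job-bootstrap.yaml, job-ks-endpoints.yaml, job-ks-service.yaml and job-ks-user.yaml. Consider a dedicated value for the CA secret name, or at minimum a comment next to `tls.identity` in values.yaml stating which secret must exist and that it needs a `ca.crt` entry.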
@@ -137,7 +137,7 @@ spec:
             name: barbican-bin
             defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
diff --git a/barbican/templates/job-bootstrap.yaml b/barbican/templates/job-bootstrap.yaml
index 7555aec912..da4392daf6 100644
--- a/barbican/templates/job-bootstrap.yaml
+++ b/barbican/templates/job-bootstrap.yaml
@@ -24,7 +24,7 @@ helm.sh/hook-weight: "5"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml
index 248a54f3a4..cd5d9bc85a 100644
--- a/barbican/templates/job-ks-endpoints.yaml
+++ b/barbican/templates/job-ks-endpoints.yaml
@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml
index 7a05e53311..08a93d0ba0 100644
--- a/barbican/templates/job-ks-service.yaml
+++ b/barbican/templates/job-ks-service.yaml
@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml
index 6900013164..c74bf31d32 100644
--- a/barbican/templates/job-ks-user.yaml
+++ b/barbican/templates/job-ks-user.yaml
@@ -24,7 +24,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
 {{- end -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.key_manager.api.internal -}}
 {{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 0e0a45c78d..93b7661fa5 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -677,6 +677,11 @@ endpoints:
       ingress:
         default: 80
 
+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
   certificates: false
   configmap_bin: true
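Review bot: `tls.oslo_messaging` and `tls.oslo_db` are introduced here but no hunk in this patch reads them; every template change only tests `.Values.tls.identity`. Unless existing templates outside the diff already consume those keys, they are dead configuration that implies a TLS switch for RabbitMQ and MySQL which the chart does not actually honour, and an operator flipping them to `true` would get no change in behaviour. Either drop the two keys until they are wired up, or document them as reserved. The new section also has no comment; something like `# identity: true mounts secrets.tls.key_manager.api.internal at /etc/barbican/certs and sets REQUESTS_CA_BUNDLE to its ca.crt; the secret must exist when manifests.certificates is false` captures what the deployment hunks do.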
diff --git a/barbican/values_overrides/tls-offloading.yaml b/barbican/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..99fbe5a412
--- /dev/null
+++ b/barbican/values_overrides/tls-offloading.yaml
@@ -0,0 +1,12 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      barbican:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+  identity: true
+...
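Review bot: This override sets `cacert` to `/etc/ssl/certs/openstack-helm.crt` while the API deployment in the same change trusts `/etc/barbican/certs/ca.crt`, so the identity endpoint is verified against two different file paths depending on which workload connects. The `/etc/ssl/certs/openstack-helm.crt` path appears to rely on where the helm-toolkit ks job templates mount `tlsSecret`, which is not visible in this diff; if that assumption is wrong the ks jobs fail verification. It is also not clear from the diff whether `endpoints.identity.auth.barbican.cacert` is consumed by the API deployment at all. A header comment stating the prerequisite and the path assumption would help, for example `# Requires the secret named in secrets.tls.key_manager.api.internal to exist with a ca.crt entry; the cacert paths below must match where the ks jobs and the API mount it.`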
diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml
index bd576cd5ee..2b5b682c95 100644
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@@ -22,4 +22,5 @@ barbican:
   - 0.2.16 Distinguish between port number of internal endpoint and binding port number
   - 0.2.17 Use HTTP probe instead of TCP probe
   - 0.2.18 Support TLS for ks jobs
+  - 0.2.19 Support SSL offloading at reverse proxy for internal and admin endpoints
 ...