Support TLS endpoints in keystone

This allows ks-bootstrap job to consume TLS endpoint. Change-Id: I02c07878376934b27888dc643e42ebf1a4caf0ce
2021-12-01 18:42:05 +02:00 · 2021-12-01 18:42:05 +02:00 · 5e1e535dd8
commit 5e1e535dd8
parent ced30abead
5 changed files with 27 additions and 2 deletions
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.28
+version: 0.2.29
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
--- a/keystone/templates/job-bootstrap.yaml
+++ b/keystone/templates/job-bootstrap.yaml
@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"

 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
+{{- if and ( or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.identity.api.internal -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.keystone.enabled -}}
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -1087,6 +1087,11 @@ endpoints:
      ingress:
        default: 80

+tls:
+  identity: false
+  oslo_messaging: false
+  oslo_db: false
+
 manifests:
  certificates: false
  configmap_bin: true
--- a/keystone/values_overrides/tls-custom.yaml
+++ b/keystone/values_overrides/tls-custom.yaml
@ -0,0 +1,19 @@
+---
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+      test:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+
+secrets:
+  tls:
+    identity:
+      api:
+        # manually created
+        internal: keystone-tls-api
+
+tls:
+  identity: true
+...
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@ -44,4 +44,5 @@ keystone:
  - 0.2.26 Add Xena and Yoga values overrides
  - 0.2.27 Use LOG.warning instead of deprecated LOG.warn
  - 0.2.28 Added OCI registry authentication
+  - 0.2.29 Support TLS endpoints
 ...