From 6ed9a4132ecd0dd54613c2779f7bb108fefb635c Mon Sep 17 00:00:00 2001
From: "Anselme, Schubert (sa246v)"
Date: Tue, 5 Dec 2023 09:03:11 -0500
Subject: [PATCH] Make barbican & keystone TLS configuration granular

Change-Id: Ibdcb202d8f813a248df3f0743b949e9befe18c7a
Signed-off-by: Anselme, Schubert (sa246v)
---
 barbican/Chart.yaml | 2 +-
 barbican/templates/deployment-api.yaml | 12 ++++++------
 barbican/templates/job-rabbit-init.yaml | 2 +-
 barbican/values_overrides/tls.yaml | 4 ++++
 keystone/Chart.yaml | 2 +-
 keystone/templates/deployment-api.yaml | 26 ++++++++-----------------
 keystone/templates/job-rabbit-init.yaml | 2 +-
 keystone/values_overrides/tls.yaml | 4 ++++
 releasenotes/notes/barbican.yaml | 1 +
 releasenotes/notes/keystone.yaml | 1 +
 10 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml
index 710c046558..1911c5c2b4 100644
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.3.7
+version: 0.3.8
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index 4e281d9104..de26c3168c 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -118,9 +118,9 @@ spec:
 mountPath: /tmp/barbican.sh
 subPath: barbican.sh
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.key_manager.api.internal "path" "/etc/barbican/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }}
 volumes:
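Review bot: The three new `tls_volume_mount` lines gate only on the `.Values.tls.*` flag and pass the secret name through unchecked, so a values set with `tls.oslo_db: true` (or `tls.oslo_messaging: true`) but an empty `endpoints.*.auth.admin.secret.tls.internal` can render a mount with no backing secret name — unless `helm-toolkit.snippets.tls_volume_mount` validates `.name` itself, which is not visible here. The job-rabbit-init hunk in this same patch keeps an `and <flag> <secret name>` guard, and the keystone deployment-api hunks at `@@ -150,15` and `@@ -192,14` drop the explicit guard they previously had, so the deployment templates are now the odd ones out. Folding the secret check into the flag keeps the templates consistent, e.g. `{{- dict "enabled" (and .Values.tls.oslo_db .Values.endpoints.oslo_db.auth.admin.secret.tls.internal) "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}`, with the same shape for the oslo_messaging line and for the `tls_volume` hunk at `@@ -136,9`. The enclosing container spec starts before this hunk.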
@@ -136,9 +136,9 @@ spec:
 configMap:
 name: barbican-bin
 defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.key_manager.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/barbican/templates/job-rabbit-init.yaml b/barbican/templates/job-rabbit-init.yaml
index 45ca6aa871..0f9839e980 100644
--- a/barbican/templates/job-rabbit-init.yaml
+++ b/barbican/templates/job-rabbit-init.yaml
@@ -21,7 +21,7 @@ helm.sh/hook-weight: "-4"
 {{- if .Values.manifests.job_rabbit_init }}
 {{- $rmqUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if and .Values.tls.oslo_messaging .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.barbican.enabled -}}
diff --git a/barbican/values_overrides/tls.yaml b/barbican/values_overrides/tls.yaml
index 99667ca857..8d73b4a4c4 100644
--- a/barbican/values_overrides/tls.yaml
+++ b/barbican/values_overrides/tls.yaml
@@ -1,4 +1,8 @@
 ---
 manifests:
 certificates: true
+tls:
+ identity: true
+ oslo_messaging: true
+ oslo_db: true
 ...
diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 6284033213..fb037b5544 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.3.6
+version: 0.3.7
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index c9e8d0f908..978feb50ab 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
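Review bot: The `values_overrides/tls.yaml` hunk is the only place the new `tls.oslo_db` and `tls.oslo_messaging` keys are defined — the diffstat lists no change to `barbican/values.yaml` or `keystone/values.yaml`, so unless those files already carry the keys (not visible here) the chart defaults are undocumented and differ from the old behaviour. Concretely, an operator who enabled TLS with `manifests.certificates: true` alone will, after this change, get an API pod rendered without the MySQL and RabbitMQ certificate mounts and no render-time error, which is a silent downgrade of the database and messaging connections; and if a chart's `values.yaml` has no `tls:` map at all, `.Values.tls.oslo_db` is likely to fail rendering with a nil-pointer evaluation error. Adding explicit defaults to each chart's `values.yaml`, e.g. `tls: {identity: false, oslo_messaging: false, oslo_db: false}` with a comment that these replace the old `manifests.certificates` coupling, makes the keys discoverable and keeps the template total; the same applies to the keystone `values_overrides/tls.yaml` hunk at `@@ -87,4`.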
@@ -150,15 +150,10 @@ spec:
 {{- end }}
 - name: keystone-credential-keys
 mountPath: {{ .Values.conf.keystone.credential.key_repository }}
-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
-{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
+{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+
 {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
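Review bot: The three added lines mix `.Values.tls.oslo_db` / `.Values.tls.identity` with `$envAll.Values.tls.oslo_messaging` and `$envAll.Values.endpoints...` for what is the same value root, which makes a reader check whether `.` has been rebound inside this container spec before trusting the first two lines. Since the commit is already rewriting all three, it is worth settling on one form, e.g. `{{- dict "enabled" $envAll.Values.tls.oslo_db "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` and likewise for the identity line; the same mix appears in the `@@ -192,14` hunk and in both barbican deployment-api hunks. The container spec this sits in starts before the hunk.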
@@ -192,14 +187,9 @@ spec:
 - name: keystone-credential-keys
 secret:
 secretName: keystone-credential-keys
-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
-{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
+{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+
 {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml
index 02390adf9d..e07bd1e4b8 100644
--- a/keystone/templates/job-rabbit-init.yaml
+++ b/keystone/templates/job-rabbit-init.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-4"
 {{- if .Values.manifests.job_rabbit_init }}
 {{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
-{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- if and .Values.tls.oslo_messaging .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.keystone.enabled -}}
diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml
index 416194ab9b..cded837b1d 100644
--- a/keystone/values_overrides/tls.yaml
+++ b/keystone/values_overrides/tls.yaml
@@ -87,4 +87,8 @@ endpoints:
 default: 15680
 manifests:
 certificates: true
+tls:
+ identity: true
+ oslo_messaging: true
+ oslo_db: true
 ...
diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml
index d08f1d5b66..c24de3b72c 100644
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@@ -31,4 +31,5 @@ barbican:
 - 0.3.5 Add Ubuntu Jammy overrides
 - 0.3.6 Add 2023.2 Ubuntu Jammy overrides
 - 0.3.7 Fix TLS connection to rabbitmq, and generate barbican certificate
+ - 0.3.8 Make barbican TLS configuration granular
 ...
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index b537ceb1b5..cae533ab15 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -53,4 +53,5 @@ keystone:
 - 0.3.4 Add Ubuntu Jammy overrides
 - 0.3.5 Add 2023.2 Ubuntu Jammy overrides
 - 0.3.6 Use region option in keystone endpoint-update.py
+ - 0.3.7 Make keystone TLS configuration granular
 ...