Support TLS for identity endpoint in Rally
Change-Id: I37dddb76ef1b96fe0daf630d0d8a2c843de0a6a2
parent
ced30abead
commit
85943e2433
@ -14,7 +14,7 @@ apiVersion: v1
|
|||||||
appVersion: v1.0.0
|
appVersion: v1.0.0
|
||||||
description: OpenStack-Helm rally
|
description: OpenStack-Helm rally
|
||||||
name: rally
|
name: rally
|
||||||
version: 0.2.6
|
version: 0.2.7
|
||||||
home: https://docs.openstack.org/developer/rally
|
home: https://docs.openstack.org/developer/rally
|
||||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/rally/OpenStack_Project_rally_vertical.png
|
icon: https://www.openstack.org/themes/openstack/images/project-mascots/rally/OpenStack_Project_rally_vertical.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -21,6 +21,11 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- $serviceAccountName := "rally-bootstrap" }}
|
{{- $serviceAccountName := "rally-bootstrap" }}
|
||||||
{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
|
||||||
|
{{- $tlsSecret := "" -}}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
|
{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
|
||||||
|
{{- end -}}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -45,7 +50,7 @@ spec:
|
|||||||
{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
@ -57,6 +62,7 @@ spec:
|
|||||||
mountPath: /tmp/bootstrap.sh
|
mountPath: /tmp/bootstrap.sh
|
||||||
subPath: bootstrap.sh
|
subPath: bootstrap.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_rally_bootstrap.volumeMounts }}{{ toYaml $mounts_rally_bootstrap.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_rally_bootstrap.volumeMounts }}{{ toYaml $mounts_rally_bootstrap.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -65,6 +71,7 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: rally-bin
|
name: rally-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_rally_bootstrap.volumes }}{{ toYaml $mounts_rally_bootstrap.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_rally_bootstrap.volumes }}{{ toYaml $mounts_rally_bootstrap.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
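Review bot: The new `$tlsSecret` block in the bootstrap job sits before the `---` separator and closes with `{{- end -}}`, so the trailing `-}}` strips the newline in front of `---` while the leading `{{-` on the first statement strips the newlines after the service-account include. Unless that snippet's output ends with a newline (not visible from here), the document separator would be glued to its last line. The ks-endpoints and ks-service templates in this commit place the same block after `---` and close with `{{- end }}`; I would use that placement here as well and confirm the result with a `helm template` render. The template begins and ends outside these hunks.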
|
@ -18,6 +18,10 @@ limitations under the License.
|
|||||||
{{- $serviceAccountName := "rally-ks-endpoints" }}
|
{{- $serviceAccountName := "rally-ks-endpoints" }}
|
||||||
{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
|
{{- $tlsSecret := "" -}}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
|
{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
|
||||||
|
{{- end }}
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
@ -55,8 +59,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-endpoints.sh
|
mountPath: /tmp/ks-endpoints.sh
|
||||||
subPath: ks-endpoints.sh
|
subPath: ks-endpoints.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: OS_SVC_ENDPOINT
|
- name: OS_SVC_ENDPOINT
|
||||||
@ -76,4 +81,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: rally-bin
|
name: rally-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
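Review bot: `$tlsSecret = .Values.secrets.tls.identity.api.internal | default ""` turns an empty secret name into "TLS off" without any signal. With `tls.identity` or `manifests.certificates` set but the name empty, the CA volume, its mount and `useCA` are all dropped, so the misconfiguration presumably only shows up later as a certificate verification failure inside the job. Failing at render time is clearer: `{{- $tlsSecret = required "secrets.tls.identity.api.internal must be set when identity TLS is enabled" .Values.secrets.tls.identity.api.internal -}}`. The same line appears in the bootstrap and ks-service job templates, and the ks-user job passes the value on with no check at all.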
|
@ -18,6 +18,10 @@ limitations under the License.
|
|||||||
{{- $serviceAccountName := "rally-ks-service" }}
|
{{- $serviceAccountName := "rally-ks-service" }}
|
||||||
{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
|
{{- $tlsSecret := "" -}}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
|
{{- $tlsSecret = .Values.secrets.tls.identity.api.internal | default "" -}}
|
||||||
|
{{- end }}
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
@ -54,8 +58,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-service.sh
|
mountPath: /tmp/ks-service.sh
|
||||||
subPath: ks-service.sh
|
subPath: ks-service.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: OS_SERVICE_NAME
|
- name: OS_SERVICE_NAME
|
||||||
@ -70,4 +75,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: rally-bin
|
name: rally-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -20,6 +20,10 @@ helm.sh/hook-weight: "1"
|
|||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "rally" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "rally" -}}
|
||||||
|
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -65,6 +65,11 @@ spec:
|
|||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/rally/certs/ca.crt"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: ENABLED_TESTS
|
- name: ENABLED_TESTS
|
||||||
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.enabled_tasks }}
|
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.enabled_tasks }}
|
||||||
@ -89,6 +94,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: rally-reports
|
- name: rally-reports
|
||||||
mountPath: /var/lib/rally/data
|
mountPath: /var/lib/rally/data
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal "path" "/etc/rally/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -112,4 +118,5 @@ spec:
|
|||||||
- name: rally-reports
|
- name: rally-reports
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: {{ .Values.pvc.name }}
|
claimName: {{ .Values.pvc.name }}
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
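Review bot: `REQUESTS_CA_BUNDLE` is set to the literal `/etc/rally/certs/ca.crt`, which only works while it matches the `"path" "/etc/rally/certs"` passed to `tls_volume_mount` further down and the secret carries a `ca.crt` key; the template states neither link. A comment above the env entry would help, e.g. `# must match the tls_volume_mount path below; replaces the default trust store for Python requests`, because any HTTPS endpoint the tasks reach that is signed by a different CA will then fail verification. The expression `or .Values.manifests.certificates .Values.tls.identity` is repeated three times in this file, and a single `$tlsEnabled` variable, in the way the job templates use `$tlsSecret`, would keep the three in step. Unlike the jobs, the `keystone_openrc_env_vars` call here does not pass `useCA`; worth confirming that is intended.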
|
@ -207,6 +207,11 @@ secrets:
|
|||||||
rally: rally-db-user
|
rally: rally-db-user
|
||||||
oci_image_registry:
|
oci_image_registry:
|
||||||
rally: rally-oci-image-registry
|
rally: rally-oci-image-registry
|
||||||
|
tls:
|
||||||
|
identity:
|
||||||
|
api:
|
||||||
|
public: keystone-tls-public
|
||||||
|
internal: keystone-tls-api
|
||||||
|
|
||||||
endpoints:
|
endpoints:
|
||||||
cluster_domain_suffix: cluster.local
|
cluster_domain_suffix: cluster.local
|
||||||
@ -4022,6 +4027,9 @@ conf:
|
|||||||
# set helm3_hook: false when using the helm2 binary.
|
# set helm3_hook: false when using the helm2 binary.
|
||||||
helm3_hook: true
|
helm3_hook: true
|
||||||
|
|
||||||
|
tls:
|
||||||
|
identity: false
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
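Review bot: The new `tls.identity: false` switch has no comment, and the templates also key off `.Values.manifests.certificates`, which the visible `manifests:` lines do not define (the block continues outside the hunk). I would document the switch where it is declared, e.g. `# Mount the Keystone CA from secrets.tls.identity.api.internal into the rally jobs and test pod`, and add an explicit `certificates: false` under `manifests:` if it is not already there. `secrets.tls.identity.api.public` is added as well but no template shown in this commit reads it.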
|
14
rally/values_overrides/tls-offloading.yaml
Normal file
14
rally/values_overrides/tls-offloading.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
endpoints:
|
||||||
|
identity:
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
rally:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
test:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
|
||||||
|
tls:
|
||||||
|
identity: true
|
||||||
|
...
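Review bot: This override points all three `cacert` values at `/etc/ssl/certs/openstack-helm.crt`, while the test pod template in this commit exports `/etc/rally/certs/ca.crt` and the jobs pass no path to `tls_volume_mount`, so more than one CA location is in play and nothing here says which file each consumer reads. A short header comment would save the reader from tracing it, e.g. `# Enables CA mounting for rally; requires the secret named in secrets.tls.identity.api.internal to exist in the namespace`. It would also be worth stating where `openstack-helm.crt` comes from, since that is not visible in this change.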
|
@ -9,4 +9,5 @@ rally:
|
|||||||
- 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version
|
- 0.2.4 Migrated PodDisruptionBudget resource to policy/v1 API version
|
||||||
- 0.2.5 Add helm hook for jobs
|
- 0.2.5 Add helm hook for jobs
|
||||||
- 0.2.6 Added OCI registry authentication
|
- 0.2.6 Added OCI registry authentication
|
||||||
|
- 0.2.7 Support TLS for identity endpoint
|
||||||
...
|
...
|
||||||
|