Merge "Add tls support for ldap"

Zuul 2018-03-17 02:16:23 +00:00 committed by Gerrit Code Review
commit ac2b8a090b
3 changed files with 53 additions and 0 deletions


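--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -106,6 +106,12 @@ spec:
 mountPath: /tmp/keystone-api.sh
 subPath: keystone-api.sh
 readOnly: true
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+- name: keystone-ldap-tls
+mountPath: /etc/certs/ldap-certs.cert
+subPath: ldap-certs.cert
+readOnly: true
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
 mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
@@ -126,6 +132,11 @@ spec:
 configMap:
 name: keystone-bin
 defaultMode: 0555
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+- name: keystone-ldap-tls
+secret:
+secretName: keystone-ldap-tls
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
 - name: keystone-fernet-keys
 secret: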
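Review bot: The volume entry `secretName: keystone-ldap-tls` hard-codes the Secret name, while the values change in this same commit introduces `secrets.ldap.tls` for exactly that name and the new secret template renders its `metadata.name` from it; an operator who overrides `secrets.ldap.tls` gets a Deployment pointing at a Secret that is never created. Use `secretName: {{ .Values.secrets.ldap.tls }}` so the two cannot drift. The guard on both hunks, `{{- if .Values.endpoints.ldap.auth.client.tls.ca }}`, also differs from the secret template's `{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }}`, and since `manifests.secret_ldap_tls` defaults to `false`, setting only the CA value yields a pod whose volume references a missing Secret and never starts; the mount and the volume should use the same `and` condition. The enclosing volumeMounts and volumes lists start and end outside the hunk.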


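--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,26 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Values.secrets.ldap.tls }}
+type: Opaque
+data:
+ldap-certs.cert: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
+{{- end }}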
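Review bot: The `| default ""` on the `ldap-certs.cert` line can never take effect, because the enclosing `{{- if and ... .Values.endpoints.ldap.auth.client.tls.ca }}` already skips the whole document when the CA value is empty; either drop it, `ldap-certs.cert: {{ .Values.endpoints.ldap.auth.client.tls.ca | b64enc }}`, or drop the `.ca` term from the guard if rendering an empty Secret is the intent. The data key `ldap-certs.cert` must match the `subPath` used by the API deployment's mount and nothing records that coupling; a comment above the key such as `# key name must match the subPath of the keystone-ldap-tls volumeMount` would protect the next edit. Note also that `b64enc` encodes the supplied value verbatim, so the CA has to be given as the PEM text rather than a file path.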


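--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -747,6 +747,8 @@ secrets:
 oslo_messaging:
 admin: keystone-rabbitmq-admin
 keystone: keystone-rabbitmq-user
+ldap:
+tls: keystone-ldap-tls
 # typically overriden by environmental
 # values, but should include all endpoints
@@ -833,6 +835,19 @@ endpoints:
 port:
 memcache:
 default: 11211
+ldap:
+auth:
+client:
+tls:
+# NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
+# /etc/certs/ldap-certs.cert. To ensure keystone uses LDAPS, the
+# following key will need to be overrided under section [ldap] or the
+# correct domain-specific setting, else it will not be enabled:
+#
+# use_tls: true
+# tls_req_cert: allow # Valid values: demand, never, allow
+# tls_cacertfile: /etc/certs/ldap-certs.cert # abs path to the CA cert
+ca: null
 manifests:
 configmap_bin: true
@@ -856,5 +871,6 @@ manifests:
 secret_fernet_keys: true
 secret_keystone: true
 secret_rabbitmq: true
+secret_ldap_tls: false
 service_ingress_api: true
 service_api: true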
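Review bot: The example in the new NOTE comment, `tls_req_cert: allow`, does not make keystone reject an LDAP server whose certificate fails to validate against the CA this change ships, so an operator copying the snippet gets the mounted CA file but not the verification it exists for; since a CA is being provided, the example should read `tls_req_cert: demand` with `allow`/`never` listed only as weaker options. The comment also says "Specify a CA value here" without saying what form the value takes, and the secret template base64-encodes it as-is, so it should state that the PEM contents of the CA certificate go under `ca`, not a path. While touching the comment, `overrided` should be `overridden` and "Specify a CA value here will place" reads better as "Specifying a CA value here places".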