Merge "Add tls support for ldap"

2018-03-17 02:16:23 +00:00 · 2018-03-17 02:16:23 +00:00 · ac2b8a090b
commit ac2b8a090b
parent c8af030287 90b6aa9d78
3 changed files with 53 additions and 0 deletions
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@ -106,6 +106,12 @@ spec:
            mountPath: /tmp/keystone-api.sh
            subPath: keystone-api.sh
            readOnly: true
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+          - name: keystone-ldap-tls
+            mountPath: /etc/certs/ldap-certs.cert
+            subPath: ldap-certs.cert
+            readOnly: true
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
          - name: keystone-fernet-keys
            mountPath: {{ .Values.conf.keystone.fernet_tokens.key_repository }}
@ -126,6 +132,11 @@ spec:
        configMap:
          name: keystone-bin
          defaultMode: 0555
+{{- if .Values.endpoints.ldap.auth.client.tls.ca }}
+      - name: keystone-ldap-tls
+        secret:
+          secretName: keystone-ldap-tls
+{{- end }}
 {{- if eq .Values.conf.keystone.token.provider "fernet" }}
      - name: keystone-fernet-keys
        secret:
--- a/keystone/templates/secret-ldap-tls.yaml
+++ b/keystone/templates/secret-ldap-tls.yaml
@ -0,0 +1,26 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.ldap.tls }}
+type: Opaque
+data:
+  ldap-certs.cert: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
+{{- end }}
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -747,6 +747,8 @@ secrets:
  oslo_messaging:
    admin: keystone-rabbitmq-admin
    keystone: keystone-rabbitmq-user
+  ldap:
+    tls: keystone-ldap-tls

 # typically overriden by environmental
 # values, but should include all endpoints
@ -833,6 +835,19 @@ endpoints:
    port:
      memcache:
        default: 11211
+  ldap:
+    auth:
+      client:
+        tls:
+          # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
+          # /etc/certs/ldap-certs.cert.  To ensure keystone uses LDAPS, the
+          # following key will need to be overrided under section [ldap] or the
+          # correct domain-specific setting, else it will not be enabled:
+          #
+          #   use_tls: true
+          #   tls_req_cert: allow # Valid values: demand, never, allow
+          #   tls_cacertfile: /etc/certs/ldap-certs.cert # abs path to the CA cert
+          ca: null

 manifests:
  configmap_bin: true
@ -856,5 +871,6 @@ manifests:
  secret_fernet_keys: true
  secret_keystone: true
  secret_rabbitmq: true
+  secret_ldap_tls: false
  service_ingress_api: true
  service_api: true