From c900712f3011fa83ed6dc0b0d1987284d9641937 Mon Sep 17 00:00:00 2001 
From: "Haider, Nafiz (nh532m)" Date: Thu, 28 Jan 2021 00:10:36 -0600 Subject: [PATCH] feat(tls): Make openstack services compatible with rabbitmq TLS Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/770678 Co-authored-by: Sangeet Gupta Change-Id: I11e9ad3f4079b0e12e498f9ed57e5b87ae9dc66a --- cinder/Chart.yaml | 2 +- cinder/templates/deployment-api.yaml | 2 ++ cinder/templates/deployment-backup.yaml | 2 ++ cinder/templates/deployment-scheduler.yaml | 2 ++ cinder/templates/deployment-volume.yaml | 2 ++ cinder/templates/job-rabbit-init.yaml | 3 +++ cinder/values.yaml | 3 +++ cinder/values_overrides/tls.yaml | 5 +++++ glance/Chart.yaml | 2 +- glance/templates/deployment-api.yaml | 6 ++++-- glance/templates/deployment-registry.yaml | 2 ++ glance/templates/job-rabbit-init.yaml | 3 +++ glance/templates/secret-rabbitmq.yaml | 1 + glance/values.yaml | 3 +++ glance/values_overrides/tls.yaml | 10 ++++++++++ heat/Chart.yaml | 2 +- heat/templates/deployment-api.yaml | 2 ++ heat/templates/deployment-engine.yaml | 2 ++ heat/templates/job-rabbit-init.yaml | 3 +++ heat/values.yaml | 3 +++ heat/values_overrides/tls.yaml | 5 +++++ keystone/Chart.yaml | 2 +- keystone/templates/deployment-api.yaml | 2 ++ keystone/templates/job-db-sync.yaml | 2 ++ keystone/templates/job-rabbit-init.yaml | 3 +++ keystone/values.yaml | 3 +++ keystone/values_overrides/tls.yaml | 6 ++++++ neutron/Chart.yaml | 2 +- neutron/templates/daemonset-dhcp-agent.yaml | 2 ++ neutron/templates/daemonset-l2gw-agent.yaml | 2 ++ neutron/templates/daemonset-l3-agent.yaml | 2 ++ neutron/templates/daemonset-lb-agent.yaml | 2 ++ neutron/templates/daemonset-metadata-agent.yaml | 2 ++ neutron/templates/daemonset-ovs-agent.yaml | 2 ++ neutron/templates/daemonset-sriov-agent.yaml | 2 ++ neutron/templates/deployment-ironic-agent.yaml | 2 ++ neutron/templates/deployment-server.yaml | 2 ++ neutron/templates/job-rabbit-init.yaml | 3 +++ neutron/values.yaml | 3 +++ neutron/values_overrides/tls.yaml | 5 +++++ 
nova/Chart.yaml | 2 +- nova/templates/daemonset-compute.yaml | 2 ++ nova/templates/deployment-api-osapi.yaml | 2 ++ nova/templates/deployment-conductor.yaml | 2 ++ nova/templates/deployment-scheduler.yaml | 2 ++ nova/templates/job-rabbit-init.yaml | 3 +++ nova/values.yaml | 3 +++ nova/values_overrides/tls.yaml | 5 +++++ releasenotes/notes/cinder.yaml | 1 + releasenotes/notes/glance.yaml | 1 + releasenotes/notes/heat.yaml | 1 + releasenotes/notes/keystone.yaml | 1 + releasenotes/notes/neutron.yaml | 1 + releasenotes/notes/nova.yaml | 1 + 54 files changed, 133 insertions(+), 8 deletions(-) diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml index 18cfb5ea49..aaff4fa38f 100644 --- a/cinder/Chart.yaml +++ b/cinder/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Cinder name: cinder -version: 0.2.1 +version: 0.2.2 home: https://docs.openstack.org/cinder/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png sources: diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index b4d4618df7..50e091f26c 100644 --- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml 
@@ -154,6 +154,7 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -176,5 +177,6 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index 6fb482e51e..91683e29e2 100755 --- a/cinder/templates/deployment-backup.yaml +++ b/cinder/templates/deployment-backup.yaml 
@@ -268,6 +268,7 @@ spec: subPath: iscsiadm {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -333,5 +334,6 @@ spec: emptyDir: {} {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 5ab9ccdb6e..2c8abfa0a4 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml 
@@ -106,6 +106,7 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -126,5 +127,6 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index ecc6c6115a..f3555f6bed 100755 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml 
@@ -268,6 +268,7 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -330,5 +331,6 @@ spec: {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/job-rabbit-init.yaml b/cinder/templates/job-rabbit-init.yaml index ca92cb21bf..bae46c284e 100644 --- a/cinder/templates/job-rabbit-init.yaml +++ b/cinder/templates/job-rabbit-init.yaml 
@@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "cinder" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index 6d3099f452..25b635dcfd 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1422,6 +1422,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct cinder: username: cinder password: password diff --git a/cinder/values_overrides/tls.yaml b/cinder/values_overrides/tls.yaml index 9b97c7c3b3..27c90d2763 100644 --- a/cinder/values_overrides/tls.yaml +++ b/cinder/values_overrides/tls.yaml @@ -63,6 +63,11 @@ conf: glance_ca_certificates_file: /etc/cinder/certs/ca.crt keystone_authtoken: cafile: /etc/cinder/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key endpoints: identity: diff --git a/glance/Chart.yaml b/glance/Chart.yaml index de8f110ee8..c0f322725a 100644 --- a/glance/Chart.yaml +++ b/glance/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Glance name: glance -version: 0.2.1 +version: 0.2.2 home: https://docs.openstack.org/glance/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png sources: diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 37bdd3ab8e..095065963e 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml 
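Review bot: The `tlsSecret` key set on `$rmqUserJob` here is only honoured by a helm-toolkit that carries the Depends-on change, and the diffstat shows no chart raising its helm-toolkit requirement, so with an older toolkit the key would presumably be ignored and the rabbit-init job would still connect without TLS to a broker that now expects it. Consider recording that dependency next to the new block, e.g. `{{/* tlsSecret requires a helm-toolkit whose job_rabbit_init supports TLS */}}`, or raising the toolkit version the charts require. The same three-line block is added to the glance, heat, keystone, neutron and nova job-rabbit-init.yaml templates. The guard could also reject an override that blanks the secret name, `{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}`, so an empty name is never handed to the job.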
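Review bot: `ssl_cert_file` and `ssl_key_file` point at `tls.crt`/`tls.key` of the volume mounted from `endpoints.oslo_messaging.auth.admin.secret.tls.internal`, whose default `rabbitmq-tls-direct` (values.yaml hunk above) reads like the broker's own serving secret, so every cinder pod receives a copy of the broker's private key. Verifying the broker only needs `ssl_ca_file`; if the broker enforces client-certificate authentication, each service should present its own client key pair from a per-chart secret rather than reusing the server's. The same four lines are added for glance, heat and keystone in their values_overrides/tls.yaml, and the mount is added to every deployment, job and neutron agent DaemonSet in this series (including keystone job-db-sync, which as far as its hunk shows does not use the message bus), placing that key on every node the agents run on. Unless client auth is required, keep only `ssl: true` and `ssl_ca_file: /etc/rabbitmq/certs/ca.crt` and drop the cert/key lines.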
@@ -220,7 +220,8 @@ spec: readOnly: true {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -255,6 +256,7 @@ spec: secretName: {{ .Values.secrets.rbd | quote }} {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} {{- end }} 
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml index af789b7d4d..6d00585407 100644 --- a/glance/templates/deployment-registry.yaml +++ b/glance/templates/deployment-registry.yaml @@ -109,6 +109,7 @@ spec: subPath: policy.json readOnly: true {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -124,5 +125,6 @@ spec: secretName: glance-etc defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/glance/templates/job-rabbit-init.yaml b/glance/templates/job-rabbit-init.yaml index 7550f0f8fe..e557dab4ff 100644 --- a/glance/templates/job-rabbit-init.yaml +++ b/glance/templates/job-rabbit-init.yaml @@ -13,5 +13,8 @@ limitations under the License. */}} {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "glance" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} 
diff --git a/glance/templates/secret-rabbitmq.yaml b/glance/templates/secret-rabbitmq.yaml index 96ce3e4c17..56a84f472b 100644 --- a/glance/templates/secret-rabbitmq.yaml +++ b/glance/templates/secret-rabbitmq.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "glance" }} {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} +{{- $connection := tuple "oslo_messaging" "internal" $userClass "http" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret diff --git a/glance/values.yaml b/glance/values.yaml index be29f490ef..2d939d243c 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -718,6 +718,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct glance: username: glance password: password diff --git a/glance/values_overrides/tls.yaml b/glance/values_overrides/tls.yaml index b96d1e7ee0..f02f3df35b 100644 --- a/glance/values_overrides/tls.yaml +++ b/glance/values_overrides/tls.yaml @@ -11,9 +11,19 @@ conf: glance_store: https_ca_certificates_file: /etc/glance/certs/ca.crt swift_store_cacert: /etc/glance/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key glance_registry: keystone_authtoken: cafile: /etc/glance/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key nginx: | worker_processes 1; daemon off; diff --git a/heat/Chart.yaml b/heat/Chart.yaml index 03cd1ccf24..bb8a02c986 100644 --- a/heat/Chart.yaml +++ b/heat/Chart.yaml 
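Review bot: `$connection` is assigned on the new line but not referenced anywhere in the hunk; if the rest of the template (outside the hunk) still builds the transport URL by other means the assignment is dead, and if it is meant to replace that, the replacement is not in this diff. The lookup also passes `http` as the port name for the `oslo_messaging` endpoint, whereas the broker port in these charts' values is keyed by a different name (`amqp` elsewhere in openstack-helm), so confirm the key exists or the rendered URI will presumably carry no port. The line sits inside the `range` over the `admin`/`glance` user classes, so it is evaluated once per class. Either remove the line or wire `$connection` into the Secret data below it.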
@@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Heat name: heat -version: 0.2.0 +version: 0.2.1 home: https://docs.openstack.org/heat/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png sources: diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index d6ada3736e..4f78246c71 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml @@ -122,6 +122,7 @@ spec: readOnly: true {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -139,5 +140,6 @@ spec: secretName: heat-etc defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml index 2546e7eb02..f4cf496f65 100644 --- a/heat/templates/deployment-engine.yaml +++ b/heat/templates/deployment-engine.yaml 
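Review bot: In the two heat deployment-api hunks the added mount and volume lines reference `$envAll.Values`, while the adjacent tls_volume_mount/tls_volume lines in the same hunks use `.Values`; whether `$envAll` is defined in this template is outside the hunk, and if it is not the template fails to render. If it is in scope the two spellings should be unified, as the glance deployment-api hunk in this series does; if it is not, use `{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` and the matching `.Values` form for the volume line.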
@@ -101,6 +101,7 @@ spec: readOnly: true {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -117,5 +118,6 @@ spec: defaultMode: 0444 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/job-rabbit-init.yaml b/heat/templates/job-rabbit-init.yaml index aeefe41cab..0870358997 100644 --- a/heat/templates/job-rabbit-init.yaml +++ b/heat/templates/job-rabbit-init.yaml 
@@ -13,5 +13,8 @@ limitations under the License. */}} {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "heat" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} diff --git a/heat/values.yaml b/heat/values.yaml index 68f57d34f6..0dc0e00073 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -973,6 +973,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct heat: username: heat password: password diff --git a/heat/values_overrides/tls.yaml b/heat/values_overrides/tls.yaml index ddeb59dfaf..38fff06408 100644 --- a/heat/values_overrides/tls.yaml +++ b/heat/values_overrides/tls.yaml @@ -93,6 +93,11 @@ conf: ca_file: /etc/heat/certs/ca.crt clients_keystone: ca_file: /etc/heat/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key network: api: diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml index 69279cd03a..85340b98a4 100644 --- a/keystone/Chart.yaml +++ b/keystone/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Keystone name: keystone -version: 0.2.2 +version: 0.2.3 home: https://docs.openstack.org/keystone/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png sources: diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index af9a14d06c..e1e8c3fba3 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml 
@@ -149,6 +149,7 @@ spec: mountPath: {{ .Values.conf.keystone.credential.key_repository }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -184,5 +185,6 @@ spec: secretName: keystone-credential-keys {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index 8700ce1355..e5ed0fe3c3 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml 
@@ -50,6 +50,7 @@ volumeMounts: mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }} readOnly: true {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }} {{- end }} {{- define "keystone.templates._job_db_sync.pod_vols" -}} @@ -59,6 +60,7 @@ volumes: secret: secretName: keystone-fernet-keys {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }} {{- end }} {{- if .Values.manifests.job_db_sync }} diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml index 7208d33b6e..61c0bfdfd7 100644 --- a/keystone/templates/job-rabbit-init.yaml +++ b/keystone/templates/job-rabbit-init.yaml @@ -19,5 +19,8 @@ helm.sh/hook-weight: "-4" {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 9e8c04c9d9..e825303178 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
@@ -1153,6 +1153,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct keystone: username: keystone password: password diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml index 7b19d4fad9..6c708c0582 100644 --- a/keystone/values_overrides/tls.yaml +++ b/keystone/values_overrides/tls.yaml @@ -19,6 +19,12 @@ conf: apache2: a2enmod: - ssl + keystone: + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key wsgi_keystone: | {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml index 37055bc30b..e3b13c14fd 100644 --- a/neutron/Chart.yaml +++ b/neutron/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Neutron name: neutron -version: 0.2.0 +version: 0.2.1 home: https://docs.openstack.org/neutron/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png sources: diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index 0e268b7250..e7f863f86c 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml 
@@ -239,6 +239,7 @@ spec: mountPath: /run/netns mountPropagation: Bidirectional {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -263,6 +264,7 @@ spec: hostPath: path: /run/netns {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_dhcp_agent.volumes }}{{ toYaml $mounts_neutron_dhcp_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-l2gw-agent.yaml b/neutron/templates/daemonset-l2gw-agent.yaml index f564bab910..d2149b73a1 100644 --- a/neutron/templates/daemonset-l2gw-agent.yaml +++ b/neutron/templates/daemonset-l2gw-agent.yaml @@ -132,6 +132,7 @@ spec: mountPath: /etc/neutron/l2gw_agent.ini subPath: l2gw_agent.ini readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_l2gw_agent.volumeMounts }}{{ toYaml $mounts_neutron_l2gw_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -146,6 +147,7 @@ spec: secret: secretName: {{ $configMapName }} defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_l2gw_agent.volumes }}{{ toYaml $mounts_neutron_l2gw_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} 
diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 46216d8b94..b59402a1bd 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml @@ -241,6 +241,7 @@ spec: mountPath: /run/netns mountPropagation: Bidirectional {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -271,6 +272,7 @@ spec: hostPath: path: /run/netns {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml index 0e93b8f139..9c5f298a7d 100644 --- a/neutron/templates/daemonset-lb-agent.yaml +++ b/neutron/templates/daemonset-lb-agent.yaml @@ -195,6 +195,7 @@ spec: {{- end }} - name: run mountPath: /run +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp 
@@ -217,6 +218,7 @@ spec: - name: host-rootfs hostPath: path: / +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index 258d558774..af035e8bd1 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -190,6 +190,7 @@ spec: mountPropagation: Bidirectional {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -213,6 +214,7 @@ spec: path: /run/netns {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index b98e25735e..80403c38e5 100644 
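Review bot: The two lines added to daemonset-metadata-agent.yaml read the flag as `$envAll.Values.manifests.certificates` while the existing tls snippet calls directly above them use `.Values.manifests.certificates`, so one pod spec now resolves the same value through two different roots. Presumably both name the chart root in these templates, but the mixed form hurts greppability and invites a mismatch if `$envAll` is ever rebound; the same mixing appears in deployment-server.yaml and in nova's deployment-api-osapi.yaml, deployment-conductor.yaml and deployment-scheduler.yaml, while nova's daemonset-compute.yaml uses `.Values` for its new lines. Suggest matching the adjacent lines in each file, e.g. here `{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` and the matching `.Values` form for the `tls_volume` line.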
--- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml @@ -262,6 +262,7 @@ spec: {{- end }} - name: run mountPath: /run +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_ovs_agent.volumeMounts }}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -292,6 +293,7 @@ spec: path: /sys/bus/pci/devices type: Directory {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml index 9a00d2455b..8f32221a2f 100644 --- a/neutron/templates/daemonset-sriov-agent.yaml +++ b/neutron/templates/daemonset-sriov-agent.yaml @@ -209,6 +209,7 @@ spec: {{- end }} - name: run mountPath: /run +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: host-sys-class-net 
@@ -234,6 +235,7 @@ spec: - name: run hostPath: path: /run +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_sriov_agent.volumes }}{{ toYaml $mounts_neutron_sriov_agent.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/neutron/templates/deployment-ironic-agent.yaml b/neutron/templates/deployment-ironic-agent.yaml index 3fb0f1d65a..7e9e328334 100644 --- a/neutron/templates/deployment-ironic-agent.yaml +++ b/neutron/templates/deployment-ironic-agent.yaml @@ -93,6 +93,7 @@ spec: mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini subPath: ml2_conf.ini readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_ironic_agent.volumeMounts }}{{ toYaml $mounts_neutron_ironic_agent.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -107,5 +108,6 @@ spec: secret: secretName: neutron-etc defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_ironic_agent.volumes }}{{ toYaml $mounts_neutron_ironic_agent.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index 6f254a2c55..36fa6d5b43 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml 
@@ -239,6 +239,7 @@ spec: readOnly: true {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -263,5 +264,6 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/neutron/templates/job-rabbit-init.yaml b/neutron/templates/job-rabbit-init.yaml index a35b2fca10..2bb7fc8ca7 100644 --- a/neutron/templates/job-rabbit-init.yaml +++ b/neutron/templates/job-rabbit-init.yaml 
@@ -19,5 +19,8 @@ helm.sh/hook-weight: "-4" {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "neutron" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index 1b13b91e50..f4c8f51048 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -2245,6 +2245,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct neutron: username: neutron password: password diff --git a/neutron/values_overrides/tls.yaml b/neutron/values_overrides/tls.yaml index b55a16092c..3cd198daf9 100644 --- a/neutron/values_overrides/tls.yaml +++ b/neutron/values_overrides/tls.yaml @@ -77,6 +77,11 @@ conf: cafile: /etc/neutron/certs/ca.crt keystone_authtoken: cafile: /etc/neutron/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key metadata_agent: DEFAULT: auth_ca_cert: /etc/ssl/certs/openstack-helm.crt diff --git a/nova/Chart.yaml b/nova/Chart.yaml index 3e7df46210..e32bcb6783 100644 --- a/nova/Chart.yaml +++ b/nova/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Nova name: nova -version: 0.2.1 +version: 0.2.2 home: https://docs.openstack.org/nova/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png sources: diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index 9d32a168ad..fe14ea3428 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml 
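Review bot: The `oslo_messaging_rabbit` block added to neutron/values_overrides/tls.yaml sets `ssl: true` and points at a client certificate and key under `/etc/rabbitmq/certs`, but nothing in this patch changes the oslo_messaging endpoint's port or scheme, so the transport URL still resolves to whatever the base values define; confirm the override also targets the broker's TLS listener, otherwise the flag is set against a plaintext port. The same block is added to nova/values_overrides/tls.yaml. The new `secret.tls.internal: rabbitmq-tls-direct` default in neutron/values.yaml is the same name nova's values.yaml uses in this patch, so every service presents the same client certificate to the broker; that is sufficient for transport encryption, but if the broker is later configured to authenticate peers by certificate the services become indistinguishable. A comment on the new key such as `# shared client cert; per-service identity needs a distinct secret` would make that trade-off explicit for the next reader.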
@@ -424,6 +424,7 @@ spec: readOnly: true {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} {{- if .Values.network.ssh.enabled }} - name: nova-compute-ssh @@ -536,6 +537,7 @@ spec: emptyDir: {} {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} {{- end }} {{- end }} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 34827a3109..41c1faf5c2 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml 
@@ -128,6 +128,7 @@ spec: {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -148,5 +149,6 @@ spec: defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 14a9aea598..5335a4ce97 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml 
@@ -121,6 +121,7 @@ spec: readOnly: true {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -135,5 +136,6 @@ spec: defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index 0e5b4d019f..b8a465ea94 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml 
@@ -121,6 +121,7 @@ spec: readOnly: true {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -135,5 +136,6 @@ spec: defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/job-rabbit-init.yaml b/nova/templates/job-rabbit-init.yaml index 22ab928761..780a788848 100644 --- a/nova/templates/job-rabbit-init.yaml +++ b/nova/templates/job-rabbit-init.yaml 
@@ -13,5 +13,8 @@ limitations under the License. */}} {{- if .Values.manifests.job_rabbit_init }} {{- $rmqUserJob := dict "envAll" . "serviceName" "nova" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} {{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index 1225bfcd1b..14e05617f0 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1948,6 +1948,9 @@ endpoints: admin: username: rabbitmq password: password + secret: + tls: + internal: rabbitmq-tls-direct nova: username: nova password: password diff --git a/nova/values_overrides/tls.yaml b/nova/values_overrides/tls.yaml index 59a8e7a63c..f6e8040bd7 100644 --- a/nova/values_overrides/tls.yaml +++ b/nova/values_overrides/tls.yaml @@ -140,6 +140,11 @@ conf: cafile: /etc/nova/certs/ca.crt keystone: cafile: /etc/nova/certs/ca.crt + oslo_messaging_rabbit: + ssl: true + ssl_ca_file: /etc/rabbitmq/certs/ca.crt + ssl_cert_file: /etc/rabbitmq/certs/tls.crt + ssl_key_file: /etc/rabbitmq/certs/tls.key endpoints: identity: auth: diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml index 0da9eeb55c..b2e1365694 100644 --- a/releasenotes/notes/cinder.yaml +++ b/releasenotes/notes/cinder.yaml @@ -18,3 +18,4 @@ cinder: - 0.1.15 Fix the problem in hostNetwork mode - 0.2.0 Remove support for releases before T - 0.2.1 Fix the ceph pool creations for openstack services + - 0.2.2 Adding rabbitmq TLS logic diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml index 93f6692cd6..dc926ae00d 100644 --- a/releasenotes/notes/glance.yaml +++ b/releasenotes/notes/glance.yaml @@ -11,3 +11,4 @@ glance: - 0.1.8 Update glance default policy values - 0.2.0 Remove support for releases before T - 0.2.1 Fix the ceph pool creations for openstack services + - 0.2.2 Adding rabbitmq TLS logic 
diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml index 552d5bb46f..d817cf2bac 100644 --- a/releasenotes/notes/heat.yaml +++ b/releasenotes/notes/heat.yaml @@ -7,3 +7,4 @@ heat: - 0.1.4 Revert - Change Issuer to ClusterIssuer - 0.1.5 Change Issuer to ClusterIssuer - 0.2.0 Remove support for releases before T + - 0.2.1 Adding rabbitmq TLS logic diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml index 1909f89eb7..5929e76bd1 100644 --- a/releasenotes/notes/keystone.yaml +++ b/releasenotes/notes/keystone.yaml @@ -18,4 +18,5 @@ keystone: - 0.2.0 Remove support for releases before T - 0.2.1 Remove paste ini config settings - 0.2.2 Make python script PEP8 compliant + - 0.2.3 Adding rabbitmq TLS logic ... diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml index e53a758232..082e9ca2cd 100644 --- a/releasenotes/notes/neutron.yaml +++ b/releasenotes/notes/neutron.yaml @@ -14,3 +14,4 @@ neutron: - 0.1.11 Added the helm.sh/hook, helm.sh/hook-weight annotations - 0.1.12 Removed "name" parameter from Rally tests - 0.2.0 Remove support for releases before T + - 0.2.1 Adding rabbitmq TLS logic diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml index 10221ea923..c8c1218f4c 100644 --- a/releasenotes/notes/nova.yaml +++ b/releasenotes/notes/nova.yaml @@ -22,4 +22,5 @@ nova: - 0.1.19 Host resource scale adjustment about ironic - 0.2.0 Remove support for releases before T - 0.2.1 Remove unnecessary +x permission on gotpl files + - 0.2.2 Adding rabbitmq TLS logic ...