diff --git a/placement/Chart.yaml b/placement/Chart.yaml index 6dcb5f2f49..e475f6e42f 100644 --- a/placement/Chart.yaml +++ b/placement/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Placement name: placement -version: 0.2.12 +version: 0.2.13 home: https://docs.openstack.org/placement/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png sources: diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml index 1ab24bb517..605f952000 100644 --- a/placement/templates/deployment.yaml +++ b/placement/templates/deployment.yaml @@ -64,6 +64,11 @@ spec: {{ tuple $envAll "placement" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ dict "envAll" $envAll "application" "placement" "container" "placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +{{- if or .Values.manifests.certificates .Values.tls.identity }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/etc/placement/certs/ca.crt" +{{- end }} command: - /tmp/placement-api.sh - start @@ -118,7 +123,7 @@ spec: subPath: wsgi-placement.conf readOnly: true {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -134,6 +139,6 @@ spec: secretName: placement-etc defaultMode: 0444 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml index 111ba33a40..bfb0bd2831 100644 --- a/placement/templates/job-ks-endpoints.yaml +++ b/placement/templates/job-ks-endpoints.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "1" {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml index 10e45bd61e..3f05eb0654 100644 --- a/placement/templates/job-ks-service.yaml +++ b/placement/templates/job-ks-service.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "-2" {{- if .Values.manifests.job_ks_service }} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml index 2c1a00232c..056938bdda 100644 --- a/placement/templates/job-ks-user.yaml +++ b/placement/templates/job-ks-user.yaml @@ -21,7 +21,7 @@ helm.sh/hook-weight: "-1" {{- if .Values.manifests.job_ks_user }} {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}} -{{- if .Values.manifests.certificates -}} +{{- if or .Values.manifests.certificates .Values.tls.identity -}} {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} diff --git a/placement/values.yaml b/placement/values.yaml index 4566dca42f..198b949365 100644 --- a/placement/values.yaml +++ b/placement/values.yaml @@ -513,6 +513,11 @@ dependencies: # set helm3_hook: false when using the helm2 binary. helm3_hook: true +tls: + identity: false + oslo_messaging: false + oslo_db: false + manifests: certificates: false configmap_bin: true diff --git a/placement/values_overrides/tls-offloading.yaml b/placement/values_overrides/tls-offloading.yaml new file mode 100644 index 0000000000..ff972853ea --- /dev/null +++ b/placement/values_overrides/tls-offloading.yaml @@ -0,0 +1,12 @@ +--- +endpoints: + identity: + auth: + admin: + cacert: /etc/ssl/certs/openstack-helm.crt + placement: + cacert: /etc/ssl/certs/openstack-helm.crt + +tls: + identity: true +... diff --git a/releasenotes/notes/placement.yaml b/releasenotes/notes/placement.yaml index 081a1c6791..094f412e78 100644 --- a/releasenotes/notes/placement.yaml +++ b/releasenotes/notes/placement.yaml @@ -21,4 +21,5 @@ placement: - 0.2.10 Added OCI registry authentication - 0.2.11 Distinguish between port number of internal endpoint and binding port number - 0.2.12 Use HTTP probe instead of TCP probe + - 0.2.13 Support TLS endpoints ...