From 040aa3b774bf6f5149970dce45157550984b161d Mon Sep 17 00:00:00 2001 From: "Haider, Nafiz (nh532m)" Date: Tue, 29 Jun 2021 14:50:47 -0400 Subject: [PATCH] Allow Barbican to talk to TLS'd mariadb Barbican is NOT tls'ed, this is only for communicating with tls'd mariadb Change-Id: Ia9598095456f35585eafa68f665d2a763e208571 --- barbican/Chart.yaml | 2 +- barbican/templates/configmap-etc.yaml | 7 ++++++- barbican/templates/deployment-api.yaml | 2 ++ barbican/templates/job-db-drop.yaml | 3 +++ barbican/templates/job-db-init.yaml | 3 +++ barbican/templates/job-db-sync.yaml | 3 +++ barbican/templates/secret-db.yaml | 7 ++++++- barbican/values.yaml | 4 ++++ barbican/values_overrides/tls.yaml | 4 ++++ releasenotes/notes/barbican.yaml | 1 + 10 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 barbican/values_overrides/tls.yaml diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml index f406dc7af8..e71b3e8d26 100644 --- a/barbican/Chart.yaml +++ b/barbican/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Barbican name: barbican -version: 0.2.5 +version: 0.2.6 home: https://docs.openstack.org/barbican/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png sources: diff --git a/barbican/templates/configmap-etc.yaml b/barbican/templates/configmap-etc.yaml index aa30afbbe2..44b37fa715 100644 --- a/barbican/templates/configmap-etc.yaml +++ b/barbican/templates/configmap-etc.yaml 
@@ -50,7 +50,12 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.barbican.DEFAULT.sql_connection -}} -{{- $_ := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.barbican.DEFAULT "sql_connection" -}} +{{- $connection := tuple "oslo_db" "internal" "barbican" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.barbican.DEFAULT "sql_connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.barbican.DEFAULT "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.barbican.DEFAULT.transport_url -}} diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml index 05414c02c3..4a3a6ea042 100644 --- a/barbican/templates/deployment-api.yaml +++ b/barbican/templates/deployment-api.yaml @@ -108,6 +108,7 @@ spec: mountPath: /tmp/barbican.sh subPath: barbican.sh readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_barbican_api.volumeMounts }}{{ toYaml $mounts_barbican_api.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -122,5 +123,6 @@ spec: configMap: name: barbican-bin defaultMode: 0555 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_barbican_api.volumes }}{{ toYaml $mounts_barbican_api.volumes | indent 8 }}{{ end }} {{- end }} 
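Review bot: The `else` branch of the new `manifests.certificates` switch writes the key `connection` into `.Values.conf.barbican.DEFAULT`, but the line it replaces wrote `sql_connection`, which is also the `configDbKey` the db-init and db-drop jobs in this same patch read from section `DEFAULT`; with TLS disabled, `DEFAULT.sql_connection` therefore stays empty and an unused `DEFAULT.connection` lands in barbican.conf instead. It should read `{{- $_ := set .Values.conf.barbican.DEFAULT "sql_connection" $connection -}}`. On the TLS branch the string ends with `ssl_verify_cert` and no `ssl_verify_identity`; if the MySQL driver in the image treats chain verification and hostname verification as separate switches, as some drivers (e.g. PyMySQL) do, any certificate signed by `ca.crt` is accepted regardless of the server name, so either append `&ssl_verify_identity` or record in a comment why hostname checking is intentionally off.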
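Review bot: The API deployment mounts the TLS secret configured under `endpoints.oslo_db.auth.admin`, yet the pod connects with the non-admin `barbican` credentials (the `sql_connection` rendered in configmap-etc.yaml), so the service pod's client certificate is tied to the root user's configuration. If one shared client certificate is intended, say so in values.yaml; if per-user client certificates are intended, add a `barbican`-scoped `secret.tls.internal` and reference it here so the long-running service pod never needs the admin's private key. I cannot see `helm-toolkit.snippets.tls_volume_mount` from this page, so please also confirm it renders the mount with `readOnly: true`, since `tls.key` is being mounted into the API container.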
diff --git a/barbican/templates/job-db-drop.yaml b/barbican/templates/job-db-drop.yaml index 8e2848f125..82fa3f4551 100644 --- a/barbican/templates/job-db-drop.yaml +++ b/barbican/templates/job-db-drop.yaml @@ -16,5 +16,8 @@ limitations under the License. {{- $serviceName := "barbican" -}} {{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" -}} {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index 46f7c6af97..7e9fab03f9 100644 --- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml @@ -23,5 +23,8 @@ helm.sh/hook-weight: "-5" {{- $serviceName := "barbican" -}} {{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "DEFAULT" "configDbKey" "sql_connection" "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}} {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/barbican/templates/job-db-sync.yaml b/barbican/templates/job-db-sync.yaml index a59a84ae76..8ec6e85b6f 100644 --- a/barbican/templates/job-db-sync.yaml 
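Review bot: `dbAdminTlsSecret` is set on the nested `$dbToDrop` dict here, while job-db-init.yaml and job-db-sync.yaml in the same patch set it on the top-level job dict (`$dbInitJob`, `$dbSyncJob`). Unless `helm-toolkit.manifests.job_db_drop_mysql` looks the key up inside `dbToDrop` (its definition is not on this page), the drop job is rendered without the certificate volume and will either fail against a TLS-only MariaDB or connect without TLS if the server still permits it. Match the other two jobs: `{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}`.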
+++ b/barbican/templates/job-db-sync.yaml @@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "barbican" "podVolMounts" $podVolMounts "podVols" .Values.pod.mounts.barbican_db_sync.barbican_db_sync.volumes "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/barbican/templates/secret-db.yaml b/barbican/templates/secret-db.yaml index a5f88b3725..a2ac53b59f 100644 --- a/barbican/templates/secret-db.yaml +++ b/barbican/templates/secret-db.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "barbican" }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/barbican/values.yaml b/barbican/values.yaml index c8ff66cf1e..72efd88c51 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml 
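Review bot: The TLS query suffix (`?charset=utf8&ssl_ca=…&ssl_verify_cert`) is now duplicated byte-for-byte between this Secret template and configmap-etc.yaml, and `/etc/mysql/certs` is repeated inside both strings as well as in the `path` passed to `tls_volume_mount` in deployment-api.yaml, so a change to the mount path or the driver options must be replicated by hand in several places. Move the suffix into one chart-local named template (for example `barbican.utils.db_tls_query`) or a single values entry that both templates consume. Note also that `charset=utf8` is added only on the TLS branch, so the connection charset silently differs between TLS and non-TLS installs; either add it to both branches or drop it from the TLS string.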
@@ -650,6 +650,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct barbican: username: barbican password: password @@ -740,6 +743,7 @@ endpoints: default: 80 manifests: + certificates: false configmap_bin: true configmap_etc: true deployment_api: true diff --git a/barbican/values_overrides/tls.yaml b/barbican/values_overrides/tls.yaml new file mode 100644 index 0000000000..99667ca857 --- /dev/null +++ b/barbican/values_overrides/tls.yaml @@ -0,0 +1,4 @@ +--- +manifests: + certificates: true +... diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml index a9f7340e66..17dbf75852 100644 --- a/releasenotes/notes/barbican.yaml +++ b/releasenotes/notes/barbican.yaml @@ -9,4 +9,5 @@ barbican: - 0.2.3 Add support for master kek rotation - 0.2.4 Add Ussuri release support - 0.2.5 Add Victoria and Wallaby releases support + - 0.2.6 Allow Barbican to talk to Mariadb over TLS ...
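Review bot: `mariadb-tls-direct` is introduced without any statement of what the Secret must contain, while the connection string built in configmap-etc.yaml expects `ca.crt`, `tls.crt` and `tls.key` to appear under `/etc/mysql/certs`. Add a comment above the new key, e.g. `# Secret holding ca.crt, tls.crt and tls.key for the MariaDB client connection; mounted at /etc/mysql/certs when manifests.certificates is true`. The key exists only under `admin`; if the `barbican` user is expected to use the same Secret, say so in the same comment so operators do not look for a per-user setting.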
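Review bot: `certificates: false` is undocumented, and its name suggests it enables TLS for the Barbican API, whereas the commit message states it only enables TLS toward MariaDB. Add a comment above it: `# Enables TLS only for Barbican's MariaDB client connection (mounts endpoints.oslo_db.auth.admin.secret.tls.internal); it does not serve the Barbican API over TLS`. The same caveat belongs in the new values_overrides/tls.yaml, whose filename implies broader TLS coverage than it delivers.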