openstack/openstack-helm
Code Issues Proposed changes

Polish TLS patch set

Browse Source 
This patch set performs non-critical polish fix to [0].

[0] https://review.openstack.org/#/c/552171/

Change-Id: I5bbb64d5af65782665fd659886e55e25bac61452
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2018-03-16 18:01:00 -05:00
parent ac2b8a090b
commit d23a77105b
3 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
keystone/templates/deployment-api.yaml
View File

@ -108,8 +108,8 @@ spec:
readOnly: true readOnly: true
{{- if .Values.endpoints.ldap.auth.client.tls.ca }} {{- if .Values.endpoints.ldap.auth.client.tls.ca }}
- name: keystone-ldap-tls - name: keystone-ldap-tls
mountPath: /etc/certs/ldap-certs.cert mountPath: /etc/keystone/ldap/tls.ca
subPath: ldap-certs.cert subPath: tls.ca
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- if eq .Values.conf.keystone.token.provider "fernet" }} {{- if eq .Values.conf.keystone.token.provider "fernet" }}

4
keystone/templates/secret-ldap-tls.yaml
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if and .Values.manifests.secret_ldap_tls .Values.endpoints.ldap.auth.client.tls.ca }} {{- if .Values.endpoints.ldap.auth.client.tls.ca }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -22,5 +22,5 @@ metadata:
name: {{ .Values.secrets.ldap.tls }} name: {{ .Values.secrets.ldap.tls }}
type: Opaque type: Opaque
data: data:
ldap-certs.cert: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }} tls.ca: {{ .Values.endpoints.ldap.auth.client.tls.ca | default "" | b64enc }}
{{- end }} {{- end }}

5
keystone/values.yaml
View File

@ -840,13 +840,13 @@ endpoints:
client: client:
tls: tls:
# NOTE(lamt): Specify a CA value here will place a LDAPS certificate at # NOTE(lamt): Specify a CA value here will place a LDAPS certificate at
# /etc/certs/ldap-certs.cert. To ensure keystone uses LDAPS, the # /etc/certs/tls.ca. To ensure keystone uses LDAPS, the
# following key will need to be overrided under section [ldap] or the # following key will need to be overrided under section [ldap] or the
# correct domain-specific setting, else it will not be enabled: # correct domain-specific setting, else it will not be enabled:
# #
# use_tls: true # use_tls: true
# tls_req_cert: allow # Valid values: demand, never, allow # tls_req_cert: allow # Valid values: demand, never, allow
# tls_cacertfile: /etc/certs/ldap-certs.cert # abs path to the CA cert # tls_cacertfile: /etc/certs/tls.ca # abs path to the CA cert
ca: null ca: null
manifests: manifests:
@ -871,6 +871,5 @@ manifests:
secret_fernet_keys: true secret_fernet_keys: true
secret_keystone: true secret_keystone: true
secret_rabbitmq: true secret_rabbitmq: true
secret_ldap_tls: false
service_ingress_api: true service_ingress_api: true
service_api: true service_api: true