918a307427
This patch set enables TLS for the following OpenStack services: keystone, horizon, glance, cinder, heat, nova, placement and neutron for the s- (stein) and t- (train) releases. This serves as a consolidation and clean-up patch for the following patches: [0] https://review.opendev.org/#/c/733291 [1] https://review.opendev.org/#/c/735202 [2] https://review.opendev.org/#/c/733962 [3] https://review.opendev.org/#/c/733404 [4] https://review.opendev.org/#/c/734896 This also addresses comments made on the previous patches. Co-authored-by: Gage Hugo <gagehugo@gmail.com> Co-authored-by: sgupta <sg774j@att.com> Depends-on: https://review.opendev.org/#/c/737194/ Change-Id: Id34ace54298660b4b151522916e929a29f5731be Signed-off-by: Tin Lam <tin@irrational.io>
139 lines
3.0 KiB
YAML
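---
# Values override that enables TLS for the glance chart: the API and registry
# bind to loopback only and are fronted by an nginx reverse proxy that
# terminates TLS on the pod IP, and every service endpoint switches to https.
images:
  tags:
    # Image for the TLS-terminating reverse proxy configured in conf.nginx below.
    nginx: docker.io/nginx:1.18.0

conf:
  glance:
    DEFAULT:
      # Listen on loopback only, so the plaintext port is reachable solely
      # from the nginx proxy sharing the pod's network namespace.
      bind_host: 127.0.0.1
    keystone_authtoken:
      # CA bundle used to verify keystone's certificate during token validation.
      cafile: /etc/glance/certs/ca.crt
    glance_store:
      # CA bundle for HTTPS connections made by the store backend.
      https_ca_certificates_file: /etc/glance/certs/ca.crt
  glance_registry:
    DEFAULT:
      # Same loopback-only binding as the API; the registry is proxied too.
      bind_host: 127.0.0.1
    keystone_authtoken:
      cafile: /etc/glance/certs/ca.crt
  # nginx.conf for the proxy. It contains a Helm template expression
  # ({{ printf ... }}) and, judging by $POD_IP/$PORT/${SHORTNAME}, is
  # substituted again at container start -- confirm that step before
  # changing any of the $-variables.
  nginx: |
    worker_processes 1;
    # Stay in the foreground so the container keeps running.
    daemon off;
    user nginx;

    events {
      worker_connections 1024;
    }

    http {
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      sendfile on;
      keepalive_timeout 65s;
      tcp_nodelay on;

      log_format main '[nginx] method=$request_method path=$request_uri '
        'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
        '"$remote_user" "$http_referer" "$http_user_agent"';

      access_log /dev/stdout main;

      # Plaintext backend: the glance service bound to 127.0.0.1 above.
      # The upstream name is only a label; nothing here is websocket-specific.
      upstream websocket {
        server 127.0.0.1:$PORT;
      }

      server {
        server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
        listen $POD_IP:$PORT ssl;

        # No request-body limit at the proxy: image uploads can be arbitrarily large.
        client_max_body_size 0;

        ssl_certificate /etc/nginx/certs/tls.crt;
        ssl_certificate_key /etc/nginx/certs/tls.key;
        # Pin the protocol versions; this nginx release's default list still
        # includes TLSv1 and TLSv1.1. TLSv1.3 requires OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Only cipher names OpenSSL knows are listed. The earlier list also
        # named *-AES256-GCM-SHA512 suites, which do not exist in TLS and were
        # silently dropped by OpenSSL, so the negotiable set is unchanged.
        # ECDHE-RSA-AES256-SHA384 is a CBC (non-AEAD) suite kept for older clients.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

        location / {
          proxy_pass_request_headers on;

          proxy_http_version 1.1;
          # Plain HTTP to loopback; TLS ends at this proxy. No X-Forwarded-*
          # headers are set here -- if glance has to build absolute URLs,
          # check whether the external scheme needs to be forwarded.
          proxy_pass http://websocket;
          proxy_read_timeout 90;
        }
      }
    }

network:
  api:
    ingress:
      annotations:
        # The ingress controller must now speak HTTPS to the pod.
        nginx.ingress.kubernetes.io/backend-protocol: "https"
  registry:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"

endpoints:
  identity:
    name: keystone
    auth:
      # CA bundle for the keystone clients of each credential set.
      admin:
        cacert: /etc/ssl/certs/openstack-helm.crt
      glance:
        cacert: /etc/ssl/certs/openstack-helm.crt
      test:
        cacert: /etc/ssl/certs/openstack-helm.crt
    scheme:
      default: https
    port:
      api:
        default: 443
  image:
    host_fqdn_override:
      default:
        # Certificate request for the API endpoint (cert-manager-style
        # issuerRef); secretName is presumably the secret mounted at
        # /etc/nginx/certs in the proxy -- verify against the deployment template.
        tls:
          secretName: glance-tls-api
          issuerRef:
            name: ca-issuer
    scheme:
      default: https
      public: https
    port:
      api:
        public: 443
  image_registry:
    host_fqdn_override:
      default:
        tls:
          secretName: glance-tls-reg
          issuerRef:
            name: ca-issuer
    scheme:
      default: https
      public: https
    port:
      api:
        public: 443
  dashboard:
    scheme:
      default: https
      public: https
    port:
      web:
        # NOTE(review): default scheme is https but the default port stays 80,
        # unlike the other endpoints -- confirm this matches the horizon override.
        default: 80
        public: 443

pod:
  security_context:
    glance:
      pod:
        # Runs the pod as root -- presumably so the nginx master can bind the
        # listener and read the mounted key before dropping to `user nginx`;
        # verify and tighten to a non-root UID if the sidecar allows it.
        runAsUser: 0
  resources:
    nginx:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"

manifests:
  # Render the certificate manifests referenced by the tls blocks above.
  certificates: true
...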