From b823954787057d9fdda30bc06db0be205ead7d5a Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Tue, 26 Jun 2018 14:47:19 -0500
Subject: [PATCH] Ingress: Add initial TLS Support for osh-infra public endpoints

Adds support for TLS on overriden fqdns for public endpoints for the services that have them in openstack-helm-infra. Currently this implementation is limited, in that it does not provide support for dynamically loading CAs into the containers, or specifying them manually via configuration. As a result only well known or CA's added manually to containers will be recognised.

Change-Id: I4ab4bbe24b6544b64cd365467e8efb2a421ac3f4
---
grafana/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
grafana/values.yaml | 12 ++++++++++++
kibana/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
kibana/values.yaml | 12 ++++++++++++
nagios/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
nagios/values.yaml | 12 ++++++++++++
.../templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
prometheus-alertmanager/values.yaml | 14 ++++++++++++++
prometheus/templates/secret-ingress-tls.yaml | 19 +++++++++++++++++++
prometheus/values.yaml | 14 ++++++++++++++
10 files changed, 159 insertions(+)
create mode 100644 grafana/templates/secret-ingress-tls.yaml
create mode 100644 kibana/templates/secret-ingress-tls.yaml
create mode 100644 nagios/templates/secret-ingress-tls.yaml
create mode 100644 prometheus-alertmanager/templates/secret-ingress-tls.yaml
create mode 100644 prometheus/templates/secret-ingress-tls.yaml
diff --git a/grafana/templates/secret-ingress-tls.yaml b/grafana/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..09495bc39
--- /dev/null
+++ b/grafana/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "grafana" ) }}
+{{- end }}
diff --git a/grafana/values.yaml b/grafana/values.yaml
index 427a52b1a..afee5efb7 100644
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -178,6 +178,13 @@ endpoints:
 public: grafana
 host_fqdn_override:
 default: null
+ # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: null
 scheme:
@@ -279,6 +286,10 @@ secrets:
 oslo_db_session:
 admin: grafana-session-db-admin
 user: grafana-session-db-user
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
 
 manifests:
 configmap_bin: true
@@ -294,6 +305,7 @@ manifests:
 secret_db: true
 secret_db_session: true
 secret_admin_creds: true
+ secret_ingress_tls: true
 service: true
 service_ingress: true
diff --git a/kibana/templates/secret-ingress-tls.yaml b/kibana/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..2281fdff3
--- /dev/null
+++ b/kibana/templates/secret-ingress-tls.yaml
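Review bot: The override format documented by the `# NOTE(srwilkers)` comment in the `@@ -178,6 +178,13 @@` hunk of grafana/values.yaml places the PEM private key (`tls: key:`) directly in chart values, and the identical comment is added to kibana, nagios, prometheus-alertmanager and prometheus values.yaml. A Kubernetes Secret only base64-encodes what it is handed, so anything set under `host_fqdn_override.public.tls` should arrive through an uncommitted override file or a secret-management tool rather than a tracked values.yaml; the comment is the natural place to say so, e.g. `# crt/key are rendered verbatim into a Secret: supply them via an uncommitted override, never in a committed values file.`. Separately, `manifests.secret_ingress_tls` defaults to `true` in every chart while `host_fqdn_override.public` is absent by default, so whether the new secret-ingress-tls.yaml template renders an empty Secret or skips rendering depends on the helm-toolkit `secret_ingress_tls` helper, which is not part of this change; worth confirming it no-ops without an override, or defaulting the flag to `false`.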
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "kibana" ) }}
+{{- end }}
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 91e2d4a19..6feb36067 100644
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -78,6 +78,10 @@ pod:
 secrets:
 elasticsearch:
 user: kibana-elasticsearch-user
+ tls:
+ kibana:
+ kibana:
+ public: kibana-tls-public
 
 dependencies:
 dynamic:
@@ -166,6 +170,13 @@ endpoints:
 public: kibana
 host_fqdn_override:
 default: null
+ # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: null
 scheme:
@@ -213,5 +224,6 @@ manifests:
 ingress: true
 job_image_repo_sync: true
 secret_elasticsearch: true
+ secret_ingress_tls: true
 service: true
 service_ingress: true
diff --git a/nagios/templates/secret-ingress-tls.yaml b/nagios/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..9524cfcb1
--- /dev/null
+++ b/nagios/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "nagios" ) }}
+{{- end }}
diff --git a/nagios/values.yaml b/nagios/values.yaml
index d98cbb6cc..85baf29a0 100644
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@@ -56,6 +56,10 @@ dependencies:
 secrets:
 nagios:
 admin: nagios-admin-creds
+ tls:
+ nagios:
+ nagios:
+ public: nagios-tls-public
 
 endpoints:
 cluster_domain_suffix: cluster.local
@@ -98,6 +102,13 @@ endpoints:
 public: nagios
 host_fqdn_override:
 default: null
+ # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: null
 scheme:
@@ -182,6 +193,7 @@ manifests:
 ingress: true
 job_image_repo_sync: true
 secret_nagios: true
+ secret_ingress_tls: true
 service: true
 service_ingress: true
 
diff --git a/prometheus-alertmanager/templates/secret-ingress-tls.yaml b/prometheus-alertmanager/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..1409b0cb1
--- /dev/null
+++ b/prometheus-alertmanager/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "alerts" ) }}
+{{- end }}
diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml
index 8d83a3f5d..d9268a3b5 100644
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@@ -101,6 +101,13 @@ endpoints:
 discovery: alertmanager-discovery
 host_fqdn_override:
 default: null
+ # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: null
 scheme:
@@ -142,6 +149,12 @@ network:
 enabled: false
 port: 30903
 
+secrets:
+ tls:
+ alerts:
+ alertmanager:
+ public: alerts-tls-public
+
 storage:
 enabled: true
 pvc:
@@ -156,6 +169,7 @@ manifests:
 configmap_etc: true
 ingress: true
 job_image_repo_sync: true
+ secret_ingress_tls: true
 service: true
 service_discovery: true
 service_ingress: true
diff --git a/prometheus/templates/secret-ingress-tls.yaml b/prometheus/templates/secret-ingress-tls.yaml
new file mode 100644
index 000000000..44501abc0
--- /dev/null
+++ b/prometheus/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "monitoring" ) }}
+{{- end }}
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 7fc98bf91..124c0eaff 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -108,6 +108,13 @@ endpoints:
 public: prometheus
 host_fqdn_override:
 default: null
+ # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: null
 scheme:
@@ -172,6 +179,12 @@ network:
 enabled: false
 port: 30900
 
+secrets:
+ tls:
+ monitoring:
+ prometheus:
+ public: prometheus-tls-public
+
 storage:
 enabled: true
 pvc:
@@ -187,6 +200,7 @@ manifests:
 ingress: true
 helm_tests: true
 job_image_repo_sync: true
+ secret_ingress_tls: true
 service_ingress: true
 service: true
 statefulset_prometheus: true