Ingress: Add initial TLS Support for osh-infra public endpoints

Adds support for TLS on overridden fqdns for public endpoints for
the services that have them in openstack-helm-infra. Currently this
implementation is limited, in that it does not provide support for
dynamically loading CAs into the containers, or specifying them manually
via configuration. As a result, only well-known CAs or CAs added manually
to the containers will be recognised.

Change-Id: I4ab4bbe24b6544b64cd365467e8efb2a421ac3f4
Steve Wilkerson 2018-06-26 14:47:19 -05:00
parent 82aab87442
commit b823954787
10 changed files with 159 additions and 0 deletions


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "grafana" ) }}
{{- end }}


@ -178,6 +178,13 @@ endpoints:
public: grafana
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -279,6 +286,10 @@ secrets:
oslo_db_session:
admin: grafana-session-db-admin
user: grafana-session-db-user
tls:
grafana:
grafana:
public: grafana-tls-public
manifests:
configmap_bin: true
@ -294,6 +305,7 @@ manifests:
secret_db: true
secret_db_session: true
secret_admin_creds: true
secret_ingress_tls: true
service: true
service_ingress: true
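Review bot: The NOTE(srwilkers) comment in the `host_fqdn_override` hunk documents `tls.crt` and `tls.key` as plain chart values but gives no guidance on handling the private key. Because the key is supplied through values, it sits in whatever override file carries it and, presumably, in the release data Helm stores for the deployment, so the comment should tell operators to pass it from a private override file that is never committed. Since the commit message says CAs are not loaded into the containers, it is also worth stating that `crt` should carry the full certificate chain; whether the helper accepts a chain is not visible here. A line such as `# key is a PEM private key: supply it from a private values file, do not commit it` would cover the first point. The same comment block is repeated in the kibana, nagios, alertmanager and prometheus values hunks.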


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "kibana" ) }}
{{- end }}


@ -78,6 +78,10 @@ pod:
secrets:
elasticsearch:
user: kibana-elasticsearch-user
tls:
kibana:
kibana:
public: kibana-tls-public
dependencies:
dynamic:
@ -166,6 +170,13 @@ endpoints:
public: kibana
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -213,5 +224,6 @@ manifests:
ingress: true
job_image_repo_sync: true
secret_elasticsearch: true
secret_ingress_tls: true
service: true
service_ingress: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "nagios" ) }}
{{- end }}


@ -56,6 +56,10 @@ dependencies:
secrets:
nagios:
admin: nagios-admin-creds
tls:
nagios:
nagios:
public: nagios-tls-public
endpoints:
cluster_domain_suffix: cluster.local
@ -98,6 +102,13 @@ endpoints:
public: nagios
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -182,6 +193,7 @@ manifests:
ingress: true
job_image_repo_sync: true
secret_nagios: true
secret_ingress_tls: true
service: true
service_ingress: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "alerts" ) }}
{{- end }}
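Review bot: The `"alerts"` passed as `backendServiceType` is a bare string that must line up with the `alerts:` key this commit adds under `secrets.tls` in the chart's values, and presumably with the matching `endpoints` entry, which the hunks do not show. Nothing documents that coupling, and the name differs from the service name (alertmanager), so a later rename on either side could leave the ingress without its TLS secret; how the helper reacts to a missing key is not visible in this change. I would add a comment above the include, e.g. `{{/* "alerts" must match the key under .Values.secrets.tls and .Values.endpoints */}}`. The same applies to the `"monitoring"` value in the prometheus template.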


@ -101,6 +101,13 @@ endpoints:
discovery: alertmanager-discovery
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -142,6 +149,12 @@ network:
enabled: false
port: 30903
secrets:
tls:
alerts:
alertmanager:
public: alerts-tls-public
storage:
enabled: true
pvc:
@ -156,6 +169,7 @@ manifests:
configmap_etc: true
ingress: true
job_image_repo_sync: true
secret_ingress_tls: true
service: true
service_discovery: true
service_ingress: true


@ -0,0 +1,19 @@
{{/*
Copyright 2017-2018 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret_ingress_tls }}
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "monitoring" ) }}
{{- end }}


@ -108,6 +108,13 @@ endpoints:
public: prometheus
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
@ -172,6 +179,12 @@ network:
enabled: false
port: 30900
secrets:
tls:
monitoring:
prometheus:
public: prometheus-tls-public
storage:
enabled: true
pvc:
@ -187,6 +200,7 @@ manifests:
ingress: true
helm_tests: true
job_image_repo_sync: true
secret_ingress_tls: true
service_ingress: true
service: true
statefulset_prometheus: true