From 753e43072d4a1391f8f88a1d2ee228ee9c2f30f8 Mon Sep 17 00:00:00 2001
From: josebb
Date: Thu, 2 Dec 2021 19:27:56 +0200
Subject: [PATCH] Support TLS endpoints in neutron
This allows neutron to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And neutron itself interact with other openstack services via endpoints.
Change-Id: I204b8a1a5a1fb253ea4207f5f5d76d47fac41bef
---
 neutron/Chart.yaml | 2 +-
 neutron/templates/deployment-server.yaml | 9 +++++++--
 neutron/templates/job-bootstrap.yaml | 2 +-
 neutron/templates/job-ks-endpoints.yaml | 2 +-
 neutron/templates/job-ks-service.yaml | 2 +-
 neutron/templates/job-ks-user.yaml | 2 +-
 neutron/values.yaml | 5 +++++
 neutron/values_overrides/tls-offloading.yaml | 14 ++++++++++++++
 releasenotes/notes/neutron.yaml | 1 +
 9 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 neutron/values_overrides/tls-offloading.yaml
diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml
index 59c59a2f86..4ff6edc12b 100644
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.2.24
+version: 0.2.25
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index 94c4e1a2d5..d7315d22d0 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -153,6 +153,11 @@ spec:
 command:
 - /tmp/neutron-server.sh
 - start
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/neutron/certs/ca.crt"
+{{- end }}
 lifecycle:
 preStop:
 exec:
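Review bot: `REQUESTS_CA_BUNDLE` is used by the requests library instead of its default trust store, not in addition to it, so once `tls.identity` is set every HTTPS call neutron-server makes through requests must chain to the CA in `/etc/neutron/certs/ca.crt`, including calls to services other than identity; nothing in the hunk records this, so I would put `{{/* REQUESTS_CA_BUNDLE replaces the default trust store: every HTTPS call from neutron-server must chain to this CA */}}` above the added `env:` block. The same `or .Values.manifests.certificates .Values.tls.identity` condition drives the `secrets.tls.network.server.internal` volume and mount in the two later deployment-server hunks and the `tlsSecret` in the four job templates, so enabling `tls.identity` while `manifests.certificates` stays false presumably requires that secret to already exist with a `ca.crt` key, or the volume cannot be mounted; that precondition belongs in a comment next to `tls.identity` in values.yaml. If this container already declares an `env:` key outside the hunk, the added one would duplicate it — I cannot tell from here. The container spec starts and ends outside the hunk.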
@@ -241,7 +246,7 @@ spec:
 subPath: policy.yaml
 readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -266,7 +271,7 @@ spec:
 emptyDir: {}
 {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml
index 3a3faba077..ff9dbe8f44 100644
--- a/neutron/templates/job-bootstrap.yaml
+++ b/neutron/templates/job-bootstrap.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
 {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
 {{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml
index 39b9387f55..ec76b71dd2 100644
--- a/neutron/templates/job-ks-endpoints.yaml
+++ b/neutron/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml
index 84fb56d4c6..e4225c6e6d 100644
--- a/neutron/templates/job-ks-service.yaml
+++ b/neutron/templates/job-ks-service.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
index 80a19bc92d..563ba7baf1 100644
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index ee417bb072..843c5ad945 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -2544,6 +2544,11 @@ health_probe:
 logging:
 level: ERROR
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
 manifests:
 certificates: false
 configmap_bin: true
diff --git a/neutron/values_overrides/tls-offloading.yaml b/neutron/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..8b36a23ac6
--- /dev/null
+++ b/neutron/values_overrides/tls-offloading.yaml
@@ -0,0 +1,14 @@
+---
+endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ neutron:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+ identity: true
+...
diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml
index 014e457685..634cb03784 100644
--- a/releasenotes/notes/neutron.yaml
+++ b/releasenotes/notes/neutron.yaml
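Review bot: `tls.oslo_messaging` and `tls.oslo_db` are introduced in the values.yaml hunk but no template in this change reads them — every template hunk tests only `.Values.tls.identity` — so they are dead knobs that suggest TLS towards the messaging and database backends can be switched on here when it cannot. Either drop them until a consumer exists or mark them, e.g. `oslo_messaging: false  # not yet consumed by any template`. The new block also carries no comment saying what `identity: true` does or requires; I would add above it `# identity: trust the ca.crt in secrets.tls.network.server.internal for identity endpoints; that secret must exist even when manifests.certificates is false`.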
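Review bot: The `cacert: /etc/ssl/certs/openstack-helm.crt` path repeated three times in the new tls-offloading.yaml is a contract with wherever the job templates mount the `tlsSecret` CA, and nothing in the file records that; a header comment such as `# cacert paths must match where helm-toolkit mounts the job tlsSecret CA` would stop the next edit from breaking it silently. It is also worth a comment that the override only covers the `admin`, `neutron` and `test` identity users, so any other user defined under `endpoints.identity.auth` in values.yaml would not receive a cacert — I cannot see that list from here.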
@@ -38,4 +38,5 @@ neutron:
 - 0.2.22 Fix /run/xtables.lock may be a directory
 - 0.2.23 Add neutron_netns_cleanup_cron release image override, so that the respective release image is used
 - 0.2.24 Added OCI registry authentication
+ - 0.2.25 Support TLS endpoints
 ...