From 11eb3b2384e4119eded9f71660961e0daca71f01 Mon Sep 17 00:00:00 2001
From: "Anselme, Schubert (sa246v)" <sa246v@att.com>
Date: Thu, 16 Nov 2023 10:56:56 -0500
Subject: [PATCH] Add barbican certificate generation

This PS adds generation of a certificate for barbican when
TLS is enabled (manifests.certificates=true), using the
values from endpoints.key_manager.host_fqdn_override.default.tls.
This PS also fixes the TLS connection to rabbitmq.

Change-Id: I6397ce934e33975b1d91795aaade498f3a71468a
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
---
 barbican/Chart.yaml                     |  2 +-
 barbican/templates/certificates.yaml    | 17 +++++++++++++++++
 barbican/templates/job-rabbit-init.yaml |  3 +++
 barbican/values.yaml                    |  7 ++++++-
 releasenotes/notes/barbican.yaml        |  1 +
 5 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 barbican/templates/certificates.yaml

diff --git a/barbican/Chart.yaml b/barbican/Chart.yaml
index 801bf8ec87..710c046558 100644
--- a/barbican/Chart.yaml
+++ b/barbican/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Barbican
 name: barbican
-version: 0.3.6
+version: 0.3.7
 home: https://docs.openstack.org/barbican/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Barbican/OpenStack_Project_Barbican_vertical.png
 sources:
diff --git a/barbican/templates/certificates.yaml b/barbican/templates/certificates.yaml
new file mode 100644
index 0000000000..6df861d784
--- /dev/null
+++ b/barbican/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "key_manager" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
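Review bot: The guard on the new template checks only `.Values.manifests.certificates`, and nothing in the file says which values the Certificate is built from. According to the commit message the helper reads `endpoints.key_manager.host_fqdn_override.default.tls`, so an operator who enables certificates while overriding that default with a plain hostname or null would presumably get a render error or an incomplete Certificate. I would add a template comment above the `if`, such as `{{/* Requires endpoints.key_manager.host_fqdn_override.default.tls (secretName, issuerRef) when manifests.certificates is true. */}}`. As a style point, `{{  dict` has a doubled space and no left trim, unlike the surrounding actions; `{{- dict "envAll" . … }}` would match them.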
diff --git a/barbican/templates/job-rabbit-init.yaml b/barbican/templates/job-rabbit-init.yaml
index 75bb5fc120..45ca6aa871 100644
--- a/barbican/templates/job-rabbit-init.yaml
+++ b/barbican/templates/job-rabbit-init.yaml
@@ -21,6 +21,9 @@ helm.sh/hook-weight: "-4"
 
 {{- if .Values.manifests.job_rabbit_init }}
 {{- $rmqUserJob := dict "envAll" . "serviceName" "barbican" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{- if .Values.pod.tolerations.barbican.enabled -}}
 {{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
 {{- end -}}
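Review bot: The added `set $rmqUserJob "tlsSecret"` line reads `.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal` with no check that the value exists, and this patch's values.yaml hunk does not add that key, so it has to come from existing defaults or an override. If the leaf is unset the job is handed an empty `tlsSecret` and presumably starts without the RabbitMQ TLS material instead of failing at render time. Wrapping the lookup makes the misconfiguration visible: `{{- $_ := set $rmqUserJob "tlsSecret" (required "endpoints.oslo_messaging.auth.admin.secret.tls.internal is required when manifests.certificates is true" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal) -}}`. This only covers the leaf; a missing intermediate map such as `secret.tls` still aborts rendering with a nil-pointer error. The enclosing `if .Values.manifests.job_rabbit_init` block continues outside the hunk.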
diff --git a/barbican/values.yaml b/barbican/values.yaml
index 09e21983b9..9e6f4064b3 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -570,7 +570,12 @@ endpoints:
       default: barbican-api
       public: barbican
     host_fqdn_override:
-      default: null
+      default:
+        tls:
+          secretName: barbican-tls-internal
+          issuerRef:
+            kind: ClusterIssuer
+            name: ca-clusterissuer
     path:
       default: /
     scheme:
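Review bot: Replacing `default: null` with a `tls` mapping changes the chart's base values for every deployment, including those that leave `manifests.certificates` off, so any template that tests `host_fqdn_override.default` for emptiness or treats it as a hostname string now sees a map. It also bakes in a cluster-scoped issuer name, `ca-clusterissuer`, which must already exist and which decides who signs the Barbican API certificate. I would keep `default: null` here and move the `tls` block into a TLS-specific values override. If it stays in the base values, add a comment above it such as `# Used only when manifests.certificates is true; issuerRef must name an existing cert-manager issuer trusted to sign this service's certificate.` The `key_manager` mapping starts and ends outside the hunk.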
diff --git a/releasenotes/notes/barbican.yaml b/releasenotes/notes/barbican.yaml
index 61206cbc97..d08f1d5b66 100644
--- a/releasenotes/notes/barbican.yaml
+++ b/releasenotes/notes/barbican.yaml
@@ -30,4 +30,5 @@ barbican:
   - 0.3.4 Add 2023.1 overrides
   - 0.3.5 Add Ubuntu Jammy overrides
   - 0.3.6 Add 2023.2 Ubuntu Jammy overrides
+  - 0.3.7 Fix TLS connection to rabbitmq, and generate barbican certificate
 ...