From 702c17eb7804d28406576fa8c4956b1645d396b0 Mon Sep 17 00:00:00 2001 
From: sgupta Date: Wed, 1 Jul 2020 00:25:27 +0000 Subject: [PATCH] feat(tls): Make openstack services compatible with mariadb with TLS Depends-on: https://review.opendev.org/#/c/741037/ Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410 --- cinder/templates/configmap-etc.yaml | 7 ++++++- .../cron-job-cinder-volume-usage-audit.yaml | 2 ++ cinder/templates/deployment-backup.yaml | 2 ++ cinder/templates/deployment-scheduler.yaml | 2 ++ cinder/templates/deployment-volume.yaml | 2 ++ cinder/templates/job-db-drop.yaml | 3 +++ cinder/templates/job-db-init.yaml | 3 +++ cinder/templates/job-db-sync.yaml | 3 +++ cinder/values.yaml | 3 +++ glance/templates/configmap-etc.yaml | 14 +++++++++++-- glance/templates/deployment-api.yaml | 2 ++ glance/templates/job-db-drop.yaml | 3 +++ glance/templates/job-db-init.yaml | 3 +++ glance/templates/job-db-sync.yaml | 4 +++- glance/templates/job-metadefs-load.yaml | 2 ++ glance/values.yaml | 3 +++ heat/templates/configmap-etc.yaml | 7 ++++++- heat/templates/cron-job-engine-cleaner.yaml | 2 ++ heat/templates/deployment-engine.yaml | 2 ++ heat/templates/job-db-drop.yaml | 3 +++ heat/templates/job-db-init.yaml | 3 +++ heat/templates/job-db-sync.yaml | 3 +++ heat/values.yaml | 3 +++ horizon/templates/job-db-drop.yaml | 3 +++ horizon/templates/job-db-init.yaml | 3 +++ horizon/templates/job-db-sync.yaml | 2 ++ horizon/templates/secret-db.yaml | 7 ++++++- horizon/values.yaml | 12 +++++++++++ keystone/templates/bin/_cred-clean.py.tpl | 9 ++++++-- keystone/templates/configmap-etc.yaml | 7 ++++++- keystone/templates/deployment-api.yaml | 2 ++ .../templates/job-credential-cleanup.yaml | 10 +++++++++ keystone/templates/job-db-drop.yaml | 3 +++ keystone/templates/job-db-init.yaml | 3 +++ keystone/templates/job-db-sync.yaml | 2 ++ keystone/values.yaml | 3 +++ neutron/templates/configmap-etc.yaml | 7 ++++++- neutron/templates/deployment-server.yaml | 2 ++ neutron/templates/job-db-drop.yaml | 3 +++ neutron/templates/job-db-init.yaml | 3 +++ 
neutron/templates/job-db-sync.yaml | 3 +++ neutron/values.yaml | 3 +++ nova/templates/configmap-etc.yaml | 21 ++++++++++++++++--- nova/templates/deployment-api-osapi.yaml | 2 ++ nova/templates/deployment-conductor.yaml | 2 ++ nova/templates/deployment-consoleauth.yaml | 2 ++ nova/templates/deployment-novncproxy.yaml | 2 ++ nova/templates/deployment-scheduler.yaml | 2 ++ nova/templates/job-cell-setup.yaml | 2 ++ nova/templates/job-db-drop.yaml | 3 +++ nova/templates/job-db-init.yaml | 3 +++ nova/templates/job-db-sync.yaml | 3 +++ nova/templates/secret-db-api.yaml | 7 ++++++- nova/templates/secret-db.yaml | 7 ++++++- nova/values.yaml | 3 +++ .../templates/bin/_mysql-migrate-db.sh.tpl | 9 +++++++- placement/templates/configmap-etc.yaml | 7 ++++++- placement/templates/job-db-drop.yaml | 3 +++ placement/templates/job-db-init.yaml | 3 +++ placement/templates/job-db-migrate.yaml | 6 ++++++ placement/templates/job-db-sync.yaml | 3 +++ placement/templates/secret-db.yaml | 7 ++++++- placement/values.yaml | 3 +++ 63 files changed, 250 insertions(+), 18 deletions(-) diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index bec953bb18..077e6f20e7 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
@@ -50,7 +50,12 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.cinder.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.cinder.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.cinder.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.transport_url -}} diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml index fdab9ba1df..76103fe74f 100644 --- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml @@ -78,6 +78,7 @@ spec: mountPath: /tmp/volume-usage-audit.sh subPath: volume-usage-audit.sh readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }} volumes: - name: pod-tmp 
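Review bot: The TLS branch appends `?charset=utf8&ssl_ca=...&ssl_verify_cert` with a bare `ssl_verify_cert` that carries no value, so the driver receives an empty string for it; if the dialect coerces that string to a boolean, server-certificate verification may be silently off although the intent is clearly to enforce it — give the flag an explicit value (e.g. `ssl_verify_cert=true`) after confirming how the installed SQLAlchemy/PyMySQL combination reads it. The same branch also adds `charset=utf8`, which the non-TLS branch does not, so enabling certificates changes the connection charset as a side effect; either add it to both branches or drop it from this one. The literal is repeated in glance, heat, horizon secret-db, keystone and (per the diffstat) neutron, nova and placement, so a single helm-toolkit helper taking the service name would keep the copies in step. If `authenticated_endpoint_uri_lookup` can ever return a URI that already carries a query string, the unconditional `?` would also yield an invalid URL, worth a guard or a comment.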
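Review bot: The mount added here (and the matching ones in every deployment, cron-job and job template in this patch) hands the pod the secret named by `endpoints.oslo_db.auth.admin.secret.tls.internal`, i.e. the client key and certificate that the database admin jobs use, even though this pod connects with the `cinder` credentials. Every runtime service pod then holds the same private key as the root-scoped db-init/db-sync/db-drop jobs, so a compromise of any one of them exposes the key used for administrative connections; the values files add the secret only under `admin`, which leaves the templates no other choice. Consider adding a per-service entry such as `secret: tls: internal: <service-tls-secret>` under each `auth.<service>` block and referencing that from the runtime pods, keeping the admin secret for the admin jobs. Whether MariaDB binds the certificate to the user (REQUIRE SUBJECT rather than REQUIRE X509) is not visible here, so the blast radius depends on the server-side grants.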
@@ -92,5 +93,6 @@ spec: configMap: name: cinder-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index 39176fe6fe..ecfd4257bf 100755 --- a/cinder/templates/deployment-backup.yaml +++ b/cinder/templates/deployment-backup.yaml @@ -207,6 +207,7 @@ spec: mountPath: /etc/cinder/rootwrap.d/volume.filters subPath: volume.filters readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -248,5 +249,6 @@ spec: - name: cinder-coordination emptyDir: {} {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 056ee13a92..9b8badb5ac 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml 
@@ -104,6 +104,7 @@ spec: - name: cinder-coordination mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -122,5 +123,6 @@ spec: - name: cinder-coordination emptyDir: {} {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 9559d2f3f4..eadca43509 100755 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml @@ -211,6 +211,7 @@ spec: mountPath: /usr/local/sbin/iscsiadm subPath: iscsiadm {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp 
@@ -257,6 +258,7 @@ spec: - name: usrlocalsbin emptyDir: {} {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/cinder/templates/job-db-drop.yaml b/cinder/templates/job-db-drop.yaml index 9930f360c1..052d3bce4f 100644 --- a/cinder/templates/job-db-drop.yaml +++ b/cinder/templates/job-db-drop.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index 9b6460827e..60540e2631 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml index 7c2b74f935..10156b4cdb 100644 --- a/cinder/templates/job-db-sync.yaml +++ b/cinder/templates/job-db-sync.yaml 
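Review bot: The new tls_volume line reads `$envAll.Values.manifests.certificates` while the existing line directly beneath it reads `.Values.manifests.certificates` for the same flag; both resolve to the same value at this point in the template, but mixing the two forms on adjacent lines reads as if they were different settings. Picking one form — `.Values`, as the file already does — keeps the pair obviously parallel. The same mix appears in the glance, heat and keystone deployment templates in this patch.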
@@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index a5f6342977..6b78dc62c0 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1378,6 +1378,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct cinder: username: cinder password: password diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml index 3b478a062a..32557d1035 100644 --- a/glance/templates/configmap-etc.yaml +++ b/glance/templates/configmap-etc.yaml 
@@ -81,10 +81,20 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.glance.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.glance.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.glance_registry.connection -}} -{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance_registry.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance_registry.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.glance_registry.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.glance.DEFAULT.transport_url -}} diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index aeaae7e1fa..4ff06c3f77 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml 
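Review bot: The second block's guard is still `{{- if empty .Values.conf.glance_registry.connection -}}` while the new lines (like the line they replace) write to `.Values.conf.glance_registry.database "connection"`, so the emptiness check and the assignment target are different keys; if `conf.glance_registry.connection` is never set in values, the default is always applied and a user-supplied `glance_registry.database.connection` would be overwritten. This predates the patch, but since the block is being rewritten, changing the guard to `{{- if empty .Values.conf.glance_registry.database.connection -}}` would make it match the glance block above it. The glance values for `glance_registry` are not in view here, so confirm which key is intended before changing it.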
@@ -218,6 +218,7 @@ spec: subPath: key readOnly: true {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} volumes: @@ -252,6 +253,7 @@ spec: secret: secretName: {{ .Values.secrets.rbd | quote }} {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/glance/templates/job-db-drop.yaml b/glance/templates/job-db-drop.yaml index 54e4232017..67ed939996 100644 --- a/glance/templates/job-db-drop.yaml +++ b/glance/templates/job-db-drop.yaml @@ -16,5 +16,8 @@ limitations under the License. {{- $serviceName := "glance" -}} {{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}} {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} 
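Review bot: The glance drop job sets the TLS secret on the inner dict, `set $dbToDrop "dbAdminTlsSecret" ...`, while the cinder, heat, horizon and keystone drop jobs and glance's own job-db-init and job-db-sync set it on the job dict (`set $dbDropJob ...`). Unless `helm-toolkit.manifests.job_db_drop_mysql` also looks inside `dbToDrop` for this key, the glance db-drop pod will not receive the certificate mount and will fail against a TLS-only MariaDB; the helper lives in the Depends-on change and is not visible here, so please confirm. If the job-level key is the contract, the line should read `{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}`.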
diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index cc56f0ed87..a1cfb0a930 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml @@ -16,5 +16,8 @@ limitations under the License. {{- $serviceName := "glance" -}} {{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}} {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml index fbd706f2e6..f5ce112bfd 100644 --- a/glance/templates/job-db-sync.yaml +++ b/glance/templates/job-db-sync.yaml @@ -15,6 +15,8 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}} {{- $dbSyncJob := dict "envAll" . "serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}} - +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/glance/templates/job-metadefs-load.yaml b/glance/templates/job-metadefs-load.yaml index afff731ee7..49b50a9a85 100644 
--- a/glance/templates/job-metadefs-load.yaml +++ b/glance/templates/job-metadefs-load.yaml @@ -71,6 +71,7 @@ spec: subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }} readOnly: true {{- end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} @@ -84,4 +85,5 @@ spec: secret: secretName: glance-etc defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/glance/values.yaml b/glance/values.yaml index 7f03db3aaf..88f3b8884d 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -672,6 +672,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct glance: username: glance password: password diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml index 75ccee0bb5..0b8b3f6102 100644 --- a/heat/templates/configmap-etc.yaml +++ b/heat/templates/configmap-etc.yaml 
@@ -73,7 +73,12 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.heat.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.heat.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.heat.DEFAULT.transport_url -}} diff --git a/heat/templates/cron-job-engine-cleaner.yaml b/heat/templates/cron-job-engine-cleaner.yaml index 6da474083f..31bfdcce9a 100644 --- a/heat/templates/cron-job-engine-cleaner.yaml +++ b/heat/templates/cron-job-engine-cleaner.yaml @@ -83,6 +83,7 @@ spec: subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }} readOnly: true {{ end }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }} {{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }} volumes: - name: pod-tmp @@ -93,6 +94,7 @@ spec: secret: secretName: heat-etc defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} - name: heat-bin configMap: name: heat-bin 
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml index e78521d46f..2546e7eb02 100644 --- a/heat/templates/deployment-engine.yaml +++ b/heat/templates/deployment-engine.yaml @@ -99,6 +99,7 @@ spec: mountPath: /etc/heat/policy.json subPath: policy.json readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} volumes: @@ -114,6 +115,7 @@ spec: secret: secretName: heat-etc defaultMode: 0444 + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/heat/templates/job-db-drop.yaml b/heat/templates/job-db-drop.yaml index 6696e9504e..d74fa7bf43 100644 --- a/heat/templates/job-db-drop.yaml +++ b/heat/templates/job-db-drop.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbDropJob := dict "envAll" . "serviceName" "heat" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} 
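Review bot: The added tls_volume line in deployment-engine.yaml is indented by one space before `{{-`, unlike every other insertion in this patch, which starts at column 0. The leading trim marker swallows that space so the rendered manifest is unaffected, but the stray indent looks like a YAML nesting mistake to a reader and will trip whitespace linting; drop the space so the line starts `{{- dict "enabled" $envAll.Values.manifests.certificates` flush left like its neighbour.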
diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 96c5f7f963..e9b4d40da2 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml index 87845973b6..40424f571b 100644 --- a/heat/templates/job-db-sync.yaml +++ b/heat/templates/job-db-sync.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/heat/values.yaml b/heat/values.yaml index 5f64051c1d..b5859a30c0 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -938,6 +938,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct heat: username: heat password: password diff --git a/horizon/templates/job-db-drop.yaml b/horizon/templates/job-db-drop.yaml index 45c16cbe43..2545845279 100644 --- a/horizon/templates/job-db-drop.yaml +++ b/horizon/templates/job-db-drop.yaml 
@@ -15,5 +15,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}} {{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/horizon/templates/job-db-init.yaml b/horizon/templates/job-db-init.yaml index e4b2f1febe..f92c1838c5 100644 --- a/horizon/templates/job-db-init.yaml +++ b/horizon/templates/job-db-init.yaml @@ -15,5 +15,8 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}} {{- $dbInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/horizon/templates/job-db-sync.yaml b/horizon/templates/job-db-sync.yaml index 4f7c69b6b3..4bdeb0093b 100644 --- a/horizon/templates/job-db-sync.yaml +++ b/horizon/templates/job-db-sync.yaml @@ -60,6 +60,7 @@ spec: mountPath: /tmp/manage.py subPath: manage.py readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }} {{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }} volumes: - name: horizon-etc 
@@ -70,5 +71,6 @@ spec: configMap: name: horizon-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }} {{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }} {{- end }} diff --git a/horizon/templates/secret-db.yaml b/horizon/templates/secret-db.yaml index c6e0c13327..cfc7dac0fc 100644 --- a/horizon/templates/secret-db.yaml +++ b/horizon/templates/secret-db.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "horizon" }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/horizon/values.yaml b/horizon/values.yaml index 5c8d3093d8..2c67cc763f 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml 
@@ -367,6 +367,15 @@ conf: 'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}', 'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}', 'default-character-set': 'utf8', + {{- if .Values.manifests.certificates }} + 'OPTIONS':{ + 'ssl': { + 'ca': '/etc/mysql/certs/ca.crt', + 'cert': '/etc/mysql/certs/tls.crt', + 'key': '/etc/mysql/certs/tls.key' + } + }, + {{- end }} 'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}' } } @@ -2213,6 +2222,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct horizon: username: horizon password: password diff --git a/keystone/templates/bin/_cred-clean.py.tpl b/keystone/templates/bin/_cred-clean.py.tpl index 55089c2be2..1a2339e9b6 100644 --- a/keystone/templates/bin/_cred-clean.py.tpl +++ b/keystone/templates/bin/_cred-clean.py.tpl @@ -51,6 +51,11 @@ else: logger.critical('environment variable ROOT_DB_CONNECTION not set') sys.exit(1) +mysql_x509 = os.getenv('MARIADB_X509', "") +ssl_args = {} +if mysql_x509: + ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', 'key': '/etc/mysql/certs/tls.key', 'cert': '/etc/mysql/certs/tls.crt'}} + # Get the connection string for the service db if "OPENSTACK_CONFIG_FILE" in os.environ: os_conf = os.environ['OPENSTACK_CONFIG_FILE'] @@ -91,7 +96,7 @@ try: host = root_engine_full.url.host port = root_engine_full.url.port root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) - root_engine = create_engine(root_engine_url) + root_engine = create_engine(root_engine_url, connect_args=ssl_args) connection = root_engine.connect() connection.close() logger.info("Tested connection to DB @ {0}:{1} as {2}".format( 
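Review bot: `ssl_args` in _cred-clean.py.tpl passes only `ca`, `key` and `cert`, with no explicit server-verification setting, and the Django `'OPTIONS': {'ssl': {...}}` block added to horizon/values.yaml in the same patch has the same shape. Whether the server certificate is actually checked against that CA then depends on the DB-API driver's defaults (PyMySQL and mysqlclient differ, and typically neither checks the hostname unless told to), so a connection could be encrypted yet unauthenticated without any error. State the intent in both places with a comment such as `# server cert is verified against ca — confirm driver default` and, where the driver supports it, an explicit verify/check-hostname option. Note also that `MARIADB_X509` is read purely as a non-empty flag, although the job template sets it to `"REQUIRE X509"`, which reads like a GRANT clause; a comment on the getenv line saying the value itself is ignored would avoid that confusion.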
@@ -102,7 +107,7 @@ except: # User DB engine try: - user_engine = create_engine(user_db_conn) + user_engine = create_engine(user_db_conn, connect_args=ssl_args) # Get our user data out of the user_engine database = user_engine.url.database user = user_engine.url.username diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index 6b07f31758..f97c31ced9 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml @@ -16,7 +16,12 @@ limitations under the License. {{- $envAll := . }} {{- if empty .Values.conf.keystone.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.keystone.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.keystone.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.keystone.DEFAULT.transport_url -}} diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index f58e42d39c..a6295aedae 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml 
@@ -147,6 +147,7 @@ spec: {{- end }} - name: keystone-credential-keys mountPath: {{ .Values.conf.keystone.credential.key_repository }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} volumes: @@ -181,6 +182,7 @@ spec: - name: keystone-credential-keys secret: secretName: keystone-credential-keys +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/keystone/templates/job-credential-cleanup.yaml b/keystone/templates/job-credential-cleanup.yaml index d74024f1df..62dfa85d9e 100644 --- a/keystone/templates/job-credential-cleanup.yaml +++ b/keystone/templates/job-credential-cleanup.yaml @@ -67,6 +67,10 @@ spec: value: {{ $dbToClean.configDbSection | quote }} - name: OPENSTACK_CONFIG_DB_KEY value: {{ $dbToClean.configDbKey | quote }} +{{- end }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" {{- end }} command: - python 
@@ -89,6 +93,9 @@ spec: mountPath: {{ $dbToClean.logConfigFile | quote }} subPath: {{ base $dbToClean.logConfigFile | quote }} readOnly: true +{{- end }} +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- end }} volumes: - name: pod-tmp @@ -97,6 +104,9 @@ spec: configMap: name: "keystone-bin" defaultMode: 0555 +{{- if $envAll.Values.manifests.certificates }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- end }} {{- $local := dict "configMapBinFirst" true -}} {{- $dbToCleanType := default "oslo" $dbToClean.inputType }} {{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }} diff --git a/keystone/templates/job-db-drop.yaml b/keystone/templates/job-db-drop.yaml index e081b6b894..0da4f4edec 100644 --- a/keystone/templates/job-db-drop.yaml +++ b/keystone/templates/job-db-drop.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 78aa06ef4f..84e2ee917f 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml 
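Review bot: Both new tls_volume_mount/tls_volume calls in job-credential-cleanup are wrapped in `{{- if $envAll.Values.manifests.certificates }}` even though the same flag is passed as `"enabled"` to the snippet, which presumably already decides whether to render; the keystone job-db-sync hunk in this patch calls the snippets unguarded, so dropping the wrapper here would match it, e.g. `{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}`. The `MARIADB_X509` env var added in the previous hunk is a sentinel whose consumer (the `ssl_args` built in _cred-clean.py.tpl) is outside this chunk; a comment beside it such as `# read by _cred-clean.py.tpl to enable client-certificate TLS` would tell the next reader where the value is interpreted. The volumeMounts list this hunk edits begins before the hunk.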
@@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $dbInitJob := dict "envAll" . "serviceName" "keystone" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index d978c25776..31348931a2 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml @@ -42,6 +42,7 @@ volumeMounts: - name: keystone-fernet-keys mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }} readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }} {{- end }} {{- define "keystone.templates._job_db_sync.pod_vols" -}} @@ -50,6 +51,7 @@ volumes: - name: keystone-fernet-keys secret: secretName: keystone-fernet-keys +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }} {{- end }} {{- if .Values.manifests.job_db_sync }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 6a24f4fbbc..df56a3afa9 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -1159,6 +1159,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct keystone: username: keystone password: password diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index f046712d9d..b888fc820d 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml 
@@ -52,7 +52,12 @@ limitations under the License. {{- end -}} {{- if empty $envAll.Values.conf.neutron.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.neutron.database "connection" $connection -}} +{{- end -}} {{- end }} {{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}} diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index 6403b92fd8..a1532c2324 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml @@ -226,6 +226,7 @@ spec: mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini subPath: ml2_conf.ini readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- end }} volumes: 
@@ -249,6 +250,7 @@ spec: - name: neutron-plugin-shared emptyDir: {} {{- end }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/neutron/templates/job-db-drop.yaml b/neutron/templates/job-db-drop.yaml index db14737cc9..9f322bd93f 100644 --- a/neutron/templates/job-db-drop.yaml +++ b/neutron/templates/job-db-drop.yaml @@ -15,5 +15,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index 98dd4bd1a6..d818586106 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml index 4471ea7e74..de5dad7b94 100644 --- a/neutron/templates/job-db-sync.yaml +++ b/neutron/templates/job-db-sync.yaml 
@@ -14,5 +14,8 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index 3f8c8baa1a..c031ffb3b3 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -2216,6 +2216,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct neutron: username: neutron password: password diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml index 2cb202df22..84fc30a8b1 100644 --- a/nova/templates/configmap-etc.yaml +++ b/nova/templates/configmap-etc.yaml 
@@ -77,15 +77,30 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.nova.database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.nova.database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.nova.api_database.connection -}} -{{- $_ := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.api_database "connection" -}} +{{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.nova.api_database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.nova.cell0_database.connection -}} -{{- $_ := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.cell0_database "connection" -}} +{{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.nova.DEFAULT.transport_url -}} diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index 998f817fe5..34827a3109 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml @@ -126,6 +126,7 @@ spec: subPath: mpm_event.conf readOnly: true {{- end }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} volumes: @@ -145,6 +146,7 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 01658abce0..14a9aea598 100644 
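Review bot: The nova configmap now carries the same five-line TLS branch three times (database, api_database, cell0_database), differing only in the target section. Computing the suffix once ahead of the three `if empty` blocks, e.g. `{{- $tlsQuery := "?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" -}}`, and appending it with `printf "%s%s" $connection $tlsQuery` inside each, removes the triplication and leaves one place to fix the query string. The `$connection` variable is also reassigned three times at template scope; a short comment above the first block stating that it is intentionally reused per section would save a reader from looking for a scoping bug.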
--- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml @@ -120,6 +120,7 @@ spec: subPath: policy.yaml readOnly: true {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -133,5 +134,6 @@ spec: secretName: nova-etc defaultMode: 0444 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml index 9acfc014a2..c4a781f232 100644 --- a/nova/templates/deployment-consoleauth.yaml +++ b/nova/templates/deployment-consoleauth.yaml @@ -115,6 +115,7 @@ spec: mountPath: /etc/nova/policy.yaml subPath: policy.yaml readOnly: true +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp 
@@ -127,5 +128,6 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index 81837b2035..72e3f60d2b 100644 --- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml @@ -139,6 +139,7 @@ spec: readOnly: true - name: pod-shared mountPath: /tmp/pod-shared +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} volumes: @@ -156,6 +157,7 @@ spec: emptyDir: {} - name: pod-shared emptyDir: {} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index a889c40d8d..0e5b4d019f 100644 --- a/nova/templates/deployment-scheduler.yaml 
+++ b/nova/templates/deployment-scheduler.yaml @@ -119,6 +119,7 @@ spec: mountPath: /etc/nova/policy.yaml subPath: policy.yaml readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} volumes: @@ -132,6 +133,7 @@ spec: secret: secretName: nova-etc defaultMode: 0444 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml index d0683c9b5c..72953304a5 100644 --- a/nova/templates/job-cell-setup.yaml +++ b/nova/templates/job-cell-setup.yaml @@ -84,6 +84,7 @@ spec: mountPath: /etc/nova/policy.yaml subPath: policy.yaml readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} 
@@ -97,5 +98,6 @@ spec: configMap: name: nova-bin defaultMode: 0555 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/nova/templates/job-db-drop.yaml b/nova/templates/job-db-drop.yaml index f892b71dfe..9a6b1a0ff1 100644 --- a/nova/templates/job-db-drop.yaml +++ b/nova/templates/job-db-drop.yaml @@ -19,5 +19,8 @@ limitations under the License. {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}} {{- $dbsToDrop := list $dbSvc $dbApi $dbCell }} {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index 64d250181f..aded33c638 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml 
@@ -19,5 +19,8 @@ limitations under the License. {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}} {{- $dbsToInit := list $dbSvc $dbApi $dbCell }} {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml index 23d181969d..a184c4cad7 100644 --- a/nova/templates/job-db-sync.yaml +++ b/nova/templates/job-db-sync.yaml @@ -30,5 +30,8 @@ env: {{- if .Values.manifests.job_db_sync }} {{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }} {{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/nova/templates/secret-db-api.yaml b/nova/templates/secret-db-api.yaml index adfc7051f3..baf75b1e0f 100644 --- a/nova/templates/secret-db-api.yaml +++ b/nova/templates/secret-db-api.yaml 
@@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "nova" }} {{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }} +{{- $connection := tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret @@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/nova/templates/secret-db.yaml b/nova/templates/secret-db.yaml index 4776c132df..d9cbf8f4bb 100644 --- a/nova/templates/secret-db.yaml +++ b/nova/templates/secret-db.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "nova" }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret 
@@ -23,6 +24,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index 0f348f6645..f74d011b77 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1897,6 +1897,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct nova: username: nova password: password diff --git a/placement/templates/bin/_mysql-migrate-db.sh.tpl b/placement/templates/bin/_mysql-migrate-db.sh.tpl index 24fec1e1d5..a87ebaf4e8 100644 --- a/placement/templates/bin/_mysql-migrate-db.sh.tpl +++ b/placement/templates/bin/_mysql-migrate-db.sh.tpl @@ -90,7 +90,14 @@ function mysql_command() { command="mysql --skip-column-names" fi - $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR + if [ ! -z "$MARIADB_X509" ]; then + local ca=/etc/mysql/certs/ca.crt + local cert=/etc/mysql/certs/tls.crt + local key=/etc/mysql/certs/tls.key + $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR + else + $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR + fi } function show_error() { diff --git a/placement/templates/configmap-etc.yaml b/placement/templates/configmap-etc.yaml index e0c88fa2e1..c5880af245 100644 --- a/placement/templates/configmap-etc.yaml +++ b/placement/templates/configmap-etc.yaml 
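Review bot: In `mysql_command` the TLS branch passes `--ssl-ca`, `--ssl-cert` and `--ssl-key` but not `--ssl-verify-server-cert`, so depending on the client build the server certificate's hostname may not be checked even though a CA is supplied; adding it to the new invocation, `$command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key --ssl-verify-server-cert $* 2>$LAST_MYSQL_ERR`, closes that gap at the cost of requiring the server certificate to match `$host`. The two branches otherwise duplicate the entire command line; collecting the TLS flags into a variable that stays empty in the non-TLS case would leave a single invocation to maintain. `[ ! -z "$MARIADB_X509" ]` is the long form of `[ -n "$MARIADB_X509" ]`.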
@@ -18,7 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if empty .Values.conf.placement.placement_database.connection -}} -{{- $_ := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.placement.placement_database "connection" -}} +{{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}} +{{- else -}} +{{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}} +{{- end -}} {{- end -}} {{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}} diff --git a/placement/templates/job-db-drop.yaml b/placement/templates/job-db-drop.yaml index efa916918e..af8cd24701 100644 --- a/placement/templates/job-db-drop.yaml +++ b/placement/templates/job-db-drop.yaml @@ -17,5 +17,8 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $serviceName := "placement" -}} {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} {{- end }} diff --git a/placement/templates/job-db-init.yaml b/placement/templates/job-db-init.yaml index 82cd3c5e70..c74667aad2 100644 --- a/placement/templates/job-db-init.yaml +++ b/placement/templates/job-db-init.yaml 
@@ -19,5 +19,8 @@ limitations under the License. {{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}} {{- $dbsToInit := list $dbApi }} {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} {{- end }} diff --git a/placement/templates/job-db-migrate.yaml b/placement/templates/job-db-migrate.yaml index 61ddc63faa..7178498f9c 100644 --- a/placement/templates/job-db-migrate.yaml +++ b/placement/templates/job-db-migrate.yaml @@ -58,6 +58,10 @@ spec: value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }} - name: PLACEMENT_DB_HOST value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }} +{{- if $envAll.Values.manifests.certificates }} + - name: MARIADB_X509 + value: "REQUIRE X509" +{{- end }} volumeMounts: - name: pod-tmp mountPath: /tmp @@ -74,6 +78,7 @@ spec: subPath: placement.conf readOnly: true {{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} volumes: - name: pod-tmp emptyDir: {} 
@@ -85,5 +90,6 @@ spec: secret: secretName: placement-etc defaultMode: 0444 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end }} diff --git a/placement/templates/job-db-sync.yaml b/placement/templates/job-db-sync.yaml index 953c776151..be791da466 100644 --- a/placement/templates/job-db-sync.yaml +++ b/placement/templates/job-db-sync.yaml @@ -16,5 +16,8 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $dbSyncJob := dict "envAll" . "serviceName" "placement" -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +{{- end -}} {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} {{- end }} diff --git a/placement/templates/secret-db.yaml b/placement/templates/secret-db.yaml index dc18506e76..91beb970ae 100644 --- a/placement/templates/secret-db.yaml +++ b/placement/templates/secret-db.yaml @@ -18,6 +18,7 @@ limitations under the License. {{- $envAll := . }} {{- range $key1, $userClass := tuple "admin" "placement" }} {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }} +{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }} --- apiVersion: v1 kind: Secret 
@@ -25,6 +26,10 @@ metadata: name: {{ $secretName }} type: Opaque data: - DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}} +{{- if $envAll.Values.manifests.certificates }} + DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} +{{- end }} {{- end }} {{- end }} diff --git a/placement/values.yaml b/placement/values.yaml index a0ae93e7e2..ede11ae82e 100644 --- a/placement/values.yaml +++ b/placement/values.yaml @@ -232,6 +232,9 @@ endpoints: admin: username: root password: password + secret: + tls: + internal: mariadb-tls-direct placement: username: placement password: password