Merge "Enable TLS for Ranger Agent services call to Openstack Services"

2020-08-13 18:58:24 +00:00 · 2020-08-13 18:58:24 +00:00 · fb48e46ff6
parent 74af2d0d75 7e211a6366
commit fb48e46ff6
39 changed files with 419 additions and 27 deletions
--- a/ranger-agent/templates/bin/_add-region.py.tpl
+++ b/ranger-agent/templates/bin/_add-region.py.tpl
@ -55,8 +55,10 @@ def get_token():
    }

    try:
+        verify = os.environ['CAFILE'] or False
        resp = requests.post(
-            url, data=json.dumps(data), headers=headers, timeout=120)
+            url, data=json.dumps(data), headers=headers,
+            verify=verify, timeout=120)

        if resp.status_code != 201:
            sys.stderr.write("Failed to get token for region: %s - %s\n" %
--- a/ranger-agent/templates/bin/_ranger-agent-test.py.tpl
+++ b/ranger-agent/templates/bin/_ranger-agent-test.py.tpl
@ -42,8 +42,10 @@ def get_token():
    }

    try:
+        verify = os.environ['CAFILE'] or False
        resp = requests.post(
-            url, data=json.dumps(data), headers=headers, timeout=100)
+            url, data=json.dumps(data), headers=headers,
+            verify=verify, timeout=100)

        if resp.status_code != 201:
            sys.stderr.write("Failed to get token for region: %s - %s\n" %
--- a/ranger-agent/templates/certificates.yaml
+++ b/ranger-agent/templates/certificates.yaml
@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{  dict "envAll" . "service" "ranger_agent" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
--- a/ranger-agent/templates/configmap-etc.yaml
+++ b/ranger-agent/templates/configmap-etc.yaml
@ -16,7 +16,12 @@ limitations under the License.
 {{- $envAll := . }}

 {{- if empty .Values.conf.ranger_agent.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "ranger_agent" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ranger_agent.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "ranger_agent" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.ranger_agent.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.ranger_agent.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}
 {{- if empty .Values.conf.ranger_agent.DEFAULT.transport_url -}}
 {{- $_ := tuple "oslo_messaging" "internal" "ranger-agent" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.ranger_agent.DEFAULT "transport_url" -}}
@ -24,6 +29,9 @@ limitations under the License.
 {{- if empty .Values.conf.ranger_agent.DEFAULT.ord_server_url -}}
 {{- $_ := tuple "ranger_agent" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.ranger_agent.path.default | set .Values.conf.ranger_agent.DEFAULT "ord_server_url" -}}
 {{- end -}}
+{{- if empty .Values.conf.ranger_agent.DEFAULT.glance_api_url -}}
+{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.ranger_agent.DEFAULT "glance_api_url" -}}
+{{- end -}}
 {{- if empty .Values.conf.ranger_agent.keystone_authtoken.username -}}
 {{- $_ := set .Values.conf.ranger_agent.keystone_authtoken "username" .Values.endpoints.identity.auth.ranger_agent.username -}}
 {{- end -}}
--- a/ranger-agent/templates/deployment-ranger-agent-api.yaml
+++ b/ranger-agent/templates/deployment-ranger-agent-api.yaml
@ -116,6 +116,8 @@ spec:
              mountPath: /etc/ranger-agent/api-paste.ini
              subPath: api-paste.ini
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_ranger_agent_api.volumeMounts }}{{ toYaml $mounts_ranger_agent_api.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-etc-ranger-agent
@ -128,5 +130,7 @@ spec:
          secret:
            secretName: ranger-agent-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_ranger_agent_api.volumes}}{{ toYaml $mounts_ranger_agent_api.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger-agent/templates/deployment-ranger-agent-engine.yaml
+++ b/ranger-agent/templates/deployment-ranger-agent-engine.yaml
@ -141,6 +141,8 @@ spec:
              mountPath: /etc/ranger-agent/api-paste.ini
              subPath: api-paste.ini
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_ranger_agent_engine.volumeMounts }}{{ toYaml $mounts_ranger_agent_engine.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-etc-ranger-agent
@ -153,5 +155,7 @@ spec:
          secret:
            secretName: ranger-agent-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_ranger_agent_engine.volumes}}{{ toYaml $mounts_ranger_agent_engine.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger-agent/templates/job-add-region.yaml
+++ b/ranger-agent/templates/job-add-region.yaml
@ -74,6 +74,8 @@ spec:
              value: {{ tuple "ranger_agent" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.ranger_agent.path.default }}
            - name: RMS_ENDPOINT
              value: {{ .Values.conf.region.rms_listener_endpoint }}
+            - name: CAFILE
+              value: {{ default "" .Values.conf.ranger_agent.keystone_authtoken.https_cacert }}
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.ranger_agent }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
@ -85,6 +87,7 @@ spec:
              mountPath: /tmp/add-region.py
              subPath: add-region.py
              readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_ranger_agent_add_region.volumeMounts }}
 {{ toYaml $mounts_ranger_agent_add_region.volumeMounts | indent 12 }}
 {{ end }}
@ -93,6 +96,7 @@ spec:
          configMap:
            name: ranger-agent-bin
            defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_ranger_agent_add_region.volumes }}
 {{ toYaml $mounts_ranger_agent_add_region.volumes | indent 8 }}
 {{ end }}
--- a/ranger-agent/templates/job-db-drop.yaml
+++ b/ranger-agent/templates/job-db-drop.yaml
@ -13,6 +13,9 @@ limitations under the License.
 */}}

 {{- if .Values.manifests.job_db_drop }}
-{{- $dbInitJob := dict "envAll" . "serviceName" "ranger-agent" -}}
-{{ $dbInitJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "ranger-agent" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/ranger-agent/templates/job-db-init.yaml
+++ b/ranger-agent/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "ranger-agent" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/ranger-agent/templates/job-db-sync.yaml
+++ b/ranger-agent/templates/job-db-sync.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "ranger-agent" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/ranger-agent/templates/job-ks-endpoints.yaml
+++ b/ranger-agent/templates/job-ks-endpoints.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "ranger-agent" "serviceTypes" ( tuple "ranger-agent" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
--- a/ranger-agent/templates/job-ks-service.yaml
+++ b/ranger-agent/templates/job-ks-service.yaml
@ -14,6 +14,9 @@ limitations under the License.

 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "ranger-agent" "serviceTypes" ( tuple "ranger-agent" ) -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
+{{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
 {{- end }}

--- a/ranger-agent/templates/job-ks-user-ranger-admin.yaml
+++ b/ranger-agent/templates/job-ks-user-ranger-admin.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_ks_user_ranger }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger_admin" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
--- a/ranger-agent/templates/job-ks-user-ranger.yaml
+++ b/ranger-agent/templates/job-ks-user-ranger.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_ks_user_ranger }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
--- a/ranger-agent/templates/job-ks-user.yaml
+++ b/ranger-agent/templates/job-ks-user.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger_agent" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
+{{- end -}}
 {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}
--- a/ranger-agent/templates/pod-test.yaml
+++ b/ranger-agent/templates/pod-test.yaml
@ -48,6 +48,8 @@ spec:
          value: {{ tuple "ranger_agent" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
        - name: END_STATUS_KEY
          value: {{ .Values.conf.test.expected_end_status_key }}
+        - name: CAFILE
+          value: {{ default "" .Values.conf.ranger_agent.keystone_authtoken.https_cacert }}
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.ranger_agent }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
 {{- end }}
@ -59,11 +61,13 @@ spec:
          mountPath: /tmp/ranger-agent-test.py
          subPath: ranger-agent-test.py
          readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
 {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
  volumes:
    - name: ranger-agent-bin
      configMap:
        name: ranger-agent-bin
        defaultMode: 0555
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
 {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
 {{- end }}
--- a/ranger-agent/templates/secret-db.yaml
+++ b/ranger-agent/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "ranger_agent" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/ranger-agent/values.yaml
+++ b/ranger-agent/values.yaml
@ -26,8 +26,8 @@ images:
    ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
    rabbit_init: docker.io/rabbitmq:3.7-management
-    ranger-agent_db_sync: quay.io/attcomdev/ranger-agent:cbfd19b550b722a605f799523e51c108a8f1311a
-    ranger_agent: quay.io/attcomdev/ranger-agent:cbfd19b550b722a605f799523e51c108a8f1311a
+    ranger-agent_db_sync: quay.io/attcomdev/ranger-agent:7a994622705a949953d5d1552e4186c576fdcff9
+    ranger_agent: quay.io/attcomdev/ranger-agent:7a994622705a949953d5d1552e4186c576fdcff9
    scripted_test: docker.io/openstackhelm/heat:newton-ubuntu_xenial
  pull_policy: "IfNotPresent"
  local_registry:
@ -346,6 +346,10 @@ secrets:
    ranger_agent:
      api:
        public: ranger-agent
+        internal: ranger-agent-tls-api
+        # ranger_agent_engine:
+        #   engine:
+        #     internal: ranger-agent-tls-engine

 # typically overridden by environmental
 # values, but should include all endpoints
@ -460,6 +464,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      ranger_agent:
        username: ranger-agent
        password: password
@ -534,6 +541,7 @@ endpoints:
        public: 443

 manifests:
+  certificates: false
  configmap_bin: true
  configmap_etc: true
  deployment_ranger_agent_api: true
--- a/ranger-agent/values_overrides/tls.yaml
+++ b/ranger-agent/values_overrides/tls.yaml
@ -0,0 +1,62 @@
+---
+pod:
+  security_context:
+    ranger_agent:
+      container:
+        ranger_agent_api:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
+        ranger_agent_engine:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
+conf:
+  ranger_agent:
+    keystone_authtoken:
+      https_cacert: /etc/ranger-agent/certs/ca.crt
+endpoints:
+  identity:
+    auth:
+      admin:
+        cacert: /etc/ssl/certs/openstack-helm.crt
+    scheme:
+      default: https
+    port:
+      api:
+        default: 443
+  orchestration:
+    scheme:
+      default: https
+    port:
+      api:
+        public: 443
+  image:
+    scheme:
+      default: https
+    port:
+      api:
+        public: 443
+  ranger_agent:
+    host_fqdn_override:
+      default:
+        tls:
+          secretName: ranger-agent-tls-api
+          issuerRef:
+            name: ca-issuer
+            # Needed in TLS phase 2 to terminate call from Ranger
+            # scheme:
+            #   default: https
+            # port:
+            #   api:
+            #     public: 443
+            #
+            # TBD - only need below if separate cert for engine pod
+            # ranger_agent_engine:
+            #   host_fqdn_override:
+            #     default:
+            #       tls:
+            #         secretName: ranger-agent-tls-engine
+            #         issuerRef:
+            #           name: ca-issuer
+manifests:
+  certificates: true
+...
--- a/ranger/templates/configmap-etc.yaml
+++ b/ranger/templates/configmap-etc.yaml
@ -16,7 +16,12 @@ limitations under the License.
 {{- $envAll := . }}

 {{- if empty .Values.conf.ranger.database.connection -}}
-{{- $_ := tuple "oslo_db" "internal" "ranger" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ranger.database "connection" -}}
+{{- $connection := tuple "oslo_db" "internal" "ranger" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.ranger.database "connection" -}}
+{{- else -}}
+{{- $_ := set .Values.conf.ranger.database "connection" $connection -}}
+{{- end -}}
 {{- end -}}
 {{- if empty .Values.conf.ranger.keystone_authtoken.username -}}
 {{- $_ := set .Values.conf.ranger.keystone_authtoken "username" .Values.endpoints.identity.auth.ranger.username -}}
--- a/ranger/templates/deployment-audit-service.yaml
+++ b/ranger/templates/deployment-audit-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_audit.volumeMounts }}{{ toYaml $mounts_audit.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_audit.volumes}}{{ toYaml $mounts_audit.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-cms-service.yaml
+++ b/ranger/templates/deployment-cms-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_cms.volumeMounts }}{{ toYaml $mounts_cms.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_cms.volumes}}{{ toYaml $mounts_cms.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-fms-service.yaml
+++ b/ranger/templates/deployment-fms-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_fms.volumeMounts }}{{ toYaml $mounts_fms.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_fms.volumes}}{{ toYaml $mounts_fms.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-ims-service.yaml
+++ b/ranger/templates/deployment-ims-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_ims.volumeMounts }}{{ toYaml $mounts_ims.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_ims.volumes}}{{ toYaml $mounts_ims.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-rds-service.yaml
+++ b/ranger/templates/deployment-rds-service.yaml
@ -162,6 +162,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_rds.volumeMounts }}{{ toYaml $mounts_rds.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -176,5 +177,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_rds.volumes}}{{ toYaml $mounts_rds.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-rms-service.yaml
+++ b/ranger/templates/deployment-rms-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_rms.volumeMounts }}{{ toYaml $mounts_rms.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_rms.volumes}}{{ toYaml $mounts_rms.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/deployment-uuid-service.yaml
+++ b/ranger/templates/deployment-uuid-service.yaml
@ -115,6 +115,7 @@ spec:
              mountPath: /etc/ranger/ranger.conf
              subPath: ranger.conf
              readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_uuid.volumeMounts }}{{ toYaml $mounts_uuid.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
@ -129,5 +130,6 @@ spec:
          secret:
            secretName: ranger-etc
            defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_uuid.volumes}}{{ toYaml $mounts_uuid.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/ranger/templates/job-db-drop.yaml
+++ b/ranger/templates/job-db-drop.yaml
@ -13,6 +13,9 @@ limitations under the License.
 */}}

 {{- if .Values.manifests.job_db_drop }}
-{{- $dbInitJob := dict "envAll" . "serviceName" "ranger" -}}
-{{ $dbInitJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
+{{- $dbDropJob := dict "envAll" . "serviceName" "ranger" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
+{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
 {{- end }}
--- a/ranger/templates/job-db-init.yaml
+++ b/ranger/templates/job-db-init.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_init }}
 {{- $dbInitJob := dict "envAll" . "serviceName" "ranger" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
 {{- end }}
--- a/ranger/templates/job-db-sync.yaml
+++ b/ranger/templates/job-db-sync.yaml
@ -14,5 +14,8 @@ limitations under the License.

 {{- if .Values.manifests.job_db_sync }}
 {{- $dbSyncJob := dict "envAll" . "serviceName" "ranger" -}}
+{{- if .Values.manifests.certificates -}}
+{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+{{- end -}}
 {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
 {{- end }}
--- a/ranger/templates/secret-db.yaml
+++ b/ranger/templates/secret-db.yaml
@ -16,6 +16,7 @@ limitations under the License.
 {{- $envAll := . }}
 {{- range $key1, $userClass := tuple "admin" "ranger" }}
 {{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
+{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
 ---
 apiVersion: v1
 kind: Secret
@ -23,6 +24,10 @@ metadata:
  name: {{ $secretName }}
 type: Opaque
 data:
-  DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
+{{- if $envAll.Values.manifests.certificates }}
+  DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+{{- else }}
+  DB_CONNECTION: {{  $connection | b64enc -}}
+{{- end }}
 {{- end }}
 {{- end }}
--- a/ranger/values.yaml
+++ b/ranger/values.yaml
@ -572,6 +572,9 @@ endpoints:
      admin:
        username: root
        password: password
+        secret:
+          tls:
+            internal: mariadb-tls-direct
      ranger:
        username: ranger
        password: password
@ -717,6 +720,7 @@ network:
      port: 38090

 manifests:
+  certificates: false
  configmap_bin: true
  configmap_etc: true
  deployment_ranger_services: true
--- a/ranger/values_overrides/tls.yaml
+++ b/ranger/values_overrides/tls.yaml
@ -0,0 +1,4 @@
+---
+manifests:
+  certificates: true
+...
--- a/tools/deployment/common/get-values-overrides.sh
+++ b/tools/deployment/common/get-values-overrides.sh
@ -21,10 +21,11 @@
 set -e
 HELM_CHART="$1"
 : "${HELM_CHART_ROOT_PATH:="../openstack-helm-addons"}"
+: "${OPENSTACK_RELEASE:="ocata"}"
 : "${CONTAINER_DISTRO_NAME:="ubuntu"}"
 : "${CONTAINER_DISTRO_VERSION:="xenial"}"
 : "${FEATURE_GATES:=""}"
-OSH_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"
+OSH_FEATURE_MIX="${FEATURE_GATES},${OPENSTACK_RELEASE},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"

 function echoerr () {
  echo "$@" 1>&2;
@ -72,6 +73,6 @@ function override_file_args () {
    echo "${OVERRIDE_ARGS}"
 }

-echoerr "We are going to deploy the service ${HELM_CHART}, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
+echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
 source ${HELM_CHART_ROOT_PATH}/tools/deployment/common/env-variables.sh
 override_file_args "${OSH_FEATURE_MIX}"
--- a/tools/deployment/common/setup-client.sh
+++ b/tools/deployment/common/setup-client.sh
@ -1,3 +1,5 @@
+#!/bin/bash
+
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
@ -19,19 +21,36 @@ sudo -H -E pip3 install \

 sudo -H mkdir -p /etc/openstack
 sudo -H chown -R $(id -un): /etc/openstack
-tee /etc/openstack/clouds.yaml << EOF
-clouds:
-  openstack_helm:
-    region_name: RegionOne
-    identity_api_version: 3
-    auth:
-      username: 'admin'
-      password: 'password'
-      project_name: 'admin'
-      project_domain_name: 'default'
-      user_domain_name: 'default'
-      auth_url: 'http://keystone.openstack.svc.cluster.local/v3'
+FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
+  tee /etc/openstack/clouds.yaml << EOF
+  clouds:
+    openstack_helm:
+      region_name: RegionOne
+      identity_api_version: 3
+      cacert: /etc/openstack-helm/certs/ca/ca.pem
+      auth:
+        username: 'admin'
+        password: 'password'
+        project_name: 'admin'
+        project_domain_name: 'default'
+        user_domain_name: 'default'
+        auth_url: 'https://keystone.openstack.svc.cluster.local/v3'
 EOF
+else
+  tee /etc/openstack/clouds.yaml << EOF
+  clouds:
+    openstack_helm:
+      region_name: RegionOne
+      identity_api_version: 3
+      auth:
+        username: 'admin'
+        password: 'password'
+        project_name: 'admin'
+        project_domain_name: 'default'
+        user_domain_name: 'default'
+        auth_url: 'http://keystone.openstack.svc.cluster.local/v3'
+EOF
+fi

 #NOTE: Build charts
 make all
--- a/tools/deployment/component/heat/heat.sh
+++ b/tools/deployment/component/heat/heat.sh
@ -34,5 +34,12 @@ helm upgrade --install heat ${HELM_CHART_ROOT_PATH}/heat \
 #NOTE: Validate Deployment info
 helm status heat
 export OS_CLOUD=openstack_helm
+openstack service list
+openstack endpoint list
 sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
-openstack orchestration service list
+openstack --os-interface internal orchestration service list
+
+FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
+  curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://heat.openstack.svc.cluster.local
+  curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://heat-api.openstack.svc.cluster.local:8004
+fi
--- a/tools/deployment/component/keystone/keystone.sh
+++ b/tools/deployment/component/keystone/keystone.sh
@ -36,3 +36,8 @@ helm status keystone
 export OS_CLOUD=openstack_helm
 sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
 openstack endpoint list
+
+FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
+  curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://keystone.openstack.svc.cluster.local
+  curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://keystone-api.openstack.svc.cluster.local:5000
+fi
--- a/tools/scripts/tls/cert-manager.sh
+++ b/tools/scripts/tls/cert-manager.sh
@ -0,0 +1,173 @@
+#!/bin/bash
+
+set -eux
+
+: ${CERT_MANAGER_VERSION:="v0.15.0"}
+
+cert_path="/etc/openstack-helm"
+ca_cert_root="$cert_path/certs/ca"
+
+function check_cert {
+  # $1: the certificate file, e.g. ca.pem
+  # $2: the key file, e.g. ca-key.pem
+  local cert="$(openssl x509 -noout -modulus -in $1)"
+  local key="$(openssl rsa -noout -modulus -in $2)"
+  if ! [ "$cert" = "$key" ]; then
+    echo "Failure: tls private key does not match cert"
+    exit 1
+  else
+    echo "Pass: $cert is valid with $key"
+  fi
+}
+
+# Download cfssl and cfssljson if they are not available on the system
+if type cfssl && type cfssljson; then
+  echo "cfssl and cfssljson found - skipping installation"
+else
+  echo "installing cfssl and cfssljson"
+  temp_bin=$(mktemp --directory)
+  cd $temp_bin
+  CFSSLURL=https://pkg.cfssl.org/R1.2
+  curl -sSL -o cfssl $CFSSLURL/cfssl_linux-amd64
+  curl -sSL -o cfssljson $CFSSLURL/cfssljson_linux-amd64
+  chmod +x {cfssl,cfssljson}
+  export PATH=$PATH:$temp_bin
+fi
+
+# Sets up a directory for the certs
+sudo rm -rf $cert_path
+sudo mkdir -p $ca_cert_root
+sudo chmod -R go+w $cert_path
+
+cd $ca_cert_root
+
+cat > ca-csr.json <<EOF
+{
+  "CN": "ACME Company",
+  "key": {
+    "algo": "rsa",
+    "size": 4096
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "SomeState",
+      "ST": "SomeCity",
+      "O": "SomeOrg",
+      "OU": "SomeUnit"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
+check_cert ca.pem ca-key.pem
+
+
+cat > cfssl.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "intermediate_ca": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "digital signature",
+          "cert sign",
+          "crl sign",
+          "key encipherment",
+          "server auth",
+          "client auth"
+        ],
+        "ca_constraint": {
+          "is_ca": true
+        }
+      }
+    }
+  }
+}
+EOF
+
+cat > intermediate-ca.json <<EOF
+{
+  "CN": "OpenStack Helm CA",
+  "key": {
+    "algo": "rsa",
+    "size": 4096
+  },
+  "names": [
+    {
+      "C": "GB",
+      "L": "Space",
+      "ST": "Earth",
+      "O": "OSH",
+      "OU": "OSH"
+    }
+  ],
+  "ca": {
+    "expiry": "8760h"
+  }
+}
+EOF
+
+cfssl gencert -initca intermediate-ca.json | cfssljson -bare intermediate-ca -
+cfssl sign -ca ca.pem -ca-key ca-key.pem -config cfssl.json -profile intermediate_ca \
+  intermediate-ca.csr | cfssljson -bare intermediate-ca
+check_cert intermediate-ca.pem intermediate-ca-key.pem
+
+kubectl create ns cert-manager
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+
+# helm 2 command
+helm install --name cert-manager --namespace cert-manager \
+  --version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
+  --set installCRDs=true \
+  --set featureGates=ExperimentalCertificateControllers=true \
+  --set extraArgs[0]="--enable-certificate-owner-ref=true"
+
+# helm 3 command
+# helm install cert-manager jetstack/cert-manager --namespace cert-manager \
+#   --version ${CERT_MANAGER_VERSION} \
+#   --set installCRDs=true \
+#.  --set featureGates=ExperimentalCertificateControllers=true \
+#   --set extraArgs[0]="--enable-certificate-owner-ref=true"
+
+helm repo remove jetstack
+
+key=$(cat /etc/openstack-helm/certs/ca/ca-key.pem | base64 | tr -d "\n")
+crt=$(cat /etc/openstack-helm/certs/ca/ca.pem | base64 | tr -d "\n")
+
+cat > /tmp/ca-issuers.yaml <<EOF
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-key-pair
+  namespace: openstack
+data:
+  tls.crt: $crt
+  tls.key: $key
+---
+apiVersion: cert-manager.io/v1alpha3
+kind: Issuer
+metadata:
+  name: ca-issuer
+  namespace: openstack
+spec:
+  ca:
+    secretName: ca-key-pair
+EOF
+
+
+kubectl wait --for=condition=Ready pods --all -n cert-manager --timeout=180s
+
+# Per [0], put a sleep here to guard against the error - failed calling webhook "webhook.cert-manager.io"
+# [0] https://github.com/jetstack/cert-manager/issues/2602
+sleep 45
+
+kubectl create ns openstack
+kubectl apply -f /tmp/ca-issuers.yaml
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@ -68,11 +68,13 @@
        openstack_release: stein
        container_distro_name: ubuntu
        container_distro_version: bionic
+        feature_gates: tls
      gate_scripts_relative_path: ../openstack-helm-addons
      gate_scripts:
        - ./tools/deployment/common/install-packages.sh
        - ./tools/deployment/common/deploy-k8s.sh
        - ./tools/deployment/common/setup-client.sh
+        - ./tools/scripts/tls/cert-manager.sh
        - ./tools/deployment/component/common/ingress.sh
        - ./tools/deployment/component/common/mariadb.sh
        - ./tools/deployment/component/common/rabbitmq.sh