From 43e75eaa83cc6958fa0a6af55783cbe2645cfde7 Mon Sep 17 00:00:00 2001
From: sgupta
Date: Wed, 9 Dec 2020 22:51:44 +0000
Subject: [PATCH] feat(tls): Change Issuer to ClusterIssuer

ClusterIssuer does not belong to a single namespace (unlike Issuer) and can be referenced by Certificate resources from multiple different namespaces. When internal TLS is added to multiple namespaces, same ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359
Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
---
 cinder/Chart.yaml | 2 +-
 cinder/values_overrides/tls.yaml | 3 +++
 glance/Chart.yaml | 2 +-
 glance/values_overrides/tls.yaml | 2 ++
 heat/Chart.yaml | 2 +-
 heat/values_overrides/tls.yaml | 4 +++-
 horizon/Chart.yaml | 2 +-
 horizon/values_overrides/tls.yaml | 1 +
 keystone/Chart.yaml | 2 +-
 keystone/values_overrides/tls.yaml | 2 +-
 neutron/Chart.yaml | 2 +-
 neutron/values_overrides/tls.yaml | 1 +
 nova/Chart.yaml | 2 +-
 nova/values_overrides/tls.yaml | 5 +++++
 placement/Chart.yaml | 2 +-
 placement/values_overrides/tls.yaml | 1 +
 tools/scripts/tls/cert-manager.sh | 11 ++++-------
 17 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml
index e7bae199..e7f34695 100644
--- a/cinder/Chart.yaml
+++ b/cinder/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Cinder
 name: cinder
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/cinder/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
 sources:
diff --git a/cinder/values_overrides/tls.yaml b/cinder/values_overrides/tls.yaml
index 3849cde9..9b97c7c3 100644
--- a/cinder/values_overrides/tls.yaml
+++ b/cinder/values_overrides/tls.yaml
@@ -97,6 +97,7 @@ endpoints:
 secretName: cinder-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 internal: https
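Review bot: The added `kind: ClusterIssuer` changes the trust scope of every chart consuming these overrides, yet nothing in cinder/values_overrides/tls.yaml records that `ca-issuer` is a cluster-scoped object created outside the chart, so a reader cannot tell where the issuer lives or that the chart templates must now pass `issuerRef.kind` through (the Depends-on change in openstack-helm-infra). A one-line comment above the first `issuerRef:` in each override, `# ca-issuer is a cluster-scoped ClusterIssuer created by tools/scripts/tls/cert-manager.sh`, would make that dependency visible in the file itself. The same point applies to the glance, heat, horizon, keystone, neutron, nova and placement tls.yaml hunks. Because a ClusterIssuer can be referenced from any namespace, any principal able to create Certificate resources anywhere in the cluster can obtain a leaf certificate chained to this CA; that is presumably the intent for multi-namespace internal TLS, but it is a wider trust boundary than the previous per-namespace Issuer and deserves a sentence in the commit message or the override comment.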
@@ -110,6 +111,7 @@ endpoints:
 secretName: cinder-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 internal: https
@@ -123,6 +125,7 @@ endpoints:
 secretName: cinder-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 internal: https
diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index c0fb0570..7ae9544a 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.1.1
+version: 0.1.2
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
diff --git a/glance/values_overrides/tls.yaml b/glance/values_overrides/tls.yaml
index 20d8ff4b..b96d1e7e 100644
--- a/glance/values_overrides/tls.yaml
+++ b/glance/values_overrides/tls.yaml
@@ -92,6 +92,7 @@ endpoints:
 secretName: glance-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 public: https
@@ -105,6 +106,7 @@ endpoints:
 secretName: glance-tls-reg
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 public: https
diff --git a/heat/Chart.yaml b/heat/Chart.yaml
index 3abc2a7b..095ae73a 100644
--- a/heat/Chart.yaml
+++ b/heat/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.1.2
+version: 0.1.3
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:
diff --git a/heat/values_overrides/tls.yaml b/heat/values_overrides/tls.yaml
index f7f36e43..ddeb59df 100644
--- a/heat/values_overrides/tls.yaml
+++ b/heat/values_overrides/tls.yaml
@@ -144,6 +144,7 @@ endpoints:
 secretName: heat-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
@@ -156,6 +157,7 @@ endpoints:
 secretName: heat-tls-cfn
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
@@ -169,7 +171,7 @@ endpoints:
 secretName: heat-tls-cloudwatch
 issuerRef:
 name: ca-issuer
- kind: Issuer
+ kind: ClusterIssuer
 ingress:
 port:
 ingress:
diff --git a/horizon/Chart.yaml b/horizon/Chart.yaml
index 3b12318b..154dd4e0 100644
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.3
+version: 0.1.4
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
diff --git a/horizon/values_overrides/tls.yaml b/horizon/values_overrides/tls.yaml
index 82e25d02..562962d2 100644
--- a/horizon/values_overrides/tls.yaml
+++ b/horizon/values_overrides/tls.yaml
@@ -93,6 +93,7 @@ endpoints:
 secretName: horizon-tls-web
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 public: https
diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 616da07f..f55f1e05 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.1.3
+version: 0.1.4
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml
index 5aaa7cf3..7b19d4fa 100644
--- a/keystone/values_overrides/tls.yaml
+++ b/keystone/values_overrides/tls.yaml
@@ -68,7 +68,7 @@ endpoints:
 secretName: keystone-tls-api
 issuerRef:
 name: ca-issuer
- kind: Issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 public: https
diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml
index e4d452d1..f43d5f3a 100644
--- a/neutron/Chart.yaml
+++ b/neutron/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:
diff --git a/neutron/values_overrides/tls.yaml b/neutron/values_overrides/tls.yaml
index e8aa3fe7..b55a1609 100644
--- a/neutron/values_overrides/tls.yaml
+++ b/neutron/values_overrides/tls.yaml
@@ -117,6 +117,7 @@ endpoints:
 secretName: neutron-tls-server
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index 7e22ff87..bc04b638 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/values_overrides/tls.yaml b/nova/values_overrides/tls.yaml
index 7df4dd82..59a8e7a6 100644
--- a/nova/values_overrides/tls.yaml
+++ b/nova/values_overrides/tls.yaml
@@ -171,6 +171,7 @@ endpoints:
 secretName: nova-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: 'https'
 port:
@@ -183,6 +184,7 @@ endpoints:
 secretName: metadata-tls-metadata
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
@@ -195,6 +197,7 @@ endpoints:
 secretName: nova-novncproxy-tls-proxy
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
@@ -207,6 +210,7 @@ endpoints:
 secretName: nova-tls-spiceproxy
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 placement:
@@ -216,6 +220,7 @@ endpoints:
 secretName: placement-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
diff --git a/placement/Chart.yaml b/placement/Chart.yaml
index df697b46..0c433f7e 100644
--- a/placement/Chart.yaml
+++ b/placement/Chart.yaml
@@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.1.4
+version: 0.1.5
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:
diff --git a/placement/values_overrides/tls.yaml b/placement/values_overrides/tls.yaml
index b2906032..adfd3594 100644
--- a/placement/values_overrides/tls.yaml
+++ b/placement/values_overrides/tls.yaml
@@ -68,6 +68,7 @@ endpoints:
 secretName: placement-tls-api
 issuerRef:
 name: ca-issuer
+ kind: ClusterIssuer
 scheme:
 default: https
 port:
diff --git a/tools/scripts/tls/cert-manager.sh b/tools/scripts/tls/cert-manager.sh
index a3ab4a1c..6590c172 100755
--- a/tools/scripts/tls/cert-manager.sh
+++ b/tools/scripts/tls/cert-manager.sh
@@ -2,7 +2,7 @@ set -eux
-: ${CERT_MANAGER_VERSION:="v0.15.0"}
+: ${CERT_MANAGER_VERSION:="v1.1.0"}
 cert_path="/etc/openstack-helm"
 ca_cert_root="$cert_path/certs/ca"
@@ -126,14 +126,12 @@ helm repo update
 helm install --name cert-manager --namespace cert-manager \
 --version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
 --set installCRDs=true \
- --set featureGates=ExperimentalCertificateControllers=true \
 --set extraArgs[0]="--enable-certificate-owner-ref=true"
 # helm 3 command
 # helm install cert-manager jetstack/cert-manager --namespace cert-manager \
 # --version ${CERT_MANAGER_VERSION} \
 # --set installCRDs=true \
-#. --set featureGates=ExperimentalCertificateControllers=true \
 # --set extraArgs[0]="--enable-certificate-owner-ref=true"
 helm repo remove jetstack
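Review bot: The new default `: ${CERT_MANAGER_VERSION:="v1.1.0"}` is still an environment override, and nothing records that the script now emits `cert-manager.io/v1` ClusterIssuer objects that an older cert-manager cannot serve, so a caller exporting the previous `v0.15.0` gets a failure far from the cause. A trailing comment on the assignment, `: ${CERT_MANAGER_VERSION:="v1.1.0"}  # floor: the ClusterIssuer below uses cert-manager.io/v1`, ties the pin to the reason it was raised. The removal of the `ExperimentalCertificateControllers` feature gate in the `helm install` hunk is consistent with that floor, but it would be clearer if the comment said so as well.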
@@ -147,16 +145,15 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: ca-key-pair
-namespace: openstack
+namespace: cert-manager
 data:
 tls.crt: $crt
 tls.key: $key
 ---
-apiVersion: cert-manager.io/v1alpha3
-kind: Issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
 metadata:
 name: ca-issuer
-namespace: openstack
 spec:
 ca:
 secretName: ca-key-pair
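Review bot: Moving `ca-key-pair` to `namespace: cert-manager` is the right companion to `kind: ClusterIssuer`, because cert-manager resolves a ClusterIssuer's `secretName` in its own cluster-resource namespace rather than in the requesting Certificate's namespace, but the heredoc gives no hint of that coupling and a later edit could move the Secret back to `openstack` and silently break issuance. The Secret also now holds the private key of a CA that every namespace in the cluster can obtain certificates from, so a comment above `kind: Secret` such as `# CA private key: must live in cert-manager's cluster-resource namespace (ClusterIssuer is cluster-scoped); restrict read access to this Secret` documents both the placement and the sensitivity. Since the data is written via `tls.key: $key` from a shell variable, it is worth confirming that the surrounding script does not echo the expanded heredoc under `set -x`; the heredoc's enclosing command starts before this hunk.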