From 2a6c028a41c582e3dc9d474396aa8db94259777c Mon Sep 17 00:00:00 2001 From: "Anselme, Schubert (sa246v)" Date: Wed, 29 Nov 2023 09:44:13 -0500 Subject: [PATCH] Enable TLS for celery This PS enable TLS connection from celery to rabbitmq when TLS connection is enabled Change-Id: I49ccf159ca73e0764703a6d3c686c108143f12e2 Signed-off-by: Anselme, Schubert (sa246v) --- charts/shipyard/Chart.yaml | 2 +- charts/shipyard/templates/job-rabbit-init.yaml | 2 +- .../shipyard/templates/statefulset-airflow-worker.yaml | 2 ++ charts/shipyard/values.yaml | 9 ++++++--- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/charts/shipyard/Chart.yaml b/charts/shipyard/Chart.yaml index a50c0bcc..0cf18533 100644 --- a/charts/shipyard/Chart.yaml +++ b/charts/shipyard/Chart.yaml @@ -16,7 +16,7 @@ apiVersion: v1 description: A Helm chart for Shipyard and Airflow name: shipyard -version: 0.2.2 +version: 0.2.3 appVersion: 2.6.2 keywords: - shipyard diff --git a/charts/shipyard/templates/job-rabbit-init.yaml b/charts/shipyard/templates/job-rabbit-init.yaml index bb5ed69a..653da70c 100644 --- a/charts/shipyard/templates/job-rabbit-init.yaml +++ b/charts/shipyard/templates/job-rabbit-init.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.job_rabbit_init }} {{- $rmqJob := dict "envAll" . "serviceName" "airflow" -}} -{{- if .Values.manifests.certificates -}} +{{- if .Values.tls.oslo_messaging -}} {{- $_ := set $rmqJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} {{- end -}} {{ $rmqJob | include "helm-toolkit.manifests.job_rabbit_init" }} diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml index 99cb8acd..3b28d98f 100644 --- a/charts/shipyard/templates/statefulset-airflow-worker.yaml +++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml 
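Review bot: In job-rabbit-init.yaml the `tlsSecret` for the rabbit-init job is now gated on `.Values.tls.oslo_messaging` instead of `.Values.manifests.certificates`, and the new key defaults to `false` in values.yaml. A deployment that relied on `manifests.certificates: true` would therefore run this job without the TLS secret after upgrading, unless it also sets the new flag. Neither the commit message nor values.yaml mentions this. A comment above the new `tls:` key would make the switch visible, for example `# tls.oslo_messaging: pass the RabbitMQ TLS secret to the rabbit-init job and mount it in the airflow worker (replaces manifests.certificates for this job)`.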
@@ -185,6 +185,7 @@ spec: readOnly: true - name: airflow-logs mountPath: {{ .Values.conf.airflow.logging.base_log_folder }} +{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - name: airflow-logrotate image: {{ .Values.images.tags.airflow }} imagePullPolicy: {{ .Values.images.pull_policy }} @@ -237,6 +238,7 @@ spec: configMap: name: airflow-bin defaultMode: 0555 +{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} volumeClaimTemplates: - metadata: name: airflow-logs diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml index 003352bc..1dd1cea4 100644 --- a/charts/shipyard/values.yaml +++ b/charts/shipyard/values.yaml @@ -813,9 +813,9 @@ conf: celery_config_options: airflow.config_templates.default_celery.DEFAULT_CELERY_CONFIG # TODO: Enable this for security ssl_active: "False" - ssl_key: "" - ssl_cert: "" - ssl_cacert: "" + ssl_key: /ect/rabbitmq/certs/tls.key + ssl_cert: /ect/rabbitmq/certs/tls.crt + ssl_cacert: /ect/rabbitmq/certs/ca.crt celery_broker_transport_options: visibility_timeout: 21600 dask: @@ -1234,6 +1234,9 @@ network_policy: egress: - {} +tls: + oslo_messaging: false + manifests: configmap_shipyard_bin: true configmap_shipyard_etc: true
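Review bot: The mount path passed here, `"path" "/etc/rabbitmq/certs"`, does not match the defaults this commit adds in the first values.yaml hunk, which read `/ect/rabbitmq/certs/...` for `ssl_key`, `ssl_cert` and `ssl_cacert`. With those defaults celery is pointed at files that do not exist under the mounted directory, so the broker connection cannot use the mounted key, certificate or CA as shipped. The values.yaml lines should read `ssl_key: /etc/rabbitmq/certs/tls.key`, `ssl_cert: /etc/rabbitmq/certs/tls.crt` and `ssl_cacert: /etc/rabbitmq/certs/ca.crt`. Keeping the directory in a single values key that both this template and the celery settings use would stop the two from drifting apart again. The container this mount is added to starts outside the hunk.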
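Review bot: In the first values.yaml hunk `ssl_active: "False"` stays as the default beside the new certificate paths, and nothing visible in this patch ties it to `tls.oslo_messaging`. As far as these hunks show, setting the new flag mounts the secret into the worker but celery still connects to RabbitMQ without TLS unless the operator also overrides `ssl_active`. Either derive `ssl_active` from the flag where the celery section is rendered (that template is not part of this diff), or replace the stale `# TODO: Enable this for security` comment with something like `# Set ssl_active to "True" together with tls.oslo_messaging: true`.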