diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index f5a701bd9f..f3ff93a202 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Glance
name: glance
-version: 0.3.2
+version: 0.3.3
home: https://docs.openstack.org/glance/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
sources:
diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 52da5a365d..24aa24b062 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
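Review bot: The `deployment_name` selection block added at the top of this template is repeated verbatim in `pod-rally-test.yaml` and in the heat and keystone copies of both templates. It stores the result on the root context with `set .`, so a template that reads `.deployment_name` without repeating the block presumably depends on render order. A single named helper (for example in helm-toolkit) that returns the name would keep the six copies from drifting. With `global.subchart_release_name` set, names derive from `.Chart.Name` alone, so two umbrella releases in one namespace would likely render the same `glance-test` service account; a comment such as `# subchart mode: names are chart-scoped, one umbrella release per namespace` would document that assumption.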
@@ -97,7 +103,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}
diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml
index 938c040d79..0ca17eb2fc 100644
--- a/glance/templates/pod-rally-test.yaml
+++ b/glance/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
- name: {{ print $envAll.Release.Name "-test" }}
+ name: {{ print $envAll.Chart.Name "-test" }}
labels:
{{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
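Review bot: The Pod name uses `$envAll.Chart.Name` unconditionally, whereas the service account two lines above and the heat and keystone versions of this template use `deployment_name`. For a standalone glance release the test pod is therefore renamed from `<release>-test` to `glance-test`, and two releases in one namespace would collide. The line should read `name: {{ print $envAll.deployment_name "-test" }}`. The later hunk in this file has the same inconsistency for `RALLY_ENV_NAME`, which should be `value: {{ .deployment_name }}`. The pod spec continues outside both hunks.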
@@ -79,7 +85,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
- value: {{.Release.Name}}
+ value: {{.Chart.Name}}
command:
- /tmp/rally-test.sh
volumeMounts:
diff --git a/glance/values_overrides/netpol.yaml b/glance/values_overrides/netpol.yaml
index 4dd0d0135d..fb98f30724 100644
--- a/glance/values_overrides/netpol.yaml
+++ b/glance/values_overrides/netpol.yaml
@@ -27,8 +27,6 @@ network_policy:
matchLabels:
application: cinder
ports:
- - protocol: TCP
- port: 9191
- protocol: TCP
port: 9292
egress:
diff --git a/heat/Chart.yaml b/heat/Chart.yaml
index 8c00571b8b..9eaa83f95d 100644
--- a/heat/Chart.yaml
+++ b/heat/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Heat
name: heat
-version: 0.2.9
+version: 0.2.10
home: https://docs.openstack.org/heat/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
sources:
diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
index d5716e1f3a..cc5da4fa0d 100644
--- a/heat/templates/configmap-etc.yaml
+++ b/heat/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@@ -120,7 +126,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}
diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml
index 3b7d95da90..ac6c636e3c 100644
--- a/heat/templates/pod-rally-test.yaml
+++ b/heat/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
- name: {{ print $envAll.Release.Name "-test" }}
+ name: {{ print $envAll.deployment_name "-test" }}
labels:
{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@@ -40,7 +46,7 @@ spec:
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: {{ .deployment_name }}-test-ks-user
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
command:
@@ -65,7 +71,7 @@ spec:
- name: SERVICE_OS_ROLE
value: {{ .Values.endpoints.identity.auth.test.role | quote }}
containers:
- - name: {{ .Release.Name }}-test
+ - name: {{ .deployment_name }}-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
@@ -76,7 +82,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
- value: {{.Release.Name}}
+ value: {{.deployment_name}}
command:
- /tmp/rally-test.sh
volumeMounts:
diff --git a/heat/values_overrides/ocata-ubuntu_xenial.yaml b/heat/values_overrides/ocata-ubuntu_xenial.yaml
index 8963294030..0f4e7a07b0 100644
--- a/heat/values_overrides/ocata-ubuntu_xenial.yaml
+++ b/heat/values_overrides/ocata-ubuntu_xenial.yaml
@@ -1,17 +1,18 @@
---
-images:
- tags:
- bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
- heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+heat:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+ heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
...
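Review bot: Nesting `images` under a top-level `heat:` key changes who can consume this file. It lives in heat/values_overrides, and when passed to the standalone heat chart the tags would land at `.Values.heat.images.tags`, which the chart presumably does not read. The override would then silently do nothing and the default images would be deployed. The umbrella-shaped overrides added under openstack/values_overrides/heat/ already cover the subchart case. Keep this file at the top-level `images:` shape, or move it next to those umbrella overrides.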
diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index 6d793a19ab..6e9d4ff8af 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Keystone
name: keystone
-version: 0.2.20
+version: 0.2.21
home: https://docs.openstack.org/keystone/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
sources:
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 4b7f04631e..cde64386e0 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@@ -35,7 +41,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
index c3730cc3b8..ad5b23a03e 100644
--- a/keystone/templates/pod-rally-test.yaml
+++ b/keystone/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
- name: {{ print $envAll.Release.Name "-test" }}
+ name: {{ print $envAll.deployment_name "-test" }}
labels:
{{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@@ -79,7 +85,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
- value: {{.Release.Name}}
+ value: {{.deployment_name}}
command:
- /tmp/rally-test.sh
volumeMounts:
diff --git a/keystone/values.yaml b/keystone/values.yaml
index d0f66a7bde..935f618454 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -68,7 +68,6 @@ bootstrap:
--domain="${OS_DEFAULT_DOMAIN}" \
"admin"
-
network:
api:
ingress:
diff --git a/openstack/.helmignore b/openstack/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/openstack/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/openstack/Chart.yaml b/openstack/Chart.yaml
new file mode 100644
index 0000000000..ba270f9f9d
--- /dev/null
+++ b/openstack/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+appVersion: 1.16.0
+dependencies:
+- name: helm-toolkit
+ repository: file://../../openstack-helm-infra/helm-toolkit
+ version: ">0.1.0"
+- name: mariadb
+ repository: file://../../openstack-helm-infra/mariadb
+ version: ">0.1.0"
+- name: rabbitmq
+ repository: file://../../openstack-helm-infra/rabbitmq
+ version: ">0.1.0"
+- name: memcached
+ repository: file://../../openstack-helm-infra/memcached
+ version: ">0.1.0"
+- name: keystone
+ repository: file://../keystone
+ version: ">0.1.0"
+- name: heat
+ repository: file://../heat
+ version: ">0.1.0"
+- name: glance
+ repository: file://../glance
+ version: ">0.1.0"
+
+description: A chart for openstack helm commmon deployment items
+name: openstack
+type: application
+version: 0.1.0
+maintainers:
+ - name: OpenStack-Helm Authors
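Review bot: None of the `dependencies` entries carries a `condition`, so the per-subchart `enabled: true` flags in openstack/values.yaml are not wired to Helm's dependency handling and cannot switch a subchart off. Adding e.g. `condition: keystone.enabled` to each entry would make them effective. The open-ended `version: ">0.1.0"` ranges, combined with `file://` paths that reach outside this repository (`../../openstack-helm-infra/...`), mean the packaged chart depends on whatever sibling checkout is present. A tighter range or a committed lock file would make the build reproducible. The description also has a typo (`commmon`).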
diff --git a/openstack/charts/glance b/openstack/charts/glance
new file mode 120000
index 0000000000..b01e3db18c
--- /dev/null
+++ b/openstack/charts/glance
@@ -0,0 +1 @@
+../../glance/
\ No newline at end of file
diff --git a/openstack/charts/heat b/openstack/charts/heat
new file mode 120000
index 0000000000..16e7cb9710
--- /dev/null
+++ b/openstack/charts/heat
@@ -0,0 +1 @@
+../../heat
\ No newline at end of file
diff --git a/openstack/charts/helm-toolkit b/openstack/charts/helm-toolkit
new file mode 120000
index 0000000000..cd43e5f9ab
--- /dev/null
+++ b/openstack/charts/helm-toolkit
@@ -0,0 +1 @@
+../../../openstack-helm-infra/helm-toolkit
\ No newline at end of file
diff --git a/openstack/charts/keystone b/openstack/charts/keystone
new file mode 120000
index 0000000000..f3098a8aa0
--- /dev/null
+++ b/openstack/charts/keystone
@@ -0,0 +1 @@
+../../keystone/
\ No newline at end of file
diff --git a/openstack/charts/mariadb b/openstack/charts/mariadb
new file mode 120000
index 0000000000..ab5d9adf57
--- /dev/null
+++ b/openstack/charts/mariadb
@@ -0,0 +1 @@
+../../../openstack-helm-infra/mariadb
\ No newline at end of file
diff --git a/openstack/charts/memcached b/openstack/charts/memcached
new file mode 120000
index 0000000000..2b9f3188eb
--- /dev/null
+++ b/openstack/charts/memcached
@@ -0,0 +1 @@
+../../../openstack-helm-infra/memcached/
\ No newline at end of file
diff --git a/openstack/charts/rabbitmq b/openstack/charts/rabbitmq
new file mode 120000
index 0000000000..0439d46360
--- /dev/null
+++ b/openstack/charts/rabbitmq
@@ -0,0 +1 @@
+../../../openstack-helm-infra/rabbitmq/
\ No newline at end of file
diff --git a/openstack/values.yaml b/openstack/values.yaml
new file mode 100644
index 0000000000..ce61966b37
--- /dev/null
+++ b/openstack/values.yaml
@@ -0,0 +1,42 @@
+---
+# default values for openstack umbrella chart
+# Global overrides for subcharts
+
+global:
+ subchart_release_name: true
+
+helm-toolkit:
+ enabled: true
+
+rabbitmq:
+ enabled: true
+ volume:
+ enabled: false
+ pod:
+ replicas:
+ server: 1
+
+mariadb:
+ enabled: true
+ pod:
+ replicas:
+ server: 1
+ volume:
+ enabled: false
+ use_local_path_for_single_pod_cluster:
+ enabled: true
+
+memcached:
+ enabled: true
+
+keystone:
+ enabled: true
+
+heat:
+ enabled: true
+
+glance:
+ enabled: true
+ storage: pvc
+ volume:
+ class_name: standard
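Review bot: As far as the flattened hunk shows, `volume.enabled` is `false` for both rabbitmq and mariadb, with a single server replica each. The umbrella chart's defaults therefore appear to run the database and the message broker without persistent storage. That is reasonable for a gate or demo deployment, but nothing in the file says so. A comment above each block, e.g. `# persistence disabled: test default, override before storing real data`, would keep these defaults from being carried into an environment where Keystone data must survive a pod restart.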
diff --git a/openstack/values_overrides/glance/apparmor.yaml b/openstack/values_overrides/glance/apparmor.yaml
new file mode 100644
index 0000000000..8b135c7a55
--- /dev/null
+++ b/openstack/values_overrides/glance/apparmor.yaml
@@ -0,0 +1,23 @@
+---
+glance:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ glance-api:
+ glance-api: runtime/default
+ glance-perms: runtime/default
+ init: runtime/default
+ nginx: runtime/default
+ glance-metadefs-load:
+ init: runtime/default
+ glance-metadefs-load: runtime/default
+ glance-storage-init:
+ init: runtime/default
+ glance-storage-init: runtime/default
+ glance-test:
+ init: runtime/default
+ glance-test: runtime/default
+ glance-test-ks-user: runtime/default
+ manifests:
+ certificates: true
+...
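Review bot: The trailing `manifests:` / `certificates: true` pair looks copied from the TLS override, and the heat AppArmor override added in this commit has no such key. If this file is applied without tls.yaml, the glance chart would presumably try to render certificate resources with no issuer or secret names configured. Drop the two lines here, or add a comment explaining why the AppArmor profile set needs the certificates manifest.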
diff --git a/openstack/values_overrides/glance/netpol.yaml b/openstack/values_overrides/glance/netpol.yaml
new file mode 100644
index 0000000000..dd2124636c
--- /dev/null
+++ b/openstack/values_overrides/glance/netpol.yaml
@@ -0,0 +1,46 @@
+---
+glance:
+ manifests:
+ network_policy: true
+ network_policy:
+ glance:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: cinder
+ ports:
+ - protocol: TCP
+ port: 9292
+ egress:
+ - to:
+ ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+...
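Review bot: The first egress rule has an empty `to:` with ports 80 and 443, which in a NetworkPolicy places no restriction on destination, so glance pods may reach any peer on those ports. If that is intended (for example for external image stores), say so in a comment such as `# no 'to' peers: egress to any destination on 80/443`; otherwise list the peers. The `%%%REPLACE_API_ADDR%%%/32` and `%%%REPLACE_API_PORT%%%` values are not valid YAML scalars until substituted, because a plain scalar cannot start with `%`. A header comment naming the step that replaces them would help; the same applies to openstack/values_overrides/heat/netpol.yaml.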
diff --git a/openstack/values_overrides/glance/tls.yaml b/openstack/values_overrides/glance/tls.yaml
new file mode 100644
index 0000000000..13c4d5cfe1
--- /dev/null
+++ b/openstack/values_overrides/glance/tls.yaml
@@ -0,0 +1,128 @@
+---
+glance:
+ images:
+ tags:
+ nginx: docker.io/nginx:1.18.0
+ conf:
+ glance:
+ DEFAULT:
+ bind_host: 127.0.0.1
+ keystone_authtoken:
+ cafile: /etc/glance/certs/ca.crt
+ glance_store:
+ https_ca_certificates_file: /etc/glance/certs/ca.crt
+ swift_store_cacert: /etc/glance/certs/ca.crt
+ oslo_messaging_rabbit:
+ ssl: true
+ ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+ ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+ ssl_key_file: /etc/rabbitmq/certs/tls.key
+ nginx: |
+ worker_processes 1;
+ daemon off;
+ user nginx;
+
+ events {
+ worker_connections 1024;
+ }
+
+ http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ keepalive_timeout 65s;
+ tcp_nodelay on;
+
+ log_format main '[nginx] method=$request_method path=$request_uri '
+ 'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
+ '"$remote_user" "$http_referer" "$http_user_agent"';
+
+ access_log /dev/stdout main;
+
+ upstream websocket {
+ server 127.0.0.1:$PORT;
+ }
+
+ server {
+ server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
+ listen $POD_IP:$PORT ssl;
+
+ client_max_body_size 0;
+
+ ssl_certificate /etc/nginx/certs/tls.crt;
+ ssl_certificate_key /etc/nginx/certs/tls.key;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+
+ location / {
+ proxy_pass_request_headers on;
+
+ proxy_http_version 1.1;
+ proxy_pass http://websocket;
+ proxy_read_timeout 90;
+ }
+ }
+ }
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+ endpoints:
+ identity:
+ name: keystone
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ glance:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ scheme:
+ default: https
+ port:
+ api:
+ default: 443
+ image:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: glance-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ scheme:
+ default: https
+ public: https
+ port:
+ api:
+ public: 443
+ dashboard:
+ scheme:
+ default: https
+ public: https
+ port:
+ web:
+ default: 80
+ public: 443
+ oslo_messaging:
+ port:
+ https:
+ default: 15680
+ pod:
+ security_context:
+ glance:
+ pod:
+ runAsUser: 0
+ resources:
+ nginx:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ manifests:
+ certificates: true
+...
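Review bot: The nginx `server` block sets `ssl_ciphers` but no `ssl_protocols`, so the protocol set falls back to the default of the pinned `nginx:1.18.0` image, which still lists TLSv1 and TLSv1.1. The cipher list appears to contain only TLS 1.2 suites, so older protocols probably cannot negotiate, but that is implicit. The Apache config in heat/tls.yaml disables them explicitly, and this file should do the same with `ssl_protocols TLSv1.2 TLSv1.3;` next to the `ssl_ciphers` line. The first two cipher entries (`…-GCM-SHA512`) are, as far as I know, not OpenSSL suite names and could be dropped. The glance pod security context also sets `runAsUser: 0`, which deserves a comment stating why root is required.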
diff --git a/openstack/values_overrides/glance/train-ubuntu_bionic.yaml b/openstack/values_overrides/glance/train-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..89339cffc6
--- /dev/null
+++ b/openstack/values_overrides/glance/train-ubuntu_bionic.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ glance_db_sync: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+ glance_api: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+ glance_metadefs_load: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+ glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...
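Review bot: `glance_storage_init` points at `docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic`, a floating tag, so the image that runs storage initialisation can change without any change to the chart. The same line appears in the ussuri, victoria and wallaby overrides, and the two `ubuntu_focal` files still reference the bionic helper, which may or may not be intended. Pin to a release-specific tag or a digest (`...ceph-config-helper@sha256:<digest>`), or add a comment saying the floating tag is deliberate.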
diff --git a/openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml b/openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..5f5b129a72
--- /dev/null
+++ b/openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ glance_db_sync: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+ glance_api: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+ glance_metadefs_load: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+ glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/glance/victoria-ubuntu_focal.yaml b/openstack/values_overrides/glance/victoria-ubuntu_focal.yaml
new file mode 100644
index 0000000000..684de516a8
--- /dev/null
+++ b/openstack/values_overrides/glance/victoria-ubuntu_focal.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ glance_db_sync: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+ glance_api: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+ glance_metadefs_load: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+ glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml b/openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml
new file mode 100644
index 0000000000..a48640cbc0
--- /dev/null
+++ b/openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ glance_db_sync: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+ glance_api: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+ glance_metadefs_load: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+ glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/heat/apparmor.yaml b/openstack/values_overrides/heat/apparmor.yaml
new file mode 100644
index 0000000000..8b54188c87
--- /dev/null
+++ b/openstack/values_overrides/heat/apparmor.yaml
@@ -0,0 +1,27 @@
+---
+heat:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ heat-api:
+ heat-api: runtime/default
+ init: runtime/default
+ heat-cfn:
+ heat-cfn: runtime/default
+ init: runtime/default
+ heat-engine:
+ heat-engine: runtime/default
+ init: runtime/default
+ heat-engine-cleaner:
+ heat-engine-cleaner: runtime/default
+ init: runtime/default
+ heat-domain-ks-user:
+ heat-ks-domain-user: runtime/default
+ init: runtime/default
+ heat-trusts:
+ heat-trusts: runtime/default
+ init: runtime/default
+ heat-purge-deleted:
+ heat-purge-deleted: runtime/default
+ init: runtime/default
+...
diff --git a/openstack/values_overrides/heat/netpol.yaml b/openstack/values_overrides/heat/netpol.yaml
new file mode 100644
index 0000000000..cc9e887050
--- /dev/null
+++ b/openstack/values_overrides/heat/netpol.yaml
@@ -0,0 +1,48 @@
+---
+heat:
+ manifests:
+ network_policy: true
+ network_policy:
+ heat:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: horizon
+ ports:
+ - protocol: TCP
+ port: 8000
+ - protocol: TCP
+ port: 8003
+ - protocol: TCP
+ port: 8004
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - to:
+ - podSelector:
+ matchLabels:
+ application: nova
+ - to:
+ - podSelector:
+ matchLabels:
+ application: glance
+ - to:
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+...
diff --git a/openstack/values_overrides/heat/tls.yaml b/openstack/values_overrides/heat/tls.yaml
new file mode 100644
index 0000000000..a00c7df30b
--- /dev/null
+++ b/openstack/values_overrides/heat/tls.yaml
@@ -0,0 +1,191 @@
+---
+heat:
+ conf:
+ software:
+ apache2:
+ binary: apache2
+ start_parameters: -DFOREGROUND
+ site_dir: /etc/apache2/sites-enabled
+ conf_dir: /etc/apache2/conf-enabled
+ mods_dir: /etc/apache2/mods-available
+ a2enmod:
+ - ssl
+ a2dismod: null
+ mpm_event: |
+
+ ServerLimit 1024
+ StartServers 32
+ MinSpareThreads 32
+ MaxSpareThreads 256
+ ThreadsPerChild 25
+ MaxRequestsPerChild 128
+ ThreadLimit 720
+
+ wsgi_heat: |
+ {{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ Listen {{ $portInt }}
+
+ ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
+ WSGIProcessGroup heat-api
+ WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ AllowEncodedSlashes On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ ErrorLog /dev/stdout
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ SSLEngine on
+ SSLCertificateFile /etc/heat/certs/tls.crt
+ SSLCertificateKeyFile /etc/heat/certs/tls.key
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+
+
+ wsgi_cfn: |
+ {{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ Listen {{ $portInt }}
+
+ ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
+ WSGIProcessGroup heat-api-cfn
+ WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ AllowEncodedSlashes On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ ErrorLog /dev/stdout
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ SSLEngine on
+ SSLCertificateFile /etc/heat/certs/tls.crt
+ SSLCertificateKeyFile /etc/heat/certs/tls.key
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+
+
+ heat:
+ clients_neutron:
+ ca_file: /etc/heat/certs/ca.crt
+ clients_cinder:
+ ca_file: /etc/heat/certs/ca.crt
+ clients_glance:
+ ca_file: /etc/heat/certs/ca.crt
+ clients_nova:
+ ca_file: /etc/heat/certs/ca.crt
+ clients_swift:
+ ca_file: /etc/heat/certs/ca.crt
+ ssl:
+ ca_file: /etc/heat/certs/ca.crt
+ keystone_authtoken:
+ cafile: /etc/heat/certs/ca.crt
+ clients:
+ ca_file: /etc/heat/certs/ca.crt
+ clients_keystone:
+ ca_file: /etc/heat/certs/ca.crt
+ oslo_messaging_rabbit:
+ ssl: true
+ ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+ ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+ ssl_key_file: /etc/rabbitmq/certs/tls.key
+
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ cfn:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ cloudwatch:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+ pod:
+ security_context:
+ heat:
+ container:
+ heat_api:
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+ heat_cfn:
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ heat:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ heat_trustee:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ heat_stack_user:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ scheme:
+ default: https
+ port:
+ api:
+ default: 443
+ orchestration:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: heat-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ scheme:
+ default: https
+ port:
+ api:
+ public: 443
+ cloudformation:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: heat-tls-cfn
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ scheme:
+ default: https
+ port:
+ api:
+ public: 443
+ # Cloudwatch does not get an entry in the keystone service catalog
+ cloudwatch:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: heat-tls-cloudwatch
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ ingress:
+ port:
+ ingress:
+ default: 443
+ oslo_messaging:
+ port:
+ https:
+ default: 15680
+ manifests:
+ certificates: true
+...
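Review bot: The `security_context` block runs the `heat_api` and `heat_cfn` containers with `runAsUser: 0` and `readOnlyRootFilesystem: false`, but nothing in the override says why TLS termination needs both. Apache presumably needs root to start and to read `/etc/heat/certs/tls.key`, and `WSGIDaemonProcess … user=heat` drops privileges only for the WSGI workers. Add a comment such as `# apache2 parent runs as root to load the TLS key; WSGI workers run as heat`, and check whether a writable root filesystem is needed or whether a writable runtime directory would do. Both cipher lists end with CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`), which could be dropped if all clients support the GCM/CHACHA20 entries.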
diff --git a/openstack/values_overrides/heat/train-ubuntu_bionic.yaml b/openstack/values_overrides/heat/train-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..aa89ee1c06
--- /dev/null
+++ b/openstack/values_overrides/heat/train-ubuntu_bionic.yaml
@@ -0,0 +1,18 @@
+---
+heat:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_db_sync: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_api: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_cfn: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_cloudwatch: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_engine: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_engine_cleaner: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ heat_purge_deleted: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+...
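Review bot: Every entry under `images.tags` refers to a mutable tag (`docker.io/openstackhelm/heat:train-ubuntu_bionic`), so the content these jobs and services run can change without any change to this file. The same applies to the ussuri, victoria and wallaby overrides for heat and to the four keystone image overrides later in this commit. Where reproducible deployments matter, pin by digest, e.g. `heat_api: "docker.io/openstackhelm/heat@sha256:<digest>"`. Otherwise add a header comment such as `# Tags are intentionally floating; pin by digest for production use`.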
diff --git a/openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml b/openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..654241ffd1
--- /dev/null
+++ b/openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,18 @@
+---
+heat:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_db_sync: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_api: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_cfn: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_cloudwatch: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_engine: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_engine_cleaner: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ heat_purge_deleted: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/heat/victoria-ubuntu_focal.yaml b/openstack/values_overrides/heat/victoria-ubuntu_focal.yaml
new file mode 100644
index 0000000000..012d708757
--- /dev/null
+++ b/openstack/values_overrides/heat/victoria-ubuntu_focal.yaml
@@ -0,0 +1,18 @@
+---
+heat:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_db_sync: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_api: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_cfn: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_cloudwatch: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_engine: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_engine_cleaner: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ heat_purge_deleted: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+...
diff --git a/openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml b/openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml
new file mode 100644
index 0000000000..6cc277a4fa
--- /dev/null
+++ b/openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,18 @@
+---
+heat:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_db_sync: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_api: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_cfn: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_cloudwatch: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_engine: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_engine_cleaner: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ heat_purge_deleted: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+...
diff --git a/openstack/values_overrides/keystone/apparmor.yaml b/openstack/values_overrides/keystone/apparmor.yaml
new file mode 100644
index 0000000000..d7148d2d18
--- /dev/null
+++ b/openstack/values_overrides/keystone/apparmor.yaml
@@ -0,0 +1,21 @@
+---
+keystone:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ keystone-api:
+ keystone-api: runtime/default
+ keystone-credential-setup:
+ keystone-credential-setup: runtime/default
+ keystone-fernet-setup:
+ keystone-fernet-setup: runtime/default
+ keystone-credential-cleanup:
+ keystone-credential-cleanup: runtime/default
+ keystone-domain-manage:
+ keystone-domain-manage: runtime/default
+ keystone-domain-manage-init: runtime/default
+ keystone-test:
+ init: runtime/default
+ keystone-test: runtime/default
+ keystone-test-ks-user: runtime/default
+...
diff --git a/openstack/values_overrides/keystone/ldap.yaml b/openstack/values_overrides/keystone/ldap.yaml
new file mode 100644
index 0000000000..a2e0900cc0
--- /dev/null
+++ b/openstack/values_overrides/keystone/ldap.yaml
@@ -0,0 +1,59 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+keystone:
+ conf:
+ keystone:
+ identity:
+ driver: sql
+ default_domain_id: default
+ domain_specific_drivers_enabled: True
+ domain_configurations_from_database: True
+ domain_config_dir: /etc/keystone/domains
+ ks_domains:
+ ldapdomain:
+ identity:
+ driver: ldap
+ ldap:
+ url: "ldap://ldap.openstack.svc.cluster.local:389"
+ user: "cn=admin,dc=cluster,dc=local"
+ password: password
+ suffix: "dc=cluster,dc=local"
+ user_attribute_ignore: "enabled,email,tenants,default_project_id"
+ query_scope: sub
+ user_enabled_emulation: True
+ user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
+ user_tree_dn: "ou=People,dc=cluster,dc=local"
+ user_enabled_mask: 2
+ user_enabled_default: 512
+ user_name_attribute: cn
+ user_id_attribute: sn
+ user_mail_attribute: mail
+ user_pass_attribute: userPassword
+ group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+ group_filter: ""
+ group_objectclass: posixGroup
+ group_id_attribute: cn
+ group_name_attribute: cn
+ group_desc_attribute: description
+ group_member_attribute: memberUID
+ use_pool: true
+ pool_size: 27
+ pool_retry_max: 3
+ pool_retry_delay: 0.1
+ pool_connection_timeout: 15
+ pool_connection_lifetime: 600
+ use_auth_pool: true
+ auth_pool_size: 100
+ auth_pool_connection_lifetime: 60
+...
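Review bot: The `ldap` section sends the bind credentials for `cn=admin,dc=cluster,dc=local` over `ldap://…:389` with no transport protection, and the bind password is the literal `password: password` in a tracked values file. If this override is only a gate fixture for a throwaway directory, say so in a header comment, e.g. `# Test-only LDAP domain: placeholder credentials, no TLS; do not use as a deployment template`. Otherwise enable `use_tls: true` with a `tls_cacertfile` (or use an `ldaps://` URL) and supply the password from a secret instead of this file. The booleans are also written as `True` in some places and `true` in others; using `true` throughout avoids parser-dependent typing.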
diff --git a/openstack/values_overrides/keystone/netpol.yaml b/openstack/values_overrides/keystone/netpol.yaml
new file mode 100644
index 0000000000..535861dbf8
--- /dev/null
+++ b/openstack/values_overrides/keystone/netpol.yaml
@@ -0,0 +1,70 @@
+---
+keystone:
+ manifests:
+ network_policy: true
+ network_policy:
+ keystone:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: ceph
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: prometheus-openstack-exporter
+ ports:
+ - protocol: TCP
+ port: 5000
+ egress:
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+...
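Review bot: The values `cidr: %%%REPLACE_API_ADDR%%%/32` and `port: %%%REPLACE_API_PORT%%%` are not loadable YAML as committed, because a plain scalar cannot begin with `%`. The file therefore only works after something has substituted the tokens, presumably `replace_variables` in tools/deployment/common/get-values-overrides.sh, whose body is not shown in this diff. Passing the file to helm directly fails at parse time, and nothing in the file explains why. A header comment would document that dependency, e.g. `# %%%REPLACE_API_ADDR%%% / %%%REPLACE_API_PORT%%% are substituted by get-values-overrides.sh before helm reads this file`. The mariadb, memcached and rabbitmq netpol overrides in this commit carry the same placeholders and need the same comment.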
diff --git a/openstack/values_overrides/keystone/tls.yaml b/openstack/values_overrides/keystone/tls.yaml
new file mode 100644
index 0000000000..d950679b15
--- /dev/null
+++ b/openstack/values_overrides/keystone/tls.yaml
@@ -0,0 +1,91 @@
+---
+keystone:
+ network:
+ api:
+ ingress:
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: null
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ pod:
+ security_context:
+ keystone:
+ pod:
+ runAsUser: 0
+ container:
+ keystone_api:
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
+ conf:
+ software:
+ apache2:
+ a2enmod:
+ - ssl
+ keystone:
+ oslo_messaging_rabbit:
+ ssl: true
+ ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+ ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+ ssl_key_file: /etc/rabbitmq/certs/tls.key
+ wsgi_keystone: |
+ {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+
+ Listen 0.0.0.0:{{ $portInt }}
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+
+ ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+ WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ WSGIProcessGroup keystone-public
+ WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ ErrorLog /dev/stdout
+
+ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+ CustomLog /dev/stdout combined env=!forwarded
+ CustomLog /dev/stdout proxy env=forwarded
+
+ SSLEngine on
+ SSLCertificateFile /etc/keystone/certs/tls.crt
+ SSLCertificateKeyFile /etc/keystone/certs/tls.key
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ SSLHonorCipherOrder on
+
+ endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ scheme:
+ default: https
+ public: https
+ port:
+ api:
+ default: 443
+ oslo_messaging:
+ port:
+ https:
+ default: 15680
+ manifests:
+ certificates: true
+...
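Review bot: Enabling TLS through this override also sets `runAsUser: 0` for the pod and `readOnlyRootFilesystem: false` for `keystone_api`, so the identity service runs as root with a writable root filesystem, and no reason is recorded. If the relaxation exists only so the ssl module from `a2enmod` can be enabled at start-up (an assumption, the template is not in this diff), a comment above `security_context` should say so and name the condition for removing it. mariadb/tls.yaml goes further with `runAsUser: 0` together with `allowPrivilegeEscalation: true`, and the tail of heat/tls.yaml sets `runAsUser: 0` on `heat_api` and `heat_cfn`; both deserve the same justification. Mounting the certificates read-only and keeping the chart's default non-root user would avoid the trade-off if the image allows it.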
diff --git a/openstack/values_overrides/keystone/train-ubuntu_bionic.yaml b/openstack/values_overrides/keystone/train-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..42f56658a2
--- /dev/null
+++ b/openstack/values_overrides/keystone/train-ubuntu_bionic.yaml
@@ -0,0 +1,17 @@
+---
+keystone:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ keystone_api: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+ keystone_credential_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_credential_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_db_sync: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_domain_manage: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_fernet_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ keystone_fernet_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/keystone/ussuri-ubuntu_bionic.yaml b/openstack/values_overrides/keystone/ussuri-ubuntu_bionic.yaml
new file mode 100644
index 0000000000..e3eb9ba19d
--- /dev/null
+++ b/openstack/values_overrides/keystone/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,17 @@
+---
+keystone:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ keystone_api: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+ keystone_credential_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_credential_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_db_sync: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_domain_manage: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_fernet_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ keystone_fernet_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+ ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+...
diff --git a/openstack/values_overrides/keystone/victoria-ubuntu_focal.yaml b/openstack/values_overrides/keystone/victoria-ubuntu_focal.yaml
new file mode 100644
index 0000000000..e2354395e9
--- /dev/null
+++ b/openstack/values_overrides/keystone/victoria-ubuntu_focal.yaml
@@ -0,0 +1,17 @@
+---
+keystone:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ keystone_api: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+ keystone_credential_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_credential_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_db_sync: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_domain_manage: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_fernet_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ keystone_fernet_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+...
diff --git a/openstack/values_overrides/keystone/wallaby-ubuntu_focal.yaml b/openstack/values_overrides/keystone/wallaby-ubuntu_focal.yaml
new file mode 100644
index 0000000000..48e018ec97
--- /dev/null
+++ b/openstack/values_overrides/keystone/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,17 @@
+---
+keystone:
+ images:
+ tags:
+ bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ keystone_api: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+ keystone_credential_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_credential_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_db_sync: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_domain_manage: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_fernet_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ keystone_fernet_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+ ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+...
diff --git a/openstack/values_overrides/mariadb/apparmor.yaml b/openstack/values_overrides/mariadb/apparmor.yaml
new file mode 100644
index 0000000000..c77a75e8f5
--- /dev/null
+++ b/openstack/values_overrides/mariadb/apparmor.yaml
@@ -0,0 +1,35 @@
+---
+mariadb:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ mariadb-ingress-error-pages:
+ init: runtime/default
+ ingress-error-pages: runtime/default
+ mariadb-ingress:
+ init: runtime/default
+ ingress: runtime/default
+ mariadb-server:
+ init: runtime/default
+ mariadb-perms: runtime/default
+ mariadb: runtime/default
+ mariadb-backup:
+ init: runtime/default
+ mariadb-backup: runtime/default
+ mariadb-test:
+ init: runtime/default
+ mariadb-test: runtime/default
+ prometheus-mysql-exporter:
+ init: runtime/default
+ mysql-exporter: runtime/default
+ create-sql-user:
+ init: runtime/default
+ exporter-create-sql-user: runtime/default
+
+ monitoring:
+ prometheus:
+ enabled: true
+
+ manifests:
+ cron_job_mariadb_backup: true
+...
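Review bot: Besides the AppArmor profiles, this override sets `monitoring.prometheus.enabled: true` and `manifests.cron_job_mariadb_backup: true`, so selecting the apparmor feature also deploys an exporter and a backup cron job. That is presumably intended so the annotated pods exist, but it is surprising for a file named apparmor.yaml and should be stated, e.g. `# exporter and backup job are enabled so their profiles below are exercised`. memcached/apparmor.yaml does the opposite: it declares a profile for `prometheus_memcached_exporter` while setting `monitoring.prometheus.enabled: false`, which presumably leaves that profile unused. rabbitmq/apparmor.yaml enables monitoring without comment as well.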
diff --git a/openstack/values_overrides/mariadb/local-storage.yaml b/openstack/values_overrides/mariadb/local-storage.yaml
new file mode 100644
index 0000000000..ba99d6c645
--- /dev/null
+++ b/openstack/values_overrides/mariadb/local-storage.yaml
@@ -0,0 +1,12 @@
+---
+mariadb:
+ pod:
+ replicas:
+ server: 1
+ volume:
+ size: 1Gi
+ class_name: local-storage
+ monitoring:
+ prometheus:
+ enabled: false
+...
diff --git a/openstack/values_overrides/mariadb/netpol.yaml b/openstack/values_overrides/mariadb/netpol.yaml
new file mode 100644
index 0000000000..e27f494aed
--- /dev/null
+++ b/openstack/values_overrides/mariadb/netpol.yaml
@@ -0,0 +1,85 @@
+---
+mariadb:
+ manifests:
+ network_policy: true
+ network_policy:
+ mariadb:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: aodh
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: designate
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: rally
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: prometheus-mysql-exporter
+ - podSelector:
+ matchLabels:
+ application: mariadb
+ - podSelector:
+ matchLabels:
+ application: mariadb-backup
+ ports:
+ - protocol: TCP
+ port: 3306
+ - protocol: TCP
+ port: 4567
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 8080
+...
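Review bot: The single ingress rule pairs every listed client application with every listed port, so keystone, horizon, rally and the rest are all admitted to 4567 as well as 3306. 4567 is the default Galera replication port and should only need to be reachable from other `application: mariadb` pods. rabbitmq/netpol.yaml in this commit already splits its clustering ports into a second rule restricted to its own pods, and the same shape fits here: drop 4567 from the shared `ports` list and add a rule under `ingress` like the one below. Whether 80 and 8080 need to be open to all of these clients is also worth confirming; their purpose is not visible in this diff.

```yaml
# … unchanged: first rule (client applications), with the 4567 entry removed from its ports …
- from:
    - podSelector:
        matchLabels:
          application: mariadb
  ports:
    - protocol: TCP
      port: 4567
```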
diff --git a/openstack/values_overrides/mariadb/tls.yaml b/openstack/values_overrides/mariadb/tls.yaml
new file mode 100644
index 0000000000..86f4692513
--- /dev/null
+++ b/openstack/values_overrides/mariadb/tls.yaml
@@ -0,0 +1,24 @@
+---
+mariadb:
+ pod:
+ security_context:
+ server:
+ container:
+ perms:
+ readOnlyRootFilesystem: false
+ mariadb:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ endpoints:
+ oslo_db:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: mariadb-tls-direct
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ manifests:
+ certificates: true
+...
diff --git a/openstack/values_overrides/memcached/apparmor.yaml b/openstack/values_overrides/memcached/apparmor.yaml
new file mode 100644
index 0000000000..4c9512b997
--- /dev/null
+++ b/openstack/values_overrides/memcached/apparmor.yaml
@@ -0,0 +1,16 @@
+---
+memcached:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ prometheus_memcached_exporter:
+ init: runtime/default
+ memcached-exporter: runtime/default
+ memcached:
+ init: runtime/default
+ memcached: runtime/default
+
+ monitoring:
+ prometheus:
+ enabled: false
+...
diff --git a/openstack/values_overrides/memcached/netpol.yaml b/openstack/values_overrides/memcached/netpol.yaml
new file mode 100644
index 0000000000..5758097cf1
--- /dev/null
+++ b/openstack/values_overrides/memcached/netpol.yaml
@@ -0,0 +1,81 @@
+---
+memcached:
+ manifests:
+ network_policy: true
+ network_policy:
+ memcached:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: ingress
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: horizon
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: prometheus_memcached_exporter
+ - podSelector:
+ matchLabels:
+ application: aodh
+ - podSelector:
+ matchLabels:
+ application: rally
+ - podSelector:
+ matchLabels:
+ application: memcached
+ - podSelector:
+ matchLabels:
+ application: gnocchi
+ ports:
+ - port: 11211
+ protocol: TCP
+ - port: 9150
+ protocol: TCP
+ egress:
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+...
diff --git a/openstack/values_overrides/rabbitmq/apparmor.yaml b/openstack/values_overrides/rabbitmq/apparmor.yaml
new file mode 100644
index 0000000000..1b80d853a0
--- /dev/null
+++ b/openstack/values_overrides/rabbitmq/apparmor.yaml
@@ -0,0 +1,26 @@
+---
+rabbitmq:
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ rabbitmq-cluster-wait:
+ init: runtime/default
+ rabbitmq-cookie: runtime/default
+ rabbitmq-rabbitmq-cluster-wait: runtime/default
+ rabbitmq:
+ init: runtime/default
+ rabbitmq-password: runtime/default
+ rabbitmq-cookie: runtime/default
+ rabbitmq-perms: runtime/default
+ rabbitmq: runtime/default
+ prometheus-rabbitmq-exporter:
+ init: runtime/default
+ rabbitmq-exporter: runtime/default
+ rabbitmq-rabbitmq-test:
+ rabbitmq-rabbitmq-test: runtime/default
+ init: runtime/default
+
+ monitoring:
+ prometheus:
+ enabled: true
+...
diff --git a/openstack/values_overrides/rabbitmq/netpol.yaml b/openstack/values_overrides/rabbitmq/netpol.yaml
new file mode 100644
index 0000000000..41114e429d
--- /dev/null
+++ b/openstack/values_overrides/rabbitmq/netpol.yaml
@@ -0,0 +1,106 @@
+---
+rabbitmq:
+ network_policy:
+ rabbitmq:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ - podSelector:
+ matchLabels:
+ application: heat
+ - podSelector:
+ matchLabels:
+ application: glance
+ - podSelector:
+ matchLabels:
+ application: cinder
+ - podSelector:
+ matchLabels:
+ application: aodh
+ - podSelector:
+ matchLabels:
+ application: barbican
+ - podSelector:
+ matchLabels:
+ application: ceilometer
+ - podSelector:
+ matchLabels:
+ application: designate
+ - podSelector:
+ matchLabels:
+ application: ironic
+ - podSelector:
+ matchLabels:
+ application: magnum
+ - podSelector:
+ matchLabels:
+ application: mistral
+ - podSelector:
+ matchLabels:
+ application: nova
+ - podSelector:
+ matchLabels:
+ application: neutron
+ - podSelector:
+ matchLabels:
+ application: senlin
+ - podSelector:
+ matchLabels:
+ application: placement
+ - podSelector:
+ matchLabels:
+ application: rabbitmq
+ - podSelector:
+ matchLabels:
+ application: prometheus_rabbitmq_exporter
+ ports:
+ # AMQP port
+ - protocol: TCP
+ port: 5672
+ # HTTP API ports
+ - protocol: TCP
+ port: 15672
+ - protocol: TCP
+ port: 80
+ - from:
+ - podSelector:
+ matchLabels:
+ application: rabbitmq
+ ports:
+ # Clustering port AMQP + 20000
+ - protocol: TCP
+ port: 25672
+ # Erlang Port Mapper Daemon (epmd)
+ - protocol: TCP
+ port: 4369
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ application: rabbitmq
+ ports:
+ # Erlang port mapper daemon (epmd)
+ - protocol: TCP
+ port: 4369
+ # Rabbit clustering port AMQP + 20000
+ - protocol: TCP
+ port: 25672
+ # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
+ # permit traffic in this range to pass between clustered nodes.
+ # - protocol: TCP
+ # port: 35197
+ - to:
+ - ipBlock:
+ cidr: %%%REPLACE_API_ADDR%%%/32
+ ports:
+ - protocol: TCP
+ port: %%%REPLACE_API_PORT%%%
+
+ manifests:
+ monitoring:
+ prometheus:
+ network_policy_exporter: true
+ network_policy: true
+...
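Review bot: The first ingress rule admits clients on 5672, 15672 and 80 only, while rabbitmq/tls.yaml in this same commit sets the `oslo_messaging` `https` port to 15680. If the netpol and tls overrides are applied together, no rule here covers that port; whether the chart template adds ports of its own is not visible in this diff. Either add `- protocol: TCP` / `port: 15680` under the HTTP API ports or note in a comment that the two overrides are not meant to be combined. The commented-out 35197 entry under `egress` would also be clearer with a sentence on when it has to be enabled.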
diff --git a/openstack/values_overrides/rabbitmq/tls.yaml b/openstack/values_overrides/rabbitmq/tls.yaml
new file mode 100644
index 0000000000..a4976bad43
--- /dev/null
+++ b/openstack/values_overrides/rabbitmq/tls.yaml
@@ -0,0 +1,31 @@
+---
+rabbitmq:
+ conf:
+ rabbitmq:
+ ssl_options:
+ cacertfile: "/etc/rabbitmq/certs/ca.crt"
+ certfile: "/etc/rabbitmq/certs/tls.crt"
+ keyfile: "/etc/rabbitmq/certs/tls.key"
+ verify: verify_peer
+ fail_if_no_peer_cert: false
+ management:
+ ssl:
+ cacertfile: "/etc/rabbitmq/certs/ca.crt"
+ certfile: "/etc/rabbitmq/certs/tls.crt"
+ keyfile: "/etc/rabbitmq/certs/tls.key"
+ endpoints:
+ oslo_messaging:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: rabbitmq-tls-direct
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ port:
+ https:
+ default: 15680
+ public: 443
+ manifests:
+ certificates: true
+...
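Review bot: In `ssl_options`, `verify: verify_peer` is paired with `fail_if_no_peer_cert: false`, so a client that presents no certificate is still accepted and only certificates that are actually offered get validated. If mutual TLS between the OpenStack services and RabbitMQ is the goal, set `fail_if_no_peer_cert: true`; the heat and keystone tls overrides in this commit already configure `ssl_cert_file` and `ssl_key_file` on the client side. If server-only authentication is intended, a comment such as `# client certificates are optional; authentication is by AMQP credentials` would make that explicit. The `management.ssl` block sets no `verify` at all, which is worth stating in the same way.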
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml
index f506af2752..bda942fba0 100644
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@@ -23,4 +23,5 @@ glance:
- 0.3.0 Remove glance registry
- 0.3.1 Enable taint toleration for Openstack services
- 0.3.2 Decrease terminationGracePeriodSeconds on glance-api
+ - 0.3.3 Update naming for subchart compatibility
...
diff --git a/releasenotes/notes/heat.yaml b/releasenotes/notes/heat.yaml
index 699f0537d0..0162568239 100644
--- a/releasenotes/notes/heat.yaml
+++ b/releasenotes/notes/heat.yaml
@@ -16,4 +16,5 @@ heat:
- 0.2.7 Helm 3 - Fix Job Labels
- 0.2.8 Update htk requirements repo
- 0.2.9 Enable taint toleration for Openstack services
+ - 0.2.10 Updated naming for subchart compatibility
...
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index f49ebb62cd..14d12cc2fb 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -36,4 +36,5 @@ keystone:
- 0.2.18 Remove default policy
- 0.2.19 Revert Reduce log chattiness
- 0.2.20 Enable taint toleration for Openstack services
+ - 0.2.21 Updated naming for subchart compatibility
...
diff --git a/releasenotes/notes/openstack.yaml b/releasenotes/notes/openstack.yaml
new file mode 100644
index 0000000000..277cae1260
--- /dev/null
+++ b/releasenotes/notes/openstack.yaml
@@ -0,0 +1,4 @@
+---
+openstack:
+ - 0.1.0 Initial Chart
+...
diff --git a/tools/deployment/common/get-values-overrides.sh b/tools/deployment/common/get-values-overrides.sh
index 4efa59aecd..1e4d68d734 100755
--- a/tools/deployment/common/get-values-overrides.sh
+++ b/tools/deployment/common/get-values-overrides.sh
@@ -20,6 +20,7 @@
set -e
HELM_CHART="$1"
+SUBCHART="$2"
: "${HELM_CHART_ROOT_PATH:="../openstack-helm"}"
: "${OPENSTACK_RELEASE:="train"}"
: "${CONTAINER_DISTRO_NAME:="ubuntu"}"
@@ -61,18 +62,33 @@ function replace_variables() {
function override_file_args () {
OVERRIDE_ARGS=""
- echoerr "We will attempt to use values-override files with the following paths:"
- for FILE in $(combination ${1//,/ } | uniq | tac); do
- FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
- if [ -f "${FILE_PATH}" ]; then
- replace_variables ${FILE_PATH}
- OVERRIDE_ARGS+=" --values=${FILE_PATH} "
- fi
- echoerr "${FILE_PATH}"
- done
+ if [ -z "$SUBCHART" ];then
+ echoerr "We will attempt to use values-override files with the following paths:"
+ for FILE in $(combination ${1//,/ } | uniq | tac); do
+ FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
+ if [ -f "${FILE_PATH}" ]; then
+ replace_variables ${FILE_PATH}
+ OVERRIDE_ARGS+=" --values=${FILE_PATH} "
+ fi
+ echoerr "${FILE_PATH}"
+ done
+ else
+ echoerr "running as subchart"
+ echoerr "We will attempt to use values-override files with the following paths:"
+ for FILE in $(combination ${1//,/ } | uniq | tac); do
+ FILE_PATH="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}/${FILE}.yaml"
+ if [ -f "${FILE_PATH}" ]; then
+ replace_variables ${FILE_PATH}
+ OVERRIDE_ARGS+=" --values=${FILE_PATH} "
+ fi
+ echoerr "${FILE_PATH}"
+ done
+ fi
+
echo "${OVERRIDE_ARGS}"
}
+
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
source ../openstack-helm/tools/deployment/common/env-variables.sh
override_file_args "${OSH_FEATURE_MIX}"
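Review bot: The two branches of `override_file_args` are identical except for how `FILE_PATH` is built, so the loop is now duplicated and a later fix can easily be applied to only one copy. Choosing the overrides directory once and keeping a single loop expresses the subchart case more directly. `replace_variables ${FILE_PATH}` is unquoted in both copies, so a chart root path containing whitespace would split; `replace_variables "${FILE_PATH}"` is safer.

```shell
function override_file_args () {
  OVERRIDE_ARGS=""
  if [ -z "$SUBCHART" ]; then
    OVERRIDES_DIR="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides"
  else
    echoerr "running as subchart"
    OVERRIDES_DIR="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}"
  fi
  echoerr "We will attempt to use values-override files with the following paths:"
  for FILE in $(combination ${1//,/ } | uniq | tac); do
    FILE_PATH="${OVERRIDES_DIR}/${FILE}.yaml"
    # … unchanged: -f test, replace_variables, OVERRIDE_ARGS append, echoerr …
  done
  echo "${OVERRIDE_ARGS}"
}
```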
diff --git a/tools/deployment/common/wait-for-pods.sh b/tools/deployment/common/wait-for-pods.sh
index 5930fcb7a1..42adc8e40c 100755
--- a/tools/deployment/common/wait-for-pods.sh
+++ b/tools/deployment/common/wait-for-pods.sh
@@ -12,11 +12,14 @@
# License for the specific language governing permissions and limitations
# under the License.
set -e
+if [[ "$2" -gt 0 ]];then
+ seconds=$2
+else
+ seconds=900
+fi
-# From Kolla-Kubernetes, orginal authors Kevin Fox & Serguei Bezverkhi
-# Default wait timeout is 900 seconds
end=$(date +%s)
-timeout=${2:-900}
+timeout=${2:-$seconds}
end=$((end + timeout))
while true; do
kubectl get pods --namespace=$1 -o json | jq -r \
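Review bot: The new validation has no effect, because `timeout=${2:-$seconds}` still prefers `$2` whenever it is non-empty. A second argument of `0`, a negative number or a non-numeric string sets `seconds=900` in the `else` branch, but `timeout` then takes the raw `$2` anyway. The assignment should be `timeout=$seconds`. The hunk also drops the comment stating the default of 900 seconds; a line such as `# Default wait timeout is 900 seconds; $2 overrides it when it is a positive integer` would keep that documented. The `while` loop continues outside this hunk.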
diff --git a/tools/deployment/component/common/openstack.sh b/tools/deployment/component/common/openstack.sh
new file mode 100755
index 0000000000..756df8e56e
--- /dev/null
+++ b/tools/deployment/component/common/openstack.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+set -xe
+namespace=openstack
+chart=$namespace
+export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm/openstack"}"}"
+: ${OSH_EXTRA_HELM_ARGS_MARIADB:="$(./tools/deployment/common/get-values-overrides.sh mariadb subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_RABBITMQ:="$(./tools/deployment/common/get-values-overrides.sh rabbitmq subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_MEMCACHED:="$(./tools/deployment/common/get-values-overrides.sh memcached subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_KEYSTONE:="$(./tools/deployment/common/get-values-overrides.sh keystone subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_HEAT:="$(./tools/deployment/common/get-values-overrides.sh heat subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_GLANCE:="$(./tools/deployment/common/get-values-overrides.sh glance subchart)"}
+
+#NOTE: Lint and package chart
+make -C ${HELM_CHART_ROOT_PATH} .
+
+echo "helm installing ..."
+helm upgrade --install $chart $chart/ \
+ ${OSH_EXTRA_HELM_ARGS_MARIADB} \
+ ${OSH_EXTRA_HELM_ARGS_RABBITMQ} \
+ ${OSH_EXTRA_HELM_ARGS_MEMCACHED} \
+ ${OSH_EXTRA_HELM_ARGS_KEYSTONE} \
+ ${OSH_EXTRA_HELM_ARGS_HEAT} \
+ ${OSH_EXTRA_HELM_ARGS_GLANCE} \
+ ${OSH_EXTRA_HELM_ARGS:=} \
+ --namespace=$namespace
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh $namespace 1800
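Review bot: The nested default in the `export HELM_CHART_ROOT_PATH=…` line uses `:=`, so when `OSH_INFRA_PATH` is unset the expansion assigns `../openstack-helm/openstack` to it as a side effect. Judging by its name, that variable holds the infra repository path elsewhere, so anything later in the same shell that reads it would get the chart directory instead. Using `:-` keeps the fallback without the assignment: `export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:-${OSH_INFRA_PATH:-../openstack-helm/openstack}}"`. Separately, `make -C ${HELM_CHART_ROOT_PATH} .` runs in the resolved root path while `helm upgrade --install $chart $chart/` uses a path relative to the current directory, so a comment stating the expected working directory would help, and both expansions should be quoted.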