Nova Configuration Override (#319)

* Initial Commit of Nova Configuration Overrides

This commit is an evolution of the initial keystone configuration
overrides work

It expands upon that work by introducing many of the same concepts
into nova.  It differs in that a few concepts were changed.  Namely
the helm-toolkit/_oslo.tpl concept was abandoned, as there are too
many unique oslo paths for configuration elements, so dynamic oslo
setting mechanism was moved locally into configmap-etc.yaml, where
it is generally used.

Secondly, in nova the mount override effort was altered to instead
provide mount "append" capability.  Keeping the manifest mounts
closer to the actual pod, and keeping values.yaml a tad smaller.
This still allows the original flexibility of operators adding
mounts, but they cannot "undo" any of the charts built in mounts.

There were several manual tweaks that needed to be done to _nova.conf.tpl
after the oslo-config-gen process this time.  This is because there is a
bug in the newton version of generating this file. It does not include
the proper service authentication credentials in the [keystone_authtoken]
section.  Future releases have a separate service credentials section
so future config generations will likely not need these added lines.

* Remove unused values.yaml parameters

Fix references to removed helm-toolkit oslo macro

* resolve nova feedback

* bugfix nova-etc/nova-bin swap
Alan Meadows 2017-04-10 12:41:41 -07:00 committed by Pete Birley
parent 04a215e7a2
commit 16508c32ee
19 changed files with 11408 additions and 350 deletions


@ -1,39 +0,0 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#-----------------------------------------------
# oslo settings we will dynamically manufacture
#-----------------------------------------------
{{- define "helm-toolkit.oslo_values_setup" -}}
{{ $obj := index . 0 }}
{{ $root := index . 1 }}
# generate database uri and set $conf.conf.oslo.db.connection
{{- if empty $obj.database.oslo.db.connection -}}
{{- tuple "oslo_db" "internal" "user" "mysql" $root | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set $obj.database.oslo.db "connection" -}}
{{- end -}}
# generate amqp transport uri and set $conf.endpoints.messaging
{{- if empty $obj.default.oslo.messaging.transport_url -}}
{{- tuple "oslo_messaging" "internal" "user" "amqp" $root | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set $obj.default.oslo.messaging "transport_url" -}}
{{- end -}}
# generate memcache host:port and set $conf.endpoints.memcache
{{- if empty $obj.cache.oslo.cache -}}
{{- tuple "oslo_cache" "internal" "memcache" $root | include "helm-toolkit.hostname_endpoint_uri_lookup" | set $obj.cache.oslo.cache "memcache_servers" -}}
{{- end -}}
{{- end -}}


@ -12,8 +12,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
{{ tuple .Values.conf.keystone . | include "helm-toolkit.oslo_values_setup" | trunc 0 }}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:


@ -12,7 +12,19 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
{{ tuple .Values.conf.keystone . | include "helm-toolkit.oslo_values_setup" | trunc 0 }} {{- include "keystone.conf.keystone_values_skeleton" .Values.conf.keystone | trunc 0 -}}
{{- if empty .Values.conf.keystone.database.oslo.db.connection -}}
{{- tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.keystone.database.oslo.db "connection" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.keystone.default.oslo.messaging.transport_url -}}
{{- tuple "oslo_messaging" "internal" "user" "amqp" . | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set .Values.conf.keystone.default.oslo.messaging "transport_url" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.keystone.cache.oslo.cache -}}
{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.keystone.cache.oslo.cache "memcache_servers" | quote | trunc 0 -}}
{{- end -}}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -21,31 +33,31 @@ metadata:
data: data:
keystone.conf: |+ keystone.conf: |+
{{ if .Values.conf.keystone.override -}} {{ if .Values.conf.keystone.override -}}
{{ .Values.conf.keystone.override }} {{ .Values.conf.keystone.override | indent 4 }}
{{- else -}} {{- else -}}
{{- if .Values.conf.keystone.prefix -}} {{- if .Values.conf.keystone.prefix -}}
{{ .Values.conf.keystone.prefix }} {{ .Values.conf.keystone.prefix | indent 4 }}
{{- end }} {{- end }}
{{ tuple "etc/_keystone.conf.tpl" . | include "helm-toolkit.template" | indent 4 }} {{ tuple "etc/_keystone.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }} {{- end }}
{{- if .Values.conf.keystone.append -}} {{- if .Values.conf.keystone.append -}}
{{ .Values.conf.keystone.append }} {{ .Values.conf.keystone.append | indent 4 }}
{{- end }} {{- end }}
keystone-paste.ini: |+ keystone-paste.ini: |+
{{ if .Values.conf.paste.override -}} {{ if .Values.conf.paste.override -}}
{{ .Values.conf.paste.override }} {{ .Values.conf.paste.override | indent 4 }}
{{- else -}} {{- else -}}
{{- if .Values.conf.paste.prefix -}} {{- if .Values.conf.paste.prefix -}}
{{ .Values.conf.paste.prefix }} {{ .Values.conf.paste.prefix | indent 4 }}
{{- end }} {{- end }}
{{ tuple "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }} {{ tuple "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }} {{- end }}
{{- if .Values.conf.paste.append -}} {{- if .Values.conf.paste.append -}}
{{ .Values.conf.paste.append }} {{ .Values.conf.paste.append | indent 4 }}
{{- end }} {{- end }}
policy.json: |+ policy.json: |+
{{ if .Values.conf.policy.override -}} {{ if .Values.conf.policy.override -}}
{{ .Values.conf.policy.override }} {{ .Values.conf.policy.override | indent 4 }}
{{- else -}} {{- else -}}
{{ tuple "etc/_policy.json.tpl" . | include "helm-toolkit.template" | indent 4 }} {{ tuple "etc/_policy.json.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }} {{- end }}
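Review bot: The `connection` and `transport_url` values generated at the top of this template come from `helm-toolkit.authenticated_endpoint_uri_lookup`, so the rendered `keystone.conf` presumably carries the database and AMQP passwords, and it is published as a `ConfigMap` rather than a `Secret`. Read access to ConfigMaps is usually granted more broadly than read access to Secrets, so anyone who can read ConfigMaps in the namespace could recover those credentials. The nova `configmap-etc` section later in this commit follows the same pattern for `nova.conf`. If moving the file to a Secret is out of scope here, I would at least add above `kind: ConfigMap` the comment `# NOTE: rendered keystone.conf contains DB/AMQP credentials; restrict read access to this object`.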


@ -18,32 +18,42 @@
set -ex set -ex
export HOME=/tmp export HOME=/tmp
ansible localhost -vvv -m mysql_db -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \ # standard database
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \
login_password='{{ .Values.database.root_password }}' \
name='{{ .Values.database.nova_database_name }}'"
ansible localhost -vvv -m mysql_user -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \ ansible localhost -vvv \
login_port='{{ .Values.database.port }}' \ -m mysql_db -a "login_host='{{ .Values.endpoints.oslo_db.hosts.internal | default .Values.endpoints.oslo_db.hosts.default }}' \
login_user='{{ .Values.database.root_user }}' \ login_port='{{ .Values.endpoints.oslo_db.port.mysql }}' \
login_password='{{ .Values.database.root_password }}' \ login_user='{{ .Values.endpoints.oslo_db.auth.admin.username }}' \
name='{{ .Values.database.nova_user }}' \ login_password='{{ .Values.endpoints.oslo_db.auth.admin.password }}' \
password='{{ .Values.database.nova_password }}' \ name='{{ .Values.endpoints.oslo_db.path | trimAll "/" }}'"
host='%' \
priv='{{ .Values.database.nova_database_name }}.*:ALL' append_privs='yes'"
ansible localhost -vvv -m mysql_db -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \ ansible localhost -vvv \
login_port='{{ .Values.database.port }}' \ -m mysql_user -a "login_host='{{ .Values.endpoints.oslo_db.hosts.internal | default .Values.endpoints.oslo_db.hosts.default }}' \
login_user='{{ .Values.database.root_user }}' \ login_port='{{ .Values.endpoints.oslo_db.port.mysql }}' \
login_password='{{ .Values.database.root_password }}' \ login_user='{{ .Values.endpoints.oslo_db.auth.admin.username }}' \
name='{{ .Values.database.nova_api_database_name }}'" login_password='{{ .Values.endpoints.oslo_db.auth.admin.password }}' \
name='{{ .Values.endpoints.oslo_db.auth.user.username }}' \
password='{{ .Values.endpoints.oslo_db.auth.user.password }}' \
host='%' \
priv='{{ .Values.endpoints.oslo_db.path | trimAll "/" }}.*:ALL' \
append_privs='yes'"
ansible localhost -vvv -m mysql_user -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \ # api database
login_port='{{ .Values.database.port }}' \
login_user='{{ .Values.database.root_user }}' \ ansible localhost -vvv \
login_password='{{ .Values.database.root_password }}' \ -m mysql_db -a "login_host='{{ .Values.endpoints.oslo_db_api.hosts.internal | default .Values.endpoints.oslo_db_api.hosts.default }}' \
name='{{ .Values.database.nova_user }}' \ login_port='{{ .Values.endpoints.oslo_db_api.port.mysql }}' \
password='{{ .Values.database.nova_password }}' \ login_user='{{ .Values.endpoints.oslo_db_api.auth.admin.username }}' \
host='%' \ login_password='{{ .Values.endpoints.oslo_db_api.auth.admin.password }}' \
priv='{{ .Values.database.nova_api_database_name }}.*:ALL' append_privs='yes'" name='{{ .Values.endpoints.oslo_db_api.path | trimAll "/" }}'"
ansible localhost -vvv \
-m mysql_user -a "login_host='{{ .Values.endpoints.oslo_db_api.hosts.internal | default .Values.endpoints.oslo_db_api.hosts.default }}' \
login_port='{{ .Values.endpoints.oslo_db_api.port.mysql }}' \
login_user='{{ .Values.endpoints.oslo_db_api.auth.admin.username }}' \
login_password='{{ .Values.endpoints.oslo_db_api.auth.admin.password }}' \
name='{{ .Values.endpoints.oslo_db_api.auth.user.username }}' \
password='{{ .Values.endpoints.oslo_db_api.auth.user.password }}' \
host='%' \
priv='{{ .Values.endpoints.oslo_db_api.path | trimAll "/" }}.*:ALL' \
append_privs='yes'"
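Review bot: The admin and service-user passwords are rendered straight into the `ansible` command lines while the script still runs under `set -ex` with `-vvv`, so the shell echoes every invocation, password included, into the job's log. Anyone who can read the pod logs can therefore recover `endpoints.oslo_db.auth.admin.password` and its `oslo_db_api` counterpart. I would change the preamble to `set -e` and drop `-vvv` from the four calls, or pass the passwords through environment variables sourced from a Secret. Separately, a value containing a single quote will break the `'…'` quoting of the module argument string, and `host='%'` allows the service account to connect from any address; both deserve a comment if they are intentional.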


@ -12,13 +12,84 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
{{- include "nova.conf.nova_values_skeleton" .Values.conf.nova | trunc 0 -}}
{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.auth_uri -}}
{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_uri" | quote | trunc 0 -}}
{{- end -}}
# FIXME(alanmeadows) fix for broken keystonemiddleware oslo config gen in newton - will remove in future
{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.auth_url -}}
{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.database.oslo.db.connection -}}
{{- tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.nova.database.oslo.db "connection" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.api_database.nova.conf.connection -}}
{{- tuple "oslo_db_api" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.nova.api_database.nova.conf "connection" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.default.oslo.messaging.transport_url -}}
{{- tuple "oslo_messaging" "internal" "user" "amqp" . | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.default.oslo.messaging "transport_url" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.glance.nova.conf.api_servers -}}
{{- tuple "image" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.glance.nova.conf "api_servers" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.nova.conf.url -}}
{{- tuple "network" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.neutron.nova.conf "url" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.neutron.nova.conf.auth_url -}}
{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.neutron.nova.conf "auth_url" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.nova.cache.nova.conf.memcache_servers -}}
{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.nova.cache.nova.conf "memcache_servers" | quote | trunc 0 -}}
{{- end -}}
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: nova-etc name: nova-etc
data: data:
nova.conf: |+ nova.conf: |+
{{ if .Values.conf.nova.override -}}
{{ .Values.conf.nova.override | indent 4 }}
{{- else -}}
{{- if .Values.conf.nova.prefix -}}
{{ .Values.conf.nova.prefix | indent 4 }}
{{- end }}
{{ tuple "etc/_nova.conf.tpl" . | include "helm-toolkit.template" | indent 4 }} {{ tuple "etc/_nova.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }}
{{- if .Values.conf.nova.append -}}
{{ .Values.conf.nova.append | indent 4 }}
{{- end }}
api-paste.ini: |+
{{ if .Values.conf.paste.override -}}
{{ .Values.conf.paste.override | indent 4 }}
{{- else -}}
{{- if .Values.conf.paste.prefix -}}
{{ .Values.conf.paste.prefix | indent 4 }}
{{- end }}
{{ tuple "etc/_api-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }}
{{- if .Values.conf.paste.append -}}
{{ .Values.conf.paste.append | indent 4 }}
{{- end }}
policy.yaml: |+
{{ if .Values.conf.policy.override -}}
{{ .Values.conf.policy.override | indent 4 }}
{{- else -}}
{{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.template" | indent 4 }}
{{- end }}
ceph.client.cinder.keyring.yaml: |+ ceph.client.cinder.keyring.yaml: |+
{{ tuple "etc/_ceph.client.cinder.keyring.yaml.tpl" . | include "helm-toolkit.template" | indent 4 }} {{ tuple "etc/_ceph.client.cinder.keyring.yaml.tpl" . | include "helm-toolkit.template" | indent 4 }}
resolv.conf: |+ resolv.conf: |+
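Review bot: The `# FIXME(alanmeadows)` line is plain template text sitting between two whitespace-trimming actions, so it is not a template comment and is emitted into the rendered manifest. Because every surrounding action uses `{{-` and `-}}`, the text after the final `{{- end -}}` (here `apiVersion: v1`) appears to be joined onto that `#` line and would then be read as part of a YAML comment; please confirm against the output of `helm template`. I would write the note as `{{- /* FIXME(alanmeadows): workaround for newton keystonemiddleware config gen */ -}}` and close the last block with `{{- end }}` so the manifest starts on its own line. The ConfigMap body continues past the end of this hunk.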


@ -14,6 +14,9 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.compute }} {{- $dependencies := .Values.dependencies.compute }}
{{- $mounts_nova_compute := .Values.mounts.nova_compute.nova_compute }}
{{- $mounts_nova_compute_init := .Values.mounts.nova_compute.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
@ -27,7 +30,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_compute_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -57,44 +60,34 @@ spec:
- --config-file - --config-file
- /etc/nova/nova.conf - /etc/nova/nova.conf
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
- name: nova-etc
mountPath: /etc/resolv.conf
subPath: resolv.conf
- name: nova-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
- name: nova-etc
mountPath: /etc/ceph/ceph.client.keyring
subPath: ceph.client.keyring
- mountPath: /lib/modules - mountPath: /lib/modules
name: libmodules name: libmodules
readOnly: true readOnly: true
- mountPath: /var/lib/nova - name: varlibnova
name: varlibnova mountPath: /var/lib/nova
- mountPath: /var/lib/libvirt - name: varliblibvirt
name: varliblibvirt mountPath: /var/lib/libvirt
- mountPath: /run - name: run
name: run mountPath: /run
- mountPath: /sys/fs/cgroup - name: cgroup
name: cgroup mountPath: /sys/fs/cgroup
- mountPath: /etc/resolv.conf {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
name: resolvconf
subPath: resolv.conf
{{- if .Values.ceph.enabled }}
- name: cephconf
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
- name: cephclientcinderkeyring
mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
{{- end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items:
- key: nova.conf
path: nova.conf
- name: resolvconf
configMap:
name: nova-etc
items:
- key: resolv.conf
path: resolv.conf
- name: libmodules - name: libmodules
hostPath: hostPath:
path: /lib/modules path: /lib/modules
@ -110,17 +103,4 @@ spec:
- name: cgroup - name: cgroup
hostPath: hostPath:
path: /sys/fs/cgroup path: /sys/fs/cgroup
{{- if .Values.ceph.enabled }} {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
- name: cephconf
configMap:
name: nova-etc
items:
- key: ceph.conf
path: ceph.conf
- name: cephclientcinderkeyring
configMap:
name: nova-etc
items:
- key: ceph.client.cinder.keyring.yaml
path: ceph.client.cinder.keyring.yaml
{{- end }}
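Review bot: The `nova-etc` mounts for `/etc/ceph/ceph.conf` and `/etc/ceph/ceph.client.keyring` (new side, judging by the volume name) are no longer wrapped in `{{- if .Values.ceph.enabled }}` … `{{- end }}`, while the libvirt DaemonSet in this commit keeps that guard, so the two pods disagree when ceph is disabled. The keyring `subPath: ceph.client.keyring` also does not match the only keyring key visible in the nova-etc ConfigMap hunk, `ceph.client.cinder.keyring.yaml`; unless a `ceph.client.keyring` key exists in the part of the ConfigMap outside that hunk, the mount will not deliver the keyring. The libvirt section uses the same `subPath`. I would restore the guard around the two ceph mounts here and make the `subPath` in both templates match the ConfigMap key.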


@ -14,6 +14,8 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.libvirt }} {{- $dependencies := .Values.dependencies.libvirt }}
{{- $mounts_nova_libvirt := .Values.mounts.nova_libvirt.nova_libvirt }}
{{- $mounts_nova_libvirt_init := .Values.mounts.nova_libvirt.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
@ -27,7 +29,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_libvirt_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -55,53 +57,42 @@ spec:
- bash - bash
- /tmp/libvirt.sh - /tmp/libvirt.sh
volumeMounts: volumeMounts:
- name: libvirtdconf - name: nova-etc
mountPath: /etc/libvirt/libvirtd.conf mountPath: /etc/libvirt/libvirtd.conf
subPath: libvirtd.conf subPath: libvirtd.conf
- name: libvirtsh - name: nova-bin
mountPath: /tmp/libvirt.sh mountPath: /tmp/libvirt.sh
subPath: libvirt.sh subPath: libvirt.sh
- name: nova-etc
mountPath: /etc/nova/nova.conf
subPath: nova.conf
- name: nova-etc
mountPath: /etc/resolv.conf
subPath: resolv.conf
- mountPath: /lib/modules - mountPath: /lib/modules
name: libmodules name: libmodules
readOnly: true readOnly: true
- mountPath: /var/lib/nova - name: varlibnova
name: varlibnova mountPath: /var/lib/nova
- mountPath: /var/lib/libvirt - name: varliblibvirt
name: varliblibvirt mountPath: /var/lib/libvirt
- mountPath: /run - name: run
name: run mountPath: /run
- mountPath: /sys/fs/cgroup - name: cgroup
name: cgroup mountPath: /sys/fs/cgroup
- mountPath: /etc/resolv.conf
name: resolvconf
subPath: resolv.conf
{{- if .Values.ceph.enabled }} {{- if .Values.ceph.enabled }}
- name: cephconf - name: nova-etc
mountPath: /etc/ceph/ceph.conf mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf subPath: ceph.conf
- name: cephclientcinderkeyring - name: nova-etc
mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring mountPath: /etc/ceph/ceph.client.keyring
subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring subPath: ceph.client.keyring
{{- end }} {{- end }}
{{ if $mounts_nova_libvirt.volumeMounts }}{{ toYaml $mounts_nova_libvirt.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: libvirtdconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items:
- key: libvirtd.conf
path: libvirtd.conf
- name: libvirtsh
configMap:
name: nova-bin
items:
- key: libvirt.sh
path: libvirt.sh
- name: resolvconf
configMap:
name: nova-etc
items:
- key: resolv.conf
path: resolv.conf
- name: libmodules - name: libmodules
hostPath: hostPath:
path: /lib/modules path: /lib/modules
@ -116,18 +107,5 @@ spec:
path: /run path: /run
- name: cgroup - name: cgroup
hostPath: hostPath:
path: /sys/fs/cgroup path: /sys/fs/cgroup
{{- if .Values.ceph.enabled }} {{ if $mounts_nova_libvirt.volumes }}{{ toYaml $mounts_nova_libvirt.volumes | indent 8 }}{{ end }}
- name: cephconf
configMap:
name: nova-etc
items:
- key: ceph.conf
path: ceph.conf
- name: cephclientcinderkeyring
configMap:
name: nova-etc
items:
- key: ceph.client.cinder.keyring.yaml
path: ceph.client.cinder.keyring.yaml
{{- end }}


@ -14,6 +14,8 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }} {{- $dependencies := .Values.dependencies.api }}
{{- $mounts_nova_api_metadata := .Values.mounts.nova_api_metadata.nova_api_metadata }}
{{- $mounts_nova_api_metadata_init := .Values.mounts.nova_api_metadata.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
@ -36,7 +38,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_api_metadata_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -68,13 +70,12 @@ spec:
tcpSocket: tcpSocket:
port: {{ .Values.network.metadata.port }} port: {{ .Values.network.metadata.port }}
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items: {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
- key: nova.conf
path: nova.conf
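Review bot: Only `nova.conf` is mounted from `nova-etc` here, yet this commit adds `api-paste.ini` and `policy.yaml` keys (with `override`/`prefix`/`append` values) to that ConfigMap, so an operator's paste pipeline or policy override is rendered but never reaches the API process, which keeps using whatever files ship in the image. That matters most for policy, where a tightened rule set would silently not apply. The osapi Deployment section has the same single mount. I would add both files to `volumeMounts` in the two API templates; the target paths below are assumed and must match what nova.conf references.

```yaml
          volumeMounts:
            # … unchanged: nova-etc mount of /etc/nova/nova.conf …
            - name: nova-etc
              mountPath: /etc/nova/api-paste.ini
              subPath: api-paste.ini
            - name: nova-etc
              mountPath: /etc/nova/policy.yaml
              subPath: policy.yaml
```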


@ -14,6 +14,8 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }} {{- $dependencies := .Values.dependencies.api }}
{{- $mounts_nova_api_osapi := .Values.mounts.nova_api_osapi.nova_api_osapi }}
{{- $mounts_nova_api_osapi_init := .Values.mounts.nova_api_osapi.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
@ -31,12 +33,12 @@ spec:
template: template:
metadata: metadata:
labels: labels:
app: nova-osapi app: nova-api-osapi
annotations: annotations:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_api_osapi_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -67,13 +69,12 @@ spec:
tcpSocket: tcpSocket:
port: {{ .Values.network.osapi.port }} port: {{ .Values.network.osapi.port }}
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items: {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
- key: nova.conf
path: nova.conf
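Review bot: The pod label changes from `app: nova-osapi` to `app: nova-api-osapi`, but the Service that fronts this API and any other selector on that label are outside the hunk; if one still selects `nova-osapi`, the Service ends up with no endpoints. Please confirm they were updated in the same commit. As a minor style point, `{{ if $mounts_nova_api_osapi.volumes}}` is missing the space before `}}` that the sibling templates have, and should read `{{ if $mounts_nova_api_osapi.volumes }}`.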


@ -14,6 +14,8 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.conductor }} {{- $dependencies := .Values.dependencies.conductor }}
{{- $mounts_nova_conductor := .Values.mounts.nova_conductor.nova_conductor }}
{{- $mounts_nova_conductor_init := .Values.mounts.nova_conductor.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
@ -36,7 +38,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_conductor_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -59,13 +61,12 @@ spec:
- --config-file - --config-file
- /etc/nova/nova.conf - /etc/nova/nova.conf
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items: {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
- key: nova.conf
path: nova.conf


@ -14,6 +14,9 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.consoleauth }} {{- $dependencies := .Values.dependencies.consoleauth }}
{{- $mounts_nova_consoleauth := .Values.mounts.nova_consoleauth.nova_conductor }}
{{- $mounts_nova_consoleauth_init := .Values.mounts.nova_consoleauth.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
@ -36,7 +39,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_consoleauth_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -59,13 +62,12 @@ spec:
- --config-file - --config-file
- /etc/nova/nova.conf - /etc/nova/nova.conf
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items: {{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
- key: nova.conf
path: nova.conf
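Review bot: `$mounts_nova_consoleauth` is read from `.Values.mounts.nova_consoleauth.nova_conductor`, which looks like a copy-paste from the conductor template; the compute, libvirt, API and conductor templates in this commit all use the component's own name as the second key. Depending on what values.yaml defines (not visible here), this either fails to render on a nil lookup or silently ignores mounts an operator supplies under `nova_consoleauth`. The line should read `{{- $mounts_nova_consoleauth := .Values.mounts.nova_consoleauth.nova_consoleauth }}`. The scheduler template has the same slip with `.Values.mounts.nova_scheduler.nova_conductor`.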


@ -14,6 +14,9 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.scheduler }} {{- $dependencies := .Values.dependencies.scheduler }}
{{- $mounts_nova_scheduler := .Values.mounts.nova_scheduler.nova_conductor }}
{{- $mounts_nova_scheduler_init := .Values.mounts.nova_scheduler.init_container }}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
@ -36,7 +39,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
pod.beta.kubernetes.io/init-containers: '[ pod.beta.kubernetes.io/init-containers: '[
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} {{ tuple $envAll $dependencies $mounts_nova_scheduler_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
]' ]'
spec: spec:
nodeSelector: nodeSelector:
@ -59,13 +62,12 @@ spec:
- --config-file - --config-file
- /etc/nova/nova.conf - /etc/nova/nova.conf
volumeMounts: volumeMounts:
- name: novaconf - name: nova-etc
mountPath: /etc/nova/nova.conf mountPath: /etc/nova/nova.conf
subPath: nova.conf subPath: nova.conf
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: novaconf - name: nova-etc
configMap: configMap:
name: nova-etc name: nova-etc
items: {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
- key: nova.conf
path: nova.conf


@ -0,0 +1,81 @@
############
# Metadata #
############
[composite:metadata]
use = egg:Paste#urlmap
/: meta
[pipeline:meta]
pipeline = cors metaapp
[app:metaapp]
paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
#############
# OpenStack #
#############
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
# v21 is an exactly feature match for v2, except it has more stringent
# input validation on the wsgi surface (prevents fuzzing early on the
# API). It also provides new features via API microversions which are
# opt into for clients. Unaware clients will receive the same frozen
# v2 API feature set, but with some relaxed validation
/v2: openstack_compute_api_v21_legacy_v2_compatible
/v2.1: openstack_compute_api_v21
[composite:openstack_compute_api_v21]
use = call:nova.api.auth:pipeline_factory_v21
noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
[composite:openstack_compute_api_v21_legacy_v2_compatible]
use = call:nova.api.auth:pipeline_factory_v21
noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
[filter:compute_req_id]
paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:noauth2]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
[filter:legacy_v2_compatible]
paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory
[app:osapi_compute_app_v21]
paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
[pipeline:oscomputeversions]
pipeline = faultwrap http_proxy_to_wsgi oscomputeversionapp
[app:oscomputeversionapp]
paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
##########
# Shared #
##########
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = nova
[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
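Review bot: The shipped template keeps the `noauth2 = ...` pipelines in both `[composite:openstack_compute_api_v21]` and `[composite:openstack_compute_api_v21_legacy_v2_compatible]`, so the unauthenticated path stays one setting away. Assuming `pipeline_factory_v21` picks the pipeline by nova's `auth_strategy` option as upstream does, a single overridden value would serve the compute API through `NoAuthMiddleware` with no token validation. Since this commit also gives operators free-form override and append hooks for nova.conf, I would drop the two `noauth2 =` lines from the chart's default. Failing that, put a comment above them such as `# noauth2 is for test rigs only; auth_strategy must stay "keystone" in any deployed environment`.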


@ -17,4 +17,4 @@ auth_tcp = "none"
ca_file = "" ca_file = ""
log_level = 2 log_level = 2
log_outputs = "2:stderr" log_outputs = "2:stderr"
listen_addr = "{{ .Values.network.ip_address }}" listen_addr = "{{ .Values.libvirt.listen_addr }}"
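Review bot: The new `listen_addr` is fed from `.Values.libvirt.listen_addr`, whose default in this commit's values file is `0.0.0.0`, and the hunk header shows `auth_tcp = "none"` in the same file. Together these leave libvirtd's TCP socket listening on every host interface with no authentication, and anything that can reach that port can manage the hypervisor's guests. The chart's own libvirt URI default is `qemu+tcp://127.0.0.1/system`, so the local compute service only needs loopback; I would ship `listen_addr: "127.0.0.1"` as the default. Operators who need remote libvirt access, for example for live migration, can then widen it deliberately, together with `auth_tcp = "sasl"` or TLS. The rest of libvirtd.conf is outside this hunk, so other listen or auth settings there may change the picture.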

File diff suppressed because it is too large Load Diff


@ -0,0 +1,514 @@
#
"os_compute_api:os-admin-actions:discoverable": "@"
#
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
#
"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
#
"os_compute_api:os-admin-actions": "rule:admin_api"
#
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
#
"os_compute_api:os-admin-password:discoverable": "@"
#
"os_compute_api:os-admin-password": "rule:admin_or_owner"
#
"os_compute_api:os-agents": "rule:admin_api"
#
"os_compute_api:os-agents:discoverable": "@"
#
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
#
"os_compute_api:os-aggregates:add_host": "rule:admin_api"
#
"os_compute_api:os-aggregates:discoverable": "@"
#
"os_compute_api:os-aggregates:create": "rule:admin_api"
#
"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
#
"os_compute_api:os-aggregates:update": "rule:admin_api"
#
"os_compute_api:os-aggregates:index": "rule:admin_api"
#
"os_compute_api:os-aggregates:delete": "rule:admin_api"
#
"os_compute_api:os-aggregates:show": "rule:admin_api"
#
"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
#
"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
#
"os_compute_api:os-assisted-volume-snapshots:discoverable": "@"
#
"os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
#
"os_compute_api:os-attach-interfaces:discoverable": "@"
# Controls who can attach an interface to an instance
"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
# Controls who can detach an interface from an instance
"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
#
"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
#
"os_compute_api:os-availability-zone:discoverable": "@"
#
"os_compute_api:os-availability-zone:detail": "rule:admin_api"
#
"os_compute_api:os-baremetal-nodes:discoverable": "@"
#
"os_compute_api:os-baremetal-nodes": "rule:admin_api"
#
"context_is_admin": "role:admin"
#
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
#
"admin_api": "is_admin:True"
#
"network:attach_external_network": "is_admin:True"
#
"os_compute_api:os-block-device-mapping:discoverable": "@"
#
"os_compute_api:os-block-device-mapping-v1:discoverable": "@"
#
"os_compute_api:os-cells:discoverable": "@"
#
"os_compute_api:os-cells:update": "rule:admin_api"
#
"os_compute_api:os-cells:create": "rule:admin_api"
#
"os_compute_api:os-cells": "rule:admin_api"
#
"os_compute_api:os-cells:sync_instances": "rule:admin_api"
#
"os_compute_api:os-cells:delete": "rule:admin_api"
#
"cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
#
"cells_scheduler_filter:TargetCellFilter": "is_admin:True"
#
"os_compute_api:os-certificates:discoverable": "@"
#
"os_compute_api:os-certificates:create": "rule:admin_or_owner"
#
"os_compute_api:os-certificates:show": "rule:admin_or_owner"
#
"os_compute_api:os-cloudpipe": "rule:admin_api"
#
"os_compute_api:os-cloudpipe:discoverable": "@"
#
"os_compute_api:os-config-drive:discoverable": "@"
#
"os_compute_api:os-config-drive": "rule:admin_or_owner"
#
"os_compute_api:os-console-auth-tokens:discoverable": "@"
#
"os_compute_api:os-console-auth-tokens": "rule:admin_api"
#
"os_compute_api:os-console-output:discoverable": "@"
#
"os_compute_api:os-console-output": "rule:admin_or_owner"
#
"os_compute_api:os-consoles:create": "rule:admin_or_owner"
#
"os_compute_api:os-consoles:show": "rule:admin_or_owner"
#
"os_compute_api:os-consoles:delete": "rule:admin_or_owner"
#
"os_compute_api:os-consoles:discoverable": "@"
#
"os_compute_api:os-consoles:index": "rule:admin_or_owner"
#
"os_compute_api:os-create-backup:discoverable": "@"
#
"os_compute_api:os-create-backup": "rule:admin_or_owner"
#
"os_compute_api:os-deferred-delete:discoverable": "@"
#
"os_compute_api:os-deferred-delete": "rule:admin_or_owner"
#
"os_compute_api:os-evacuate:discoverable": "@"
#
"os_compute_api:os-evacuate": "rule:admin_api"
#
"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
#
"os_compute_api:os-extended-availability-zone:discoverable": "@"
#
"os_compute_api:os-extended-server-attributes": "rule:admin_api"
#
"os_compute_api:os-extended-server-attributes:discoverable": "@"
#
"os_compute_api:os-extended-status:discoverable": "@"
#
"os_compute_api:os-extended-status": "rule:admin_or_owner"
#
"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
#
"os_compute_api:os-extended-volumes:discoverable": "@"
#
"os_compute_api:extension_info:discoverable": "@"
#
"os_compute_api:extensions": "rule:admin_or_owner"
#
"os_compute_api:extensions:discoverable": "@"
#
"os_compute_api:os-fixed-ips:discoverable": "@"
#
"os_compute_api:os-fixed-ips": "rule:admin_api"
#
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
#
"os_compute_api:os-flavor-access:discoverable": "@"
#
"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
#
"os_compute_api:os-flavor-access": "rule:admin_or_owner"
#
"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
#
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
#
"os_compute_api:os-flavor-extra-specs:discoverable": "@"
#
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
#
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
#
"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
#
"os_compute_api:os-flavor-manage": "rule:admin_api"
#
"os_compute_api:os-flavor-manage:discoverable": "@"
#
"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
#
"os_compute_api:os-flavor-rxtx:discoverable": "@"
#
"os_compute_api:flavors:discoverable": "@"
#
"os_compute_api:flavors": "rule:admin_or_owner"
#
"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
#
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
#
"os_compute_api:os-floating-ip-dns:discoverable": "@"
#
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
#
"os_compute_api:os-floating-ip-pools:discoverable": "@"
#
"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
#
"os_compute_api:os-floating-ips": "rule:admin_or_owner"
#
"os_compute_api:os-floating-ips:discoverable": "@"
#
"os_compute_api:os-floating-ips-bulk:discoverable": "@"
#
"os_compute_api:os-floating-ips-bulk": "rule:admin_api"
#
"os_compute_api:os-fping:all_tenants": "rule:admin_api"
#
"os_compute_api:os-fping:discoverable": "@"
#
"os_compute_api:os-fping": "rule:admin_or_owner"
#
"os_compute_api:os-hide-server-addresses:discoverable": "@"
#
"os_compute_api:os-hide-server-addresses": "is_admin:False"
#
"os_compute_api:os-hosts:discoverable": "@"
#
"os_compute_api:os-hosts": "rule:admin_api"
#
"os_compute_api:os-hypervisors:discoverable": "@"
#
"os_compute_api:os-hypervisors": "rule:admin_api"
#
"os_compute_api:image-metadata:discoverable": "@"
#
"os_compute_api:image-size:discoverable": "@"
#
"os_compute_api:image-size": "rule:admin_or_owner"
#
"os_compute_api:images:discoverable": "@"
#
"os_compute_api:os-instance-actions:events": "rule:admin_api"
#
"os_compute_api:os-instance-actions": "rule:admin_or_owner"
#
"os_compute_api:os-instance-actions:discoverable": "@"
#
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
#
"os_compute_api:os-instance-usage-audit-log:discoverable": "@"
#
"os_compute_api:ips:discoverable": "@"
#
"os_compute_api:ips:show": "rule:admin_or_owner"
#
"os_compute_api:ips:index": "rule:admin_or_owner"
#
"os_compute_api:os-keypairs:discoverable": "@"
#
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
#
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
#
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
#
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
#
"os_compute_api:os-keypairs": "rule:admin_or_owner"
#
"os_compute_api:limits:discoverable": "@"
#
"os_compute_api:limits": "rule:admin_or_owner"
#
"os_compute_api:os-lock-server:discoverable": "@"
#
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
#
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
#
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
#
"os_compute_api:os-migrate-server:migrate": "rule:admin_api"
#
"os_compute_api:os-migrate-server:discoverable": "@"
#
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
#
"os_compute_api:os-migrations:index": "rule:admin_api"
#
"os_compute_api:os-migrations:discoverable": "@"
#
"os_compute_api:os-multinic": "rule:admin_or_owner"
#
"os_compute_api:os-multinic:discoverable": "@"
#
"os_compute_api:os-multiple-create:discoverable": "@"
#
"os_compute_api:os-networks:discoverable": "@"
#
"os_compute_api:os-networks": "rule:admin_api"
#
"os_compute_api:os-networks:view": "rule:admin_or_owner"
#
"os_compute_api:os-networks-associate": "rule:admin_api"
#
"os_compute_api:os-networks-associate:discoverable": "@"
#
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
#
"os_compute_api:os-pause-server:discoverable": "@"
#
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
#
"os_compute_api:os-pci:index": "rule:admin_api"
#
"os_compute_api:os-pci:detail": "rule:admin_api"
#
"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner"
#
"os_compute_api:os-pci:show": "rule:admin_api"
#
"os_compute_api:os-pci:discoverable": "@"
#
"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
#
"os_compute_api:os-quota-class-sets:discoverable": "@"
#
"os_compute_api:os-quota-class-sets:update": "rule:admin_api"
#
"os_compute_api:os-quota-sets:update": "rule:admin_api"
#
"os_compute_api:os-quota-sets:defaults": "@"
#
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
#
"os_compute_api:os-quota-sets:delete": "rule:admin_api"
#
"os_compute_api:os-quota-sets:discoverable": "@"
#
"os_compute_api:os-quota-sets:detail": "rule:admin_api"
#
"os_compute_api:os-remote-consoles": "rule:admin_or_owner"
#
"os_compute_api:os-remote-consoles:discoverable": "@"
#
"os_compute_api:os-rescue:discoverable": "@"
#
"os_compute_api:os-rescue": "rule:admin_or_owner"
#
"os_compute_api:os-scheduler-hints:discoverable": "@"
#
"os_compute_api:os-security-group-default-rules:discoverable": "@"
#
"os_compute_api:os-security-group-default-rules": "rule:admin_api"
#
"os_compute_api:os-security-groups": "rule:admin_or_owner"
#
"os_compute_api:os-security-groups:discoverable": "@"
#
"os_compute_api:os-server-diagnostics": "rule:admin_api"
#
"os_compute_api:os-server-diagnostics:discoverable": "@"
#
"os_compute_api:os-server-external-events:create": "rule:admin_api"
#
"os_compute_api:os-server-external-events:discoverable": "@"
#
"os_compute_api:os-server-groups:discoverable": "@"
#
"os_compute_api:os-server-groups": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:index": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:show": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:create": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:discoverable": "@"
#
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:delete": "rule:admin_or_owner"
#
"os_compute_api:server-metadata:update": "rule:admin_or_owner"
#
"os_compute_api:os-server-password": "rule:admin_or_owner"
#
"os_compute_api:os-server-password:discoverable": "@"
#
"os_compute_api:os-server-tags:delete_all": "@"
#
"os_compute_api:os-server-tags:index": "@"
#
"os_compute_api:os-server-tags:update_all": "@"
#
"os_compute_api:os-server-tags:delete": "@"
#
"os_compute_api:os-server-tags:update": "@"
#
"os_compute_api:os-server-tags:show": "@"
#
"os_compute_api:os-server-tags:discoverable": "@"
#
"os_compute_api:os-server-usage": "rule:admin_or_owner"
#
"os_compute_api:os-server-usage:discoverable": "@"
#
"os_compute_api:servers:index": "rule:admin_or_owner"
#
"os_compute_api:servers:detail": "rule:admin_or_owner"
#
"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
#
"os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
#
"os_compute_api:servers:show": "rule:admin_or_owner"
#
"os_compute_api:servers:show:host_status": "rule:admin_api"
#
"os_compute_api:servers:create": "rule:admin_or_owner"
#
"os_compute_api:servers:create:forced_host": "rule:admin_api"
#
"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
#
"os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
#
"os_compute_api:servers:delete": "rule:admin_or_owner"
#
"os_compute_api:servers:update": "rule:admin_or_owner"
#
"os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
#
"os_compute_api:servers:revert_resize": "rule:admin_or_owner"
#
"os_compute_api:servers:reboot": "rule:admin_or_owner"
#
"os_compute_api:servers:resize": "rule:admin_or_owner"
#
"os_compute_api:servers:rebuild": "rule:admin_or_owner"
#
"os_compute_api:servers:create_image": "rule:admin_or_owner"
#
"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
#
"os_compute_api:servers:start": "rule:admin_or_owner"
#
"os_compute_api:servers:stop": "rule:admin_or_owner"
#
"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
#
"os_compute_api:servers:discoverable": "@"
#
"os_compute_api:servers:migrations:show": "rule:admin_api"
#
"os_compute_api:servers:migrations:force_complete": "rule:admin_api"
#
"os_compute_api:servers:migrations:delete": "rule:admin_api"
#
"os_compute_api:servers:migrations:index": "rule:admin_api"
#
"os_compute_api:server-migrations:discoverable": "@"
#
"os_compute_api:os-services": "rule:admin_api"
#
"os_compute_api:os-services:discoverable": "@"
#
"os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
#
"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
#
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
#
"os_compute_api:os-shelve:discoverable": "@"
#
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
#
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
#
"os_compute_api:os-simple-tenant-usage:discoverable": "@"
#
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
#
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
#
"os_compute_api:os-suspend-server:discoverable": "@"
#
"os_compute_api:os-tenant-networks": "rule:admin_or_owner"
#
"os_compute_api:os-tenant-networks:discoverable": "@"
#
"os_compute_api:os-used-limits:discoverable": "@"
#
"os_compute_api:os-used-limits": "rule:admin_api"
#
"os_compute_api:os-user-data:discoverable": "@"
#
"os_compute_api:versions:discoverable": "@"
#
"os_compute_api:os-virtual-interfaces:discoverable": "@"
#
"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
#
"os_compute_api:os-volumes:discoverable": "@"
#
"os_compute_api:os-volumes": "rule:admin_or_owner"
#
"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
#
"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
#
"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
#
"os_compute_api:os-volumes-attachments:discoverable": "@"
#
"os_compute_api:os-volumes-attachments:update": "rule:admin_api"
#
"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
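Review bot: The mutating `os-server-tags` rules (`update`, `update_all`, `delete`, `delete_all`) and the read rules (`index`, `show`) are all set to `"@"`, which always passes. The comparable `server-metadata` rules a few lines earlier use `rule:admin_or_owner`. Unless the tags API enforces project ownership somewhere this file does not show, the policy layer puts no owner restriction on changing another project's server tags. I would ship them as `"os_compute_api:os-server-tags:update": "rule:admin_or_owner"` (likewise for the other five) and keep `"@"` only for the `:discoverable` entry. Most rules are preceded by a bare `#`; a short description on at least the base rules `admin_api`, `admin_or_owner` and `context_is_admin` would help operators who use the chart's policy override and append values.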


@ -21,14 +21,14 @@ data:
OS_AUTH_URL: | OS_AUTH_URL: |
{{ tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup" | b64enc | indent 4 }} {{ tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
OS_REGION_NAME: | OS_REGION_NAME: |
{{ .Values.keystone.nova_region_name | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
OS_PROJECT_DOMAIN_NAME: | OS_PROJECT_DOMAIN_NAME: |
{{ .Values.keystone.nova_project_domain | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
OS_PROJECT_NAME: | OS_PROJECT_NAME: |
{{ .Values.keystone.nova_project_name | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
OS_USER_DOMAIN_NAME: | OS_USER_DOMAIN_NAME: |
{{ .Values.keystone.nova_user_domain | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
OS_USERNAME: | OS_USERNAME: |
{{ .Values.keystone.nova_user | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
OS_PASSWORD: | OS_PASSWORD: |
{{ .Values.keystone.nova_password | b64enc | indent 4 }} {{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password | b64enc | indent 4 }}


@ -21,13 +21,13 @@ metadata:
name: nova-api name: nova-api
spec: spec:
ports: ports:
- name: nova-osapi - name: nova-api-osapi
port: {{ .Values.network.osapi.port }} port: {{ .Values.network.osapi.port }}
{{ if .Values.network.osapi.node_port.enabled }} {{ if .Values.network.osapi.node_port.enabled }}
nodePort: {{ .Values.network.osapi.node_port.port }} nodePort: {{ .Values.network.osapi.node_port.port }}
{{ end }} {{ end }}
selector: selector:
app: nova-osapi app: nova-api-osapi
{{ if .Values.network.osapi.node_port.enabled }} {{ if .Values.network.osapi.node_port.enabled }}
type: NodePort type: NodePort
{{ end }} {{ end }}


@ -86,11 +86,6 @@ bootstrap:
vcpus: 1 vcpus: 1
network: network:
ip_address: "0.0.0.0"
# TODO(DTadrzak): move external IPs to common, this variable should be shared with
# horizon service
external_ips: ""
minion_interface_name: "eno1"
dns: dns:
servers: servers:
- "10.96.0.10" - "10.96.0.10"
@ -113,25 +108,6 @@ network:
name: "nova-novncproxy" name: "nova-novncproxy"
port: 6080 port: 6080
nova:
default:
debug: false
osapi_workers: 8
metadata_workers: 8
conductor_workers: 8
force_config_drive: True
database:
address: "mariadb"
port: 3306
root_user: "root"
root_password: "password"
nova_user: "nova"
nova_password: "password"
nova_database_name: "nova"
nova_api_database_name: "nova_api"
keystone: keystone:
admin_user: "admin" admin_user: "admin"
admin_user_domain: "default" admin_user_domain: "default"
@ -139,28 +115,8 @@ keystone:
admin_project_name: "admin" admin_project_name: "admin"
admin_project_domain: "default" admin_project_domain: "default"
admin_region_name: "RegionOne" admin_region_name: "RegionOne"
neutron_user: "neutron"
neutron_user_domain: "default"
neutron_user_role: "admin"
neutron_password: "password"
neutron_project_name: "service"
neutron_project_domain: "default"
neutron_region_name: "RegionOne"
nova_user: "nova"
nova_user_domain: "default"
nova_user_role: "admin" nova_user_role: "admin"
nova_password: "password"
nova_project_name: "service"
nova_project_domain: "default"
nova_region_name: "RegionOne"
rabbitmq:
address: "rabbitmq"
admin_user: "rabbitmq"
admin_password: "password"
port: 5672
ceph: ceph:
enabled: false enabled: false
@ -170,12 +126,8 @@ ceph:
nova_pool: "vms" nova_pool: "vms"
secret_uuid: "" secret_uuid: ""
neutron: libvirt:
metadata_secret: "password" listen_addr: 0.0.0.0
memcached:
host: memcached
port: 11211
dependencies: dependencies:
api: api:
@ -240,10 +192,198 @@ dependencies:
service: service:
- mariadb - mariadb
mounts:
nova_compute:
init_container: null
nova_compute:
nova_libvirt:
init_container: null
nova_libvirt:
nova_api_metadata:
init_container: null
nova_api_metadata:
nova_api_osapi:
init_container: null
nova_api_osapi:
nova_consoleauth:
init_container: null
nova_consoleauth:
nova_conductor:
init_container: null
nova_conductor:
nova_scheduler:
init_container: null
nova_scheduler:
conf:
paste:
override:
append:
policy:
override:
append:
nova:
override:
append:
default:
nova:
conf:
default_ephemeral_format: ext4
ram_allocation_ratio: 1.0
disk_allocation_ratio: 1.0
cpu_allocation_ratio: 3.0
force_config_drive: true
state_path: /var/lib/nova
osapi_compute_listen: 0.0.0.0
osapi_compute_listen_port: 8774
osapi_compute_workers: 1
metadata_workers: 1
use_neutron: true
firewall_driver: nova.virt.firewall.NoopFirewallDriver
linuxnet_interface_driver: openvswitch
allow_resize_to_same_host: true
compute_driver: libvirt.LibvirtDriver
my_ip: 0.0.0.0
vnc:
nova:
conf:
novncproxy_host: 0.0.0.0
novncproxy_port: 6080
vncserver_listen: 0.0.0.0
vncserver_proxyclient_address: 0.0.0.0
# FIXME(ALANMEADOWS)
novncproxy_base_url: http://0.0.0.0:6080/no_vnc.html
conductor:
nova:
conf:
workers: 1
oslo_policy:
oslo:
policy:
policy_file: policy.yaml
oslo_concurrency:
oslo:
concurrency:
lock_path: /var/lib/nova/tmp
glance:
nova:
conf:
num_retries: 3
cinder:
nova:
conf:
catalog_info: volumev2:cinderv2:internalURL
neutron:
nova:
conf:
metadata_proxy_shared_secret: "password"
service_metadata_proxy: True
auth_type: password
auth_version: v3
region_name: RegionOne
domain_name: default
project_name: service
project_domain_name: default
user_domain_name: default
username: neutron
password: password
database:
oslo:
db:
max_retries: -1
api_database:
oslo:
db:
max_retries: -1
keystone_authtoken:
keystonemiddleware:
auth_token:
auth_type: password
auth_version: v3
region_name: RegionOne
project_name: service
project_domain_name: default
user_domain_name: default
username: nova
password: password
libvirt:
nova:
conf:
connecton_uri: qemu+tcp://127.0.0.1/system
images_type: qcow2
images_rbd_pool: vms
images_rbd_ceph_conf: /etc/ceph/ceph.conf
rbd_user: cinder
rbd_secret_uuid: null
disk_cachemodes: "network=writeback"
hw_disk_discard: unmap
upgrade_levels:
nova:
conf:
compute: auto
cache:
nova:
conf:
enabled: true
backend: oslo_cache.memcache_pool
wsgi:
nova:
conf:
api_paste_config: /etc/nova/api-paste.ini
# typically overriden by environmental # typically overriden by environmental
# values, but should include all endpoints # values, but should include all endpoints
# required by this chart # required by this chart
endpoints: endpoints:
oslo_db:
auth:
admin:
username: root
password: password
user:
username: nova
password: password
hosts:
default: mariadb
path: /nova
scheme: mysql+pymysql
port:
mysql: 3306
oslo_db_api:
auth:
admin:
username: root
password: password
user:
username: nova
password: password
hosts:
default: mariadb
path: /nova_api
scheme: mysql+pymysql
port:
mysql: 3306
oslo_messaging:
auth:
admin:
username: admin
password: password
user:
username: rabbitmq
password: password
hosts:
default: rabbitmq
path: /
scheme: rabbit
port:
amqp: 5672
oslo_cache:
hosts:
default: memcache
port:
memcache: 11211
compute: compute:
name: nova name: nova
hosts: hosts:
@ -281,6 +421,7 @@ endpoints:
port: port:
api: 9696 api: 9696
resources: resources:
enabled: false enabled: false
nova_compute: nova_compute: