Nova Configuration Override (#319)

* Initial Commit of Nova Configuration Overrides This commit is an evolution of the initial keystone configuration overrides work It expands upon that work by introducing many of the same concepts into nova. It differs in that a few concepts were changed. Namely the helm-toolkit/_oslo.tpl concept was abandoned, as there are too many unique oslo paths for configuration elements, so dynamic oslo setting mechanism was moved locally into configmap-etc.yaml, where it is generally used. Secondly, in nova the mount override effort was altered to instead provide mount "append" capability. Keeping the manifest mounts closer to the actual pod, and keeping values.yaml a tad smaller. This still allows the original flexibility of operators adding mounts, but they cannot "undo" any of the charts built in mounts. There were several manual tweaks that needd to be done to _nova.conf.tpl after the oslo-config-gen process this time. This is because there is a bug in the newton version of generating this file. It does not include the proper service authentication credentials in the [keystone_authtoken] section. Future releases have a separate service credentials section so future config generations will likely not need these added lines. * Remove unused values.yaml parameters Fix references to removed helm-toolkit oslo macro * resolve nova feedback * bugfix nova-etc/nova-bin swap
2017-04-10 12:41:41 -07:00 · 2017-04-10 12:41:41 -07:00 · 16508c32ee
commit 16508c32ee
parent 04a215e7a2
19 changed files with 11408 additions and 350 deletions
--- a/helm-toolkit/templates/_oslo.tpl
+++ b/helm-toolkit/templates/_oslo.tpl
@ -1,39 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#-----------------------------------------------
-# oslo settings we will dynamically manufacture
-#-----------------------------------------------
-
-{{- define "helm-toolkit.oslo_values_setup" -}}
-
-{{ $obj := index . 0 }}
-{{ $root := index . 1 }}
-
-# generate database uri and set $conf.conf.oslo.db.connection
-{{- if empty $obj.database.oslo.db.connection -}}
-{{- tuple "oslo_db" "internal" "user" "mysql" $root | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set $obj.database.oslo.db "connection" -}}
-{{- end -}}
-
-# generate amqp transport uri and set $conf.endpoints.messaging
-{{- if empty $obj.default.oslo.messaging.transport_url -}}
-{{- tuple "oslo_messaging" "internal" "user" "amqp" $root | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set $obj.default.oslo.messaging "transport_url" -}}
-{{- end -}}
-
-# generate memcache host:port and set $conf.endpoints.memcache
-{{- if empty $obj.cache.oslo.cache -}}
-{{- tuple "oslo_cache" "internal" "memcache" $root | include "helm-toolkit.hostname_endpoint_uri_lookup" | set $obj.cache.oslo.cache "memcache_servers" -}}
-{{- end -}}
-
-{{- end -}}
--- a/keystone/templates/configmap-bin.yaml
+++ b/keystone/templates/configmap-bin.yaml
@ -12,8 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-{{ tuple .Values.conf.keystone . | include "helm-toolkit.oslo_values_setup" | trunc 0 }}
-
 apiVersion: v1
 kind: ConfigMap
 metadata:
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@ -12,7 +12,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-{{ tuple .Values.conf.keystone . | include "helm-toolkit.oslo_values_setup" | trunc 0 }}
+{{- include "keystone.conf.keystone_values_skeleton" .Values.conf.keystone | trunc 0 -}}
+
+{{- if empty .Values.conf.keystone.database.oslo.db.connection -}}
+{{- tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.keystone.database.oslo.db "connection" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.default.oslo.messaging.transport_url -}}
+{{- tuple "oslo_messaging" "internal" "user" "amqp" . | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set .Values.conf.keystone.default.oslo.messaging "transport_url" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.keystone.cache.oslo.cache -}}
+{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.keystone.cache.oslo.cache "memcache_servers" | quote | trunc 0 -}}
+{{- end -}}

 apiVersion: v1
 kind: ConfigMap
@ -21,31 +33,31 @@ metadata:
 data:
  keystone.conf: |+
 {{ if .Values.conf.keystone.override -}}
-{{ .Values.conf.keystone.override }}
+{{ .Values.conf.keystone.override | indent 4 }}
 {{- else -}}
 {{- if .Values.conf.keystone.prefix -}}
-{{ .Values.conf.keystone.prefix }}
+{{ .Values.conf.keystone.prefix | indent 4 }}
 {{- end }}
 {{ tuple "etc/_keystone.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
 {{- end }}
 {{- if .Values.conf.keystone.append -}}
-{{ .Values.conf.keystone.append }}
+{{ .Values.conf.keystone.append | indent 4 }}
 {{- end }}
  keystone-paste.ini: |+
 {{ if .Values.conf.paste.override -}}
-{{ .Values.conf.paste.override }}
+{{ .Values.conf.paste.override | indent 4 }}
 {{- else -}}
 {{- if .Values.conf.paste.prefix -}}
-{{ .Values.conf.paste.prefix }}
+{{ .Values.conf.paste.prefix | indent 4 }}
 {{- end }}
 {{ tuple "etc/_keystone-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }}
 {{- end }}
 {{- if .Values.conf.paste.append -}}
-{{ .Values.conf.paste.append }}
+{{ .Values.conf.paste.append | indent 4 }}
 {{- end }}
  policy.json: |+
 {{ if .Values.conf.policy.override -}}
-{{ .Values.conf.policy.override }}
+{{ .Values.conf.policy.override | indent 4 }}
 {{- else -}}
 {{ tuple "etc/_policy.json.tpl" . | include "helm-toolkit.template" | indent 4 }}
 {{- end }}
--- a/nova/templates/bin/_init.sh.tpl
+++ b/nova/templates/bin/_init.sh.tpl
@ -18,32 +18,42 @@
 set -ex
 export HOME=/tmp

-ansible localhost -vvv -m mysql_db -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
-login_port='{{ .Values.database.port }}' \
-login_user='{{ .Values.database.root_user }}' \
-login_password='{{ .Values.database.root_password }}' \
-name='{{ .Values.database.nova_database_name }}'"
+# standard database

-ansible localhost -vvv -m mysql_user -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
-login_port='{{ .Values.database.port }}' \
-login_user='{{ .Values.database.root_user }}' \
-login_password='{{ .Values.database.root_password }}' \
-name='{{ .Values.database.nova_user }}' \
-password='{{ .Values.database.nova_password }}' \
-host='%' \
-priv='{{ .Values.database.nova_database_name }}.*:ALL' append_privs='yes'"
+ansible localhost -vvv \
+  -m mysql_db -a "login_host='{{ .Values.endpoints.oslo_db.hosts.internal | default .Values.endpoints.oslo_db.hosts.default }}' \
+                  login_port='{{ .Values.endpoints.oslo_db.port.mysql }}' \
+                  login_user='{{ .Values.endpoints.oslo_db.auth.admin.username }}' \
+                  login_password='{{ .Values.endpoints.oslo_db.auth.admin.password }}' \
+                  name='{{ .Values.endpoints.oslo_db.path | trimAll "/" }}'"

-ansible localhost -vvv -m mysql_db -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
-login_port='{{ .Values.database.port }}' \
-login_user='{{ .Values.database.root_user }}' \
-login_password='{{ .Values.database.root_password }}' \
-name='{{ .Values.database.nova_api_database_name }}'"
+ansible localhost -vvv \
+  -m mysql_user -a "login_host='{{ .Values.endpoints.oslo_db.hosts.internal | default .Values.endpoints.oslo_db.hosts.default }}' \
+                    login_port='{{ .Values.endpoints.oslo_db.port.mysql }}' \
+                    login_user='{{ .Values.endpoints.oslo_db.auth.admin.username }}' \
+                    login_password='{{ .Values.endpoints.oslo_db.auth.admin.password }}' \
+                    name='{{ .Values.endpoints.oslo_db.auth.user.username }}' \
+                    password='{{ .Values.endpoints.oslo_db.auth.user.password }}' \
+                    host='%' \
+                    priv='{{ .Values.endpoints.oslo_db.path | trimAll "/" }}.*:ALL' \
+                    append_privs='yes'"

-ansible localhost -vvv -m mysql_user -a "login_host='{{ include "helm-toolkit.mariadb_host" . }}' \
-login_port='{{ .Values.database.port }}' \
-login_user='{{ .Values.database.root_user }}' \
-login_password='{{ .Values.database.root_password }}' \
-name='{{ .Values.database.nova_user }}' \
-password='{{ .Values.database.nova_password }}' \
-host='%' \
-priv='{{ .Values.database.nova_api_database_name }}.*:ALL' append_privs='yes'"
+# api database
+
+ansible localhost -vvv \
+  -m mysql_db -a "login_host='{{ .Values.endpoints.oslo_db_api.hosts.internal | default .Values.endpoints.oslo_db_api.hosts.default }}' \
+                  login_port='{{ .Values.endpoints.oslo_db_api.port.mysql }}' \
+                  login_user='{{ .Values.endpoints.oslo_db_api.auth.admin.username }}' \
+                  login_password='{{ .Values.endpoints.oslo_db_api.auth.admin.password }}' \
+                  name='{{ .Values.endpoints.oslo_db_api.path | trimAll "/" }}'"
+
+ansible localhost -vvv \
+  -m mysql_user -a "login_host='{{ .Values.endpoints.oslo_db_api.hosts.internal | default .Values.endpoints.oslo_db_api.hosts.default }}' \
+                    login_port='{{ .Values.endpoints.oslo_db_api.port.mysql }}' \
+                    login_user='{{ .Values.endpoints.oslo_db_api.auth.admin.username }}' \
+                    login_password='{{ .Values.endpoints.oslo_db_api.auth.admin.password }}' \
+                    name='{{ .Values.endpoints.oslo_db_api.auth.user.username }}' \
+                    password='{{ .Values.endpoints.oslo_db_api.auth.user.password }}' \
+                    host='%' \
+                    priv='{{ .Values.endpoints.oslo_db_api.path | trimAll "/" }}.*:ALL' \
+                    append_privs='yes'"
--- a/nova/templates/configmap-etc.yaml
+++ b/nova/templates/configmap-etc.yaml
@ -12,13 +12,84 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+{{- include "nova.conf.nova_values_skeleton" .Values.conf.nova | trunc 0 -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.auth_uri -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_uri" | quote | trunc 0 -}}
+{{- end -}}
+
+# FIXME(alanmeadows) fix for broken keystonemiddleware oslo config gen in newton - will remove in future
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.auth_url -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "auth_url" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.memcached_servers -}}
+{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token "memcached_servers" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.database.oslo.db.connection -}}
+{{- tuple "oslo_db" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.nova.database.oslo.db "connection" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.api_database.nova.conf.connection -}}
+{{- tuple "oslo_db_api" "internal" "user" "mysql" . | include "helm-toolkit.authenticated_endpoint_uri_lookup"| set .Values.conf.nova.api_database.nova.conf "connection" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.default.oslo.messaging.transport_url -}}
+{{- tuple "oslo_messaging" "internal" "user" "amqp" . | include "helm-toolkit.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.default.oslo.messaging "transport_url" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.glance.nova.conf.api_servers -}}
+{{- tuple "image" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.glance.nova.conf "api_servers" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.nova.conf.url -}}
+{{- tuple "network" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.neutron.nova.conf "url" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.neutron.nova.conf.auth_url -}}
+{{- tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup"| set .Values.conf.nova.neutron.nova.conf "auth_url" | quote | trunc 0 -}}
+{{- end -}}
+
+{{- if empty .Values.conf.nova.cache.nova.conf.memcache_servers -}}
+{{- tuple "oslo_cache" "internal" "memcache" . | include "helm-toolkit.hostname_endpoint_uri_lookup" | set .Values.conf.nova.cache.nova.conf "memcache_servers" | quote | trunc 0 -}}
+{{- end -}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nova-etc
 data:
  nova.conf: |+
+{{ if .Values.conf.nova.override -}}
+{{ .Values.conf.nova.override | indent 4 }}
+{{- else -}}
+{{- if .Values.conf.nova.prefix -}}
+{{ .Values.conf.nova.prefix | indent 4 }}
+{{- end }}
 {{ tuple "etc/_nova.conf.tpl" . | include "helm-toolkit.template" | indent 4 }}
+{{- end }}
+{{- if .Values.conf.nova.append -}}
+{{ .Values.conf.nova.append | indent 4 }}
+{{- end }}
+  api-paste.ini: |+
+{{ if .Values.conf.paste.override -}}
+{{ .Values.conf.paste.override | indent 4 }}
+{{- else -}}
+{{- if .Values.conf.paste.prefix -}}
+{{ .Values.conf.paste.prefix | indent 4 }}
+{{- end }}
+{{ tuple "etc/_api-paste.ini.tpl" . | include "helm-toolkit.template" | indent 4 }}
+{{- end }}
+{{- if .Values.conf.paste.append -}}
+{{ .Values.conf.paste.append | indent 4 }}
+{{- end }}
+  policy.yaml: |+
+{{ if .Values.conf.policy.override -}}
+{{ .Values.conf.policy.override | indent 4 }}
+{{- else -}}
+{{ tuple "etc/_policy.yaml.tpl" . | include "helm-toolkit.template" | indent 4 }}
+{{- end }}
  ceph.client.cinder.keyring.yaml: |+
 {{ tuple "etc/_ceph.client.cinder.keyring.yaml.tpl" . | include "helm-toolkit.template" | indent 4 }}
  resolv.conf: |+
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@ -14,6 +14,9 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.compute }}
+{{- $mounts_nova_compute := .Values.mounts.nova_compute.nova_compute }}
+{{- $mounts_nova_compute_init := .Values.mounts.nova_compute.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
@ -27,7 +30,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_compute_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -57,44 +60,34 @@ spec:
            - --config-file
            - /etc/nova/nova.conf
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf
+            - name: nova-etc
+              mountPath: /etc/resolv.conf
+              subPath: resolv.conf
+            - name: nova-etc
+              mountPath: /etc/ceph/ceph.conf
+              subPath: ceph.conf
+            - name: nova-etc
+              mountPath: /etc/ceph/ceph.client.keyring
+              subPath: ceph.client.keyring
            - mountPath: /lib/modules
              name: libmodules
              readOnly: true
-            - mountPath: /var/lib/nova
-              name: varlibnova
-            - mountPath: /var/lib/libvirt
-              name: varliblibvirt
-            - mountPath: /run
-              name: run
-            - mountPath: /sys/fs/cgroup
-              name: cgroup
-            - mountPath: /etc/resolv.conf
-              name: resolvconf
-              subPath: resolv.conf
-            {{- if .Values.ceph.enabled }}
-            - name: cephconf
-              mountPath: /etc/ceph/ceph.conf
-              subPath: ceph.conf
-            - name: cephclientcinderkeyring
-              mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
-              subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
-            {{- end }}
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: varliblibvirt
+              mountPath: /var/lib/libvirt
+            - name: run
+              mountPath: /run
+            - name: cgroup
+              mountPath: /sys/fs/cgroup
+{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc
-            items:
-            - key: nova.conf
-              path: nova.conf
-        - name: resolvconf
-          configMap:
-            name: nova-etc
-            items:
-            - key: resolv.conf
-              path: resolv.conf
        - name: libmodules
          hostPath:
            path: /lib/modules
@ -110,17 +103,4 @@ spec:
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup
-        {{- if .Values.ceph.enabled }}
-        - name: cephconf
-          configMap:
-            name: nova-etc
-            items:
-            - key: ceph.conf
-              path: ceph.conf
-        - name: cephclientcinderkeyring
-          configMap:
-            name: nova-etc
-            items:
-            - key: ceph.client.cinder.keyring.yaml
-              path: ceph.client.cinder.keyring.yaml
-        {{- end }}
+{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
--- a/nova/templates/daemonset-libvirt.yaml
+++ b/nova/templates/daemonset-libvirt.yaml
@ -14,6 +14,8 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.libvirt }}
+{{- $mounts_nova_libvirt := .Values.mounts.nova_libvirt.nova_libvirt }}
+{{- $mounts_nova_libvirt_init := .Values.mounts.nova_libvirt.init_container }}
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
@ -27,7 +29,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_libvirt_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -55,53 +57,42 @@ spec:
            - bash
            - /tmp/libvirt.sh
          volumeMounts:
-            - name: libvirtdconf
+            - name: nova-etc
              mountPath: /etc/libvirt/libvirtd.conf
              subPath: libvirtd.conf
-            - name: libvirtsh
+            - name: nova-bin
              mountPath: /tmp/libvirt.sh
              subPath: libvirt.sh
+            - name: nova-etc
+              mountPath: /etc/nova/nova.conf
+              subPath: nova.conf
+            - name: nova-etc
+              mountPath: /etc/resolv.conf
+              subPath: resolv.conf
            - mountPath: /lib/modules
              name: libmodules
              readOnly: true
-            - mountPath: /var/lib/nova
-              name: varlibnova
-            - mountPath: /var/lib/libvirt
-              name: varliblibvirt
-            - mountPath: /run
-              name: run
-            - mountPath: /sys/fs/cgroup
-              name: cgroup
-            - mountPath: /etc/resolv.conf
-              name: resolvconf
-              subPath: resolv.conf
+            - name: varlibnova
+              mountPath: /var/lib/nova
+            - name: varliblibvirt
+              mountPath: /var/lib/libvirt
+            - name: run
+              mountPath: /run
+            - name: cgroup
+              mountPath: /sys/fs/cgroup
            {{- if .Values.ceph.enabled }}
-            - name: cephconf
+            - name: nova-etc
              mountPath: /etc/ceph/ceph.conf
              subPath: ceph.conf
-            - name: cephclientcinderkeyring
-              mountPath: /etc/ceph/ceph.client.{{ .Values.ceph.cinder_user }}.keyring
-              subPath: ceph.client.{{ .Values.ceph.cinder_user }}.keyring
+            - name: nova-etc
+              mountPath: /etc/ceph/ceph.client.keyring
+              subPath: ceph.client.keyring
            {{- end }}
+{{ if $mounts_nova_libvirt.volumeMounts }}{{ toYaml $mounts_nova_libvirt.volumeMounts | indent 12 }}{{ end }}
      volumes:
-        - name: libvirtdconf
+        - name: nova-etc
          configMap:
            name: nova-etc
-            items:
-            - key: libvirtd.conf
-              path: libvirtd.conf
-        - name: libvirtsh
-          configMap:
-            name: nova-bin
-            items:
-            - key: libvirt.sh
-              path: libvirt.sh
-        - name: resolvconf
-          configMap:
-            name: nova-etc
-            items:
-            - key: resolv.conf
-              path: resolv.conf
        - name: libmodules
          hostPath:
            path: /lib/modules
@ -117,17 +108,4 @@ spec:
        - name: cgroup
          hostPath:
            path: /sys/fs/cgroup        
-        {{- if .Values.ceph.enabled }}
-        - name: cephconf
-          configMap:
-            name: nova-etc
-            items:
-            - key: ceph.conf
-              path: ceph.conf
-        - name: cephclientcinderkeyring
-          configMap:
-            name: nova-etc
-            items:
-            - key: ceph.client.cinder.keyring.yaml
-              path: ceph.client.cinder.keyring.yaml
-          {{- end }}
+{{ if $mounts_nova_libvirt.volumes }}{{ toYaml $mounts_nova_libvirt.volumes | indent 8 }}{{ end }}
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@ -14,6 +14,8 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.api }}
+{{- $mounts_nova_api_metadata := .Values.mounts.nova_api_metadata.nova_api_metadata }}
+{{- $mounts_nova_api_metadata_init := .Values.mounts.nova_api_metadata.init_container }}
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -36,7 +38,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}        
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_api_metadata_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -68,13 +70,12 @@ spec:
            tcpSocket:
              port: {{ .Values.network.metadata.port }}
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf
+{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc        
-            items:
-            - key: nova.conf
-              path: nova.conf
+{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@ -14,6 +14,8 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.api }}
+{{- $mounts_nova_api_osapi := .Values.mounts.nova_api_osapi.nova_api_osapi }}
+{{- $mounts_nova_api_osapi_init := .Values.mounts.nova_api_osapi.init_container }}
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -31,12 +33,12 @@ spec:
  template:
    metadata:
      labels:
-        app: nova-osapi
+        app: nova-api-osapi
      annotations:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_api_osapi_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -67,13 +69,12 @@ spec:
            tcpSocket:
              port: {{ .Values.network.osapi.port }}
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf                 
+{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc        
-            items:
-            - key: nova.conf
-              path: nova.conf
+{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@ -14,6 +14,8 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.conductor }}
+{{- $mounts_nova_conductor := .Values.mounts.nova_conductor.nova_conductor }}
+{{- $mounts_nova_conductor_init := .Values.mounts.nova_conductor.init_container }}
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -36,7 +38,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_conductor_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -59,13 +61,12 @@ spec:
            - --config-file
            - /etc/nova/nova.conf
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf                    
+{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc
-            items:
-            - key: nova.conf
-              path: nova.conf
+{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
--- a/nova/templates/deployment-consoleauth.yaml
+++ b/nova/templates/deployment-consoleauth.yaml
@ -14,6 +14,9 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.consoleauth }}
+{{- $mounts_nova_consoleauth := .Values.mounts.nova_consoleauth.nova_conductor }}
+{{- $mounts_nova_consoleauth_init := .Values.mounts.nova_consoleauth.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -36,7 +39,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_consoleauth_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -59,13 +62,12 @@ spec:
            - --config-file
            - /etc/nova/nova.conf
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf
+{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}            
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc
-            items:
-            - key: nova.conf
-              path: nova.conf
+{{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}     
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@ -14,6 +14,9 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.scheduler }}
+{{- $mounts_nova_scheduler := .Values.mounts.nova_scheduler.nova_conductor }}
+{{- $mounts_nova_scheduler_init := .Values.mounts.nova_scheduler.init_container }}
+
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -36,7 +39,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }}
        pod.beta.kubernetes.io/init-containers: '[
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
+{{ tuple $envAll $dependencies $mounts_nova_scheduler_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }}
        ]'
    spec:
      nodeSelector:
@ -59,13 +62,12 @@ spec:
            - --config-file
            - /etc/nova/nova.conf
          volumeMounts:
-            - name: novaconf
+            - name: nova-etc
              mountPath: /etc/nova/nova.conf
              subPath: nova.conf
+{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}            
      volumes:
-        - name: novaconf
+        - name: nova-etc
          configMap:
            name: nova-etc
-            items:
-            - key: nova.conf
-              path: nova.conf
+{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
--- a/nova/templates/etc/_api-paste.ini.tpl
+++ b/nova/templates/etc/_api-paste.ini.tpl
@ -0,0 +1,81 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: meta
+
+[pipeline:meta]
+pipeline = cors metaapp
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#############
+# OpenStack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+# v21 is an exactly feature match for v2, except it has more stringent
+# input validation on the wsgi surface (prevents fuzzing early on the
+# API). It also provides new features via API microversions which are
+# opt into for clients. Unaware clients will receive the same frozen
+# v2 API feature set, but with some relaxed validation
+/v2: openstack_compute_api_v21_legacy_v2_compatible
+/v2.1: openstack_compute_api_v21
+
+[composite:openstack_compute_api_v21]
+use = call:nova.api.auth:pipeline_factory_v21
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
+
+[composite:openstack_compute_api_v21_legacy_v2_compatible]
+use = call:nova.api.auth:pipeline_factory_v21
+noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
+keystone = cors http_proxy_to_wsgi compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:compute_req_id]
+paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:noauth2]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:legacy_v2_compatible]
+paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory
+
+[app:osapi_compute_app_v21]
+paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap http_proxy_to_wsgi oscomputeversionapp
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = nova
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
--- a/nova/templates/etc/_libvirtd.conf.tpl
+++ b/nova/templates/etc/_libvirtd.conf.tpl
@ -17,4 +17,4 @@ auth_tcp = "none"
 ca_file = ""
 log_level = 2
 log_outputs = "2:stderr"
-listen_addr = "{{ .Values.network.ip_address }}"
+listen_addr = "{{ .Values.libvirt.listen_addr }}"
--- a/nova/templates/etc/_nova.conf.tpl
+++ b/nova/templates/etc/_nova.conf.tpl
--- a/nova/templates/etc/_policy.yaml.tpl
+++ b/nova/templates/etc/_policy.yaml.tpl
@ -0,0 +1,514 @@
+#
+"os_compute_api:os-admin-actions:discoverable": "@"
+#
+"os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
+#
+"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
+#
+"os_compute_api:os-admin-actions": "rule:admin_api"
+#
+"os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
+#
+"os_compute_api:os-admin-password:discoverable": "@"
+#
+"os_compute_api:os-admin-password": "rule:admin_or_owner"
+#
+"os_compute_api:os-agents": "rule:admin_api"
+#
+"os_compute_api:os-agents:discoverable": "@"
+#
+"os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:add_host": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:discoverable": "@"
+#
+"os_compute_api:os-aggregates:create": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:remove_host": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:update": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:index": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:delete": "rule:admin_api"
+#
+"os_compute_api:os-aggregates:show": "rule:admin_api"
+#
+"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
+#
+"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
+#
+"os_compute_api:os-assisted-volume-snapshots:discoverable": "@"
+#
+"os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
+#
+"os_compute_api:os-attach-interfaces:discoverable": "@"
+# Controls who can attach an interface to an instance
+"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
+# Controls who can detach an interface from an instance
+"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
+#
+"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
+#
+"os_compute_api:os-availability-zone:discoverable": "@"
+#
+"os_compute_api:os-availability-zone:detail": "rule:admin_api"
+#
+"os_compute_api:os-baremetal-nodes:discoverable": "@"
+#
+"os_compute_api:os-baremetal-nodes": "rule:admin_api"
+#
+"context_is_admin": "role:admin"
+#
+"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+#
+"admin_api": "is_admin:True"
+#
+"network:attach_external_network": "is_admin:True"
+#
+"os_compute_api:os-block-device-mapping:discoverable": "@"
+#
+"os_compute_api:os-block-device-mapping-v1:discoverable": "@"
+#
+"os_compute_api:os-cells:discoverable": "@"
+#
+"os_compute_api:os-cells:update": "rule:admin_api"
+#
+"os_compute_api:os-cells:create": "rule:admin_api"
+#
+"os_compute_api:os-cells": "rule:admin_api"
+#
+"os_compute_api:os-cells:sync_instances": "rule:admin_api"
+#
+"os_compute_api:os-cells:delete": "rule:admin_api"
+#
+"cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
+#
+"cells_scheduler_filter:TargetCellFilter": "is_admin:True"
+#
+"os_compute_api:os-certificates:discoverable": "@"
+#
+"os_compute_api:os-certificates:create": "rule:admin_or_owner"
+#
+"os_compute_api:os-certificates:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-cloudpipe": "rule:admin_api"
+#
+"os_compute_api:os-cloudpipe:discoverable": "@"
+#
+"os_compute_api:os-config-drive:discoverable": "@"
+#
+"os_compute_api:os-config-drive": "rule:admin_or_owner"
+#
+"os_compute_api:os-console-auth-tokens:discoverable": "@"
+#
+"os_compute_api:os-console-auth-tokens": "rule:admin_api"
+#
+"os_compute_api:os-console-output:discoverable": "@"
+#
+"os_compute_api:os-console-output": "rule:admin_or_owner"
+#
+"os_compute_api:os-consoles:create": "rule:admin_or_owner"
+#
+"os_compute_api:os-consoles:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-consoles:delete": "rule:admin_or_owner"
+#
+"os_compute_api:os-consoles:discoverable": "@"
+#
+"os_compute_api:os-consoles:index": "rule:admin_or_owner"
+#
+"os_compute_api:os-create-backup:discoverable": "@"
+#
+"os_compute_api:os-create-backup": "rule:admin_or_owner"
+#
+"os_compute_api:os-deferred-delete:discoverable": "@"
+#
+"os_compute_api:os-deferred-delete": "rule:admin_or_owner"
+#
+"os_compute_api:os-evacuate:discoverable": "@"
+#
+"os_compute_api:os-evacuate": "rule:admin_api"
+#
+"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
+#
+"os_compute_api:os-extended-availability-zone:discoverable": "@"
+#
+"os_compute_api:os-extended-server-attributes": "rule:admin_api"
+#
+"os_compute_api:os-extended-server-attributes:discoverable": "@"
+#
+"os_compute_api:os-extended-status:discoverable": "@"
+#
+"os_compute_api:os-extended-status": "rule:admin_or_owner"
+#
+"os_compute_api:os-extended-volumes": "rule:admin_or_owner"
+#
+"os_compute_api:os-extended-volumes:discoverable": "@"
+#
+"os_compute_api:extension_info:discoverable": "@"
+#
+"os_compute_api:extensions": "rule:admin_or_owner"
+#
+"os_compute_api:extensions:discoverable": "@"
+#
+"os_compute_api:os-fixed-ips:discoverable": "@"
+#
+"os_compute_api:os-fixed-ips": "rule:admin_api"
+#
+"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
+#
+"os_compute_api:os-flavor-access:discoverable": "@"
+#
+"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
+#
+"os_compute_api:os-flavor-access": "rule:admin_or_owner"
+#
+"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
+#
+"os_compute_api:os-flavor-extra-specs:discoverable": "@"
+#
+"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
+#
+"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
+#
+"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
+#
+"os_compute_api:os-flavor-manage": "rule:admin_api"
+#
+"os_compute_api:os-flavor-manage:discoverable": "@"
+#
+"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
+#
+"os_compute_api:os-flavor-rxtx:discoverable": "@"
+#
+"os_compute_api:flavors:discoverable": "@"
+#
+"os_compute_api:flavors": "rule:admin_or_owner"
+#
+"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
+#
+"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
+#
+"os_compute_api:os-floating-ip-dns:discoverable": "@"
+#
+"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
+#
+"os_compute_api:os-floating-ip-pools:discoverable": "@"
+#
+"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
+#
+"os_compute_api:os-floating-ips": "rule:admin_or_owner"
+#
+"os_compute_api:os-floating-ips:discoverable": "@"
+#
+"os_compute_api:os-floating-ips-bulk:discoverable": "@"
+#
+"os_compute_api:os-floating-ips-bulk": "rule:admin_api"
+#
+"os_compute_api:os-fping:all_tenants": "rule:admin_api"
+#
+"os_compute_api:os-fping:discoverable": "@"
+#
+"os_compute_api:os-fping": "rule:admin_or_owner"
+#
+"os_compute_api:os-hide-server-addresses:discoverable": "@"
+#
+"os_compute_api:os-hide-server-addresses": "is_admin:False"
+#
+"os_compute_api:os-hosts:discoverable": "@"
+#
+"os_compute_api:os-hosts": "rule:admin_api"
+#
+"os_compute_api:os-hypervisors:discoverable": "@"
+#
+"os_compute_api:os-hypervisors": "rule:admin_api"
+#
+"os_compute_api:image-metadata:discoverable": "@"
+#
+"os_compute_api:image-size:discoverable": "@"
+#
+"os_compute_api:image-size": "rule:admin_or_owner"
+#
+"os_compute_api:images:discoverable": "@"
+#
+"os_compute_api:os-instance-actions:events": "rule:admin_api"
+#
+"os_compute_api:os-instance-actions": "rule:admin_or_owner"
+#
+"os_compute_api:os-instance-actions:discoverable": "@"
+#
+"os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
+#
+"os_compute_api:os-instance-usage-audit-log:discoverable": "@"
+#
+"os_compute_api:ips:discoverable": "@"
+#
+"os_compute_api:ips:show": "rule:admin_or_owner"
+#
+"os_compute_api:ips:index": "rule:admin_or_owner"
+#
+"os_compute_api:os-keypairs:discoverable": "@"
+#
+"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
+#
+"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
+#
+"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
+#
+"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
+#
+"os_compute_api:os-keypairs": "rule:admin_or_owner"
+#
+"os_compute_api:limits:discoverable": "@"
+#
+"os_compute_api:limits": "rule:admin_or_owner"
+#
+"os_compute_api:os-lock-server:discoverable": "@"
+#
+"os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
+#
+"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
+#
+"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
+#
+"os_compute_api:os-migrate-server:migrate": "rule:admin_api"
+#
+"os_compute_api:os-migrate-server:discoverable": "@"
+#
+"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
+#
+"os_compute_api:os-migrations:index": "rule:admin_api"
+#
+"os_compute_api:os-migrations:discoverable": "@"
+#
+"os_compute_api:os-multinic": "rule:admin_or_owner"
+#
+"os_compute_api:os-multinic:discoverable": "@"
+#
+"os_compute_api:os-multiple-create:discoverable": "@"
+#
+"os_compute_api:os-networks:discoverable": "@"
+#
+"os_compute_api:os-networks": "rule:admin_api"
+#
+"os_compute_api:os-networks:view": "rule:admin_or_owner"
+#
+"os_compute_api:os-networks-associate": "rule:admin_api"
+#
+"os_compute_api:os-networks-associate:discoverable": "@"
+#
+"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
+#
+"os_compute_api:os-pause-server:discoverable": "@"
+#
+"os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
+#
+"os_compute_api:os-pci:index": "rule:admin_api"
+#
+"os_compute_api:os-pci:detail": "rule:admin_api"
+#
+"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner"
+#
+"os_compute_api:os-pci:show": "rule:admin_api"
+#
+"os_compute_api:os-pci:discoverable": "@"
+#
+"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
+#
+"os_compute_api:os-quota-class-sets:discoverable": "@"
+#
+"os_compute_api:os-quota-class-sets:update": "rule:admin_api"
+#
+"os_compute_api:os-quota-sets:update": "rule:admin_api"
+#
+"os_compute_api:os-quota-sets:defaults": "@"
+#
+"os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-quota-sets:delete": "rule:admin_api"
+#
+"os_compute_api:os-quota-sets:discoverable": "@"
+#
+"os_compute_api:os-quota-sets:detail": "rule:admin_api"
+#
+"os_compute_api:os-remote-consoles": "rule:admin_or_owner"
+#
+"os_compute_api:os-remote-consoles:discoverable": "@"
+#
+"os_compute_api:os-rescue:discoverable": "@"
+#
+"os_compute_api:os-rescue": "rule:admin_or_owner"
+#
+"os_compute_api:os-scheduler-hints:discoverable": "@"
+#
+"os_compute_api:os-security-group-default-rules:discoverable": "@"
+#
+"os_compute_api:os-security-group-default-rules": "rule:admin_api"
+#
+"os_compute_api:os-security-groups": "rule:admin_or_owner"
+#
+"os_compute_api:os-security-groups:discoverable": "@"
+#
+"os_compute_api:os-server-diagnostics": "rule:admin_api"
+#
+"os_compute_api:os-server-diagnostics:discoverable": "@"
+#
+"os_compute_api:os-server-external-events:create": "rule:admin_api"
+#
+"os_compute_api:os-server-external-events:discoverable": "@"
+#
+"os_compute_api:os-server-groups:discoverable": "@"
+#
+"os_compute_api:os-server-groups": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:index": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:show": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:create": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:discoverable": "@"
+#
+"os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:delete": "rule:admin_or_owner"
+#
+"os_compute_api:server-metadata:update": "rule:admin_or_owner"
+#
+"os_compute_api:os-server-password": "rule:admin_or_owner"
+#
+"os_compute_api:os-server-password:discoverable": "@"
+#
+"os_compute_api:os-server-tags:delete_all": "@"
+#
+"os_compute_api:os-server-tags:index": "@"
+#
+"os_compute_api:os-server-tags:update_all": "@"
+#
+"os_compute_api:os-server-tags:delete": "@"
+#
+"os_compute_api:os-server-tags:update": "@"
+#
+"os_compute_api:os-server-tags:show": "@"
+#
+"os_compute_api:os-server-tags:discoverable": "@"
+#
+"os_compute_api:os-server-usage": "rule:admin_or_owner"
+#
+"os_compute_api:os-server-usage:discoverable": "@"
+#
+"os_compute_api:servers:index": "rule:admin_or_owner"
+#
+"os_compute_api:servers:detail": "rule:admin_or_owner"
+#
+"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
+#
+"os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
+#
+"os_compute_api:servers:show": "rule:admin_or_owner"
+#
+"os_compute_api:servers:show:host_status": "rule:admin_api"
+#
+"os_compute_api:servers:create": "rule:admin_or_owner"
+#
+"os_compute_api:servers:create:forced_host": "rule:admin_api"
+#
+"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
+#
+"os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
+#
+"os_compute_api:servers:delete": "rule:admin_or_owner"
+#
+"os_compute_api:servers:update": "rule:admin_or_owner"
+#
+"os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
+#
+"os_compute_api:servers:revert_resize": "rule:admin_or_owner"
+#
+"os_compute_api:servers:reboot": "rule:admin_or_owner"
+#
+"os_compute_api:servers:resize": "rule:admin_or_owner"
+#
+"os_compute_api:servers:rebuild": "rule:admin_or_owner"
+#
+"os_compute_api:servers:create_image": "rule:admin_or_owner"
+#
+"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
+#
+"os_compute_api:servers:start": "rule:admin_or_owner"
+#
+"os_compute_api:servers:stop": "rule:admin_or_owner"
+#
+"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
+#
+"os_compute_api:servers:discoverable": "@"
+#
+"os_compute_api:servers:migrations:show": "rule:admin_api"
+#
+"os_compute_api:servers:migrations:force_complete": "rule:admin_api"
+#
+"os_compute_api:servers:migrations:delete": "rule:admin_api"
+#
+"os_compute_api:servers:migrations:index": "rule:admin_api"
+#
+"os_compute_api:server-migrations:discoverable": "@"
+#
+"os_compute_api:os-services": "rule:admin_api"
+#
+"os_compute_api:os-services:discoverable": "@"
+#
+"os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
+#
+"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
+#
+"os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
+#
+"os_compute_api:os-shelve:discoverable": "@"
+#
+"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
+#
+"os_compute_api:os-simple-tenant-usage:discoverable": "@"
+#
+"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
+#
+"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
+#
+"os_compute_api:os-suspend-server:discoverable": "@"
+#
+"os_compute_api:os-tenant-networks": "rule:admin_or_owner"
+#
+"os_compute_api:os-tenant-networks:discoverable": "@"
+#
+"os_compute_api:os-used-limits:discoverable": "@"
+#
+"os_compute_api:os-used-limits": "rule:admin_api"
+#
+"os_compute_api:os-user-data:discoverable": "@"
+#
+"os_compute_api:versions:discoverable": "@"
+#
+"os_compute_api:os-virtual-interfaces:discoverable": "@"
+#
+"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
+#
+"os_compute_api:os-volumes:discoverable": "@"
+#
+"os_compute_api:os-volumes": "rule:admin_or_owner"
+#
+"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
+#
+"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
+#
+"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
+#
+"os_compute_api:os-volumes-attachments:discoverable": "@"
+#
+"os_compute_api:os-volumes-attachments:update": "rule:admin_api"
+#
+"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
--- a/nova/templates/secret-keystone-user.env.yaml
+++ b/nova/templates/secret-keystone-user.env.yaml
@ -21,14 +21,14 @@ data:
  OS_AUTH_URL: |
 {{ tuple "identity" "internal" "api" . | include "helm-toolkit.keystone_endpoint_uri_lookup" | b64enc | indent 4 }}
  OS_REGION_NAME: |
-{{ .Values.keystone.nova_region_name  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.region_name | b64enc | indent 4 }}
  OS_PROJECT_DOMAIN_NAME: |
-{{ .Values.keystone.nova_project_domain  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_domain_name | b64enc | indent 4 }}
  OS_PROJECT_NAME: |
-{{ .Values.keystone.nova_project_name  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.project_name | b64enc | indent 4 }}
  OS_USER_DOMAIN_NAME: |
-{{ .Values.keystone.nova_user_domain  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.user_domain_name | b64enc | indent 4 }}
  OS_USERNAME: |
-{{ .Values.keystone.nova_user  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.username | b64enc | indent 4 }}
  OS_PASSWORD: |
-{{ .Values.keystone.nova_password  | b64enc | indent 4 }}
+{{ .Values.conf.nova.keystone_authtoken.keystonemiddleware.auth_token.password  | b64enc | indent 4 }}
--- a/nova/templates/service-osapi.yaml
+++ b/nova/templates/service-osapi.yaml
@ -21,13 +21,13 @@ metadata:
  name: nova-api
 spec:
  ports:
-  - name: nova-osapi
+  - name: nova-api-osapi
    port: {{ .Values.network.osapi.port }}
    {{ if .Values.network.osapi.node_port.enabled }}
-      nodePort: {{ .Values.network.osapi.node_port.port }}
+    nodePort: {{ .Values.network.osapi.node_port.port }}
    {{ end }}
  selector:
-    app: nova-osapi
+    app: nova-api-osapi
  {{ if .Values.network.osapi.node_port.enabled }}
  type: NodePort
  {{ end }}
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -86,11 +86,6 @@ bootstrap:
        vcpus: 1

 network:
-  ip_address: "0.0.0.0"
-  # TODO(DTadrzak): move external IPs to common, this variable should be shared with
-  # horizon service
-  external_ips: ""
-  minion_interface_name: "eno1"
  dns:
    servers:
      - "10.96.0.10"
@ -113,25 +108,6 @@ network:
    name: "nova-novncproxy"
    port: 6080

-nova:
-  default:
-    debug: false
-    osapi_workers: 8
-    metadata_workers: 8
-    conductor_workers: 8
-    force_config_drive: True
-
-database:
-  address: "mariadb"
-  port: 3306
-  root_user: "root"
-  root_password: "password"
-
-  nova_user: "nova"
-  nova_password: "password"
-  nova_database_name: "nova"
-  nova_api_database_name: "nova_api"
-
 keystone:
  admin_user: "admin"
  admin_user_domain: "default"
@ -139,28 +115,8 @@ keystone:
  admin_project_name: "admin"
  admin_project_domain: "default"
  admin_region_name: "RegionOne"
-
-  neutron_user: "neutron"
-  neutron_user_domain: "default"
-  neutron_user_role: "admin"
-  neutron_password: "password"
-  neutron_project_name: "service"
-  neutron_project_domain: "default"
-  neutron_region_name: "RegionOne"
-
-  nova_user: "nova"
-  nova_user_domain: "default"
  nova_user_role: "admin"
-  nova_password: "password"
-  nova_project_name: "service"
-  nova_project_domain: "default"
-  nova_region_name: "RegionOne"

-rabbitmq:
-  address: "rabbitmq"
-  admin_user: "rabbitmq"
-  admin_password: "password"
-  port: 5672

 ceph:
  enabled: false
@ -170,12 +126,8 @@ ceph:
  nova_pool: "vms"
  secret_uuid: ""

-neutron:
-  metadata_secret: "password"
-
-memcached:
-  host: memcached
-  port: 11211
+libvirt:
+  listen_addr: 0.0.0.0

 dependencies:
  api:
@ -240,10 +192,198 @@ dependencies:
    service:
    - mariadb

+mounts:
+  nova_compute:
+    init_container: null
+    nova_compute:
+  nova_libvirt:
+    init_container: null
+    nova_libvirt:
+  nova_api_metadata:
+    init_container: null
+    nova_api_metadata:
+  nova_api_osapi:
+    init_container: null
+    nova_api_osapi:
+  nova_consoleauth:
+    init_container: null
+    nova_consoleauth:
+  nova_conductor:
+    init_container: null
+    nova_conductor:
+  nova_scheduler:
+    init_container: null
+    nova_scheduler:
+
+conf:
+  paste:
+    override:
+    append:
+  policy:
+    override:
+    append:
+  nova:
+    override:
+    append:
+    default:
+      nova:
+        conf:
+          default_ephemeral_format: ext4
+          ram_allocation_ratio: 1.0
+          disk_allocation_ratio: 1.0
+          cpu_allocation_ratio: 3.0
+          force_config_drive: true
+          state_path: /var/lib/nova
+          osapi_compute_listen: 0.0.0.0
+          osapi_compute_listen_port: 8774
+          osapi_compute_workers: 1
+          metadata_workers: 1
+          use_neutron: true
+          firewall_driver: nova.virt.firewall.NoopFirewallDriver
+          linuxnet_interface_driver: openvswitch
+          allow_resize_to_same_host: true
+          compute_driver: libvirt.LibvirtDriver
+          my_ip: 0.0.0.0
+    vnc:
+      nova:
+        conf:
+          novncproxy_host: 0.0.0.0
+          novncproxy_port: 6080
+          vncserver_listen: 0.0.0.0
+          vncserver_proxyclient_address: 0.0.0.0
+          # FIXME(ALANMEADOWS)
+          novncproxy_base_url: http://0.0.0.0:6080/no_vnc.html 
+    conductor:
+      nova:
+        conf:
+          workers: 1
+    oslo_policy:
+      oslo:
+        policy:
+          policy_file: policy.yaml
+    oslo_concurrency:
+      oslo:
+        concurrency:
+          lock_path: /var/lib/nova/tmp
+    glance:
+      nova:
+        conf:
+          num_retries: 3
+    cinder:
+      nova:
+        conf:
+          catalog_info: volumev2:cinderv2:internalURL
+    neutron:
+      nova:
+        conf:
+          metadata_proxy_shared_secret: "password"
+          service_metadata_proxy: True
+          auth_type: password
+          auth_version: v3
+          region_name: RegionOne
+          domain_name: default
+          project_name: service
+          project_domain_name: default
+          user_domain_name: default
+          username: neutron
+          password: password          
+    database:
+      oslo:
+        db:
+          max_retries: -1
+    api_database:
+      oslo:
+        db:
+          max_retries: -1   
+    keystone_authtoken:
+      keystonemiddleware:
+        auth_token:
+          auth_type: password
+          auth_version: v3
+          region_name: RegionOne
+          project_name: service
+          project_domain_name: default
+          user_domain_name: default
+          username: nova
+          password: password
+        
+    libvirt:
+      nova:
+        conf:
+          connecton_uri: qemu+tcp://127.0.0.1/system
+          images_type: qcow2
+          images_rbd_pool: vms
+          images_rbd_ceph_conf: /etc/ceph/ceph.conf
+          rbd_user: cinder
+          rbd_secret_uuid: null
+          disk_cachemodes: "network=writeback"
+          hw_disk_discard: unmap
+    upgrade_levels:
+      nova:
+        conf:
+          compute: auto
+    cache:
+      nova:
+        conf:
+          enabled: true
+          backend: oslo_cache.memcache_pool
+    wsgi:
+      nova:
+        conf:
+          api_paste_config: /etc/nova/api-paste.ini
+
+
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
+  oslo_db:
+    auth:
+      admin:
+        username: root
+        password: password
+      user:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    path: /nova
+    scheme: mysql+pymysql
+    port:
+      mysql: 3306
+  oslo_db_api:
+    auth:
+      admin:
+        username: root
+        password: password
+      user:
+        username: nova
+        password: password
+    hosts:
+      default: mariadb
+    path: /nova_api
+    scheme: mysql+pymysql
+    port:
+      mysql: 3306   
+  oslo_messaging:
+    auth:
+      admin:
+        username: admin
+        password: password
+      user:
+        username: rabbitmq
+        password: password
+    hosts:
+      default: rabbitmq
+    path: /
+    scheme: rabbit
+    port:
+      amqp: 5672  
+  oslo_cache:
+    hosts:
+      default: memcache
+    port:
+      memcache: 11211  
  compute:
    name: nova
    hosts:
@ -281,6 +421,7 @@ endpoints:
    port:
      api: 9696

+
 resources:
  enabled: false
  nova_compute: