diff --git a/barbican/values.yaml b/barbican/values.yaml
index c18d193955..8380638086 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -551,6 +551,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 key_manager:
 name: barbican
 hosts:
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index 48804fdaa0..5e7a12e01f 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -1712,6 +1712,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 metering:
 name: ceilometer
 hosts:
diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index 35679253e5..2f5039b8cc 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -456,6 +456,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 object_store:
 name: swift
 namespace: null
diff --git a/cinder/values.yaml b/cinder/values.yaml
index d5a27b0c2d..4d9fbc176a 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -1075,6 +1075,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 image:
 name: glance
 hosts:
diff --git a/congress/values.yaml b/congress/values.yaml
index c07bc0f138..8266293968 100644
--- a/congress/values.yaml
+++ b/congress/values.yaml
@@ -250,6 +250,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 policy:
 name: congress
 hosts:
diff --git a/glance/values.yaml b/glance/values.yaml
index b1840f1142..8066a912f8 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -580,6 +580,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 image:
 name: glance
 hosts:
diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml
index 82117a2ac7..98b38098ee 100644
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@@ -491,6 +491,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 metric:
 name: gnocchi
 hosts:
diff --git a/heat/values.yaml b/heat/values.yaml
index d5e15f3216..ba26b0e326 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -817,6 +817,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 orchestration:
 name: heat
 hosts:
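Review bot: The added `internal: 5000` in barbican/values.yaml carries no comment, and the same bare line recurs in the other consumer charts on this page (ceilometer through tempest); only keystone/values.yaml explains why the port changed. Each chart now holds its own copy of what looks like keystone's listen port, so a deployer who overrides it in the keystone chart has to override every copy as well. A one-line comment on each copy, for example `# must match the internal port set in the keystone chart`, would make that coupling visible. The horizon hunk also removes `admin: 35357`, so the admin port there presumably falls back to `default: 80`; it is worth confirming that is intended. The enclosing endpoint mapping starts outside these hunks.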
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 4354b97fc3..16af9a0af5 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -2010,7 +2010,7 @@ endpoints:
 port:
 api:
 default: 80
- admin: 35357
+ internal: 5000
 oslo_cache:
 hosts:
 default: memcached
diff --git a/ironic/values.yaml b/ironic/values.yaml
index 44107e97a9..2a27e3e10e 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -405,6 +405,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 baremetal:
 name: ironic
 hosts:
diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
index 56359ea8ca..b837f5180c 100644
--- a/keystone/templates/configmap-etc.yaml
+++ b/keystone/templates/configmap-etc.yaml
@@ -61,6 +61,7 @@ data:
 {{- tuple .Values.conf.mpm_event "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 wsgi-keystone.conf: |
 {{- tuple .Values.conf.wsgi_keystone "etc/_wsgi-keystone.conf.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
+ ports.conf: ""
 sso_callback_template.html: |
 {{- tuple .Values.conf.sso_callback_template "etc/_sso_callback_template.html.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 {{- range $k, $v := .Values.conf.ks_domains }}
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index beb6d11ccb..cff41c61c8 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -55,6 +55,8 @@ spec:
 - name: keystone-api
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ runAsUser: {{ .Values.pod.user.keystone.uid }}
 command:
 - /tmp/keystone-api.sh
 - start
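Review bot: The new `ports.conf: ""` entry in configmap-etc.yaml ships an empty Apache ports file with no comment saying why it is empty or where the `Listen` directive now lives. The deployment mounts it read-only over `/etc/apache2/ports.conf`, which presumably removes the image's default listener on a privileged port; the wsgi-keystone template that would then have to declare the listener is not visible here. A template comment above the entry would record the intent, for example `{{/* ports.conf is intentionally empty: the listener is declared in wsgi-keystone.conf */}}`, to be confirmed against that template.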
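Review bot: The `securityContext` added to the keystone-api container in deployment-api.yaml sets only `runAsUser`, so the non-root guarantee rests entirely on the value of `.Values.pod.user.keystone.uid`. An override of `uid: 0` would run Keystone as root without any error, and an unset value would render an empty `runAsUser`. Adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` next to `runAsUser` makes the kubelet reject a root uid and blocks setuid escalation inside the container. The container spec continues outside the hunk.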
@@ -78,12 +80,20 @@ spec:
 volumeMounts:
 - name: etckeystone
 mountPath: /etc/keystone
+ - name: logs-apache
+ mountPath: /var/log/apache2
+ - name: run-apache
+ mountPath: /var/run/apache2
 - name: wsgi-keystone
 mountPath: /var/www/cgi-bin/keystone
 - name: keystone-etc
 mountPath: /etc/keystone/keystone.conf
 subPath: keystone.conf
 readOnly: true
+ - name: keystone-etc
+ mountPath: /etc/apache2/ports.conf
+ subPath: ports.conf
+ readOnly: true
 - name: keystone-etc
 mountPath: {{ .Values.conf.keystone.DEFAULT.log_config_append }}
 subPath: {{ base .Values.conf.keystone.DEFAULT.log_config_append }}
@@ -130,6 +140,10 @@ spec:
 emptyDir: {}
 - name: wsgi-keystone
 emptyDir: {}
+ - name: logs-apache
+ emptyDir: {}
+ - name: run-apache
+ emptyDir: {}
 - name: keystone-etc
 configMap:
 name: keystone-etc
diff --git a/keystone/values.yaml b/keystone/values.yaml
index dfa0c7cc5c..2c7c5109b1 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -161,6 +161,9 @@ dependencies:
 service: local_image_registry
 
 pod:
+ user:
+ keystone:
+ uid: 42424
 affinity:
 anti:
 type:
@@ -926,6 +929,9 @@ endpoints:
 port:
 api:
 default: 80
+ # NOTE(portdirect): to retain portability accross images, and allow
+ # running under a unprivileged user simply, we default to a port > 1000.
+ internal: 5000
 oslo_db:
 namespace: null
 auth:
diff --git a/magnum/values.yaml b/magnum/values.yaml
index e42413f38c..ac66da5555 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -363,6 +363,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 container_infra:
 name: magnum
 hosts:
diff --git a/mistral/values.yaml b/mistral/values.yaml
index 42c68b2ecb..3d135ba232 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -247,6 +247,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 workflowv2:
 name: mistral
 hosts:
diff --git a/neutron/values.yaml b/neutron/values.yaml
index ae36c5c0a6..e45226428d 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
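Review bot: The `logs-apache` volume added in the deployment-api.yaml volumes hunk is a plain `emptyDir: {}`, and the preceding hunk mounts it at `/var/log/apache2`, so whatever Apache writes there is deleted with the pod. For the identity service those access and error logs are the record an investigator needs after an authentication incident. Unless the wsgi-keystone config, which is not visible here, already sends logs to stdout/stderr, they never reach the container log stream; either route them there or collect the directory with a log shipper. The volume also has no `sizeLimit`, so unrotated logs can grow until the node's ephemeral storage is exhausted.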
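Review bot: The new default `uid: 42424` under `pod.user.keystone` in keystone/values.yaml has no comment saying which image it belongs to, while the ocata and pike kolla overrides on this page use 42425 and cite kolla's config.py. If the uid does not match the owner of the files in the image, the container will probably fail on its first write, and the cause will not be obvious from the values file. A short comment above the value, such as `# uid of the keystone user in the default image; override together with images.tags`, would document the coupling; the exact wording depends on the default image, which the hunk does not show.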
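Review bot: The comment added above `internal: 5000` in keystone/values.yaml gives the threshold as `a port > 1000`, but the privileged range that an unprivileged process cannot bind runs up to 1023. A reader following the comment literally could pick a port such as 1010 and still fail to start Apache under the new `runAsUser`. Suggested wording: `# NOTE(portdirect): to retain portability across images, and to allow running as an unprivileged user, we default to an unprivileged port (>= 1024).`, which also fixes the "accross" typo.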
@@ -1781,6 +1781,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 network:
 name: neutron
 hosts:
diff --git a/nova/values.yaml b/nova/values.yaml
index 3cc3a8edd9..efb187df8f 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1791,6 +1791,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 image:
 name: glance
 hosts:
diff --git a/rally/values.yaml b/rally/values.yaml
index b20abf273f..57b152fd54 100644
--- a/rally/values.yaml
+++ b/rally/values.yaml
@@ -260,6 +260,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 benchmark:
 name: rally
 hosts:
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 9a1856ca39..0d0aeaa178 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -412,6 +412,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 clustering:
 name: senlin
 hosts:
diff --git a/tempest/values.yaml b/tempest/values.yaml
index 57b387b8eb..3dcd83a4ca 100644
--- a/tempest/values.yaml
+++ b/tempest/values.yaml
@@ -255,6 +255,7 @@ endpoints:
 port:
 api:
 default: 80
+ internal: 5000
 
 manifests:
 configmap_bin: true
diff --git a/tools/overrides/releases/newton/kolla.yaml b/tools/overrides/releases/newton/kolla.yaml
index ae64444ead..25185ad650 100644
--- a/tools/overrides/releases/newton/kolla.yaml
+++ b/tools/overrides/releases/newton/kolla.yaml
@@ -87,6 +87,8 @@ images:
 test: 'docker.io/kolla/ubuntu-source-rally:4.0.0'
 pod:
 user:
+ keystone:
+ uid: 1000
 barbican:
 uid: 1000
 cinder:
diff --git a/tools/overrides/releases/ocata/kolla.yaml b/tools/overrides/releases/ocata/kolla.yaml
index 73c1ce25de..1e643e1587 100644
--- a/tools/overrides/releases/ocata/kolla.yaml
+++ b/tools/overrides/releases/ocata/kolla.yaml
@@ -85,6 +85,8 @@ images:
 pod:
 #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
 user:
+ keystone:
+ uid: 42425
 barbican:
 uid: 42403
 cinder:
diff --git a/tools/overrides/releases/pike/kolla.yaml b/tools/overrides/releases/pike/kolla.yaml
index 6a559b0dff..b628f75299 100644
--- a/tools/overrides/releases/pike/kolla.yaml
+++ b/tools/overrides/releases/pike/kolla.yaml
@@ -85,6 +85,8 @@ images:
 pod:
 #NOTE(portdirect): see https://github.com/openstack/kolla/blob/f62f5ae2fa5e7808722f9b37b48a50b39c20b46d/kolla/common/config.py#L695-L998
 user:
+ keystone:
+ uid: 42425
 barbican:
 uid: 42403
 cinder: