feat(tls): Make openstack services compatible with mariadb with TLS
Depends-on: https://review.opendev.org/#/c/741037/ Change-Id: I21f4ede3bd18c0af8da1eba60cd0b7b932a31410
This commit is contained in:
sgupta
parent
61a61d9de1
commit
702c17eb78
@ -50,7 +50,12 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.cinder.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.cinder.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.cinder.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.cinder.DEFAULT.transport_url -}}
|
||||
|
||||
@ -78,6 +78,7 @@ spec:
|
||||
mountPath: /tmp/volume-usage-audit.sh
|
||||
subPath: volume-usage-audit.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -92,5 +93,6 @@ spec:
|
||||
configMap:
|
||||
name: cinder-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -207,6 +207,7 @@ spec:
|
||||
mountPath: /etc/cinder/rootwrap.d/volume.filters
|
||||
subPath: volume.filters
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -248,5 +249,6 @@ spec:
|
||||
- name: cinder-coordination
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -104,6 +104,7 @@ spec:
|
||||
- name: cinder-coordination
|
||||
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -122,5 +123,6 @@ spec:
|
||||
- name: cinder-coordination
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -211,6 +211,7 @@ spec:
|
||||
mountPath: /usr/local/sbin/iscsiadm
|
||||
subPath: iscsiadm
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -257,6 +258,7 @@ spec:
|
||||
- name: usrlocalsbin
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -1378,6 +1378,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
cinder:
|
||||
username: cinder
|
||||
password: password
|
||||
|
||||
@ -81,10 +81,20 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.glance.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.glance.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.glance_registry.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.glance_registry.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance_registry.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.glance_registry.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.glance.DEFAULT.transport_url -}}
|
||||
|
||||
@ -218,6 +218,7 @@ spec:
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -252,6 +253,7 @@ spec:
|
||||
secret:
|
||||
secretName: {{ .Values.secrets.rbd | quote }}
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,5 +16,8 @@ limitations under the License.
|
||||
{{- $serviceName := "glance" -}}
|
||||
{{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbToDrop" $dbToDrop -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,5 +16,8 @@ limitations under the License.
|
||||
{{- $serviceName := "glance" -}}
|
||||
{{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -15,6 +15,8 @@ limitations under the License.
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}}
|
||||
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -71,6 +71,7 @@ spec:
|
||||
subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -84,4 +85,5 @@ spec:
|
||||
secret:
|
||||
secretName: glance-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@ -672,6 +672,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
glance:
|
||||
username: glance
|
||||
password: password
|
||||
|
||||
@ -73,7 +73,12 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.heat.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.heat.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "heat" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.heat.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
|
||||
|
||||
@ -83,6 +83,7 @@ spec:
|
||||
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||
{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -93,6 +94,7 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
- name: heat-bin
|
||||
configMap:
|
||||
name: heat-bin
|
||||
|
||||
@ -99,6 +99,7 @@ spec:
|
||||
mountPath: /etc/heat/policy.json
|
||||
subPath: policy.json
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -114,6 +115,7 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "heat" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -938,6 +938,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
heat:
|
||||
username: heat
|
||||
password: password
|
||||
|
||||
@ -15,5 +15,8 @@ limitations under the License.
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -15,5 +15,8 @@ limitations under the License.
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -60,6 +60,7 @@ spec:
|
||||
mountPath: /tmp/manage.py
|
||||
subPath: manage.py
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }}
|
||||
{{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
|
||||
volumes:
|
||||
- name: horizon-etc
|
||||
@ -70,5 +71,6 @@ spec:
|
||||
configMap:
|
||||
name: horizon-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }}
|
||||
{{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,6 +16,7 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "horizon" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
|
||||
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@ -23,6 +24,10 @@ metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -367,6 +367,15 @@ conf:
|
||||
'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
|
||||
'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
|
||||
'default-character-set': 'utf8',
|
||||
{{- if .Values.manifests.certificates }}
|
||||
'OPTIONS':{
|
||||
'ssl': {
|
||||
'ca': '/etc/mysql/certs/ca.crt',
|
||||
'cert': '/etc/mysql/certs/tls.crt',
|
||||
'key': '/etc/mysql/certs/tls.key'
|
||||
}
|
||||
},
|
||||
{{- end }}
|
||||
'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
|
||||
}
|
||||
}
|
||||
@ -2213,6 +2222,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
horizon:
|
||||
username: horizon
|
||||
password: password
|
||||
|
||||
@ -51,6 +51,11 @@ else:
|
||||
logger.critical('environment variable ROOT_DB_CONNECTION not set')
|
||||
sys.exit(1)
|
||||
|
||||
mysql_x509 = os.getenv('MARIADB_X509', "")
|
||||
ssl_args = {}
|
||||
if mysql_x509:
|
||||
ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', 'key': '/etc/mysql/certs/tls.key', 'cert': '/etc/mysql/certs/tls.crt'}}
|
||||
|
||||
# Get the connection string for the service db
|
||||
if "OPENSTACK_CONFIG_FILE" in os.environ:
|
||||
os_conf = os.environ['OPENSTACK_CONFIG_FILE']
|
||||
@ -91,7 +96,7 @@ try:
|
||||
host = root_engine_full.url.host
|
||||
port = root_engine_full.url.port
|
||||
root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
|
||||
root_engine = create_engine(root_engine_url)
|
||||
root_engine = create_engine(root_engine_url, connect_args=ssl_args)
|
||||
connection = root_engine.connect()
|
||||
connection.close()
|
||||
logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
|
||||
@ -102,7 +107,7 @@ except:
|
||||
|
||||
# User DB engine
|
||||
try:
|
||||
user_engine = create_engine(user_db_conn)
|
||||
user_engine = create_engine(user_db_conn, connect_args=ssl_args)
|
||||
# Get our user data out of the user_engine
|
||||
database = user_engine.url.database
|
||||
user = user_engine.url.username
|
||||
|
||||
@ -16,7 +16,12 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- if empty .Values.conf.keystone.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.keystone.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.keystone.DEFAULT.transport_url -}}
|
||||
|
||||
@ -147,6 +147,7 @@ spec:
|
||||
{{- end }}
|
||||
- name: keystone-credential-keys
|
||||
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -181,6 +182,7 @@ spec:
|
||||
- name: keystone-credential-keys
|
||||
secret:
|
||||
secretName: keystone-credential-keys
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -67,6 +67,10 @@ spec:
|
||||
value: {{ $dbToClean.configDbSection | quote }}
|
||||
- name: OPENSTACK_CONFIG_DB_KEY
|
||||
value: {{ $dbToClean.configDbKey | quote }}
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
command:
|
||||
- python
|
||||
@ -89,6 +93,9 @@ spec:
|
||||
mountPath: {{ $dbToClean.logConfigFile | quote }}
|
||||
subPath: {{ base $dbToClean.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -97,6 +104,9 @@ spec:
|
||||
configMap:
|
||||
name: "keystone-bin"
|
||||
defaultMode: 0555
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
{{- $dbToCleanType := default "oslo" $dbToClean.inputType }}
|
||||
{{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "keystone" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -42,6 +42,7 @@ volumeMounts:
|
||||
- name: keystone-fernet-keys
|
||||
mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "keystone.templates._job_db_sync.pod_vols" -}}
|
||||
@ -50,6 +51,7 @@ volumes:
|
||||
- name: keystone-fernet-keys
|
||||
secret:
|
||||
secretName: keystone-fernet-keys
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
|
||||
@ -1159,6 +1159,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
keystone:
|
||||
username: keystone
|
||||
password: password
|
||||
|
||||
@ -52,7 +52,12 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty $envAll.Values.conf.neutron.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set $envAll.Values.conf.neutron.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.neutron.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
||||
{{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}}
|
||||
|
||||
@ -226,6 +226,7 @@ spec:
|
||||
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
|
||||
subPath: ml2_conf.ini
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
@ -249,6 +250,7 @@ spec:
|
||||
- name: neutron-plugin-shared
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -15,5 +15,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -14,5 +14,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -2216,6 +2216,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
neutron:
|
||||
username: neutron
|
||||
password: password
|
||||
|
||||
@ -77,15 +77,30 @@ limitations under the License.
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.nova.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.nova.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.nova.api_database.connection -}}
|
||||
{{- $_ := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.api_database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.nova.api_database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.nova.cell0_database.connection -}}
|
||||
{{- $_ := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.nova.cell0_database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.nova.DEFAULT.transport_url -}}
|
||||
|
||||
@ -126,6 +126,7 @@ spec:
|
||||
subPath: mpm_event.conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -145,6 +146,7 @@ spec:
|
||||
secret:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -120,6 +120,7 @@ spec:
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -133,5 +134,6 @@ spec:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -115,6 +115,7 @@ spec:
|
||||
mountPath: /etc/nova/policy.yaml
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -127,5 +128,6 @@ spec:
|
||||
secret:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -139,6 +139,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: pod-shared
|
||||
mountPath: /tmp/pod-shared
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -156,6 +157,7 @@ spec:
|
||||
emptyDir: {}
|
||||
- name: pod-shared
|
||||
emptyDir: {}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -119,6 +119,7 @@ spec:
|
||||
mountPath: /etc/nova/policy.yaml
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -132,6 +133,7 @@ spec:
|
||||
secret:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
||||
@ -84,6 +84,7 @@ spec:
|
||||
mountPath: /etc/nova/policy.yaml
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -97,5 +98,6 @@ spec:
|
||||
configMap:
|
||||
name: nova-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@ -19,5 +19,8 @@ limitations under the License.
|
||||
{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
|
||||
{{- $dbsToDrop := list $dbSvc $dbApi $dbCell }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -19,5 +19,8 @@ limitations under the License.
|
||||
{{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
|
||||
{{- $dbsToInit := list $dbSvc $dbApi $dbCell }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -30,5 +30,8 @@ env:
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,6 +16,7 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "nova" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db_api $userClass }}
|
||||
{{- $connection := tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@ -23,6 +24,10 @@ metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db_api" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,6 +16,7 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "nova" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
|
||||
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@ -23,6 +24,10 @@ metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -1897,6 +1897,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
nova:
|
||||
username: nova
|
||||
password: password
|
||||
|
||||
@ -90,7 +90,14 @@ function mysql_command() {
|
||||
command="mysql --skip-column-names"
|
||||
fi
|
||||
|
||||
$command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
|
||||
if [ ! -z "$MARIADB_X509" ]; then
|
||||
local ca=/etc/mysql/certs/ca.crt
|
||||
local cert=/etc/mysql/certs/tls.crt
|
||||
local key=/etc/mysql/certs/tls.key
|
||||
$command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
|
||||
else
|
||||
$command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
|
||||
fi
|
||||
}
|
||||
|
||||
function show_error() {
|
||||
|
||||
@ -18,7 +18,12 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- if empty .Values.conf.placement.placement_database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | set .Values.conf.placement.placement_database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}}
|
||||
|
||||
@ -17,5 +17,8 @@ limitations under the License.
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $serviceName := "placement" -}}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -19,5 +19,8 @@ limitations under the License.
|
||||
{{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}}
|
||||
{{- $dbsToInit := list $dbApi }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
||||
@ -58,6 +58,10 @@ spec:
|
||||
value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
|
||||
- name: PLACEMENT_DB_HOST
|
||||
value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
@ -74,6 +78,7 @@ spec:
|
||||
subPath: placement.conf
|
||||
readOnly: true
|
||||
{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -85,5 +90,6 @@ spec:
|
||||
secret:
|
||||
secretName: placement-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@ -16,5 +16,8 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "placement" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
||||
@ -18,6 +18,7 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "placement" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
|
||||
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
@ -25,6 +26,10 @@ metadata:
|
||||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@ -232,6 +232,9 @@ endpoints:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
placement:
|
||||
username: placement
|
||||
password: password
|
||||
|
||||
Loading…
Reference in New Issue
Block a user