feat(tls): add tls support to openstack services

This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2020-06-03 12:40:40 -05:00
parent 6027ac0c0c
commit 918a307427
125 changed files with 2307 additions and 65 deletions

View File

@ -18,12 +18,52 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in cinder-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec cinder-api \ exec cinder-api \
--config-file /etc/cinder/cinder.conf --config-file /etc/cinder/cinder.conf
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -117,6 +117,10 @@ data:
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }} backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }} cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}

View File

@ -100,6 +100,8 @@ spec:
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
- name: wsgi-cinder
mountPath: /var/www/cgi-bin/cinder
- name: cinder-bin - name: cinder-bin
mountPath: /tmp/cinder-api.sh mountPath: /tmp/cinder-api.sh
subPath: cinder-api.sh subPath: cinder-api.sh
@ -130,14 +132,33 @@ spec:
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }} mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
subPath: resource_filters.json subPath: resource_filters.json
readOnly: true readOnly: true
{{- if .Values.conf.security }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
subPath: security.conf
readOnly: true
{{- end }}
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }} {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: cinder-coordination - name: cinder-coordination
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{- end }} {{- end }}
{{- if .Values.manifests.certificates }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
subPath: wsgi-cinder.conf
readOnly: true
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: wsgi-cinder
emptyDir: {}
- name: cinder-bin - name: cinder-bin
configMap: configMap:
name: cinder-bin name: cinder-bin
@ -152,5 +173,6 @@ spec:
- name: cinder-coordination - name: cinder-coordination
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -111,19 +111,18 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
- name: INTERNAL_PROJECT_NAME - name: INTERNAL_PROJECT_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }} value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
- name: INTERNAL_USER_NAME - name: INTERNAL_USER_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }} value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }} {{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
containers: containers:
- name: cinder-volume - name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -259,5 +258,6 @@ spec:
- name: usrlocalsbin - name: usrlocalsbin
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}} {{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}} {{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }} {{- end }}

View File

@ -54,8 +54,9 @@ spec:
mountPath: /tmp/create-internal-tenant.sh mountPath: /tmp/create-internal-tenant.sh
subPath: create-internal-tenant.sh subPath: create-internal-tenant.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env: env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -82,4 +83,5 @@ spec:
configMap: configMap:
name: {{ $configMapBin | quote }} name: {{ $configMapBin | quote }}
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}} {{- end -}}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }} {{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}} {{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }} {{- end }}

View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh mountPath: /tmp/ks-user.sh
subPath: ks-user.sh subPath: ks-user.sh
readOnly: true readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true readOnly: true
- name: rally-db - name: rally-db
mountPath: /var/lib/rally mountPath: /var/lib/rally
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
- name: rally-db - name: rally-db
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }} {{- end }}

View File

@ -1196,7 +1196,7 @@ secrets:
volume: volume:
api: api:
public: cinder-tls-public public: cinder-tls-public
internal: cinder-tls-api
# We use a different layout of the endpoints here to account for versioning # We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other # this swaps the service name and type, and should be rolled out to other
# services. # services.
@ -1449,6 +1449,7 @@ network_policy:
- {} - {}
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
cron_volume_usage_audit: true cron_volume_usage_audit: true

View File

@ -0,0 +1,136 @@
---
pod:
security_context:
cinder_api:
container:
cinder_api:
runAsUser: 0
readOnlyRootFilesystem: false
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_cinder: |
{{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess cinder-api processes=1 threads=1 user=cinder display-name=%{GROUP}
WSGIProcessGroup cinder-api
WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/cinder/certs/tls.crt
SSLCertificateKeyFile /etc/cinder/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
cinder:
keystone_authtoken:
cafile: /etc/cinder/certs/ca.crt
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
cinder:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
scheme:
default: https
port:
api:
public: 443
image_registry:
scheme:
default: https
port:
api:
public: 443
volume:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev2:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev3:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,17 @@
#!/bin/bash
set -xe
COMMAND="${@:-start}"
function start () {
envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
cat /tmp/nginx.conf
nginx -t -c /tmp/nginx.conf
exec nginx -c /tmp/nginx.conf
}
function stop () {
nginx -s stop
}
$COMMAND

View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -61,4 +61,8 @@ data:
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbit-init.sh: | rabbit-init.sh: |
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }} {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
{{- if .Values.manifests.certificates }}
nginx.sh: |
{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- end }} {{- end }}

View File

@ -188,4 +188,5 @@ data:
policy.json: {{ toJson .Values.conf.policy | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
{{- end }} {{- end }}

View File

@ -92,6 +92,45 @@ spec:
readOnly: true readOnly: true
{{ end }} {{ end }}
containers: containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-api - name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -105,6 +144,21 @@ spec:
command: command:
- /tmp/glance-api.sh - /tmp/glance-api.sh
- stop - stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports: ports:
- name: g-api - name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -114,7 +168,7 @@ spec:
livenessProbe: livenessProbe:
tcpSocket: tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30 {{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -164,6 +218,7 @@ spec:
subPath: key subPath: key
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -197,5 +252,6 @@ spec:
secret: secret:
secretName: {{ .Values.secrets.rbd | quote }} secretName: {{ .Values.secrets.rbd | quote }}
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -55,6 +55,45 @@ spec:
initContainers: initContainers:
{{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image_registry" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-registry - name: glance-registry
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -68,6 +107,21 @@ spec:
command: command:
- /tmp/glance-registry.sh - /tmp/glance-registry.sh
- stop - stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports: ports:
- name: g-reg - name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -77,7 +131,7 @@ spec:
livenessProbe: livenessProbe:
tcpSocket: tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30 {{- end }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
mountPath: /tmp mountPath: /tmp
@ -109,6 +163,7 @@ spec:
mountPath: /etc/glance/policy.json mountPath: /etc/glance/policy.json
subPath: policy.json subPath: policy.json
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -123,5 +178,6 @@ spec:
secret: secret:
secretName: glance-etc secretName: glance-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} {{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }} {{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -25,5 +25,8 @@ volumes:
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }} {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}} {{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }} {{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}} {{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }} {{- end }}

View File

@ -569,7 +569,10 @@ secrets:
image: image:
api: api:
public: glance-tls-public public: glance-tls-public
internal: glance-tls-api
image_registry:
api:
internal: glance-tls-reg
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
@ -991,6 +994,7 @@ pod:
cpu: "2000m" cpu: "2000m"
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
deployment_api: true deployment_api: true

View File

@ -0,0 +1,138 @@
---
images:
tags:
nginx: docker.io/nginx:1.18.0
conf:
glance:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
glance_store:
https_ca_certificates_file: /etc/glance/certs/ca.crt
glance_registry:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
nginx: |
worker_processes 1;
daemon off;
user nginx;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65s;
tcp_nodelay on;
log_format main '[nginx] method=$request_method path=$request_uri '
'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
'"$remote_user" "$http_referer" "$http_user_agent"';
access_log /dev/stdout main;
upstream websocket {
server 127.0.0.1:$PORT;
}
server {
server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
listen $POD_IP:$PORT ssl;
client_max_body_size 0;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
location / {
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass http://websocket;
proxy_read_timeout 90;
}
}
}
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
registry:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
endpoints:
identity:
name: keystone
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
glance:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
host_fqdn_override:
default:
tls:
secretName: glance-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
image_registry:
host_fqdn_override:
default:
tls:
secretName: glance-tls-reg
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
dashboard:
scheme:
default: https
public: https
port:
web:
default: 80
public: 443
pod:
security_context:
glance:
pod:
runAsUser: 0
resources:
nginx:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
certificates: true
...

View File

@ -18,12 +18,48 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api \ exec heat-api \
--config-file /etc/heat/heat.conf --config-file /etc/heat/heat.conf
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -18,12 +18,49 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api-cfn; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api-cfn \ exec heat-api-cfn \
--config-file /etc/heat/heat.conf --config-file /etc/heat/heat.conf
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -136,6 +136,11 @@ data:
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }} logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }} policy.json: {{ toJson .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }} {{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }} {{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}

View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp mountPath: /tmp
- name: pod-etc-heat - name: pod-etc-heat
mountPath: /etc/heat mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin - name: heat-bin
mountPath: /tmp/heat-api.sh mountPath: /tmp/heat-api.sh
subPath: heat-api.sh subPath: heat-api.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf subPath: api_audit_map.conf
readOnly: true readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
subPath: wsgi-heat.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: pod-etc-heat - name: pod-etc-heat
emptyDir: {} emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin - name: heat-bin
configMap: configMap:
name: heat-bin name: heat-bin
@ -123,5 +138,6 @@ spec:
secret: secret:
secretName: heat-etc secretName: heat-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp mountPath: /tmp
- name: pod-etc-heat - name: pod-etc-heat
mountPath: /etc/heat mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin - name: heat-bin
mountPath: /tmp/heat-cfn.sh mountPath: /tmp/heat-cfn.sh
subPath: heat-cfn.sh subPath: heat-cfn.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf subPath: api_audit_map.conf
readOnly: true readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
subPath: wsgi-cnf.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
- name: pod-etc-heat - name: pod-etc-heat
emptyDir: {} emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin - name: heat-bin
configMap: configMap:
name: heat-bin name: heat-bin
@ -123,5 +138,6 @@ spec:
secret: secret:
secretName: heat-etc secretName: heat-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -99,6 +99,7 @@ spec:
mountPath: /etc/heat/policy.json mountPath: /etc/heat/policy.json
subPath: policy.json subPath: policy.json
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -113,5 +114,6 @@ spec:
secret: secret:
secretName: heat-etc secretName: heat-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "orchestration" "backendPort" "h-api" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }} {{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -15,5 +15,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}} {{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }} {{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }} {{- end }}

View File

@ -53,8 +53,9 @@ spec:
mountPath: /tmp/ks-domain-user.sh mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh subPath: ks-domain-user.sh
readOnly: true readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env: env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -88,4 +89,5 @@ spec:
configMap: configMap:
name: heat-bin name: heat-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user_trustee }} {{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}} {{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }} {{- end }}

View File

@ -57,9 +57,10 @@ spec:
mountPath: /tmp/trusts.sh mountPath: /tmp/trusts.sh
subPath: trusts.sh subPath: trusts.sh
readOnly: true readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
env: env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
- name: SERVICE_OS_ROLES - name: SERVICE_OS_ROLES
@ -75,4 +76,5 @@ spec:
configMap: configMap:
name: heat-bin name: heat-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }} {{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}

View File

@ -49,8 +49,9 @@ spec:
mountPath: /tmp/ks-user.sh mountPath: /tmp/ks-user.sh
subPath: ks-user.sh subPath: ks-user.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -65,7 +66,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -94,6 +95,7 @@ spec:
subPath: {{ printf "test_template_%d" $key }} subPath: {{ printf "test_template_%d" $key }}
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -108,5 +110,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
- name: rally-db - name: rally-db
emptyDir: {} emptyDir: {}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }} {{- end }}

View File

@ -797,10 +797,11 @@ secrets:
orchestration: orchestration:
api: api:
public: heat-tls-public public: heat-tls-public
internal: heat-tls-api
cloudformation: cloudformation:
cfn: cfn:
public: cloudformation-tls-public public: cloudformation-tls-public
internal: heat-tls-cfn
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
# required by this chart # required by this chart
@ -1262,6 +1263,7 @@ network_policy:
- {} - {}
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
cron_job_engine_cleaner: true cron_job_engine_cleaner: true

View File

@ -0,0 +1,182 @@
---
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_heat: |
{{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
wsgi_cfn: |
{{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
heat:
clients_neutron:
ca_file: /etc/heat/certs/ca.crt
clients_cinder:
ca_file: /etc/heat/certs/ca.crt
clients_glance:
ca_file: /etc/heat/certs/ca.crt
clients_nova:
ca_file: /etc/heat/certs/ca.crt
clients_swift:
ca_file: /etc/heat/certs/ca.crt
ssl:
ca_file: /etc/heat/certs/ca.crt
keystone_authtoken:
cafile: /etc/heat/certs/ca.crt
clients:
ca_file: /etc/heat/certs/ca.crt
clients_heat:
ca_file: /etc/heat/certs/ca.crt
clients_keystone:
ca_file: /etc/heat/certs/ca.crt
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cfn:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cloudwatch:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
heat:
container:
heat_api:
readOnlyRootFilesystem: false
runAsUser: 0
heat_cfn:
readOnlyRootFilesystem: false
runAsUser: 0
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
heat:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_trustee:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_stack_user:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
orchestration:
host_fqdn_override:
default:
tls:
secretName: heat-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
cloudformation:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cfn
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
# Cloudwatch does not get an entry in the keystone service catalog
cloudwatch:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cloudwatch
issuerRef:
name: ca-issuer
kind: Issuer
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -78,14 +78,14 @@ spec:
containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe: readinessProbe:
httpGet: httpGet:
scheme: HTTP scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: / path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 15 initialDelaySeconds: 15
periodSeconds: 10 periodSeconds: 10
livenessProbe: livenessProbe:
httpGet: httpGet:
scheme: HTTP scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: / path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 180 initialDelaySeconds: 180
@ -129,6 +129,7 @@ spec:
subPath: {{ base $policyFile }} subPath: {{ base $policyFile }}
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -145,5 +146,6 @@ spec:
secret: secret:
secretName: horizon-etc secretName: horizon-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }} {{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -183,6 +183,7 @@ conf:
# values will not work # values will not work
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
debug: "False" debug: "False"
use_ssl: "False"
keystone_multidomain_support: "True" keystone_multidomain_support: "True"
keystone_default_domain: Default keystone_default_domain: Default
disable_password_reveal: "True" disable_password_reveal: "True"
@ -266,6 +267,7 @@ conf:
# If Horizon is being served through SSL, then uncomment the following two # If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits # settings to better secure the cookies from security exploits
USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }} CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }} SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
@ -425,8 +427,10 @@ conf:
# Disable SSL certificate checks (useful for self-signed certificates): # Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = True #OPENSTACK_SSL_NO_VERIFY = True
{{- if .Values.manifests.certificates }}
# The CA certificate to use to verify SSL connections # The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
{{- end }}
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone. # capabilities of the auth backend for Keystone.
@ -2133,6 +2137,7 @@ secrets:
dashboard: dashboard:
dashboard: dashboard:
public: horizon-tls-public public: horizon-tls-public
internal: horizon-tls-web
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
@ -2253,6 +2258,7 @@ network_policy:
- {} - {}
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
deployment: true deployment: true

View File

@ -0,0 +1,109 @@
---
network:
dashboard:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
a2enmod:
- headers
- rewrite
- ssl
horizon:
apache: |
<IfVersion < 2.4>
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
</IfVersion>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:80>
ServerName horizon-int.openstack.svc.cluster.local
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Virtualhost>
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName horizon-int.openstack.svc.cluster.local
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup horizon-http
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
WSGIPassAuthorization On
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
RewriteRule .* - [F]
<Location "/">
Require all granted
</Location>
Alias /static /var/www/html/horizon
<Location "/static">
SetHandler static
</Location>
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
TransferLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
ErrorLog /dev/stdout
SSLEngine on
SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt
SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
local_settings:
config:
use_ssl: "True"
csrf_cookie_secure: "True"
enforce_password_check: "True"
session_cookie_secure: "True"
session_cookie_httponly: "True"
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
dashboard:
host_fqdn_override:
default:
tls:
secretName: horizon-tls-web
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
web:
default: 443
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -51,6 +51,10 @@ function start () {
} }
function stop () { function stop () {
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop {{ .Values.conf.software.apache2.binary }} -k graceful-stop
} }

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -14,7 +14,7 @@ limitations under the License.
{{- define "apiProbeTemplate" }} {{- define "apiProbeTemplate" }}
httpGet: httpGet:
scheme: HTTP scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /v3/ path: /v3/
port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }} {{- end }}
@ -147,6 +147,7 @@ spec:
{{- end }} {{- end }}
- name: keystone-credential-keys - name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }} mountPath: {{ .Values.conf.keystone.credential.key_repository }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -180,5 +181,6 @@ spec:
- name: keystone-credential-keys - name: keystone-credential-keys
secret: secret:
secretName: keystone-credential-keys secretName: keystone-credential-keys
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}} {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }} {{- end }}

View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh mountPath: /tmp/ks-user.sh
subPath: ks-user.sh subPath: ks-user.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true readOnly: true
- name: rally-db - name: rally-db
mountPath: /var/lib/rally mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
- name: rally-db - name: rally-db
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }} {{- end }}

View File

@ -1070,6 +1070,7 @@ secrets:
identity: identity:
api: api:
public: keystone-tls-public public: keystone-tls-public
internal: keystone-tls-api
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
@ -1235,6 +1236,7 @@ endpoints:
default: 80 default: 80
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
cron_credential_rotate: true cron_credential_rotate: true

View File

@ -0,0 +1,80 @@
---
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: null
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
keystone:
pod:
runAsUser: 0
container:
keystone_api:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
conf:
software:
apache2:
a2enmod:
- ssl
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
Listen 0.0.0.0:{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/keystone/certs/tls.crt
SSLCertificateKeyFile /etc/keystone/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
host_fqdn_override:
default:
tls:
secretName: keystone-tls-api
issuerRef:
name: ca-issuer
kind: Issuer
scheme:
default: https
public: https
port:
api:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,30 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
COMMAND="${@:-start}"
function start () {
exec neutron-rpc-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
}
function stop () {
kill -TERM 1
}
$COMMAND

View File

@ -18,6 +18,55 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
add_config=""
{{- if .Values.conf.plugins.taas.taas.enabled }}
add_config+='taas_plugin.ini;'
{{- end }}
{{- if ( has "sriov" .Values.network.backend ) }}
add_config+='sriov_agent.ini;'
{{- end }}
{{- if .Values.conf.plugins.l2gateway }}
add_config+='l2gw_plugin.ini;'
{{- end }}
export OS_NEUTRON_CONFIG_FILES=${add_config}
for WSGI_SCRIPT in neutron-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/neutron/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2ensite }}
{{- range .Values.conf.software.apache2.a2ensite }}
a2ensite {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec neutron-server \ exec neutron-server \
--config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/neutron.conf \
{{- if ( has "tungstenfabric" .Values.network.backend ) }} {{- if ( has "tungstenfabric" .Values.network.backend ) }}
@ -34,10 +83,18 @@ function start () {
{{- if .Values.conf.plugins.l2gateway }} \ {{- if .Values.conf.plugins.l2gateway }} \
--config-file /etc/neutron/l2gw_plugin.ini --config-file /etc/neutron/l2gw_plugin.ini
{{- end }} {{- end }}
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -81,6 +81,10 @@ data:
{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-bagpipe-bgp-init.sh: | neutron-bagpipe-bgp-init.sh: |
{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.manifests.certificates }}
neutron-rpc-server.sh: |
{{ tuple "bin/_neutron-rpc-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
neutron-server.sh: | neutron-server.sh: |
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-ironic-agent.sh: | neutron-ironic-agent.sh: |

View File

@ -272,6 +272,10 @@ data:
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }} auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }} dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_neutron_server "key" "wsgi-server.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- $filePrefix := replace "_" "-" $key }} {{- $filePrefix := replace "_" "-" $key }}
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }} {{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}

View File

@ -189,6 +189,7 @@ spec:
mountPath: /run/netns mountPath: /run/netns
mountPropagation: Bidirectional mountPropagation: Bidirectional
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -211,6 +212,7 @@ spec:
hostPath: hostPath:
path: /run/netns path: /run/netns
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View File

@ -177,10 +177,64 @@ spec:
mountPath: /etc/neutron/policy.json mountPath: /etc/neutron/policy.json
subPath: policy.json subPath: policy.json
readOnly: true readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
mountPath: /var/www/cgi-bin/neutron
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/wsgi-server.conf
subPath: wsgi-server.conf
readOnly: true
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{ end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.manifests.certificates }}
- name: neutron-rpc-server
{{ tuple $envAll "neutron_rpc_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.rpc_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_rpc_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/neutron-rpc-server.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/neutron-rpc-server.sh
- stop
volumeMounts:
- name: neutron-bin
mountPath: /tmp/neutron-rpc-server.sh
subPath: neutron-rpc-server.sh
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
readOnly: true
{{- end }}
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
emptyDir: {}
{{- end }}
- name: pod-var-neutron - name: pod-var-neutron
emptyDir: {} emptyDir: {}
- name: neutron-bin - name: neutron-bin
@ -195,5 +249,6 @@ spec:
- name: neutron-plugin-shared - name: neutron-plugin-shared
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }} {{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}} {{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }} {{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }} {{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}} {{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }} {{- end }}

View File

@ -51,8 +51,9 @@ spec:
mountPath: /tmp/ks-user.sh mountPath: /tmp/ks-user.sh
subPath: ks-user.sh subPath: ks-user.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
- name: SERVICE_OS_SERVICE_NAME - name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
- name: {{ .Release.Name }}-reset - name: {{ .Release.Name }}-reset
{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -95,13 +96,14 @@ spec:
readOnly: true readOnly: true
- name: pod-tmp - name: pod-tmp
mountPath: /tmp/pod-tmp mountPath: /tmp/pod-tmp
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ end }} {{ end }}
containers: containers:
- name: neutron-test - name: neutron-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env: env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }} {{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -124,6 +126,7 @@ spec:
readOnly: true readOnly: true
- name: rally-db - name: rally-db
mountPath: /var/lib/rally mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -138,5 +141,6 @@ spec:
defaultMode: 0555 defaultMode: 0555
- name: rally-db - name: rally-db
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }} {{- end }}

View File

@ -31,6 +31,7 @@ images:
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
@ -473,6 +474,7 @@ pod:
capabilities: capabilities:
add: add:
- SYS_MODULE - SYS_MODULE
- SYS_CHROOT
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
neutron_lb_agent_init: neutron_lb_agent_init:
@ -497,6 +499,7 @@ pod:
capabilities: capabilities:
add: add:
- SYS_MODULE - SYS_MODULE
- SYS_CHROOT
runAsUser: 0 runAsUser: 0
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
neutron_ovs_agent_init: neutron_ovs_agent_init:
@ -2179,9 +2182,13 @@ secrets:
admin: neutron-rabbitmq-admin admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user neutron: neutron-rabbitmq-user
tls: tls:
compute_metadata:
metadata:
internal: metadata-tls-metadata
network: network:
server: server:
public: neutron-tls-public public: neutron-tls-public
internal: neutron-tls-server
# typically overridden by environmental # typically overridden by environmental
# values, but should include all endpoints # values, but should include all endpoints
@ -2468,6 +2475,7 @@ network_policy:
- {} - {}
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
daemonset_dhcp_agent: true daemonset_dhcp_agent: true

View File

@ -16,5 +16,6 @@ images:
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
... ...

View File

@ -0,0 +1,145 @@
---
network:
server:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
neutron_server:
pod:
runAsUser: 0
container:
neutron_server:
readOnlyRootFilesystem: false
neutron_rpc_server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
resources:
rpc_server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
conf_dir: /etc/apache2/conf-enabled
site_dir: /etc/apache2/sites-available
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
a2ensite:
- wsgi-server
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_neutron_server: |
<Directory /usr/local/bin>
Require all granted
</Directory>
{{- $portInt := tuple "network" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "neutron-server" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess neutron-server processes=1 threads=1 user=neutron display-name=%{GROUP}
WSGIProcessGroup neutron-server
WSGIScriptAlias / /var/www/cgi-bin/neutron/neutron-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/neutron/certs/tls.crt
SSLCertificateKeyFile /etc/neutron/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
Alias /networking /var/www/cgi-bin/neutron/neutron-api
<Location /networking>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup neutron-server
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
WSGISocketPrefix /var/run/apache2
neutron:
nova:
cafile: /etc/neutron/certs/ca.crt
keystone_authtoken:
cafile: /etc/neutron/certs/ca.crt
metadata_agent:
DEFAULT:
auth_ca_cert: /etc/ssl/certs/openstack-helm.crt
nova_metadata_port: 443
nova_metadata_protocol: https
endpoints:
compute:
scheme:
default: https
port:
api:
public: 443
compute_metadata:
scheme:
default: https
port:
metadata:
public: 443
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
neutron:
cacert: /etc/ssl/certs/openstack-helm.crt
nova:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
network:
host_fqdn_override:
default:
tls:
secretName: neutron-tls-server
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -15,5 +15,6 @@ images:
neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic" neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic" neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic" neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
... ...

View File

@ -18,13 +18,51 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-metadata-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-metadata \ exec nova-api-metadata \
--config-file /etc/nova/nova.conf \ --config-file /etc/nova/nova.conf \
--config-file /tmp/pod-shared/nova-api-metadata.ini --config-file /tmp/pod-shared/nova-api-metadata.ini
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -18,12 +18,51 @@ set -ex
COMMAND="${@:-start}" COMMAND="${@:-start}"
function start () { function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-api-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-os-compute \ exec nova-api-os-compute \
--config-file /etc/nova/nova.conf --config-file /etc/nova/nova.conf
{{- end }}
} }
function stop () { function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1 kill -TERM 1
{{- end }}
} }
$COMMAND $COMMAND

View File

@ -46,6 +46,9 @@ function start () {
} }
function stop () { function stop () {
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop {{ .Values.conf.software.apache2.binary }} -k graceful-stop
} }

View File

@ -0,0 +1,27 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_spiceproxy }}
{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- end -}}

View File

@ -265,6 +265,11 @@ data:
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }} nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- if .Values.conf.security }} {{- if .Values.conf.security }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }} {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
{{- end }} {{- end }}

View File

@ -53,7 +53,7 @@ spec:
{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }} {{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
env: env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }} {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
{{- end }} {{- end }}
command: command:

View File

@ -240,6 +240,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}" value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES - name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}" value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} {{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command: command:
@ -377,6 +381,7 @@ spec:
subPath: tf-plugin.pth subPath: tf-plugin.pth
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.sshd.enabled }} {{- if .Values.network.sshd.enabled }}
- name: nova-compute-ssh - name: nova-compute-ssh
@ -390,6 +395,10 @@ spec:
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }} value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
- name: SSH_PORT - name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }} value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
ports: ports:
- containerPort: {{ .Values.network.ssh.port }} - containerPort: {{ .Values.network.ssh.port }}
command: command:
@ -412,6 +421,7 @@ spec:
mountPath: /tmp/ssh-start.sh mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh subPath: ssh-start.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ end }} {{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -481,6 +491,7 @@ spec:
- name: tf-plugin-bin - name: tf-plugin-bin
emptyDir: {} emptyDir: {}
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}
{{- end }} {{- end }}

View File

@ -166,10 +166,27 @@ spec:
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
readOnly: true readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
subPath: wsgi-metadata.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: nova-bin - name: nova-bin
configMap: configMap:
name: nova-bin name: nova-bin
@ -180,5 +197,6 @@ spec:
defaultMode: 0444 defaultMode: 0444
- name: pod-shared - name: pod-shared
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -114,10 +114,27 @@ spec:
mountPath: /etc/nova/api_audit_map.conf mountPath: /etc/nova/api_audit_map.conf
subPath: api_audit_map.conf subPath: api_audit_map.conf
readOnly: true readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
subPath: wsgi-api.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: pod-var-nova - name: pod-var-nova
emptyDir: {} emptyDir: {}
- name: nova-bin - name: nova-bin
@ -128,5 +145,6 @@ spec:
secret: secret:
secretName: nova-etc secretName: nova-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}" value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES - name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}" value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command: command:
- /tmp/nova-conductor.sh - /tmp/nova-conductor.sh
volumeMounts: volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml mountPath: /etc/nova/policy.yaml
subPath: policy.yaml subPath: policy.yaml
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret: secret:
secretName: nova-etc secretName: nova-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -139,6 +139,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -155,5 +156,6 @@ spec:
emptyDir: {} emptyDir: {}
- name: pod-shared - name: pod-shared
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -120,6 +120,7 @@ spec:
subPath: security.conf subPath: security.conf
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -134,5 +135,6 @@ spec:
secret: secret:
secretName: nova-etc secretName: nova-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}" value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES - name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}" value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command: command:
- /tmp/nova-scheduler.sh - /tmp/nova-scheduler.sh
volumeMounts: volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml mountPath: /etc/nova/policy.yaml
subPath: policy.yaml subPath: policy.yaml
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret: secret:
secretName: nova-etc secretName: nova-etc
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -138,6 +138,7 @@ spec:
readOnly: true readOnly: true
- name: pod-shared - name: pod-shared
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -154,5 +155,6 @@ spec:
emptyDir: {} emptyDir: {}
- name: pod-shared - name: pod-shared
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }} {{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}} {{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }} {{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}} {{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }} {{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}} {{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}} */}}
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }} {{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}} {{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}

View File

@ -63,7 +63,7 @@ spec:
imagePullPolicy: {{ $envAll.Values.images.pull_policy }} imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} {{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
- name: WAIT_PERCENTAGE - name: WAIT_PERCENTAGE
@ -91,6 +91,7 @@ spec:
mountPath: {{ $logConfigFile | quote }} mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }} subPath: {{ base $logConfigFile | quote }}
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -104,6 +105,7 @@ spec:
secret: secret:
secretName: {{ $configMapEtc | quote }} secretName: {{ $configMapEtc | quote }}
defaultMode: 0444 defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
--- ---
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

View File

@ -42,7 +42,7 @@ spec:
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }} {{- end }}
command: command:
@ -54,6 +54,7 @@ spec:
mountPath: /tmp/cell-setup-init.sh mountPath: /tmp/cell-setup-init.sh
subPath: cell-setup-init.sh subPath: cell-setup-init.sh
readOnly: true readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
containers: containers:
- name: nova-cell-setup - name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -96,4 +97,5 @@ spec:
configMap: configMap:
name: nova-bin name: nova-bin
defaultMode: 0555 defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_endpoints }} {{- if .Values.manifests.job_ks_placement_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }} {{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_service }} {{- if .Values.manifests.job_ks_placement_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }} {{- end }}

Some files were not shown because too many files have changed in this diff Show More