feat(tls): add tls support to openstack services
This patch set enables TLS for the following OpenStack services: keystone, horizon, glance, cinder, heat, nova, placement and neutron for the s- (stein) and t- (train) releases. This serves as a consolidation and clean-up patch for the following patches: [0] https://review.opendev.org/#/c/733291 [1] https://review.opendev.org/#/c/735202 [2] https://review.opendev.org/#/c/733962 [3] https://review.opendev.org/#/c/733404 [4] https://review.opendev.org/#/c/734896 This also addresses the comments made on the previous patches. Co-authored-by: Gage Hugo <gagehugo@gmail.com> Co-authored-by: sgupta <sg774j@att.com> Depends-on: https://review.opendev.org/#/c/737194/ Change-Id: Id34ace54298660b4b151522916e929a29f5731be Signed-off-by: Tin Lam <tin@irrational.io>
parent
6027ac0c0c
commit
918a307427
@ -18,12 +18,52 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
for WSGI_SCRIPT in cinder-wsgi; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec cinder-api \
|
exec cinder-api \
|
||||||
--config-file /etc/cinder/cinder.conf
|
--config-file /etc/cinder/cinder.conf
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
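Review bot: The `a2enmod`/`a2dismod` loops and `mkdir -p ${APACHE_RUN_DIR}` in the `{{- if .Values.manifests.certificates }}` branch of `start()` write under `/etc/apache2` and the Apache run dir on every container start, which appears to be why the TLS override has to drop `readOnlyRootFilesystem` and run the API as root; enabling the modules at image build time, or mounting a pre-rendered `mods-enabled` directory from the configmap, would let the container keep its read-only, non-root settings. The `cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/` line should quote its expansions: `cp -a "$(type -p "${WSGI_SCRIPT}")" /var/www/cgi-bin/cinder/`. A short comment above the branch stating that this path serves cinder-api through Apache mod_wsgi only when certificates are enabled would help readers, since the non-TLS `exec cinder-api` path is unchanged. The hunk starts at line 18, so the script header with `set -ex` is outside it.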
|
||||||
|
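--- a/cinder/templates/certificates.yaml
+++ b/cinder/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}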
@ -117,6 +117,10 @@ data:
|
|||||||
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
|
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
|
||||||
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
||||||
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
|
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- end }}
|
||||||
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
||||||
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
|
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
|
||||||
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
|
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
|
||||||
|
@ -100,6 +100,8 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
|
- name: wsgi-cinder
|
||||||
|
mountPath: /var/www/cgi-bin/cinder
|
||||||
- name: cinder-bin
|
- name: cinder-bin
|
||||||
mountPath: /tmp/cinder-api.sh
|
mountPath: /tmp/cinder-api.sh
|
||||||
subPath: cinder-api.sh
|
subPath: cinder-api.sh
|
||||||
@ -130,14 +132,33 @@ spec:
|
|||||||
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
|
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
|
||||||
subPath: resource_filters.json
|
subPath: resource_filters.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.conf.security }}
|
||||||
|
- name: cinder-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
|
||||||
|
subPath: security.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
|
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
|
||||||
- name: cinder-coordination
|
- name: cinder-coordination
|
||||||
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
|
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: cinder-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
|
||||||
|
subPath: wsgi-cinder.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: cinder-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
- name: wsgi-cinder
|
||||||
|
emptyDir: {}
|
||||||
- name: cinder-bin
|
- name: cinder-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: cinder-bin
|
name: cinder-bin
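Review bot: The new `{{- if .Values.conf.security }}` block mounts `security.conf` from `cinder-etc`, but `conf.security` is not defined in the values.yaml hunks or in `values_overrides/tls.yaml` in this change; if it is not set elsewhere the block silently renders nothing and the Apache hardening it is meant to carry never lands, so either define it in the TLS override or add a comment stating where it is expected to come from. The `wsgi-cinder.conf` mount goes into `{{ .Values.conf.software.apache2.site_dir }}` (`/etc/apache2/sites-enabled` in the override), so any default site shipped by the base image stays enabled next to the cinder vhost — worth confirming the image has none, or disabling it in `cinder-api.sh`. Both new `cinder-etc` mounts correctly use `readOnly: true`; the TLS mount path `/etc/cinder/certs` matches the `SSLCertificateFile` paths in the override.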
|
||||||
@ -152,5 +173,6 @@ spec:
|
|||||||
- name: cinder-coordination
|
- name: cinder-coordination
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -111,19 +111,18 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
mountPath: /tmp/pod-shared
|
mountPath: /tmp/pod-shared
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: INTERNAL_PROJECT_NAME
|
- name: INTERNAL_PROJECT_NAME
|
||||||
value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
|
value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
|
||||||
- name: INTERNAL_USER_NAME
|
- name: INTERNAL_USER_NAME
|
||||||
value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
|
value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
|
||||||
|
|
||||||
{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
|
{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
containers:
|
containers:
|
||||||
- name: cinder-volume
|
- name: cinder-volume
|
||||||
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
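Review bot: The `tls_volume_mount` added to the cinder-volume container mounts the whole `secrets.tls.volume.api.internal` secret, although cinder-volume is only a TLS client here and needs nothing beyond the CA bundle; if the helm-toolkit snippet (outside this change) mounts `tls.key` as well, the cinder-api server's private key is copied into every pod that gets this mount — this deployment, the create-internal-tenant cron job, the ks-user job, the test pod, and the glance-api container in the glance deployment. Prefer a CA-only projection (a secret `items:` list restricted to `ca.crt`, or a separate CA secret) for client-side consumers, and keep the full secret on the API and nginx containers only. If the snippet already limits itself to `ca.crt`, a comment saying so next to the first mount would stop the next reader from asking the same question. The `useCA` key added to the openrc env dict is consistent with the other jobs in this change.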
|
||||||
@ -259,5 +258,6 @@ spec:
|
|||||||
- name: usrlocalsbin
|
- name: usrlocalsbin
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}}
|
{{- $envAll := . -}}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
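Review bot: `$secretName` is assigned from `secrets.tls.volume.api.internal` but only used as a truthiness guard; the value is never placed into `$ingressOpts`, and only `certIssuer` is set from `.Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name`, so presumably the ingress helper derives the TLS secret from the endpoint override itself — a comment such as `{{/* the ingress helper reads the secret name from host_fqdn_override; only the issuer is passed here */}}` would make that explicit. When `manifests.certificates` is true but `host_fqdn_override.default.tls` is absent from the chart values, the nested `.tls.issuerRef.name` lookup will likely fail with a nil-pointer template error rather than a clear message; guarding with `and .Values.manifests.certificates $secretName .Values.endpoints.volume.host_fqdn_override.default.tls` or using `dig`-style defaults would fail more gracefully.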
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -54,8 +54,9 @@ spec:
|
|||||||
mountPath: /tmp/create-internal-tenant.sh
|
mountPath: /tmp/create-internal-tenant.sh
|
||||||
subPath: create-internal-tenant.sh
|
subPath: create-internal-tenant.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
@ -82,4 +83,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: {{ $configMapBin | quote }}
|
name: {{ $configMapBin | quote }}
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -50,8 +50,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-user.sh
|
mountPath: /tmp/ks-user.sh
|
||||||
subPath: ks-user.sh
|
subPath: ks-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
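Review bot: The `tls_volume_mount` call here is written as `{{ dict ... }}` without the leading `-` trim that every other `tls_volume_mount`/`tls_volume` call in this change uses (the test pod's mount after `rally-db` has the same form); when certificates are disabled the snippet presumably renders empty and leaves a whitespace-only line, which is harmless YAML but inconsistent. Change it to `{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}`. This line also reads the secret through `$envAll.Values` while the neighbouring `{{- with $env := dict ... .Values.manifests.certificates }}` uses `.Values`; both resolve to the root here, but one form per file reads better.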
|
||||||
@ -66,7 +67,7 @@ spec:
|
|||||||
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||||
@ -89,6 +90,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
mountPath: /var/lib/rally
|
mountPath: /var/lib/rally
|
||||||
|
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -103,5 +105,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1196,7 +1196,7 @@ secrets:
|
|||||||
volume:
|
volume:
|
||||||
api:
|
api:
|
||||||
public: cinder-tls-public
|
public: cinder-tls-public
|
||||||
|
internal: cinder-tls-api
|
||||||
# We use a different layout of the endpoints here to account for versioning
|
# We use a different layout of the endpoints here to account for versioning
|
||||||
# this swaps the service name and type, and should be rolled out to other
|
# this swaps the service name and type, and should be rolled out to other
|
||||||
# services.
|
# services.
|
||||||
@ -1449,6 +1449,7 @@ network_policy:
|
|||||||
- {}
|
- {}
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
cron_volume_usage_audit: true
|
cron_volume_usage_audit: true
|
||||||
|
136
cinder/values_overrides/tls.yaml
Normal file
136
cinder/values_overrides/tls.yaml
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
---
|
||||||
|
pod:
|
||||||
|
security_context:
|
||||||
|
cinder_api:
|
||||||
|
container:
|
||||||
|
cinder_api:
|
||||||
|
runAsUser: 0
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
network:
|
||||||
|
api:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
conf:
|
||||||
|
software:
|
||||||
|
apache2:
|
||||||
|
binary: apache2
|
||||||
|
start_parameters: -DFOREGROUND
|
||||||
|
site_dir: /etc/apache2/sites-enabled
|
||||||
|
conf_dir: /etc/apache2/conf-enabled
|
||||||
|
mods_dir: /etc/apache2/mods-available
|
||||||
|
a2enmod:
|
||||||
|
- ssl
|
||||||
|
a2dismod: null
|
||||||
|
mpm_event: |
|
||||||
|
<IfModule mpm_event_module>
|
||||||
|
ServerLimit 1024
|
||||||
|
StartServers 32
|
||||||
|
MinSpareThreads 32
|
||||||
|
MaxSpareThreads 256
|
||||||
|
ThreadsPerChild 25
|
||||||
|
MaxRequestsPerChild 128
|
||||||
|
ThreadLimit 720
|
||||||
|
</IfModule>
|
||||||
|
wsgi_cinder: |
|
||||||
|
{{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
Listen {{ $portInt }}
|
||||||
|
<VirtualHost *:{{ $portInt }}>
|
||||||
|
ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
|
||||||
|
WSGIDaemonProcess cinder-api processes=1 threads=1 user=cinder display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup cinder-api
|
||||||
|
WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
AllowEncodedSlashes On
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/cinder/certs/tls.crt
|
||||||
|
SSLCertificateKeyFile /etc/cinder/certs/tls.key
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</VirtualHost>
|
||||||
|
cinder:
|
||||||
|
keystone_authtoken:
|
||||||
|
cafile: /etc/cinder/certs/ca.crt
|
||||||
|
|
||||||
|
endpoints:
|
||||||
|
identity:
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
cinder:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
test:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 443
|
||||||
|
image:
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
image_registry:
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
volume:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: cinder-tls-api
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
internal: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
volumev2:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: cinder-tls-api
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
internal: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
volumev3:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: cinder-tls-api
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
internal: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
ingress:
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 443
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
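Review bot: `pod.security_context.cinder_api.container.cinder_api` sets `runAsUser: 0` and `readOnlyRootFilesystem: false`, so turning on TLS silently changes the API container from an unprivileged, read-only process into a root process with a writable filesystem, and nothing in the file says why; at minimum add a comment above these keys naming the cause (Apache's `a2enmod` and run-dir setup in `cinder-api.sh` writing to `/etc/apache2` and `/var/run`), and preferably drop the escalation by running Apache as the cinder user via the `envvars` settings with its run and lock directories on writable mounts. `conf.cinder.keystone_authtoken.cafile` points at `/etc/cinder/certs/ca.crt` while `endpoints.identity.auth.*.cacert` points at `/etc/ssl/certs/openstack-helm.crt`, a path no volume in this change provides — presumably supplied by the `useCA` openrc snippet or the image, which a comment should confirm. `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and the ECDHE-only cipher list with `SSLHonorCipherOrder on` are sound defaults. `start_parameters: -DFOREGROUND` is a valid plain scalar, but quoting it (`"-DFOREGROUND"`) avoids surprising readers who expect a `-` to start a sequence.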
|
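--- a/glance/templates/bin/_nginx.sh.tpl
+++ b/glance/templates/bin/_nginx.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -xe
+
+COMMAND="${@:-start}"
+
+function start () {
+envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
+cat /tmp/nginx.conf
+nginx -t -c /tmp/nginx.conf
+exec nginx -c /tmp/nginx.conf
+}
+
+function stop () {
+nginx -s stop
+}
+
+$COMMAND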
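Review bot: `envsubst < /etc/nginx/nginx.conf` with no variable list substitutes every `$name` token in the file, so if `nginx.conf` uses nginx's own `$host`, `$remote_addr` or similar variables (the template is not in this change) they are replaced with empty strings; restrict it to the variables the deployment actually exports, `envsubst '${PORT} ${POD_IP} ${SHORTNAME}' < /etc/nginx/nginx.conf > /tmp/nginx.conf`. `cat /tmp/nginx.conf` dumps the rendered config into the container log on every start, and `set -x` already traces each command, so the `cat` can be dropped unless it is deliberately kept for debugging. `stop()` calls `nginx -s stop` without `-c /tmp/nginx.conf`, so nginx locates the pid file from the unrendered `/etc/nginx/nginx.conf`; if the pid path or prefix is templated the signal will not reach the running master, so pass the same `-c` here.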
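--- a/glance/templates/certificates.yaml
+++ b/glance/templates/certificates.yaml
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{ dict "envAll" . "service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}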
@ -61,4 +61,8 @@ data:
|
|||||||
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
rabbit-init.sh: |
|
rabbit-init.sh: |
|
||||||
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
|
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
nginx.sh: |
|
||||||
|
{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -188,4 +188,5 @@ data:
|
|||||||
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
||||||
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
||||||
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
|
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
|
||||||
{{- end }}
|
{{- end }}
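Review bot: The `nginx.conf` renderer is added unconditionally, whereas the matching `nginx.sh` entry in configmap-bin is wrapped in `{{- if .Values.manifests.certificates }}`; this means `.Values.conf.nginx` must exist in the base values for every deployment (a missing key may render an empty secret entry or fail, depending on the snippet, which is outside this change), and the secret carries an nginx config that is never mounted when TLS is off. Gate it the same way as the script: `{{- if .Values.manifests.certificates }}` / `{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}` / `{{- end }}`.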
|
||||||
|
@ -92,6 +92,45 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
{{ end }}
|
{{ end }}
|
||||||
containers:
|
containers:
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: nginx
|
||||||
|
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
ports:
|
||||||
|
- name: g-api
|
||||||
|
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
env:
|
||||||
|
- name: PORT
|
||||||
|
value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
|
- name: POD_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: SHORTNAME
|
||||||
|
value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
|
||||||
|
readinessProbe:
|
||||||
|
tcpSocket:
|
||||||
|
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
command:
|
||||||
|
- /tmp/nginx.sh
|
||||||
|
- start
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/nginx.sh
|
||||||
|
- stop
|
||||||
|
volumeMounts:
|
||||||
|
- name: glance-bin
|
||||||
|
mountPath: /tmp/nginx.sh
|
||||||
|
subPath: nginx.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: glance-etc
|
||||||
|
mountPath: /etc/nginx/nginx.conf
|
||||||
|
subPath: nginx.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
- name: glance-api
|
- name: glance-api
|
||||||
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
@ -105,6 +144,21 @@ spec:
|
|||||||
command:
|
command:
|
||||||
- /tmp/glance-api.sh
|
- /tmp/glance-api.sh
|
||||||
- stop
|
- stop
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- python
|
||||||
|
- -c
|
||||||
|
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- python
|
||||||
|
- -c
|
||||||
|
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
{{- else }}
|
||||||
ports:
|
ports:
|
||||||
- name: g-api
|
- name: g-api
|
||||||
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
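Review bot: The TLS-mode readiness and liveness probes run `python -c "import requests; requests.get('http://127.0.0.1:PORT')"`, and `requests.get` only raises on connection failures, so any HTTP response — including a 400 from nginx when plain HTTP hits its TLS listener, or a 500 from glance-api itself — counts as healthy; append `.raise_for_status()` so the probe reflects the service's actual status. The probe port is the same `image`/`internal`/`api` lookup that the new nginx sidecar binds as its `containerPort`, so either the sidecar and glance-api share a port (which would conflict) or the probe is checking nginx rather than glance-api — which one is intended is not visible here and should be stated in a comment, with the probe pointed at the port glance-api actually listens on. The exec probes also assume `python` and the `requests` module exist in the glance-api image; if the previous `tcpSocket` form is sufficient it is cheaper and has no such dependency.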
|
||||||
@ -114,7 +168,7 @@ spec:
|
|||||||
livenessProbe:
|
livenessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
initialDelaySeconds: 30
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
mountPath: /tmp
|
mountPath: /tmp
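Review bot: The non-TLS `livenessProbe` appears to lose its `initialDelaySeconds: 30` — the hunk counts (`-114,7 +168,7`) and the paired print of `initialDelaySeconds: 30` against `{{- end }}` suggest the delay line was replaced by the closing `{{- end }}` of the new `{{- if $envAll.Values.manifests.certificates }}` block rather than kept before it. If so, the existing `tcpSocket` liveness probe fires immediately after container start and can restart glance-api before it finishes initialising, a regression for every deployment with certificates disabled. Keep both lines: `initialDelaySeconds: 30` followed by `{{- end }}`. The `{{- if }}` that this `{{- end }}` closes is opened in the previous hunk.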
|
||||||
@ -164,6 +218,7 @@ spec:
|
|||||||
subPath: key
|
subPath: key
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -197,5 +252,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: {{ .Values.secrets.rbd | quote }}
|
secretName: {{ .Values.secrets.rbd | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -55,6 +55,45 @@ spec:
|
|||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
- name: nginx
|
||||||
|
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
ports:
|
||||||
|
- name: g-reg
|
||||||
|
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
env:
|
||||||
|
- name: PORT
|
||||||
|
value: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
|
- name: POD_IP
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: status.podIP
|
||||||
|
- name: SHORTNAME
|
||||||
|
value: {{ tuple "image_registry" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
|
||||||
|
readinessProbe:
|
||||||
|
tcpSocket:
|
||||||
|
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
command:
|
||||||
|
- /tmp/nginx.sh
|
||||||
|
- start
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/nginx.sh
|
||||||
|
- stop
|
||||||
|
volumeMounts:
|
||||||
|
- name: glance-bin
|
||||||
|
mountPath: /tmp/nginx.sh
|
||||||
|
subPath: nginx.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: glance-etc
|
||||||
|
mountPath: /etc/nginx/nginx.conf
|
||||||
|
subPath: nginx.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
- name: glance-registry
|
- name: glance-registry
|
||||||
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
@ -68,6 +107,21 @@ spec:
|
|||||||
command:
|
command:
|
||||||
- /tmp/glance-registry.sh
|
- /tmp/glance-registry.sh
|
||||||
- stop
|
- stop
|
||||||
|
{{- if $envAll.Values.manifests.certificates }}
|
||||||
|
readinessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- python
|
||||||
|
- -c
|
||||||
|
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- python
|
||||||
|
- -c
|
||||||
|
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
||||||
|
initialDelaySeconds: 30
|
||||||
|
{{- else }}
|
||||||
ports:
|
ports:
|
||||||
- name: g-reg
|
- name: g-reg
|
||||||
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
@ -77,7 +131,7 @@ spec:
|
|||||||
livenessProbe:
|
livenessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
initialDelaySeconds: 30
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
@ -109,6 +163,7 @@ spec:
|
|||||||
mountPath: /etc/glance/policy.json
|
mountPath: /etc/glance/policy.json
|
||||||
subPath: policy.json
|
subPath: policy.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -123,5 +178,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: glance-etc
|
secretName: glance-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
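Review bot: The exec probes added under `{{- if $envAll.Values.manifests.certificates }}` in the second hunk of this section only call `requests.get(...)` and never look at the response, so a 5xx from glance-registry still passes both readiness and liveness; the same probe text is used for the glance-api deployment earlier in this commit. Checking the status is a one-token change, e.g. `- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}', timeout=5).raise_for_status()"`, and the explicit `timeout=` keeps the probe from running into the default 1s exec limit when the backend stalls. Note that this probe exercises only the plaintext loopback listener; the TLS path is covered solely by the nginx sidecar's tcpSocket probe, which confirms the port is open but not that the certificate loaded, so that is worth a comment above the nginx `readinessProbe:`.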
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
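Review bot: The new `$secretName` guard on `{{- if and .Values.manifests.certificates $secretName -}}` is effectively always true, because values.yaml in this same commit sets `secrets.tls.image.api.internal: glance-tls-api` by default, and `$secretName` is never placed into `$ingressOpts` afterwards, so the only thing that actually gates `certIssuer` is `manifests.certificates`. When that flag is on, `.Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name` is dereferenced unconditionally, and that path only exists in the `tls.yaml` override; rendering with `certificates: true` but without the override presumably fails on a nil map. Either guard on the value that is actually required, `{{- if and .Values.manifests.certificates .Values.endpoints.image.host_fqdn_override.default.tls -}}`, or document next to `certificates: false` in values.yaml that the `host_fqdn_override.default.tls` block is mandatory. The same pattern is repeated in glance ingress-registry and in heat ingress-api and ingress-cfn below.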
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
|
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -25,5 +25,8 @@ volumes:
|
|||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
|
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -569,7 +569,10 @@ secrets:
|
|||||||
image:
|
image:
|
||||||
api:
|
api:
|
||||||
public: glance-tls-public
|
public: glance-tls-public
|
||||||
|
internal: glance-tls-api
|
||||||
|
image_registry:
|
||||||
|
api:
|
||||||
|
internal: glance-tls-reg
|
||||||
|
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
@ -991,6 +994,7 @@ pod:
|
|||||||
cpu: "2000m"
|
cpu: "2000m"
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
deployment_api: true
|
deployment_api: true
|
||||||
|
138
glance/values_overrides/tls.yaml
Normal file
138
glance/values_overrides/tls.yaml
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
---
|
||||||
|
images:
|
||||||
|
tags:
|
||||||
|
nginx: docker.io/nginx:1.18.0
|
||||||
|
conf:
|
||||||
|
glance:
|
||||||
|
DEFAULT:
|
||||||
|
bind_host: 127.0.0.1
|
||||||
|
keystone_authtoken:
|
||||||
|
cafile: /etc/glance/certs/ca.crt
|
||||||
|
glance_store:
|
||||||
|
https_ca_certificates_file: /etc/glance/certs/ca.crt
|
||||||
|
glance_registry:
|
||||||
|
DEFAULT:
|
||||||
|
bind_host: 127.0.0.1
|
||||||
|
keystone_authtoken:
|
||||||
|
cafile: /etc/glance/certs/ca.crt
|
||||||
|
nginx: |
|
||||||
|
worker_processes 1;
|
||||||
|
daemon off;
|
||||||
|
user nginx;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
keepalive_timeout 65s;
|
||||||
|
tcp_nodelay on;
|
||||||
|
|
||||||
|
log_format main '[nginx] method=$request_method path=$request_uri '
|
||||||
|
'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
|
||||||
|
'"$remote_user" "$http_referer" "$http_user_agent"';
|
||||||
|
|
||||||
|
access_log /dev/stdout main;
|
||||||
|
|
||||||
|
upstream websocket {
|
||||||
|
server 127.0.0.1:$PORT;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
|
||||||
|
listen $POD_IP:$PORT ssl;
|
||||||
|
|
||||||
|
client_max_body_size 0;
|
||||||
|
|
||||||
|
ssl_certificate /etc/nginx/certs/tls.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/certs/tls.key;
|
||||||
|
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass_request_headers on;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_pass http://websocket;
|
||||||
|
proxy_read_timeout 90;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
network:
|
||||||
|
api:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
registry:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
|
||||||
|
endpoints:
|
||||||
|
identity:
|
||||||
|
name: keystone
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
glance:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
test:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 443
|
||||||
|
image:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: glance-tls-api
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
public: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
image_registry:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: glance-tls-reg
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
public: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
dashboard:
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
public: https
|
||||||
|
port:
|
||||||
|
web:
|
||||||
|
default: 80
|
||||||
|
public: 443
|
||||||
|
pod:
|
||||||
|
security_context:
|
||||||
|
glance:
|
||||||
|
pod:
|
||||||
|
runAsUser: 0
|
||||||
|
resources:
|
||||||
|
nginx:
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
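Review bot: The nginx `server {}` block in `conf.nginx` sets `ssl_ciphers` but no `ssl_protocols`, so the nginx 1.18.0 image pinned above falls back to its built-in default, which still admits TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` next to the `ssl_certificate` lines. Two of the five names in that cipher list, `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, are not OpenSSL cipher names and are silently dropped, so the effective list is the three remaining RSA suites, one of them CBC; the list is worth trimming to what is actually intended and commenting accordingly. Separately, `pod.security_context.glance.pod.runAsUser: 0` makes every glance pod run as root as soon as the TLS override is applied, which is a broader privilege change than the feature needs; if the reason is certificate file ownership or nginx binding, a comment stating it, and preferably an `fsGroup` or a non-root nginx user, would keep the default non-root posture.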
|
@ -18,12 +18,48 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
for WSGI_SCRIPT in heat-wsgi-api; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec heat-api \
|
exec heat-api \
|
||||||
--config-file /etc/heat/heat.conf
|
--config-file /etc/heat/heat.conf
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
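Review bot: The Apache bootstrap inserted into `start ()` here is duplicated verbatim in heat-cfn.sh in the next section, differing only in the WSGI script name and the fallback `exec` target, and the copy there picks up stray double blank lines; the block is a candidate for a shared helm-toolkit snippet or a values-driven script template so the two cannot drift. Within the block, `cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/` is unquoted, so an empty `type -p` result turns into a `cp` of the destination onto itself rather than a clear error; `cp -a "$(type -p "${WSGI_SCRIPT}")" /var/www/cgi-bin/heat/` fails with an explicit message under the script's `set -ex`. A one-line comment above the `for WSGI_SCRIPT` loop explaining that the script is copied into the `wsgi-heat` emptyDir because Apache serves it from `/var/www/cgi-bin/heat` would also help the next reader.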
|
||||||
|
@ -18,12 +18,49 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
for WSGI_SCRIPT in heat-wsgi-api-cfn; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec heat-api-cfn \
|
exec heat-api-cfn \
|
||||||
--config-file /etc/heat/heat.conf
|
--config-file /etc/heat/heat.conf
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
|
||||||
|
18
heat/templates/certificates.yaml
Normal file
18
heat/templates/certificates.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
{{/*
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end -}}
|
@ -136,6 +136,11 @@ data:
|
|||||||
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
|
||||||
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
||||||
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
policy.json: {{ toJson .Values.conf.policy | b64enc }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- end }}
|
||||||
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
||||||
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
|
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
|
||||||
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
|
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}
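Review bot: The key `"wsgi-cnf.conf"` passed to `values_template_renderer` for `.Values.conf.wsgi_cfn` looks like a transposition of `cfn`; it is consistent with the `subPath: wsgi-cnf.conf` mount in heat deployment-cfn further down, so it renders, but every other name in this commit uses `cfn` (`heat-wsgi-api-cfn`, `heat-api-cfn.conf`, `ingress_cfn`). Renaming both sides to `"key" "wsgi-cfn.conf"` and `subPath: wsgi-cfn.conf` now is cheap; after release the Secret key becomes something operators override against. The three renderer includes are gated on `manifests.certificates` while the surrounding keys are not, so a short comment such as `# Apache/WSGI site and MPM config, only rendered when TLS termination is enabled` above the `{{- if` would make the asymmetry deliberate.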
|
||||||
|
@ -83,6 +83,8 @@ spec:
|
|||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
- name: pod-etc-heat
|
- name: pod-etc-heat
|
||||||
mountPath: /etc/heat
|
mountPath: /etc/heat
|
||||||
|
- name: wsgi-heat
|
||||||
|
mountPath: /var/www/cgi-bin/heat
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
mountPath: /tmp/heat-api.sh
|
mountPath: /tmp/heat-api.sh
|
||||||
subPath: heat-api.sh
|
subPath: heat-api.sh
|
||||||
@ -109,12 +111,25 @@ spec:
|
|||||||
mountPath: /etc/heat/api_audit_map.conf
|
mountPath: /etc/heat/api_audit_map.conf
|
||||||
subPath: api_audit_map.conf
|
subPath: api_audit_map.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: heat-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
|
||||||
|
subPath: wsgi-heat.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: heat-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: pod-etc-heat
|
- name: pod-etc-heat
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
- name: wsgi-heat
|
||||||
|
emptyDir: {}
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
@ -123,5 +138,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -83,6 +83,8 @@ spec:
|
|||||||
mountPath: /tmp
|
mountPath: /tmp
|
||||||
- name: pod-etc-heat
|
- name: pod-etc-heat
|
||||||
mountPath: /etc/heat
|
mountPath: /etc/heat
|
||||||
|
- name: wsgi-heat
|
||||||
|
mountPath: /var/www/cgi-bin/heat
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
mountPath: /tmp/heat-cfn.sh
|
mountPath: /tmp/heat-cfn.sh
|
||||||
subPath: heat-cfn.sh
|
subPath: heat-cfn.sh
|
||||||
@ -109,12 +111,25 @@ spec:
|
|||||||
mountPath: /etc/heat/api_audit_map.conf
|
mountPath: /etc/heat/api_audit_map.conf
|
||||||
subPath: api_audit_map.conf
|
subPath: api_audit_map.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: heat-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
|
||||||
|
subPath: wsgi-cnf.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: heat-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: pod-etc-heat
|
- name: pod-etc-heat
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
- name: wsgi-heat
|
||||||
|
emptyDir: {}
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
@ -123,5 +138,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -99,6 +99,7 @@ spec:
|
|||||||
mountPath: /etc/heat/policy.json
|
mountPath: /etc/heat/policy.json
|
||||||
subPath: policy.json
|
subPath: policy.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -113,5 +114,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
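Review bot: The `tls_volume_mount` and `tls_volume` lines added here hand the heat-engine container the `secrets.tls.orchestration.api.internal` Secret, which is the heat-api server's certificate and private key; the engine is only a client of keystone and heat-api and needs the CA bundle, not `tls.key`. If `helm-toolkit.snippets.tls_volume_mount` mounts the whole Secret, as its single `name` argument suggests, the serving key ends up in every engine pod, and the same applies to the `tlsSecret` passed to the bootstrap and ks-* jobs and to the unconditional mount in heat job-ks-user below. Mounting only the CA material for client-side pods, or at least a comment on this line stating that the full server Secret is being shared and why, would keep the key's exposure to the pods that terminate TLS.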
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendServiceType" "orchestration" "backendPort" "h-api" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
|
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -15,5 +15,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -53,8 +53,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-domain-user.sh
|
mountPath: /tmp/ks-domain-user.sh
|
||||||
subPath: ks-domain-user.sh
|
subPath: ks-domain-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
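Review bot: The heat `tls_volume_mount` call in this hunk relies on the snippet's default mount path, whereas the keystone and horizon mounts in the same change pass an explicit `"path"`; the heat TLS override points `conf.heat.*.ca_file` at `/etc/heat/certs/ca.crt`, so the default must resolve to `/etc/heat/certs` and, presumably, to whatever `useCA` makes the openrc snippet set as the CA path — worth confirming or passing `"path" "/etc/heat/certs"` explicitly. In the `with $env := dict ...` line, `ksUserSecret` is read through `$envAll.Values` while `useCA` reads `.Values`; both resolve to the same object here, but the trusts job hunk uses `$envAll.Values` for both and the two should be written alike. The volume-mount include is also emitted with `{{ dict ...` rather than the `{{- dict ...` used for the matching `tls_volume` include, leaving a stray whitespace-only line in the rendered manifest when certificates are disabled.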
@ -88,4 +89,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user_trustee }}
|
{{- if .Values.manifests.job_ks_user_trustee }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -57,9 +57,10 @@ spec:
|
|||||||
mountPath: /tmp/trusts.sh
|
mountPath: /tmp/trusts.sh
|
||||||
subPath: trusts.sh
|
subPath: trusts.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_ROLES
|
- name: SERVICE_OS_ROLES
|
||||||
@ -75,4 +76,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
||||||
|
@ -49,8 +49,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-user.sh
|
mountPath: /tmp/ks-user.sh
|
||||||
subPath: ks-user.sh
|
subPath: ks-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
@ -65,7 +66,7 @@ spec:
|
|||||||
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||||
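Review bot: Only the admin `keystone_openrc_env_vars` block in the heat test pod gains `"useCA" .Values.manifests.certificates`; the second `with $env := dict "ksUserSecret" .Values.secrets.identity.test` block at the end of the hunk is left untouched. If that block also includes `helm-toolkit.snippets.keystone_openrc_env_vars` (its include line is outside the hunk), the test user's environment will not receive the CA setting and any client using those credentials would fail certificate verification against the TLS-enabled Keystone; adding `"useCA" .Values.manifests.certificates` to that dict as well keeps the two consistent.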
@ -94,6 +95,7 @@ spec:
|
|||||||
subPath: {{ printf "test_template_%d" $key }}
|
subPath: {{ printf "test_template_%d" $key }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -108,5 +110,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -797,10 +797,11 @@ secrets:
|
|||||||
orchestration:
|
orchestration:
|
||||||
api:
|
api:
|
||||||
public: heat-tls-public
|
public: heat-tls-public
|
||||||
|
internal: heat-tls-api
|
||||||
cloudformation:
|
cloudformation:
|
||||||
cfn:
|
cfn:
|
||||||
public: cloudformation-tls-public
|
public: cloudformation-tls-public
|
||||||
|
internal: heat-tls-cfn
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
# required by this chart
|
# required by this chart
|
||||||
@ -1262,6 +1263,7 @@ network_policy:
|
|||||||
- {}
|
- {}
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
cron_job_engine_cleaner: true
|
cron_job_engine_cleaner: true
|
||||||
|
182
heat/values_overrides/tls.yaml
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
---
|
||||||
|
conf:
|
||||||
|
software:
|
||||||
|
apache2:
|
||||||
|
binary: apache2
|
||||||
|
start_parameters: -DFOREGROUND
|
||||||
|
site_dir: /etc/apache2/sites-enabled
|
||||||
|
conf_dir: /etc/apache2/conf-enabled
|
||||||
|
mods_dir: /etc/apache2/mods-available
|
||||||
|
a2enmod:
|
||||||
|
- ssl
|
||||||
|
a2dismod: null
|
||||||
|
mpm_event: |
|
||||||
|
<IfModule mpm_event_module>
|
||||||
|
ServerLimit 1024
|
||||||
|
StartServers 32
|
||||||
|
MinSpareThreads 32
|
||||||
|
MaxSpareThreads 256
|
||||||
|
ThreadsPerChild 25
|
||||||
|
MaxRequestsPerChild 128
|
||||||
|
ThreadLimit 720
|
||||||
|
</IfModule>
|
||||||
|
wsgi_heat: |
|
||||||
|
{{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
Listen {{ $portInt }}
|
||||||
|
<VirtualHost *:{{ $portInt }}>
|
||||||
|
ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
|
||||||
|
WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup heat-api
|
||||||
|
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
AllowEncodedSlashes On
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/heat/certs/tls.crt
|
||||||
|
SSLCertificateKeyFile /etc/heat/certs/tls.key
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
wsgi_cfn: |
|
||||||
|
{{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
Listen {{ $portInt }}
|
||||||
|
<VirtualHost *:{{ $portInt }}>
|
||||||
|
ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
|
||||||
|
WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup heat-api-cfn
|
||||||
|
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
AllowEncodedSlashes On
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/heat/certs/tls.crt
|
||||||
|
SSLCertificateKeyFile /etc/heat/certs/tls.key
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
heat:
|
||||||
|
clients_neutron:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_cinder:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_glance:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_nova:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_swift:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
ssl:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
keystone_authtoken:
|
||||||
|
cafile: /etc/heat/certs/ca.crt
|
||||||
|
clients:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_heat:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
clients_keystone:
|
||||||
|
ca_file: /etc/heat/certs/ca.crt
|
||||||
|
|
||||||
|
network:
|
||||||
|
api:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
cfn:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
cloudwatch:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
|
||||||
|
pod:
|
||||||
|
security_context:
|
||||||
|
heat:
|
||||||
|
container:
|
||||||
|
heat_api:
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsUser: 0
|
||||||
|
heat_cfn:
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
runAsUser: 0
|
||||||
|
|
||||||
|
endpoints:
|
||||||
|
identity:
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
heat:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
heat_trustee:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
heat_stack_user:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
test:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 443
|
||||||
|
orchestration:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: heat-tls-api
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
cloudformation:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: heat-tls-cfn
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
# Cloudwatch does not get an entry in the keystone service catalog
|
||||||
|
cloudwatch:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: heat-tls-cloudwatch
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
kind: Issuer
|
||||||
|
ingress:
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 443
|
||||||
|
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
|
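Review bot: `pod.security_context.heat.container.heat_api` and `heat_cfn` switch to `runAsUser: 0` with `readOnlyRootFilesystem: false`, so enabling TLS also drops the non-root, read-only hardening for both API containers, and the reason (presumably that `a2enmod`/`a2dismod` and the Apache run directory need a writable filesystem at start, as the cinder start script in this change does) is not recorded anywhere. Add a comment above those keys stating why root is required, and consider whether writable emptyDir volumes for the Apache run and mods-enabled directories would allow the image's service user to remain. `cloudwatch.host_fqdn_override.default.tls.issuerRef` carries `kind: Issuer` while the `orchestration` and `cloudformation` stanzas omit it; cert-manager defaults the kind to `Issuer`, so behaviour is identical, but the three stanzas should be written alike.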
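--- /dev/null
+++ b/horizon/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}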
@ -78,14 +78,14 @@ spec:
|
|||||||
containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTP
|
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
||||||
path: /
|
path: /
|
||||||
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTP
|
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
||||||
path: /
|
path: /
|
||||||
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
initialDelaySeconds: 180
|
initialDelaySeconds: 180
|
||||||
@ -129,6 +129,7 @@ spec:
|
|||||||
subPath: {{ base $policyFile }}
|
subPath: {{ base $policyFile }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -145,5 +146,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: horizon-etc
|
secretName: horizon-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -183,6 +183,7 @@ conf:
|
|||||||
# values will not work
|
# values will not work
|
||||||
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
|
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
|
||||||
debug: "False"
|
debug: "False"
|
||||||
|
use_ssl: "False"
|
||||||
keystone_multidomain_support: "True"
|
keystone_multidomain_support: "True"
|
||||||
keystone_default_domain: Default
|
keystone_default_domain: Default
|
||||||
disable_password_reveal: "True"
|
disable_password_reveal: "True"
|
||||||
@ -266,6 +267,7 @@ conf:
|
|||||||
|
|
||||||
# If Horizon is being served through SSL, then uncomment the following two
|
# If Horizon is being served through SSL, then uncomment the following two
|
||||||
# settings to better secure the cookies from security exploits
|
# settings to better secure the cookies from security exploits
|
||||||
|
USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
|
||||||
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
|
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
|
||||||
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
|
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
|
||||||
|
|
||||||
@ -425,8 +427,10 @@ conf:
|
|||||||
# Disable SSL certificate checks (useful for self-signed certificates):
|
# Disable SSL certificate checks (useful for self-signed certificates):
|
||||||
#OPENSTACK_SSL_NO_VERIFY = True
|
#OPENSTACK_SSL_NO_VERIFY = True
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
# The CA certificate to use to verify SSL connections
|
# The CA certificate to use to verify SSL connections
|
||||||
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
|
OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
|
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
|
||||||
# capabilities of the auth backend for Keystone.
|
# capabilities of the auth backend for Keystone.
|
||||||
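Review bot: `OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'` hard-codes the directory that horizon's deployment template also hard-codes as the `"path"` argument of `tls_volume_mount` in another hunk of this change; the two must stay in lock-step, and a mismatch leaves Horizon unable to verify Keystone with no rendering-time signal. Consider sourcing both from one value, or at least add `# must match the "path" passed to helm-toolkit.snippets.tls_volume_mount in deployment.yaml` above this line so the coupling is visible to the next editor.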
@ -2133,6 +2137,7 @@ secrets:
|
|||||||
dashboard:
|
dashboard:
|
||||||
dashboard:
|
dashboard:
|
||||||
public: horizon-tls-public
|
public: horizon-tls-public
|
||||||
|
internal: horizon-tls-web
|
||||||
|
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
@ -2253,6 +2258,7 @@ network_policy:
|
|||||||
- {}
|
- {}
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
deployment: true
|
deployment: true
|
||||||
|
109
horizon/values_overrides/tls.yaml
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
---
|
||||||
|
network:
|
||||||
|
dashboard:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
conf:
|
||||||
|
software:
|
||||||
|
apache2:
|
||||||
|
a2enmod:
|
||||||
|
- headers
|
||||||
|
- rewrite
|
||||||
|
- ssl
|
||||||
|
horizon:
|
||||||
|
apache: |
|
||||||
|
<IfVersion < 2.4>
|
||||||
|
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
</IfVersion>
|
||||||
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||||
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
||||||
|
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
<VirtualHost *:80>
|
||||||
|
ServerName horizon-int.openstack.svc.cluster.local
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{HTTPS} off
|
||||||
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
|
||||||
|
</Virtualhost>
|
||||||
|
|
||||||
|
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
|
||||||
|
ServerName horizon-int.openstack.svc.cluster.local
|
||||||
|
WSGIScriptReloading On
|
||||||
|
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
|
||||||
|
WSGIProcessGroup horizon-http
|
||||||
|
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
|
||||||
|
RewriteEngine On
|
||||||
|
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
|
||||||
|
RewriteRule .* - [F]
|
||||||
|
|
||||||
|
<Location "/">
|
||||||
|
Require all granted
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
Alias /static /var/www/html/horizon
|
||||||
|
<Location "/static">
|
||||||
|
SetHandler static
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
TransferLog /dev/stdout
|
||||||
|
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt
|
||||||
|
SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</VirtualHost>
|
||||||
|
local_settings:
|
||||||
|
config:
|
||||||
|
use_ssl: "True"
|
||||||
|
csrf_cookie_secure: "True"
|
||||||
|
enforce_password_check: "True"
|
||||||
|
session_cookie_secure: "True"
|
||||||
|
session_cookie_httponly: "True"
|
||||||
|
endpoints:
|
||||||
|
identity:
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 443
|
||||||
|
dashboard:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: horizon-tls-web
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
public: https
|
||||||
|
port:
|
||||||
|
web:
|
||||||
|
default: 443
|
||||||
|
public: 443
|
||||||
|
ingress:
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 443
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
|
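Review bot: Both `ServerName` directives in `conf.horizon.apache` hard-code `horizon-int.openstack.svc.cluster.local`, so this override only matches when the chart is released into the `openstack` namespace with the default cluster domain; the heat override in the same change builds the name with `printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix`, and the same form should be used here. `ErrorLog /dev/stdout` appears twice inside the TLS VirtualHost (once after the `IfVersion` block and again just before `SSLEngine on`); the second occurrence is redundant. The port-80 redirect host is closed with `</Virtualhost>`, which Apache accepts but which should read `</VirtualHost>` like the other closing tag.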
@ -51,6 +51,10 @@ function start () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
fi
|
||||||
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
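--- /dev/null
+++ b/keystone/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}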
@ -14,7 +14,7 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- define "apiProbeTemplate" }}
|
{{- define "apiProbeTemplate" }}
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTP
|
scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
||||||
path: /v3/
|
path: /v3/
|
||||||
port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -147,6 +147,7 @@ spec:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
- name: keystone-credential-keys
|
- name: keystone-credential-keys
|
||||||
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -180,5 +181,6 @@ spec:
|
|||||||
- name: keystone-credential-keys
|
- name: keystone-credential-keys
|
||||||
secret:
|
secret:
|
||||||
secretName: keystone-credential-keys
|
secretName: keystone-credential-keys
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName -}}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
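Review bot: `$secretName` is taken from the internal API secret but is only used as a truthiness guard, and with the chart default `internal: keystone-tls-api` (values.yaml hunk in this change) it is always set, so `and .Values.manifests.certificates $secretName` reduces to the certificates flag. If the intent is to gate the cert-manager issuer on the ingress's own secret, the public name `.Values.secrets.tls.identity.api.public` is the relevant value; otherwise the variable can be dropped and the condition written as `{{- if .Values.manifests.certificates -}}`. The same pattern appears in the neutron ingress-server hunk (`$secretName := $envAll.Values.secrets.tls.network.server.internal`), which additionally writes `{{- if ... }}` without the trailing trim used here, so the two should be aligned together.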
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -50,8 +50,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-user.sh
|
mountPath: /tmp/ks-user.sh
|
||||||
subPath: ks-user.sh
|
subPath: ks-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
@ -66,7 +67,7 @@ spec:
|
|||||||
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||||
@ -89,6 +90,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
mountPath: /var/lib/rally
|
mountPath: /var/lib/rally
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -103,5 +105,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1070,6 +1070,7 @@ secrets:
|
|||||||
identity:
|
identity:
|
||||||
api:
|
api:
|
||||||
public: keystone-tls-public
|
public: keystone-tls-public
|
||||||
|
internal: keystone-tls-api
|
||||||
|
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
@ -1235,6 +1236,7 @@ endpoints:
|
|||||||
default: 80
|
default: 80
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
cron_credential_rotate: true
|
cron_credential_rotate: true
|
||||||
|
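--- /dev/null
+++ b/keystone/values_overrides/tls.yaml
@@ -0,0 +1,80 @@
+---
+network:
+api:
+ingress:
+annotations:
+nginx.ingress.kubernetes.io/rewrite-target: null
+nginx.ingress.kubernetes.io/backend-protocol: "https"
+pod:
+security_context:
+keystone:
+pod:
+runAsUser: 0
+container:
+keystone_api:
+readOnlyRootFilesystem: false
+allowPrivilegeEscalation: false
+conf:
+software:
+apache2:
+a2enmod:
+- ssl
+wsgi_keystone: |
+{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+
+Listen 0.0.0.0:{{ $portInt }}
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+CustomLog /dev/stdout combined env=!forwarded
+CustomLog /dev/stdout proxy env=forwarded
+
+<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
+WSGIProcessGroup keystone-public
+WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+WSGIApplicationGroup %{GLOBAL}
+WSGIPassAuthorization On
+<IfVersion >= 2.4>
+ErrorLogFormat "%{cu}t %M"
+</IfVersion>
+ErrorLog /dev/stdout
+
+SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+CustomLog /dev/stdout combined env=!forwarded
+CustomLog /dev/stdout proxy env=forwarded
+
+SSLEngine on
+SSLCertificateFile /etc/keystone/certs/tls.crt
+SSLCertificateKeyFile /etc/keystone/certs/tls.key
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder on
+</VirtualHost>
+endpoints:
+identity:
+auth:
+admin:
+cacert: /etc/ssl/certs/openstack-helm.crt
+test:
+cacert: /etc/ssl/certs/openstack-helm.crt
+host_fqdn_override:
+default:
+tls:
+secretName: keystone-tls-api
+issuerRef:
+name: ca-issuer
+kind: Issuer
+scheme:
+default: https
+public: https
+port:
+api:
+default: 443
+manifests:
+certificates: true
+...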
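Review bot: The override raises the keystone pod to `runAsUser: 0` and turns off `readOnlyRootFilesystem` for `keystone_api` without a comment saying why, so a later reader cannot tell whether this is a requirement of the Apache front end or a leftover; the neutron-server start script in this change (copying the WSGI script into `/var/www/cgi-bin` and creating `${APACHE_RUN_DIR}`) suggests the former, but that should be stated inline, e.g. `# Apache front end needs root and a writable rootfs to populate /var/www/cgi-bin and ${APACHE_RUN_DIR}; keep this scoped to keystone_api`. In `wsgi_keystone`, `$vh` is assigned from `hostname_short_endpoint_lookup` but never used (ServerName is built with `printf`), and `$portInt` is computed once yet the `<VirtualHost>` line repeats the full `endpoint_port_lookup` pipeline instead of `*:{{ $portInt }}`. The `SetEnvIf`/`CustomLog` trio is also duplicated at server and vhost scope, which is harmless but worth trimming while the block is new.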
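--- /dev/null
+++ b/neutron/templates/bin/_neutron-rpc-server.sh.tpl
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+COMMAND="${@:-start}"
+
+function start () {
+exec neutron-rpc-server \
+--config-file /etc/neutron/neutron.conf \
+--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
+}
+
+function stop () {
+kill -TERM 1
+}
+
+$COMMAND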
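Review bot: `start` passes only `neutron.conf` and `ml2_conf.ini` to `neutron-rpc-server`, whereas the `neutron-server` branch in this change conditionally appends `--config-file /etc/neutron/l2gw_plugin.ini` (and the Apache branch adds `taas_plugin.ini`/`sriov_agent.ini` to `OS_NEUTRON_CONFIG_FILES`), so RPC workers for those service plugins would presumably start without their plugin configuration. If that is intentional it deserves a comment; otherwise mirror the same conditional arguments here, e.g. `{{- if .Values.conf.plugins.l2gateway }} \` / `--config-file /etc/neutron/l2gw_plugin.ini` / `{{- end }}`, which also keeps the two entrypoints from drifting. The script is only rendered under `manifests.certificates` (configmap-bin hunk), so a TLS deployment is currently its only consumer.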
@ -18,6 +18,55 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
add_config=""
|
||||||
|
{{- if .Values.conf.plugins.taas.taas.enabled }}
|
||||||
|
add_config+='taas_plugin.ini;'
|
||||||
|
{{- end }}
|
||||||
|
{{- if ( has "sriov" .Values.network.backend ) }}
|
||||||
|
add_config+='sriov_agent.ini;'
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.conf.plugins.l2gateway }}
|
||||||
|
add_config+='l2gw_plugin.ini;'
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
export OS_NEUTRON_CONFIG_FILES=${add_config}
|
||||||
|
|
||||||
|
for WSGI_SCRIPT in neutron-api; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/neutron/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2ensite }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2ensite }}
|
||||||
|
a2ensite {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec neutron-server \
|
exec neutron-server \
|
||||||
--config-file /etc/neutron/neutron.conf \
|
--config-file /etc/neutron/neutron.conf \
|
||||||
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
|
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
|
||||||
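Review bot: `OS_NEUTRON_CONFIG_FILES` is exported as a `;`-joined list with a trailing separator, and is exported empty when none of taas/sriov/l2gateway is enabled; nothing in the hunk says how the consumer (presumably the neutron-api WSGI entry point, not visible in this change) splits it, so a comment such as `# ';'-separated ini files under /etc/neutron, read by the neutron-api WSGI script` next to the `export` would save the next reader a trip. `cp -a $(type -p ${WSGI_SCRIPT})` relies on `set -e` to stop the script when `type -p` prints nothing, which leaves an opaque `cp` usage error; an explicit `[ -n "$(type -p ${WSGI_SCRIPT})" ] || { echo "missing ${WSGI_SCRIPT}"; exit 1; }` would make the failure readable. The Apache bootstrap sequence (WSGI copy, `envvars`, `a2enmod`/`a2ensite`/`a2dismod`, stale-pid cleanup) appears to be repeated per chart in this change; a shared helm-toolkit snippet would keep them from drifting. The `start` function continues into the next hunk.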
@ -34,10 +83,18 @@ function start () {
|
|||||||
{{- if .Values.conf.plugins.l2gateway }} \
|
{{- if .Values.conf.plugins.l2gateway }} \
|
||||||
--config-file /etc/neutron/l2gw_plugin.ini
|
--config-file /etc/neutron/l2gw_plugin.ini
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
fi
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
|
||||||
|
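--- /dev/null
+++ b/neutron/templates/certificates.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}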
@ -81,6 +81,10 @@ data:
|
|||||||
{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
neutron-bagpipe-bgp-init.sh: |
|
neutron-bagpipe-bgp-init.sh: |
|
||||||
{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
neutron-rpc-server.sh: |
|
||||||
|
{{ tuple "bin/_neutron-rpc-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
neutron-server.sh: |
|
neutron-server.sh: |
|
||||||
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
neutron-ironic-agent.sh: |
|
neutron-ironic-agent.sh: |
|
||||||
|
@ -272,6 +272,10 @@ data:
|
|||||||
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
|
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
|
||||||
auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
|
auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
|
||||||
dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
|
dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_neutron_server "key" "wsgi-server.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- end }}
|
||||||
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
|
||||||
{{- $filePrefix := replace "_" "-" $key }}
|
{{- $filePrefix := replace "_" "-" $key }}
|
||||||
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
|
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
|
||||||
|
@ -189,6 +189,7 @@ spec:
|
|||||||
mountPath: /run/netns
|
mountPath: /run/netns
|
||||||
mountPropagation: Bidirectional
|
mountPropagation: Bidirectional
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -211,6 +212,7 @@ spec:
|
|||||||
hostPath:
|
hostPath:
|
||||||
path: /run/netns
|
path: /run/netns
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
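Review bot: The metadata-agent pod now mounts `.Values.secrets.tls.compute_metadata.metadata.internal` (`metadata-tls-metadata` in the values hunk), a secret this chart does not create and which by its name belongs to the nova metadata service; that cross-chart dependency should be written down, e.g. `# expects the nova metadata TLS secret to already exist in this namespace`, because a TLS deployment of neutron alone will otherwise sit unschedulable on a missing-secret event. If `helm-toolkit.snippets.tls_volume` projects the whole kubernetes.io/tls secret (not visible here), the agent also receives the metadata server's private key although it only needs the CA to verify the server; projecting just the CA item, if the snippet allows it, is the least-privilege form. The matching volume is added in the second hunk of this file (`@ -211,6 +212,7 @@`).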
@ -177,10 +177,64 @@ spec:
|
|||||||
mountPath: /etc/neutron/policy.json
|
mountPath: /etc/neutron/policy.json
|
||||||
subPath: policy.json
|
subPath: policy.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-neutron
|
||||||
|
mountPath: /var/www/cgi-bin/neutron
|
||||||
|
- name: neutron-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.site_dir }}/wsgi-server.conf
|
||||||
|
subPath: wsgi-server.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: neutron-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{ end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: neutron-rpc-server
|
||||||
|
{{ tuple $envAll "neutron_rpc_server" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.rpc_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_rpc_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
||||||
|
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
||||||
|
command:
|
||||||
|
- /tmp/neutron-rpc-server.sh
|
||||||
|
- start
|
||||||
|
lifecycle:
|
||||||
|
preStop:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /tmp/neutron-rpc-server.sh
|
||||||
|
- stop
|
||||||
|
volumeMounts:
|
||||||
|
- name: neutron-bin
|
||||||
|
mountPath: /tmp/neutron-rpc-server.sh
|
||||||
|
subPath: neutron-rpc-server.sh
|
||||||
|
readOnly: true
|
||||||
|
- name: neutron-etc
|
||||||
|
mountPath: /etc/neutron/neutron.conf
|
||||||
|
subPath: neutron.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
|
||||||
|
- name: neutron-etc
|
||||||
|
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
|
||||||
|
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
- name: neutron-etc
|
||||||
|
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
|
||||||
|
subPath: ml2_conf.ini
|
||||||
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-neutron
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
- name: pod-var-neutron
|
- name: pod-var-neutron
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: neutron-bin
|
- name: neutron-bin
|
||||||
@ -195,5 +249,6 @@ spec:
|
|||||||
- name: neutron-plugin-shared
|
- name: neutron-plugin-shared
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
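Review bot: The new `neutron-rpc-server` container is wired to `serverReadinessProbeTemplate`/`serverLivenessProbeTemplate` with `"container" "server"`; if those templates probe the API listener (not visible here), they cannot succeed on a process that only serves RPC, and the container key should be `neutron_rpc_server` so per-container probe overrides apply to it rather than to the API container's settings. The container also gets the server TLS secret mounted at `/etc/neutron/certs` although nothing in its command or config list uses it; dropping that mount, or documenting which client path needs it, keeps the private key out of a process that does not terminate TLS. Style: the `{{ end }}` closing the Apache mount block emits an extra blank line where the rest of the file uses `{{- end }}`.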
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
|
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName }}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end }}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -51,8 +51,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-user.sh
|
mountPath: /tmp/ks-user.sh
|
||||||
subPath: ks-user.sh
|
subPath: ks-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
@ -66,7 +67,7 @@ spec:
|
|||||||
- name: {{ .Release.Name }}-reset
|
- name: {{ .Release.Name }}-reset
|
||||||
{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||||
@ -95,13 +96,14 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
mountPath: /tmp/pod-tmp
|
mountPath: /tmp/pod-tmp
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
containers:
|
containers:
|
||||||
- name: neutron-test
|
- name: neutron-test
|
||||||
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
||||||
@ -124,6 +126,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
mountPath: /var/lib/rally
|
mountPath: /var/lib/rally
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -138,5 +141,6 @@ spec:
|
|||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
- name: rally-db
|
- name: rally-db
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -31,6 +31,7 @@ images:
|
|||||||
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
||||||
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
||||||
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
||||||
|
neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
||||||
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
||||||
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
||||||
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
|
||||||
@ -473,6 +474,7 @@ pod:
|
|||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- SYS_MODULE
|
- SYS_MODULE
|
||||||
|
- SYS_CHROOT
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
neutron_lb_agent_init:
|
neutron_lb_agent_init:
|
||||||
@ -497,6 +499,7 @@ pod:
|
|||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- SYS_MODULE
|
- SYS_MODULE
|
||||||
|
- SYS_CHROOT
|
||||||
runAsUser: 0
|
runAsUser: 0
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
neutron_ovs_agent_init:
|
neutron_ovs_agent_init:
|
||||||
@ -2179,9 +2182,13 @@ secrets:
|
|||||||
admin: neutron-rabbitmq-admin
|
admin: neutron-rabbitmq-admin
|
||||||
neutron: neutron-rabbitmq-user
|
neutron: neutron-rabbitmq-user
|
||||||
tls:
|
tls:
|
||||||
|
compute_metadata:
|
||||||
|
metadata:
|
||||||
|
internal: metadata-tls-metadata
|
||||||
network:
|
network:
|
||||||
server:
|
server:
|
||||||
public: neutron-tls-public
|
public: neutron-tls-public
|
||||||
|
internal: neutron-tls-server
|
||||||
|
|
||||||
# typically overridden by environmental
|
# typically overridden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
@ -2468,6 +2475,7 @@ network_policy:
|
|||||||
- {}
|
- {}
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
daemonset_dhcp_agent: true
|
daemonset_dhcp_agent: true
|
||||||
|
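Review bot: `SYS_CHROOT` is added to the `add:` capability lists of both `neutron_lb_agent_init` and `neutron_ovs_agent_init` (the `@ -473` and `@ -497` hunks) with no comment on why a TLS change needs it, and both containers already run with `runAsUser: 0`. A capability widening that is unrelated to the commit's purpose should carry its reason beside the line so it is not copied into other init containers by habit, e.g. `- SYS_CHROOT  # TODO(review): record which init step needs chroot(2)`. Separately, `secrets.tls.compute_metadata.metadata.internal: metadata-tls-metadata` has to agree with the value the nova chart uses for the same key, since the nova templates in this change read `.Values.secrets.tls.compute_metadata.metadata.internal` from their own values; a comment marking it as a cross-chart secret name would make that coupling visible.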
@ -16,5 +16,6 @@ images:
|
|||||||
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
||||||
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
||||||
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
||||||
|
neutron_rpc_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
||||||
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
|
||||||
...
|
...
|
||||||
|
145
neutron/values_overrides/tls.yaml
Normal file
@ -0,0 +1,145 @@
|
|||||||
|
---
|
||||||
|
network:
|
||||||
|
server:
|
||||||
|
ingress:
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||||
|
pod:
|
||||||
|
security_context:
|
||||||
|
neutron_server:
|
||||||
|
pod:
|
||||||
|
runAsUser: 0
|
||||||
|
container:
|
||||||
|
neutron_server:
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
neutron_rpc_server:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
resources:
|
||||||
|
rpc_server:
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
conf:
|
||||||
|
software:
|
||||||
|
apache2:
|
||||||
|
binary: apache2
|
||||||
|
start_parameters: -DFOREGROUND
|
||||||
|
conf_dir: /etc/apache2/conf-enabled
|
||||||
|
site_dir: /etc/apache2/sites-available
|
||||||
|
mods_dir: /etc/apache2/mods-available
|
||||||
|
a2enmod:
|
||||||
|
- ssl
|
||||||
|
a2dismod: null
|
||||||
|
a2ensite:
|
||||||
|
- wsgi-server
|
||||||
|
mpm_event: |
|
||||||
|
<IfModule mpm_event_module>
|
||||||
|
ServerLimit 1024
|
||||||
|
StartServers 32
|
||||||
|
MinSpareThreads 32
|
||||||
|
MaxSpareThreads 256
|
||||||
|
ThreadsPerChild 25
|
||||||
|
MaxRequestsPerChild 128
|
||||||
|
ThreadLimit 720
|
||||||
|
</IfModule>
|
||||||
|
wsgi_neutron_server: |
|
||||||
|
<Directory /usr/local/bin>
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
{{- $portInt := tuple "network" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
|
Listen {{ $portInt }}
|
||||||
|
<VirtualHost *:{{ $portInt }}>
|
||||||
|
ServerName {{ printf "%s.%s.svc.%s" "neutron-server" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
|
||||||
|
WSGIDaemonProcess neutron-server processes=1 threads=1 user=neutron display-name=%{GROUP}
|
||||||
|
WSGIProcessGroup neutron-server
|
||||||
|
WSGIScriptAlias / /var/www/cgi-bin/neutron/neutron-api
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
AllowEncodedSlashes On
|
||||||
|
<IfVersion >= 2.4>
|
||||||
|
ErrorLogFormat "%{cu}t %M"
|
||||||
|
</IfVersion>
|
||||||
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||||
|
ErrorLog /dev/stdout
|
||||||
|
CustomLog /dev/stdout combined env=!forwarded
|
||||||
|
CustomLog /dev/stdout proxy env=forwarded
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile /etc/neutron/certs/tls.crt
|
||||||
|
SSLCertificateKeyFile /etc/neutron/certs/tls.key
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
SSLHonorCipherOrder on
|
||||||
|
</VirtualHost>
|
||||||
|
Alias /networking /var/www/cgi-bin/neutron/neutron-api
|
||||||
|
<Location /networking>
|
||||||
|
SetHandler wsgi-script
|
||||||
|
Options +ExecCGI
|
||||||
|
WSGIProcessGroup neutron-server
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
WSGISocketPrefix /var/run/apache2
|
||||||
|
neutron:
|
||||||
|
nova:
|
||||||
|
cafile: /etc/neutron/certs/ca.crt
|
||||||
|
keystone_authtoken:
|
||||||
|
cafile: /etc/neutron/certs/ca.crt
|
||||||
|
metadata_agent:
|
||||||
|
DEFAULT:
|
||||||
|
auth_ca_cert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
nova_metadata_port: 443
|
||||||
|
nova_metadata_protocol: https
|
||||||
|
endpoints:
|
||||||
|
compute:
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
compute_metadata:
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
metadata:
|
||||||
|
public: 443
|
||||||
|
identity:
|
||||||
|
auth:
|
||||||
|
admin:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
neutron:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
nova:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
test:
|
||||||
|
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
default: 443
|
||||||
|
network:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: neutron-tls-server
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
scheme:
|
||||||
|
default: https
|
||||||
|
port:
|
||||||
|
api:
|
||||||
|
public: 443
|
||||||
|
ingress:
|
||||||
|
port:
|
||||||
|
ingress:
|
||||||
|
default: 443
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
|
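Review bot: This override drops `readOnlyRootFilesystem` to `false` for both `neutron_server` and `neutron_rpc_server` and runs the `neutron_server` pod as `runAsUser: 0`, so enabling TLS silently costs two hardening controls. The nova deployments in this same change keep the root filesystem read-only and instead mount an `emptyDir` named `wsgi-nova` at `/var/www/cgi-bin/nova` for the copied WSGI script; the neutron server templates could do the same for `/var/www/cgi-bin/neutron` and the Apache run directory and leave `readOnlyRootFilesystem: true`. If some other step genuinely needs root, the reason should be recorded in a comment above `runAsUser: 0`. Separately, `metadata_agent.DEFAULT.auth_ca_cert` points at `/etc/ssl/certs/openstack-helm.crt` while the other neutron sections use `/etc/neutron/certs/ca.crt`; if both files are meant to carry the same CA, a comment saying so would stop one being rotated without the other.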
@ -15,5 +15,6 @@ images:
|
|||||||
neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
||||||
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
||||||
neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
||||||
|
neutron_rpc_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
||||||
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
|
||||||
...
|
...
|
||||||
|
@ -18,13 +18,51 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
for WSGI_SCRIPT in nova-metadata-wsgi; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec nova-api-metadata \
|
exec nova-api-metadata \
|
||||||
--config-file /etc/nova/nova.conf \
|
--config-file /etc/nova/nova.conf \
|
||||||
--config-file /tmp/pod-shared/nova-api-metadata.ini
|
--config-file /tmp/pod-shared/nova-api-metadata.ini
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
fi
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
|
||||||
|
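Review bot: The Apache bootstrap inside `start ()` (copying the WSGI script into `/var/www/cgi-bin/nova/`, sourcing `/etc/apache2/envvars`, the `a2enmod`/`a2dismod` loops and the stale-pid removal) is duplicated verbatim in the next hunk (the script that execs `nova-api-os-compute`) and matches the cinder script earlier in this change, so any later fix has to be made in three places; a shared helm-toolkit snippet included from each script would keep them from drifting. The `cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/` line relies on `cp` failing under `set -e` when `type -p` finds nothing, which surfaces as a `cp` usage error rather than naming the missing binary; `WSGI_PATH=$(type -p "${WSGI_SCRIPT}") || { echo "${WSGI_SCRIPT} not found" >&2; exit 1; }` followed by `cp -a "${WSGI_PATH}" /var/www/cgi-bin/nova/` makes the failure explicit. The rest of the script (the `set -ex` header) lies outside the hunk.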
@ -18,12 +18,51 @@ set -ex
|
|||||||
COMMAND="${@:-start}"
|
COMMAND="${@:-start}"
|
||||||
|
|
||||||
function start () {
|
function start () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
for WSGI_SCRIPT in nova-api-wsgi; do
|
||||||
|
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
# Loading Apache2 ENV variables
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
mkdir -p ${APACHE_RUN_DIR}
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2enmod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2enmod }}
|
||||||
|
a2enmod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- if .Values.conf.software.apache2.a2dismod }}
|
||||||
|
{{- range .Values.conf.software.apache2.a2dismod }}
|
||||||
|
a2dismod {{ . }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
|
if [ -f /var/run/apache2/apache2.pid ]; then
|
||||||
|
# Remove the stale pid for debian/ubuntu images
|
||||||
|
rm -f /var/run/apache2/apache2.pid
|
||||||
|
fi
|
||||||
|
# Starts Apache2
|
||||||
|
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
||||||
|
{{- else }}
|
||||||
exec nova-api-os-compute \
|
exec nova-api-os-compute \
|
||||||
--config-file /etc/nova/nova.conf
|
--config-file /etc/nova/nova.conf
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
fi
|
||||||
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
|
{{- else }}
|
||||||
kill -TERM 1
|
kill -TERM 1
|
||||||
|
{{- end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
$COMMAND
|
$COMMAND
|
||||||
|
@ -46,6 +46,9 @@ function start () {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function stop () {
|
function stop () {
|
||||||
|
if [ -f /etc/apache2/envvars ]; then
|
||||||
|
source /etc/apache2/envvars
|
||||||
|
fi
|
||||||
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
27
nova/templates/certificates.yaml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
{{/*
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- if .Values.manifests.deployment_novncproxy }}
|
||||||
|
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.manifests.deployment_placement }}
|
||||||
|
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end }}
|
||||||
|
{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- if .Values.manifests.deployment_spiceproxy }}
|
||||||
|
{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
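Review bot: The `compute_metadata` certificate is rendered unconditionally, while the novncproxy, placement and spiceproxy ones are each gated on their deployment manifest flag; with the metadata API deployment disabled the chart would still create a Certificate object for it. Gating it on the same manifest flag that controls the metadata API deployment would keep this consistent with the other three. The placement entry also deserves a short comment, since placement presumably runs from the nova chart only for the older release profile and from its own chart otherwise, e.g. `{{/* placement certificate only when placement is still deployed from this chart */}}` — worth confirming against the deployment_placement default.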
@ -265,6 +265,11 @@ data:
|
|||||||
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
|
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
|
||||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
|
||||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
|
||||||
|
{{- end }}
|
||||||
{{- if .Values.conf.security }}
|
{{- if .Values.conf.security }}
|
||||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
|
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -53,7 +53,7 @@ spec:
|
|||||||
{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
|
{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
|
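Review bot: The new `"useCA" .Values.manifests.certificates` argument reads `.Values`, while the neighbouring `ksUserSecret` argument on the same line and the lines around it use `$envAll.Values`; if the dot at this point is anything other than the chart root (the `$envAll` alias suggests the template is inside a narrower scope), the lookup renders empty and the CA flag is silently dropped. Using the alias removes the doubt, and the closing `}}` wants a space before it to match the rest of the file: `{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" $envAll.Values.manifests.certificates }}`. The surrounding container definition starts before this hunk.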
@ -240,6 +240,10 @@ spec:
|
|||||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||||
- name: RPC_PROBE_RETRIES
|
- name: RPC_PROBE_RETRIES
|
||||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/nova/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
@ -377,6 +381,7 @@ spec:
|
|||||||
subPath: tf-plugin.pth
|
subPath: tf-plugin.pth
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||||
{{- if .Values.network.sshd.enabled }}
|
{{- if .Values.network.sshd.enabled }}
|
||||||
- name: nova-compute-ssh
|
- name: nova-compute-ssh
|
||||||
@ -390,6 +395,10 @@ spec:
|
|||||||
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
|
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
|
||||||
- name: SSH_PORT
|
- name: SSH_PORT
|
||||||
value: {{ .Values.network.ssh.port | quote }}
|
value: {{ .Values.network.ssh.port | quote }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/nova/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
ports:
|
ports:
|
||||||
- containerPort: {{ .Values.network.ssh.port }}
|
- containerPort: {{ .Values.network.ssh.port }}
|
||||||
command:
|
command:
|
||||||
@ -412,6 +421,7 @@ spec:
|
|||||||
mountPath: /tmp/ssh-start.sh
|
mountPath: /tmp/ssh-start.sh
|
||||||
subPath: ssh-start.sh
|
subPath: ssh-start.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -481,6 +491,7 @@ spec:
|
|||||||
- name: tf-plugin-bin
|
- name: tf-plugin-bin
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
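Review bot: The `nova-compute` and `nova-compute-ssh` containers mount the whole `compute.osapi.internal` TLS secret at `/etc/nova/certs` (the `@ -377` and `@ -412` hunks) although they only consume `ca.crt` via `REQUESTS_CA_BUNDLE`; that projects the osapi server's private key onto every compute node. The conductor hunk in this same change shows the intended pattern, passing `"certs" (tuple "ca.crt")` to `helm-toolkit.snippets.tls_volume_mount` so only the CA file is mounted, and the scheduler hunk (`@ -115,6 +119,7`) has the same omission. Add `"certs" (tuple "ca.crt")` to the two compute mounts and the scheduler mount. The daemonset's container definitions begin before the first hunk here, so the probe and env blocks were only reviewed as far as they are visible.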
@ -166,10 +166,27 @@ spec:
|
|||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
mountPath: /tmp/pod-shared
|
mountPath: /tmp/pod-shared
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-nova
|
||||||
|
mountPath: /var/www/cgi-bin/nova
|
||||||
|
- name: nova-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
|
||||||
|
subPath: wsgi-metadata.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: nova-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-nova
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
- name: nova-bin
|
- name: nova-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: nova-bin
|
name: nova-bin
|
||||||
@ -180,5 +197,6 @@ spec:
|
|||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -114,10 +114,27 @@ spec:
|
|||||||
mountPath: /etc/nova/api_audit_map.conf
|
mountPath: /etc/nova/api_audit_map.conf
|
||||||
subPath: api_audit_map.conf
|
subPath: api_audit_map.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-nova
|
||||||
|
mountPath: /var/www/cgi-bin/nova
|
||||||
|
- name: nova-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
|
||||||
|
subPath: wsgi-api.conf
|
||||||
|
readOnly: true
|
||||||
|
- name: nova-etc
|
||||||
|
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
||||||
|
subPath: mpm_event.conf
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: wsgi-nova
|
||||||
|
emptyDir: {}
|
||||||
|
{{- end }}
|
||||||
- name: pod-var-nova
|
- name: pod-var-nova
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: nova-bin
|
- name: nova-bin
|
||||||
@ -128,5 +145,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: nova-etc
|
secretName: nova-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -88,6 +88,10 @@ spec:
|
|||||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||||
- name: RPC_PROBE_RETRIES
|
- name: RPC_PROBE_RETRIES
|
||||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/nova/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/nova-conductor.sh
|
- /tmp/nova-conductor.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -115,6 +119,7 @@ spec:
|
|||||||
mountPath: /etc/nova/policy.yaml
|
mountPath: /etc/nova/policy.yaml
|
||||||
subPath: policy.yaml
|
subPath: policy.yaml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -127,5 +132,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: nova-etc
|
secretName: nova-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -139,6 +139,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
mountPath: /tmp/pod-shared
|
mountPath: /tmp/pod-shared
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -155,5 +156,6 @@ spec:
|
|||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -120,6 +120,7 @@ spec:
|
|||||||
subPath: security.conf
|
subPath: security.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -134,5 +135,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: nova-etc
|
secretName: nova-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -88,6 +88,10 @@ spec:
|
|||||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||||
- name: RPC_PROBE_RETRIES
|
- name: RPC_PROBE_RETRIES
|
||||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/nova/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/nova-scheduler.sh
|
- /tmp/nova-scheduler.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -115,6 +119,7 @@ spec:
|
|||||||
mountPath: /etc/nova/policy.yaml
|
mountPath: /etc/nova/policy.yaml
|
||||||
subPath: policy.yaml
|
subPath: policy.yaml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -127,5 +132,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: nova-etc
|
secretName: nova-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -138,6 +138,7 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
mountPath: /tmp/pod-shared
|
mountPath: /tmp/pod-shared
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -154,5 +155,6 @@ spec:
|
|||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: pod-shared
|
- name: pod-shared
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
|
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
|
{{- $envAll := . -}}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName }}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
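Review bot: The certIssuer guard closes with `{{- end -}}`, which also trims the newline before the `{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}` line, whereas the matching guards added to the novncproxy, osapi and placement ingress templates use `{{- end }}`; the novncproxy hunk likewise writes `{{- $envAll := . }}` where the other three write `{{- $envAll := . -}}`. Pick one form for all four templates so the rendered documents are identical. Separately, when `manifests.certificates` is true the template dereferences `host_fqdn_override.default.tls.issuerRef.name` unconditionally, so a values file that enables certificates but omits that override fails the render with a nil-pointer error instead of a readable message; wrapping the lookup in `required "tls.issuerRef.name must be set when manifests.certificates is enabled" ...` would make the failure self-explanatory. `$secretName` is used only as a guard and is never placed into `$ingressOpts`; presumably `helm-toolkit.manifests.ingress` derives the TLS secret from the endpoints block, but confirm it does not expect the name to be passed here.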
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
|
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
|
{{- $envAll := . }}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName }}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end }}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
|
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
|
{{- $envAll := . -}}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName }}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end }}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -13,6 +13,11 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
|
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
|
{{- $envAll := . -}}
|
||||||
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
|
||||||
|
{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
|
||||||
|
{{- if and .Values.manifests.certificates $secretName }}
|
||||||
|
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
|
||||||
|
{{- end }}
|
||||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -63,7 +63,7 @@ spec:
|
|||||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
|
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: WAIT_PERCENTAGE
|
- name: WAIT_PERCENTAGE
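Review bot: `"useCA" .Values.manifests.certificates` reads the root context through `.` while every other Values lookup on these lines goes through `$envAll` (`$envAll.Values.secrets.identity`, `$envAll.Values.images.pull_policy`); `"useCA" $envAll.Values.manifests.certificates` keeps the same value and stays correct if this block is ever moved inside a `range` or `with` that rebinds `.`. The same mix appears in the nova-cell-setup env hunk and on the `tls_volume_mount`/`tls_volume` lines of both job templates, which use `.Values.manifests.certificates` and `.Values.secrets.tls.compute.osapi.internal` next to `$envAll`-based lookups. The enclosing container spec starts before this hunk.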
|
||||||
@ -91,6 +91,7 @@ spec:
|
|||||||
mountPath: {{ $logConfigFile | quote }}
|
mountPath: {{ $logConfigFile | quote }}
|
||||||
subPath: {{ base $logConfigFile | quote }}
|
subPath: {{ base $logConfigFile | quote }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
emptyDir: {}
|
emptyDir: {}
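Review bot: The `tls_volume_mount` call added above `volumes:` passes no `"path"`, whereas the nova-scheduler mount in this change passes `"path" "/etc/nova/certs"`; unless the snippet defaults to that same directory, the CA that the `useCA` openrc variables point at may land somewhere the client does not look. Either pass the path explicitly or confirm the snippet's default and record it in a comment beside the line, e.g. `# tls_volume_mount defaults to the snippet's standard cert path; openrc useCA expects the CA there`. The bootstrap job is a Keystone client and needs only `ca.crt`, so mounting the whole osapi server secret also exposes `tls.key` to this job; if the snippet supports restricting the projected keys, use that here.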
|
||||||
@ -104,6 +105,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: {{ $configMapEtc | quote }}
|
secretName: {{ $configMapEtc | quote }}
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
---
|
---
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
@ -42,7 +42,7 @@ spec:
|
|||||||
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
@ -54,6 +54,7 @@ spec:
|
|||||||
mountPath: /tmp/cell-setup-init.sh
|
mountPath: /tmp/cell-setup-init.sh
|
||||||
subPath: cell-setup-init.sh
|
subPath: cell-setup-init.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
containers:
|
containers:
|
||||||
- name: nova-cell-setup
|
- name: nova-cell-setup
|
||||||
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
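Review bot: On the `tls_volume_mount` line, `(tuple "ca.crt")` is passed to `dict` as a bare fifth argument rather than under a key; Sprig's `dict` with an odd argument count turns the trailing value into a key with an empty value, so the snippet never sees a key restriction and will mount the entire secret — including the server's `tls.key` — into the cell-setup init container, which only needs the CA. Give the tuple the key the snippet actually reads (check the helm-toolkit snippet; the other calls in this change use only `enabled`, `name` and `path`), e.g. `... "name" .Values.secrets.tls.compute.osapi.internal "<snippet-key-for-items>" (tuple "ca.crt") | include ...`, or drop the tuple if the snippet has no such option and document that the full secret is mounted. The enclosing init-container spec starts before this hunk.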
|
||||||
@ -96,4 +97,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: nova-bin
|
name: nova-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
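Review bot: `tlsSecret` is set whenever `manifests.certificates` is true without checking that `.Values.secrets.tls.compute.osapi.internal` is non-empty, while the ingress templates in this change guard with `and .Values.manifests.certificates $secretName`. An empty name here is only caught when the rendered job is applied (or not at all, depending on what `job_ks_endpoints` does with an empty `tlsSecret`), whereas `{{- if and .Values.manifests.certificates .Values.secrets.tls.compute.osapi.internal -}}` keeps the behaviour consistent with the ingress guard and skips the TLS wiring cleanly. The placement `job_ks_endpoints` and `job_ks_service` hunks have the same shape and would take the same change.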
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_placement_endpoints }}
|
{{- if .Values.manifests.job_ks_placement_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_placement_service }}
|
{{- if .Values.manifests.job_ks_placement_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
|
||||||
|
{{- end -}}
|
||||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|