From 9216563be219711b9c8d4d3685c7e43524aca8b8 Mon Sep 17 00:00:00 2001 From: "Terekhin, Alexey (at4945)" Date: Thu, 12 Jan 2023 14:05:55 -0800 Subject: [PATCH] Fix for creation endpoins and services when v1/v2 are disabled. Change-Id: I187e882c653c93ad4e1ef83a88ac4fcc3e60f763 --- cinder/Chart.yaml | 2 +- cinder/templates/configmap-etc.yaml | 2 +- .../cron-job-cinder-volume-usage-audit.yaml | 4 +- cinder/templates/deployment-api.yaml | 14 ++-- cinder/templates/deployment-scheduler.yaml | 4 +- cinder/templates/deployment-volume.yaml | 6 +- cinder/templates/ingress-api.yaml | 6 +- cinder/templates/job-bootstrap.yaml | 2 +- .../templates/job-create-internal-tenant.yaml | 4 +- cinder/templates/job-ks-endpoints.yaml | 11 ++- cinder/templates/job-ks-service.yaml | 11 ++- cinder/templates/job-ks-user.yaml | 2 +- cinder/templates/pod-rally-test.yaml | 6 +- cinder/templates/secret-ingress-tls.yaml | 2 +- cinder/templates/service-api.yaml | 4 +- cinder/templates/service-ingress-api.yaml | 2 +- cinder/values.yaml | 81 ++++++++++++++++--- cinder/values_overrides/tls.yaml | 30 ++++++- doc/source/specs/tenant-ceph.rst | 2 + releasenotes/notes/cinder.yaml | 1 + tools/deployment/common/setup-certificates.sh | 32 ++++++++ 21 files changed, 184 insertions(+), 44 deletions(-) diff --git a/cinder/Chart.yaml b/cinder/Chart.yaml index e20765961a..5a208ffd9d 100644 --- a/cinder/Chart.yaml +++ b/cinder/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Cinder name: cinder -version: 0.3.2 +version: 0.3.3 home: https://docs.openstack.org/cinder/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png sources: diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index fe73a881a6..e5a7ce7160 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
@@ -94,7 +94,7 @@ limitations under the License. {{- end -}} {{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}} -{{- $_ := tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}} +{{- $_ := tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}} {{- end -}} {{- if .Values.conf.cinder.service_user.send_service_user_token -}} diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml index 1d935f1255..897b5b63e4 100644 --- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml @@ -90,7 +90,7 @@ spec: mountPath: /tmp/volume-usage-audit.sh subPath: volume-usage-audit.sh readOnly: true -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }} 
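Review bot: `osapi_volume_listen_port` is now derived from the `volume` endpoint entry instead of `volumev3`, so a deployment that overrides only `endpoints.volumev3.port.api` will presumably keep publishing that port for v3 while cinder-api listens on the `volume` default. The same key switch recurs in the deployment-api port and probe lookups, service-api, ingress-api, service-ingress-api and secret-ingress-tls, where it also decides which host and TLS settings the ingress uses. The commit subject mentions only endpoint and service creation, so add a release-note line such as `- 0.3.3 API port, ingress and TLS lookups now read endpoints.volume; move volumev3 overrides accordingly`. Alternatively keep `volumev3` as the primary lookup, since it is the one type always registered. The enclosing template continues outside the hunk.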
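Review bot: The TLS secret name is now read from `.Values.secrets.tls.volume.api.internal`, and values.yaml in this patch renames the key rather than adding one, so an existing override of `secrets.tls.volumev3.api.internal` is silently ignored and the pod mounts the chart default (`cinder-tls-api`). Rendering still succeeds, which makes this easy to miss on upgrade. A guard near the top of the template would surface it: `{{- if hasKey .Values.secrets.tls "volumev3" }}{{ fail "secrets.tls.volumev3 was renamed to secrets.tls.volume" }}{{- end }}`. The same lookup is changed in every deployment, job and test-pod template in this patch.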
@@ -107,7 +107,7 @@ spec: configMap: name: cinder-bin defaultMode: 0555 -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }} diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index b3e6be102f..8ef57549a0 100644 --- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml 
@@ -93,17 +93,17 @@ spec: - stop ports: - name: c-api - containerPort: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + containerPort: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} readinessProbe: httpGet: - scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }} + scheme: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }} path: / - port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} livenessProbe: httpGet: - scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }} + scheme: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }} path: / - port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} initialDelaySeconds: 30 failureThreshold: 3 periodSeconds: 10 
@@ -165,7 +165,7 @@ spec: readOnly: true {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} volumes: @@ -188,7 +188,7 @@ spec: emptyDir: {} {{- end }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} {{- end }} 
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 59c35971e5..cf69dd1e08 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml @@ -107,7 +107,7 @@ spec: - name: cinder-coordination mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} {{- end }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }} 
@@ -128,7 +128,7 @@ spec: - name: cinder-coordination emptyDir: {} {{- end }} - {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 0fccd461e6..9207c258dc 100755 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml @@ -131,7 +131,7 @@ spec: readOnly: true - name: pod-shared mountPath: /tmp/pod-shared -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} 
@@ -281,7 +281,7 @@ spec: mountPropagation: HostToContainer {{- end }} {{- end }} -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} @@ -351,7 +351,7 @@ spec: path: /sys {{- end }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} {{- end }} 
diff --git a/cinder/templates/ingress-api.yaml b/cinder/templates/ingress-api.yaml index f5ab1ffd95..4586d3a118 100644 --- a/cinder/templates/ingress-api.yaml +++ b/cinder/templates/ingress-api.yaml @@ -14,10 +14,10 @@ limitations under the License. {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} {{- $envAll := . -}} -{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volumev3" "backendPort" "c-api" -}} -{{- $secretName := $envAll.Values.secrets.tls.volumev3.api.internal -}} +{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}} +{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}} {{- if and .Values.manifests.certificates $secretName -}} -{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volumev3.host_fqdn_override.default.tls.issuerRef.name -}} +{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}} {{- end -}} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index a7b590e224..271b94839c 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -20,7 +20,7 @@ helm.sh/hook-weight: "5" {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} {{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} -{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} +{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} {{- end -}} {{- if .Values.pod.tolerations.cinder.enabled -}} {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} 
diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml index 78de218893..1a0a475b35 100644 --- a/cinder/templates/job-create-internal-tenant.yaml +++ b/cinder/templates/job-create-internal-tenant.yaml @@ -68,7 +68,7 @@ spec: mountPath: /tmp/create-internal-tenant.sh subPath: create-internal-tenant.sh readOnly: true -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} env: {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} @@ -97,5 +97,5 @@ spec: configMap: name: {{ $configMapBin | quote }} defaultMode: 0555 -{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- end -}} diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml index 99d5360ef3..cee225b3cf 100644 --- a/cinder/templates/job-ks-endpoints.yaml +++ b/cinder/templates/job-ks-endpoints.yaml 
@@ -17,10 +17,17 @@ helm.sh/hook: post-install,post-upgrade helm.sh/hook-weight: "-2" {{- end }} +{{- $volTypes := list "volumev3" -}} +{{- if .Values.conf.cinder.DEFAULT.enable_v1_api }} +{{- $volTypes = append $volTypes "volume" }} +{{- end }} +{{- if .Values.conf.cinder.DEFAULT.enable_v2_api }} +{{- $volTypes = append $volTypes "volumev2" }} +{{- end }} {{- if .Values.manifests.job_ks_endpoints }} -{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}} +{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} -{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} +{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml index 159f66a577..ff83df3457 100644 --- a/cinder/templates/job-ks-service.yaml +++ b/cinder/templates/job-ks-service.yaml 
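Review bot: The two `if` guards that extend `$volTypes` test the raw value of `conf.cinder.DEFAULT.enable_v1_api` and `enable_v2_api`, and a Go template treats any non-empty string as true. An override written as `enable_v1_api: "false"` would therefore still register the legacy `volume` service and endpoints in Keystone. Comparing the normalised value avoids that, e.g. `{{- if eq (.Values.conf.cinder.DEFAULT.enable_v1_api | toString | lower) "true" }}`. The same block is repeated verbatim in job-ks-service.yaml, so a shared named template would keep the two lists from drifting apart.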
@@ -24,9 +24,16 @@ helm.sh/hook-weight: "-3" {{- $serviceTypes = append $serviceTypes $v }} {{- end }} {{- end }} -{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}} +{{- $volTypes := list "volumev3" -}} +{{- if .Values.conf.cinder.DEFAULT.enable_v1_api }} +{{- $volTypes = append $volTypes "volume" }} +{{- end }} +{{- if .Values.conf.cinder.DEFAULT.enable_v2_api }} +{{- $volTypes = append $volTypes "volumev2" }} +{{- end }} +{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} -{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} +{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index 78f48cfc8f..a53a88d857 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" {{- if .Values.manifests.job_ks_user }} {{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}} {{- if or .Values.manifests.certificates .Values.tls.identity -}} -{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}} +{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} {{- end -}} {{- if .Values.helm3_hook }} {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index 34316c6586..3ed52cde4a 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml 
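Review bot: The dict passed to the job now takes `$volTypes`, which leaves the `$serviceTypes` list built by the loop just above without a reader in the lines shown; its `append $serviceTypes $v` tail is visible as context. If nothing else in the template uses it, delete that loop in the same change, otherwise a reader will assume it still controls which service types get registered. The start of the loop is outside the hunk, so confirm what it iterates over before removing it.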
@@ -53,7 +53,7 @@ spec: mountPath: /tmp/ks-user.sh subPath: ks-user.sh readOnly: true -{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} +{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} env: {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} @@ -93,7 +93,7 @@ spec: readOnly: true - name: rally-db mountPath: /var/lib/rally -{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} +{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} volumes: - name: pod-tmp @@ -108,6 +108,6 @@ spec: defaultMode: 0555 - name: rally-db emptyDir: {} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} {{- end }} diff --git a/cinder/templates/secret-ingress-tls.yaml b/cinder/templates/secret-ingress-tls.yaml index f298d67bff..6a185b29c4 100644 --- a/cinder/templates/secret-ingress-tls.yaml +++ b/cinder/templates/secret-ingress-tls.yaml 
@@ -13,5 +13,5 @@ limitations under the License. */}} {{- if .Values.manifests.secret_ingress_tls }} -{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volumev3" ) }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }} {{- end }} diff --git a/cinder/templates/service-api.yaml b/cinder/templates/service-api.yaml index d0530633c0..c906aa04f1 100644 --- a/cinder/templates/service-api.yaml +++ b/cinder/templates/service-api.yaml @@ -18,11 +18,11 @@ limitations under the License. apiVersion: v1 kind: Service metadata: - name: {{ tuple "volumev3" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} + name: {{ tuple "volume" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} spec: ports: - name: c-api - port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + port: {{ tuple "volume" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{ if .Values.network.api.node_port.enabled }} nodePort: {{ .Values.network.api.node_port.port }} {{ end }} diff --git a/cinder/templates/service-ingress-api.yaml b/cinder/templates/service-ingress-api.yaml index ff0d27e516..951afb5942 100644 --- a/cinder/templates/service-ingress-api.yaml +++ b/cinder/templates/service-ingress-api.yaml @@ -13,6 +13,6 @@ limitations under the License. */}} {{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }} -{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volumev3" -}} +{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "volume" -}} {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} {{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index 7633d97739..15c11784e3 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
@@ -434,7 +434,19 @@ conf: composite:osapi_volume: use: call:cinder.api:root_app_factory /: apiversions + /v1: openstack_volume_api_v1 + /v2: openstack_volume_api_v2 /v3: openstack_volume_api_v3 + composite:openstack_volume_api_v1: + use: call:cinder.api.middleware.auth:pipeline_factory + noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1 + keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1 + keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv1 + composite:openstack_volume_api_v2: + use: call:cinder.api.middleware.auth:pipeline_factory + noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2 + keystone: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2 + keystone_nolimit: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken audit keystonecontext apiv2 composite:openstack_volume_api_v3: use: call:cinder.api.middleware.auth:pipeline_factory noauth: cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3 @@ -455,6 +467,10 @@ conf: paste.filter_factory: cinder.api.middleware.auth:NoAuthMiddleware.factory filter:sizelimit: paste.filter_factory: oslo_middleware.sizelimit:RequestBodySizeLimiter.factory + app:apiv1: + paste.app_factory: cinder.api.v1.router:APIRouter.factory + app:apiv2: + paste.app_factory: cinder.api.v2.router:APIRouter.factory app:apiv3: paste.app_factory: cinder.api.v3.router:APIRouter.factory pipeline:apiversions: @@ -487,6 +503,8 @@ conf: types: type volumes: volume service_endpoints: + volume: service/storage/block + volumev2: service/storage/block volumev3: service/storage/block cinder_sudoers: | # This sudoers file supports rootwrap for both Kolla and LOCI Images. 
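Review bot: The `/v1: openstack_volume_api_v1` and `/v2: openstack_volume_api_v2` routes, their `noauth`/`keystone` pipelines and the `app:apiv1` / `app:apiv2` factories are added to the default paste config unconditionally, while `enable_v1_api` and `enable_v2_api` default to false in this same file. Whether a disabled version is actually dropped then depends on `cinder.api:root_app_factory` in the deployed image, which is not visible here. On a release that no longer ships `cinder.api.v1.router` or `cinder.api.v2.router`, the entries are at best dead and may stop the API from loading. Keeping these routes out of the defaults, and supplying them through a values override for deployments that still need them, leaves the default API surface at v3 only. The matching `volume` and `volumev2` entries under `service_endpoints` in the third hunk on this line would move with them.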
@@ -774,6 +792,7 @@ conf: use_syslog: false use_stderr: true enable_v1_api: false + enable_v2_api: false volume_name_template: "%s" osapi_volume_workers: 1 glance_api_version: 2 @@ -911,7 +930,7 @@ conf: rados_connect_timeout: -1 rbd_user: cinder rbd_secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337 - image_volume_cache_enabled: True + image_volume_cache_enabled: true image_volume_cache_max_size_gb: 200 image_volume_cache_max_count: 50 rally_tests: @@ -1029,7 +1048,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume backup_storage_init: jobs: null bootstrap: @@ -1037,7 +1056,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume pod: - requireSameNode: false labels: @@ -1088,7 +1107,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume storage_init: jobs: null tests: @@ -1096,7 +1115,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume volume: jobs: - cinder-db-sync @@ -1108,7 +1127,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume volume_usage_audit: jobs: - cinder-db-sync @@ -1120,7 +1139,7 @@ dependencies: - endpoint: internal service: identity - endpoint: internal - service: volumev3 + service: volume image_repo_sync: services: - endpoint: internal @@ -1147,7 +1166,7 @@ secrets: admin: cinder-rabbitmq-admin cinder: cinder-rabbitmq-user tls: - volumev3: + volume: api: public: cinder-tls-public internal: cinder-tls-api 
@@ -1240,8 +1259,52 @@ endpoints: api: default: 9292 public: 80 - volumev3: + volume: name: cinder + hosts: + default: cinder-api + public: cinder + host_fqdn_override: + default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null + path: + default: '/v1/%(tenant_id)s' + scheme: + default: 'http' + port: + api: + default: 8776 + public: 80 + volumev2: + name: cinderv2 + hosts: + default: cinder-api + public: cinder + host_fqdn_override: + default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null + path: + default: '/v2/%(tenant_id)s' + scheme: + default: 'http' + port: + api: + default: 8776 + public: 80 + volumev3: + name: cinderv3 hosts: default: cinder-api public: cinder diff --git a/cinder/values_overrides/tls.yaml b/cinder/values_overrides/tls.yaml index 42f5059ea0..1b6c834bdd 100644 --- a/cinder/values_overrides/tls.yaml +++ b/cinder/values_overrides/tls.yaml @@ -33,7 +33,7 @@ conf: ThreadLimit 720 wsgi_cinder: | - {{- $portInt := tuple "volumev3" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} Listen {{ $portInt }} ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }} 
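Review bot: The `volumev3` entry gains `name: cinderv3` while the previous name `cinder` moves to the new `volume` entry, so on an upgraded cloud the registration job will look for the `volumev3` service under a different name than before. Depending on how the helm-toolkit registration script matches existing services (not visible here), that can leave the old `cinder`/`volumev3` service and its endpoints in the catalog next to the new one. This is worth stating in the release note and verifying with `openstack service list` after an upgrade. Separately, `volume` and `volumev2` default to `scheme: default: 'http'`, so enabling them without the TLS override publishes plaintext URLs for those versions.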
@@ -95,6 +95,34 @@ endpoints: port: api: public: 443 + volume: + host_fqdn_override: + default: + tls: + secretName: cinder-tls-api + issuerRef: + name: ca-issuer + kind: ClusterIssuer + scheme: + default: https + internal: https + port: + api: + public: 443 + volumev2: + host_fqdn_override: + default: + tls: + secretName: cinder-tls-api + issuerRef: + name: ca-issuer + kind: ClusterIssuer + scheme: + default: https + internal: https + port: + api: + public: 443 volumev3: host_fqdn_override: default: diff --git a/doc/source/specs/tenant-ceph.rst b/doc/source/specs/tenant-ceph.rst index c7e6983cba..083e9df0b2 100644 --- a/doc/source/specs/tenant-ceph.rst +++ b/doc/source/specs/tenant-ceph.rst @@ -1019,8 +1019,10 @@ Update script overrides as following: | ID | Name | Type | +----------------------------------+----------+--------------+ | 0eddeb6af4fd43ea8f73f63a1ae01438 | swift | object-store | + | 66bd0179eada4ab8899a58356fd4d508 | cinder | volume | | 67cc6b945e934246b25d31a9374a64af | keystone | identity | | 81a61ec8eff74070bb3c2f0118c1bcd5 | glance | image | + | c126046fc5ec4c52acfc8fee0e2f4dda | cinderv2 | volumev2 | | f89b99a31a124b7790e3bb60387380b1 | cinderv3 | volumev3 | +----------------------------------+----------+--------------+ + sleep 30 diff --git a/releasenotes/notes/cinder.yaml b/releasenotes/notes/cinder.yaml index de26fd54f7..0d6f13de7d 100644 --- a/releasenotes/notes/cinder.yaml +++ b/releasenotes/notes/cinder.yaml @@ -52,4 +52,5 @@ cinder: - 0.3.0 Remove support for Train and Ussuri - 0.3.1 Change ceph-config-helper image tag - 0.3.2 Remove default policy rules + - 0.3.3 Fix for creation endpoins and services when v1/v2 are disabled ... diff --git a/tools/deployment/common/setup-certificates.sh b/tools/deployment/common/setup-certificates.sh index f342e439cc..5f65db7639 100755 --- a/tools/deployment/common/setup-certificates.sh +++ b/tools/deployment/common/setup-certificates.sh 
@@ -281,6 +281,38 @@ $(cat ${GLANCE_API_CRT} | sed 's/^/ /') key: | $(cat ${GLANCE_API_KEY} | sed 's/^/ /') ca: | +$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /') + volume: + scheme: + public: https + port: + api: + public: 443 + host_fqdn_override: + public: + host: "$(cat "${CINDER_CSR}" | jq -r '.CN')" + tls: + crt: | +$(cat ${CINDER_CRT} | sed 's/^/ /') + key: | +$(cat ${CINDER_KEY} | sed 's/^/ /') + ca: | +$(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /') + volumev2: + scheme: + public: https + port: + api: + public: 443 + host_fqdn_override: + public: + host: "$(cat "${CINDER_CSR}" | jq -r '.CN')" + tls: + crt: | +$(cat ${CINDER_CRT} | sed 's/^/ /') + key: | +$(cat ${CINDER_KEY} | sed 's/^/ /') + ca: | $(cat ${OSH_CA_ROOT}/ca.pem | sed 's/^/ /') volumev3: scheme:
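Review bot: The added `volume` and `volumev2` blocks expand `${CINDER_CRT}`, `${CINDER_KEY}` and `${OSH_CA_ROOT}` unquoted inside `$(cat … | sed …)`, while `"${CINDER_CSR}"` in the same block is quoted; write them as `"${CINDER_CRT}"`, `"${CINDER_KEY}"` and `"${OSH_CA_ROOT}/ca.pem"`. A failing `cat` inside what looks like a here-document does not stop the script, so a missing key file would produce a values file with an empty `key:` instead of an error. A check such as `test -r "${CINDER_KEY}" || exit 1` before the document would catch that. The private key is now written into two more places in the generated overrides; the file's destination and mode are outside the hunk, so confirm it is created with owner-only permissions.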