---
neutron:
  images:
    tags:
      nginx: docker.io/nginx:1.18.0
  network:
    server:
      ingress:
        annotations:
          nginx.ingress.kubernetes.io/backend-protocol: "https"
  pod:
    security_context:
      neutron_server:
        pod:
          runAsUser: 0
        container:
          neutron_server:
            readOnlyRootFilesystem: false
    resources:
      nginx:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
  conf:
    nginx: |
      worker_processes 1;
      daemon off;
      user nginx;

      events {
        worker_connections 1024;
      }

      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        sendfile on;
        keepalive_timeout 65s;
        tcp_nodelay on;

        log_format main '[nginx] method=$request_method path=$request_uri '
                        'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
                        '"$remote_user" "$http_referer" "$http_user_agent"';

        access_log /dev/stdout  main;

        upstream websocket {
          server 127.0.0.1:$PORT;
        }

        server {
          server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
          listen $POD_IP:$PORT ssl;

          client_max_body_size  0;

          ssl_certificate      /etc/nginx/certs/tls.crt;
          ssl_certificate_key  /etc/nginx/certs/tls.key;
          ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

          location / {
            proxy_pass_request_headers on;

            proxy_http_version  1.1;
            proxy_pass          http://websocket;
            proxy_read_timeout  90;
          }
        }
      }
    neutron:
      DEFAULT:
        bind_host: 127.0.0.1
      nova:
        cafile: /etc/neutron/certs/ca.crt
      keystone_authtoken:
        cafile: /etc/neutron/certs/ca.crt
      oslo_messaging_rabbit:
        ssl: true
        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
        ssl_key_file: /etc/rabbitmq/certs/tls.key
    metadata_agent:
      DEFAULT:
        auth_ca_cert: /etc/ssl/certs/openstack-helm.crt
        nova_metadata_port: 443
        nova_metadata_protocol: https
  endpoints:
    compute:
      scheme:
        default: https
      port:
        api:
          public: 443
    compute_metadata:
      scheme:
        default: https
      port:
        metadata:
          public: 443
    identity:
      auth:
        admin:
          cacert: /etc/ssl/certs/openstack-helm.crt
        neutron:
          cacert: /etc/ssl/certs/openstack-helm.crt
        nova:
          cacert: /etc/ssl/certs/openstack-helm.crt
        test:
          cacert: /etc/ssl/certs/openstack-helm.crt
      scheme:
        default: https
      port:
        api:
          default: 443
    network:
      host_fqdn_override:
        default:
          tls:
            secretName: neutron-tls-server
            issuerRef:
              name: ca-issuer
              kind: ClusterIssuer
      scheme:
        default: https
      port:
        api:
          public: 443
    ingress:
      port:
        ingress:
          default: 443
    oslo_messaging:
      port:
        https:
          default: 15680
  manifests:
    certificates: true
...