From 27c4d562c8ade4b4f34ec807ac327334fdd13cb3 Mon Sep 17 00:00:00 2001 From: Lucas Cavalcante Date: Thu, 23 Dec 2021 11:13:15 -0300 Subject: [PATCH] Fixes Application Apply failing when HTTPS enabled Openstack-helm provides the option to terminate TLS at the services. However, at StarlingX TLS termination is done at the reverse proxy (ingress), and therefore it is unnecessary for OpenStack itself to be HTTPS and terminate TLS a second time. Furthermore, it is not possible to have HTTPS enabled on OpenStack services with the current CentOS-based containers that we have; openstack-helm only supports TLS using Debian-based containers. Manually working around this creates a cumbersome override file, so to reduce these overrides, patches 0020 and 0013 (osh-i) disable HTTPS at the backend, thus maintaining the same behaviour as stx 5.0. MariaDB and RabbitMQ TLS do not seem to be working very well within StarlingX, so we also disable TLS for them. I am not confident that current openstack-helm and openstack-helm-infra support production-level OpenStack with MariaDB in TLS mode. Furthermore, from the way everything is redirected in StarlingX, I do see too many performance and stability issues using both of them with TLS enabled. Disclaimer: I did not test with only MariaDB TLS or only RabbitMQ TLS activated, but with both of them on, the system is not usable. Test Plan: PASS: OpenStack is applied (HTTPS disabled). PASS: enable HTTPS; OpenStack is applied (WITHOUT service.conf overrides)
Signed-off-by: Lucas Cavalcante Change-Id: Ifb7946e9a289234047934b52d200b951a59c1a3f Partial-bug: 1960354 Related-to: https://review.opendev.org/c/starlingx/helm-charts/+/828815 --- .../centos/openstack-helm-infra.spec | 6 + openstack-helm-infra/debian/deb_folder/rules | 19 + ...0020-Fix-tls-in-openstack-helm-infra.patch | 136 + .../files/0021-Remove-mariadb-tls.patch | 191 ++ .../files/0022-Remove-rabbitmq-tls.patch | 91 + openstack-helm/centos/openstack-helm.spec | 4 + openstack-helm/debian/deb_folder/rules | 17 + .../files/0007-Add-stx_admin-account.patch | 2 +- ...3-Remove-TLS-from-openstack-services.patch | 2394 +++++++++++++++++ .../0014-Remove-mariadb-and-rabbit-tls.patch | 1789 ++++++++++++ .../nova-api-proxy/templates/deployment.yaml | 4 +- .../templates/job-ks-endpoints.yaml | 2 +- 12 files changed, 4651 insertions(+), 4 deletions(-) create mode 100644 openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch create mode 100644 openstack-helm-infra/files/0021-Remove-mariadb-tls.patch create mode 100644 openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch create mode 100644 openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch create mode 100644 openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch
diff --git a/openstack-helm-infra/centos/openstack-helm-infra.spec b/openstack-helm-infra/centos/openstack-helm-infra.spec
index f1bb0c30..23be46ee 100644
--- a/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack-helm-infra/centos/openstack-helm-infra.spec
@@ -28,6 +28,9 @@ Patch16: 0016-Disabling-helm3_hooks.patch
 Patch17: 0017-Enable-taint-toleration-for-Openstack-services.patch
 Patch18: 0018-Add-GaleraDB-Secure-Replica-Traffic.patch
 Patch19: 0019-Add-force_boot-command-to-rabbit-start-template.patch
+Patch20: 0020-Fix-tls-in-openstack-helm-infra.patch
+Patch21: 0021-Remove-mariadb-tls.patch
+Patch22: 0022-Remove-rabbitmq-tls.patch
 
 BuildRequires: helm
 BuildRequires: chartmuseum
@@ -50,6 +53,9 @@ Openstack Helm Infra charts
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
 
 %build
 # Host a server for the charts
diff --git a/openstack-helm-infra/debian/deb_folder/rules b/openstack-helm-infra/debian/deb_folder/rules
index f290be91..5883d946 100755
--- a/openstack-helm-infra/debian/deb_folder/rules
+++ b/openstack-helm-infra/debian/deb_folder/rules
@@ -8,6 +8,25 @@ export HELM_FOLDER = $(ROOT)/usr/lib/helm dh $@ override_dh_auto_build: + # Move the source files from the extracted root directory to build root. + mv openstack-helm-infra/* . + # Apply the openstack-helm-infra patches. + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Add-imagePullSecrets-in-service-account.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Fix-pod-restarts-on-all-workers-when-worker-added-re.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Add-io_thread_pool-for-rabbitmq.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Enable-override-of-rabbitmq-probe-parameters.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Enable-override-of-mariadb-server-probe-parameters.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Add-mariadb-database-config-override-to-support-ipv6.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-enable-Values.conf.database.config_override-for-mari.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0016-Disabling-helm3_hooks.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0017-Enable-taint-toleration-for-Openstack-services.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0018-Add-GaleraDB-Secure-Replica-Traffic.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0019-Add-force_boot-command-to-rabbit-start-template.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0020-Fix-tls-in-openstack-helm-infra.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0021-Remove-mariadb-tls.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0022-Remove-rabbitmq-tls.patch # Host a server for the helm charts. chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --storage-local-rootdir="." & sleep 2 
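Review bot: The sixteen `patch` invocations added under `override_dh_auto_build:` are a second hand-maintained copy of the `Patch`/`%patch` list in `openstack-helm-infra.spec`, and they already encode a selection the spec hunk above does not let me check: 0002, 0007, 0008, 0010, 0014 and 0015 are not applied here, so whether the RPM and the Debian package end up with the same template set cannot be verified from this diff. If the gap is deliberate, extend the `# Apply the openstack-helm-infra patches.` comment to say which numbers are intentionally skipped and why; if not, have both packagings read one shared list so they cannot drift. `--fuzz=0` together with `--no-backup-if-mismatch` is the right strictness for patches that remove TLS wiring, since a fuzzy apply could land a hunk in the wrong template without failing the build. The same duplicated list is added to `openstack-helm/debian/deb_folder/rules` further down, where the same comment applies.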
diff --git a/openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch b/openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch new file mode 100644 index 00000000..0bf6422b --- /dev/null +++ b/openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch 
@@ -0,0 +1,136 @@ +From d7d223ef40ab11e5c9a00b4b30000f6905885c04 Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Wed, 19 Jan 2022 11:54:38 -0300 +Subject: [PATCH] Fix Support for TLS in openstack-helm-infra + +WIP + +Signed-off-by: Lucas Cavalcante +Change-Id: I382e0fc68c9a92c6a9570097db2c6a959525059d +--- + .../templates/manifests/_secret-tls.yaml.tpl | 97 +++++++------------ + 1 file changed, 33 insertions(+), 64 deletions(-) + +diff --git a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl +index 24a70450..f34ac527 100644 +--- a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl ++++ b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl +@@ -15,66 +15,36 @@ limitations under the License. + {{/* + abstract: | + Creates a manifest for a services public tls secret +-examples: +- - values: | +- secrets: +- tls: +- key_manager: +- api: +- public: barbican-tls-public +- endpoints: +- key_manager: +- host_fqdn_override: +- public: +- tls: +- crt: | +- FOO-CRT +- key: | +- FOO-KEY +- ca: | +- FOO-CA_CRT +- usage: | +- {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} +- return: | +- --- +- apiVersion: v1 +- kind: Secret +- metadata: +- name: barbican-tls-public +- type: kubernetes.io/tls +- data: +- tls.key: Rk9PLUtFWQo= +- tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo= +- +- - values: | +- secrets: +- tls: +- key_manager: +- api: +- public: barbican-tls-public +- endpoints: +- key_manager: +- host_fqdn_override: +- public: +- tls: +- crt: | +- FOO-CRT +- FOO-INTERMEDIATE_CRT +- FOO-CA_CRT +- key: | +- FOO-KEY +- usage: | +- {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . 
"backendServiceType" "key-manager" ) -}} +- return: | +- --- +- apiVersion: v1 +- kind: Secret +- metadata: +- name: barbican-tls-public +- type: kubernetes.io/tls +- data: +- tls.key: Rk9PLUtFWQo= +- tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg== ++values: | ++ secrets: ++ tls: ++ key_manager: ++ api: ++ public: barbican-tls-public ++ endpoints: ++ key_manager: ++ host_fqdn_override: ++ public: ++ tls: ++ crt: | ++ FOO-CRT ++ key: | ++ FOO-KEY ++ ca: | ++ FOO-CA_CRT ++usage: | ++ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}} ++return: | ++ --- ++ apiVersion: v1 ++ kind: Secret ++ metadata: ++ name: barbican-tls-public ++ type: kubernetes.io/tls ++ data: ++ tls.crt: Rk9PLUNSVAo= ++ tls.key: Rk9PLUtFWQo= ++ ca.crt: Rk9PLUNBX0NSVAo= + */}} + + {{- define "helm-toolkit.manifests.secret_ingress_tls" }} +@@ -95,14 +65,13 @@ metadata: + name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }} + type: kubernetes.io/tls + data: ++ tls.crt: {{ $endpointHost.tls.crt | b64enc }} + tls.key: {{ $endpointHost.tls.key | b64enc }} + {{- if $endpointHost.tls.ca }} +- tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }} +-{{- else }} +- tls.crt: {{ $endpointHost.tls.crt | b64enc }} +-{{- end }} ++ ca.crt: {{ $endpointHost.tls.ca | b64enc }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} ++{{- end }} +\ No newline at end of file +-- +2.17.1 + diff --git a/openstack-helm-infra/files/0021-Remove-mariadb-tls.patch b/openstack-helm-infra/files/0021-Remove-mariadb-tls.patch new file mode 100644 index 00000000..56dabcf1 --- /dev/null +++ b/openstack-helm-infra/files/0021-Remove-mariadb-tls.patch 
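Review bot: Splitting the CA out of `tls.crt` into a separate `ca.crt` key changes what the public endpoint serves: ingress controllers present the `tls.crt` of a `kubernetes.io/tls` secret as the certificate chain, so an intermediate that the removed `list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n"` used to append is no longer sent, and only clients that already hold that intermediate will complete the handshake. The deleted second example (`FOO-INTERMEDIATE_CRT` inside `crt:`) was the only place documenting chain handling, and the new single example does not say where intermediates belong now. Please state the contract in the `abstract:` block, e.g. `tls.crt must carry the leaf certificate followed by any intermediates; tls.ca is the trust root and is emitted as ca.crt`, or keep the concatenation for `tls.crt` and add `ca.crt` beside it. The embedded commit still carries the subject `Fix Support for TLS in openstack-helm-infra` with the body `WIP`, which should become a real description before this patch ships in the package; the added final `{{- end }}` also lacks a trailing newline.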
@@ -0,0 +1,191 @@ +From 6fa2814271b7806aece4fb44f6d8eabe8c5ab6aa Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Tue, 8 Feb 2022 09:18:02 -0300 +Subject: [PATCH 21/22] Remove mariadb + +Change-Id: I37405da8faab3495ebe55c81389e0d769aaeb1d1 +--- + .../templates/manifests/_job-db-drop-mysql.tpl | 7 ------- + .../templates/manifests/_job-db-init-mysql.tpl | 7 ------- + helm-toolkit/templates/manifests/_job-db-sync.tpl | 3 --- + helm-toolkit/templates/scripts/_db-drop.py.tpl | 11 ++--------- + helm-toolkit/templates/scripts/_db-init.py.tpl | 14 ++++---------- + 5 files changed, 6 insertions(+), 36 deletions(-) + +diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl +index 934a2435..8ae71c67 100644 +--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl ++++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl +@@ -37,7 +37,6 @@ limitations under the License. + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} + {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +-{{- $dbAdminTlsSecret := index . 
"dbAdminTlsSecret" | default "" -}} + + {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }} + {{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +@@ -133,9 +132,6 @@ spec: + subPath: {{ base $dbToDrop.logConfigFile | quote }} + readOnly: true + {{- end }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- end }} + {{- end }} + volumes: + - name: pod-tmp +@@ -150,9 +146,6 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- end }} + {{- $local := dict "configMapBinFirst" true -}} + {{- range $key1, $dbToDrop := $dbsToDrop }} + {{- $dbToDropType := default "oslo" $dbToDrop.inputType }} +diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl +index c164ad0a..dcfbb35f 100644 +--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl ++++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl +@@ -37,7 +37,6 @@ limitations under the License. + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} + {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +-{{- $dbAdminTlsSecret := index . 
"dbAdminTlsSecret" | default "" -}} + + {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }} + {{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +@@ -132,9 +131,6 @@ spec: + subPath: {{ base $dbToInit.logConfigFile | quote }} + readOnly: true + {{- end }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- end }} + {{- end }} + volumes: + - name: pod-tmp +@@ -149,9 +145,6 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- end }} + {{- $local := dict "configMapBinFirst" true -}} + {{- range $key1, $dbToInit := $dbsToInit }} + {{- $dbToInitType := default "oslo" $dbToInit.inputType }} +diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl +index 659238a4..f181061f 100644 +--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl ++++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl +@@ -34,7 +34,6 @@ limitations under the License. + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} + {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +-{{- $dbAdminTlsSecret := index . 
"dbAdminTlsSecret" | default "" -}} + + {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }} + {{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +@@ -106,7 +105,6 @@ spec: + mountPath: {{ $dbToSync.logConfigFile | quote }} + subPath: {{ base $dbToSync.logConfigFile | quote }} + readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- if $podVolMounts }} + {{ $podVolMounts | toYaml | indent 12 }} + {{- end }} +@@ -129,7 +127,6 @@ spec: + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- if $podVols }} + {{ $podVols | toYaml | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl +index 03884fa1..81447546 100644 +--- a/helm-toolkit/templates/scripts/_db-drop.py.tpl ++++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl +@@ -54,13 +54,6 @@ else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +-mysql_x509 = os.getenv('MARIADB_X509', "") +-ssl_args = {} +-if mysql_x509: +- ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', +- 'key': '/etc/mysql/certs/tls.key', +- 'cert': '/etc/mysql/certs/tls.crt'}} +- + # Get the connection string for the service db + if "OPENSTACK_CONFIG_FILE" in os.environ: + os_conf = os.environ['OPENSTACK_CONFIG_FILE'] +@@ -101,7 +94,7 @@ try: + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) +- root_engine = create_engine(root_engine_url, connect_args=ssl_args) ++ root_engine = create_engine(root_engine_url) + 
connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( +@@ -112,7 +105,7 @@ except: + + # User DB engine + try: +- user_engine = create_engine(user_db_conn, connect_args=ssl_args) ++ user_engine = create_engine(user_db_conn) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username +diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl +index 4294d40c..9671b734 100644 +--- a/helm-toolkit/templates/scripts/_db-init.py.tpl ++++ b/helm-toolkit/templates/scripts/_db-init.py.tpl +@@ -54,12 +54,6 @@ else: + logger.critical('environment variable ROOT_DB_CONNECTION not set') + sys.exit(1) + +-mysql_x509 = os.getenv('MARIADB_X509', "") +-ssl_args = {} +-if mysql_x509: +- ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt', +- 'key': '/etc/mysql/certs/tls.key', +- 'cert': '/etc/mysql/certs/tls.crt'}} + + # Get the connection string for the service db + if "OPENSTACK_CONFIG_FILE" in os.environ: +@@ -101,7 +95,7 @@ try: + host = root_engine_full.url.host + port = root_engine_full.url.port + root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)]) +- root_engine = create_engine(root_engine_url, connect_args=ssl_args) ++ root_engine = create_engine(root_engine_url) + connection = root_engine.connect() + connection.close() + logger.info("Tested connection to DB @ {0}:{1} as {2}".format( +@@ -112,7 +106,7 @@ except: + + # User DB engine + try: +- user_engine = create_engine(user_db_conn, connect_args=ssl_args) ++ user_engine = create_engine(user_db_conn) + # Get our user data out of the user_engine + database = user_engine.url.database + user = user_engine.url.username +@@ -133,8 +127,8 @@ except: + # Create DB User + try: + root_engine.execute( +- "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format( +- database, user, password, 
mysql_x509)) ++ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\'".format( ++ database, user, password)) + logger.info("Created user {0} for {1}".format(user, database)) + except: + logger.critical("Could not create user {0} for {1}".format(user, database)) +-- +2.17.1 + diff --git a/openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch b/openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch new file mode 100644 index 00000000..8147b06c --- /dev/null +++ b/openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch 
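Review bot: Removing the `dbAdminTlsSecret` lookup from `_job-db-init-mysql.tpl`, `_job-db-drop-mysql.tpl` and `_job-db-sync.tpl` means a chart that still passes `"dbAdminTlsSecret"` into these helpers renders a plaintext-only job with no error, so a deployment that was configured for MariaDB TLS downgrades silently instead of failing; the same applies to `tlsSecret` in `_job-rabbit-init.yaml.tpl` in 0022 below. Since the commit message states the TLS path is unsupported with the current images, failing closed is safer: keep the lookup and reject it, e.g. `{{- if index . "dbAdminTlsSecret" }}{{- fail "dbAdminTlsSecret is not supported: MariaDB TLS is disabled in this build" }}{{- end }}`. In `_db-init.py.tpl` the `GRANT ALL ... IDENTIFIED BY` statement loses the fourth format argument that `mysql_x509` supplied, so service accounts are now created with no client-certificate requirement; that is the intended effect here, but a one-line comment above the `root_engine.execute(` call saying so would keep it from reading as an accidental omission. The embedded subject `Remove mariadb` is truncated and should say what is removed, e.g. `Remove MariaDB TLS support from helm-toolkit jobs`.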
@@ -0,0 +1,91 @@ +From 4b2cc6a3c4b9af9dd2688d52b493828cef97cdb6 Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Tue, 8 Feb 2022 09:20:36 -0300 +Subject: [PATCH 22/22] remove rabbit tls + +Change-Id: I04c4c25c72b10b87e71c2f286e21526e5e062b67 +--- + .../templates/manifests/_job-rabbit-init.yaml.tpl | 15 --------------- + .../templates/scripts/_rabbit-init.sh.tpl | 15 --------------- + 2 files changed, 30 deletions(-) + +diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl +index 59e0da0f..b776d055 100644 +--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl ++++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl +@@ -25,9 +25,6 @@ limitations under the License. + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} + {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +-{{- $serviceNamePretty := $serviceName | replace "_" "-" -}} +-{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}} +-{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + + {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }} + {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +@@ -85,9 +82,6 @@ spec: + mountPath: /tmp/rabbit-init.sh + subPath: rabbit-init.sh + readOnly: true +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- end }} + env: + - name: RABBITMQ_ADMIN_CONNECTION + valueFrom: +@@ -102,12 +96,6 @@ spec: + {{- if $envAll.Values.conf.rabbitmq }} + - name: RABBITMQ_AUXILIARY_CONFIGURATION + value: {{ toJson $envAll.Values.conf.rabbitmq | quote }} +-{{- end }} +-{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }} +- - name: RABBITMQ_X509 +- value: "REQUIRE X509" +- - name: USER_CERT_PATH +- value: {{ $tlsPath | quote }} + {{- end }} + volumes: + - name: pod-tmp +@@ -122,7 +110,4 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- end }} + {{- end -}} +diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl +index 87872d6f..7fb16a0f 100644 +--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl ++++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl +@@ -47,27 +47,12 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}" + + function rabbitmqadmin_cli () { +- if [ -n "$RABBITMQ_X509" ] +- then + rabbitmqadmin \ +- --ssl \ +- --ssl-disable-hostname-verification \ +- --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \ +- --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \ +- 
--ssl-key-file="${USER_CERT_PATH}/tls.key" \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} +- else +- rabbitmqadmin \ +- --host="${RABBIT_HOSTNAME}" \ +- --port="${RABBIT_PORT}" \ +- --username="${RABBITMQ_ADMIN_USERNAME}" \ +- --password="${RABBITMQ_ADMIN_PASSWORD}" \ +- ${@} +- fi + } + + echo "Managing: User: ${RABBITMQ_USERNAME}" +-- +2.17.1 + diff --git a/openstack-helm/centos/openstack-helm.spec b/openstack-helm/centos/openstack-helm.spec index 3a4de558..a3ceb391 100644 --- a/openstack-helm/centos/openstack-helm.spec +++ b/openstack-helm/centos/openstack-helm.spec @@ -31,6 +31,8 @@ Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch Patch12: 0012-Replace-deprecated-Nova-VNC-configurations.patch +Patch13: 0013-Remove-TLS-from-openstack-services.patch +Patch14: 0014-Remove-mariadb-and-rabbit-tls.patch BuildRequires: helm BuildRequires: openstack-helm-infra @@ -54,6 +56,8 @@ Openstack Helm charts %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build # Stage helm-toolkit in the local repo diff --git a/openstack-helm/debian/deb_folder/rules b/openstack-helm/debian/deb_folder/rules index 9b214c86..60d5d91d 100755 --- a/openstack-helm/debian/deb_folder/rules +++ b/openstack-helm/debian/deb_folder/rules 
@@ -11,8 +11,25 @@ export TOOLKIT_VERSION = 0.2.19 dh $@ override_dh_auto_build: + # Move the source files from the extracted root directory to build root. + mv openstack-helm/* . # Stage helm-toolkit in the local repo. cp $(HELM_FOLDER)/helm-toolkit-$(TOOLKIT_VERSION).tgz . + # Apply the openstack-helm patches. + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0002-Nova-console-ip-address-search-optionality.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Nova-chart-Support-ephemeral-pool-creation.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Support-ingress-creation-for-keystone-admin-endpoint.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Wrong-usage-of-rbd_store_chunk_size.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0007-Add-stx_admin-account.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-Replace-deprecated-Nova-VNC-configurations.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Remove-TLS-from-openstack-services.patch + patch --no-backup-if-mismatch --fuzz=0 -p1 < 0014-Remove-mariadb-and-rabbit-tls.patch # Host a server for the helm charts. chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \ --storage-local-rootdir="." & diff --git a/openstack-helm/files/0007-Add-stx_admin-account.patch b/openstack-helm/files/0007-Add-stx_admin-account.patch index 640a9a39..742e43ed 100644 
--- a/openstack-helm/files/0007-Add-stx_admin-account.patch
+++ b/openstack-helm/files/0007-Add-stx_admin-account.patch
@@ -39,7 +39,7 @@ index 00000000..91f990f3
 +{{- if .Values.manifests.job_ks_user }}
 +{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}}
 +{{- if .Values.manifests.certificates -}}
-+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.public -}}
 +{{- end -}}
 +{{- if .Values.pod.tolerations.keystone.enabled -}}
 +{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
diff --git a/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch b/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch
new file mode 100644
index 00000000..9416fb9e
--- /dev/null
+++ b/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch
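Review bot: Switching the stx_admin ks-user job from `secrets.tls.identity.api.internal` to `.public` only works if that job reaches Keystone through the public, ingress-terminated endpoint; a job that still resolves the internal endpoint would be handed a certificate whose SANs cover the public FQDN and would fail the handshake on hostname mismatch. This hunk does not show which endpoint the job uses, so the `endpoints.identity` lookup in the ks-user template should be confirmed and the reason recorded above the `set`, e.g. `{{/* TLS terminates at ingress, so the job trusts the public certificate */}}`. If `manifests.certificates` is expected to be false once 0013 removes backend TLS, this branch is dead code and a comment saying so, or its removal, would save a second look later.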
@@ -0,0 +1,2394 @@ +From 6741666ec144c447508db3d1500f11db5955bf7a Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Thu, 10 Feb 2022 16:23:26 -0300 +Subject: [PATCH 13/14] Remove TLS from openstack services at backend + +Openstack-helm provides the option to terminate TLS at the services. +However, at Starlingx TLS termination is done at the reverse +proxy (ingress) and therefore is unecessary for the OpenStack to be +HTTPS. Removing this option creates a cumbersome override file, so +to diminish this overrides this patches disables https at the backend + +Change-Id: Ibc0e53d95cfe43e0e04c9cc14bc81469fb919a40 +--- + cinder/templates/bin/_cinder-api.sh.tpl | 40 ----------- + cinder/templates/certificates.yaml | 17 ----- + cinder/templates/configmap-etc.yaml | 4 -- + cinder/templates/deployment-api.yaml | 28 ++------ + cinder/templates/deployment-scheduler.yaml | 4 +- + cinder/templates/deployment-volume.yaml | 6 +- + cinder/templates/ingress-api.yaml | 7 +- + cinder/templates/job-bootstrap.yaml | 2 +- + .../templates/job-create-internal-tenant.yaml | 4 +- + cinder/templates/job-ks-endpoints.yaml | 2 +- + cinder/templates/job-ks-service.yaml | 2 +- + cinder/templates/job-ks-user.yaml | 2 +- + cinder/templates/pod-rally-test.yaml | 6 +- + glance/templates/certificates.yaml | 18 ----- + glance/templates/deployment-api.yaml | 60 +--------------- + glance/templates/deployment-registry.yaml | 4 +- + glance/templates/ingress-api.yaml | 7 +- + glance/templates/ingress-registry.yaml | 2 +- + glance/templates/job-bootstrap.yaml | 2 +- + glance/templates/job-ks-endpoints.yaml | 2 +- + glance/templates/job-ks-service.yaml | 2 +- + glance/templates/job-ks-user.yaml | 2 +- + glance/templates/job-storage-init.yaml | 4 +- + glance/templates/pod-rally-test.yaml | 6 +- + heat/templates/bin/_heat-api.sh.tpl | 35 ---------- + heat/templates/bin/_heat-cfn.sh.tpl | 37 ---------- + heat/templates/certificates.yaml | 18 ----- + heat/templates/deployment-api.yaml | 14 +--- + 
heat/templates/deployment-cfn.yaml | 14 +--- + heat/templates/deployment-engine.yaml | 4 +- + heat/templates/ingress-api.yaml | 4 -- + heat/templates/ingress-cfn.yaml | 4 -- + heat/templates/job-bootstrap.yaml | 2 +- + heat/templates/job-ks-endpoints.yaml | 2 +- + heat/templates/job-ks-service.yaml | 2 +- + heat/templates/job-ks-user-domain.yaml | 4 +- + heat/templates/job-ks-user-trustee.yaml | 2 +- + heat/templates/job-ks-user.yaml | 2 +- + heat/templates/job-trusts.yaml | 4 +- + heat/templates/pod-rally-test.yaml | 6 +- + horizon/templates/certificates.yaml | 17 ----- + horizon/templates/deployment.yaml | 4 +- + horizon/templates/ingress-api.yaml | 4 -- + horizon/templates/pod-helm-tests.yaml | 4 +- + keystone/templates/bin/_keystone-api.sh.tpl | 4 -- + keystone/templates/certificates.yaml | 17 ----- + keystone/templates/deployment-api.yaml | 8 +-- + keystone/templates/ingress-api.yaml | 7 +- + keystone/templates/job-bootstrap.yaml | 4 +- + keystone/templates/job-domain-manage.yaml | 14 +--- + keystone/templates/pod-rally-test.yaml | 16 ++--- + neutron/templates/certificates.yaml | 17 ----- + .../templates/daemonset-metadata-agent.yaml | 4 +- + neutron/templates/deployment-server.yaml | 68 +------------------ + neutron/templates/ingress-server.yaml | 4 -- + neutron/templates/job-bootstrap.yaml | 2 +- + neutron/templates/job-ks-endpoints.yaml | 2 +- + neutron/templates/job-ks-service.yaml | 2 +- + neutron/templates/job-ks-user.yaml | 2 +- + neutron/templates/pod-rally-test.yaml | 8 +-- + neutron/values.yaml | 1 + + nova/templates/bin/_nova-api-metadata.sh.tpl | 38 ----------- + nova/templates/bin/_nova-api.sh.tpl | 39 ----------- + nova/templates/certificates.yaml | 27 -------- + nova/templates/cron-job-service-cleaner.yaml | 4 +- + nova/templates/daemonset-compute.yaml | 10 +-- + nova/templates/deployment-api-metadata.yaml | 16 +---- + nova/templates/deployment-api-osapi.yaml | 16 +---- + nova/templates/deployment-conductor.yaml | 6 +- + 
nova/templates/deployment-novncproxy.yaml | 4 +- + nova/templates/deployment-placement.yaml | 4 +- + nova/templates/deployment-scheduler.yaml | 6 +- + nova/templates/deployment-spiceproxy.yaml | 4 +- + nova/templates/ingress-metadata.yaml | 4 -- + nova/templates/ingress-novncproxy.yaml | 4 -- + nova/templates/ingress-osapi.yaml | 4 -- + nova/templates/ingress-placement.yaml | 4 -- + nova/templates/job-bootstrap.yaml | 4 +- + nova/templates/job-cell-setup.yaml | 4 +- + nova/templates/job-ks-endpoints.yaml | 2 +- + .../templates/job-ks-placement-endpoints.yaml | 2 +- + nova/templates/job-ks-placement-service.yaml | 2 +- + nova/templates/job-ks-placement-user.yaml | 2 +- + nova/templates/job-ks-service.yaml | 2 +- + nova/templates/job-ks-user.yaml | 2 +- + nova/templates/pod-rally-test.yaml | 6 +- + placement/templates/certificates.yaml | 17 ----- + placement/templates/deployment.yaml | 4 +- + placement/templates/ingress.yaml | 4 -- + placement/templates/job-db-migrate.yaml | 4 +- + placement/templates/job-ks-endpoints.yaml | 2 +- + placement/templates/job-ks-service.yaml | 2 +- + placement/templates/job-ks-user.yaml | 2 +- + 93 files changed, 130 insertions(+), 717 deletions(-) + delete mode 100644 cinder/templates/certificates.yaml + delete mode 100644 glance/templates/certificates.yaml + delete mode 100644 heat/templates/certificates.yaml + delete mode 100644 horizon/templates/certificates.yaml + delete mode 100644 keystone/templates/certificates.yaml + delete mode 100644 neutron/templates/certificates.yaml + delete mode 100644 nova/templates/certificates.yaml + delete mode 100644 placement/templates/certificates.yaml + +diff --git a/cinder/templates/bin/_cinder-api.sh.tpl b/cinder/templates/bin/_cinder-api.sh.tpl +index 3b64745c..b883d007 100644 +--- a/cinder/templates/bin/_cinder-api.sh.tpl ++++ b/cinder/templates/bin/_cinder-api.sh.tpl +@@ -18,52 +18,12 @@ set -ex + COMMAND="${@:-start}" + + function start () { +-{{- if .Values.manifests.certificates }} +- for 
WSGI_SCRIPT in cinder-wsgi; do +- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/ +- done +- +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- +-{{- if .Values.conf.software.apache2.a2enmod }} +- {{- range .Values.conf.software.apache2.a2enmod }} +- a2enmod {{ . }} +- {{- end }} +-{{- end }} +- +-{{- if .Values.conf.software.apache2.a2dismod }} +- {{- range .Values.conf.software.apache2.a2dismod }} +- a2dismod {{ . }} +- {{- end }} +-{{- end }} +- +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi +- # Starts Apache2 +- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-{{- else }} + exec cinder-api \ + --config-file /etc/cinder/cinder.conf +-{{- end }} + } + + function stop () { +-{{- if .Values.manifests.certificates }} +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- {{ .Values.conf.software.apache2.binary }} -k graceful-stop +-{{- else }} + kill -TERM 1 +-{{- end }} + } + + $COMMAND +diff --git a/cinder/templates/certificates.yaml b/cinder/templates/certificates.yaml +deleted file mode 100644 +index 7ccf6ca1..00000000 +--- a/cinder/templates/certificates.yaml ++++ /dev/null +@@ -1,17 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml +index ee84bbda..239d729c 100644 +--- a/cinder/templates/configmap-etc.yaml ++++ b/cinder/templates/configmap-etc.yaml +@@ -146,10 +146,6 @@ data: + backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }} + api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} + policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} +-{{- if .Values.manifests.certificates }} +-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }} +-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }} +-{{- end }} + api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} + cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }} + rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} +diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml +index db4dd8d9..300226b5 100644 +--- a/cinder/templates/deployment-api.yaml ++++ b/cinder/templates/deployment-api.yaml +@@ -77,6 +77,10 @@ spec: + {{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | 
indent 10 }} ++ env: ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} ++{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} ++{{- end }} + command: + - /tmp/cinder-api.sh + - start +@@ -103,8 +107,6 @@ spec: + volumeMounts: + - name: pod-tmp + mountPath: /tmp +- - name: wsgi-cinder +- mountPath: /var/www/cgi-bin/cinder + - name: cinder-bin + mountPath: /tmp/cinder-api.sh + subPath: cinder-api.sh +@@ -135,35 +137,17 @@ spec: + mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }} + subPath: resource_filters.json + readOnly: true +-{{- if .Values.conf.security }} +- - name: cinder-etc +- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf +- subPath: security.conf +- readOnly: true +-{{- end }} + {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }} + - name: cinder-coordination + mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} + {{- end }} +- {{- if .Values.manifests.certificates }} +- - name: cinder-etc +- mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf +- subPath: wsgi-cinder.conf +- readOnly: true +- - name: cinder-etc +- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf +- subPath: mpm_event.conf +- readOnly: true +- {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" 
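Review bot: The new `env:` block hands the keystone admin openrc (`ksUserSecret` = `.Values.secrets.identity.admin`, which the `keystone_openrc_env_vars` snippet, as its name suggests, renders as OS_USERNAME/OS_PASSWORD from that secret) to the long-running cinder-api container, which authenticates through keystonemiddleware in cinder.conf and has no use for an admin password in its environment. If the only thing wanted is the OS_CACERT path that `useCA` adds, set that one variable instead of importing the admin credential; otherwise every process in the API pod, and anything that can read its `/proc/<pid>/environ` or a core dump, gains the cloud admin password. I would drop the block or reduce it to the CA variable. This sits inside the nested 0013 patch and the deployment spec continues past the hunk.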
.Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} +- - name: wsgi-cinder +- emptyDir: {} + - name: cinder-bin + configMap: + name: cinder-bin +@@ -179,7 +163,7 @@ spec: + emptyDir: {} + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml +index cf69dd1e..8108b3e2 100644 +--- a/cinder/templates/deployment-scheduler.yaml ++++ b/cinder/templates/deployment-scheduler.yaml +@@ -107,7 +107,7 @@ spec: + - name: cinder-coordination + mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include 
"helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }} +@@ -128,7 +128,7 @@ spec: + - name: cinder-coordination + emptyDir: {} + {{- end }} +- {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} +diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml +index 2e5f0f4a..6a10f764 100755 +--- a/cinder/templates/deployment-volume.yaml ++++ b/cinder/templates/deployment-volume.yaml +@@ -131,7 +131,7 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | 
indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +@@ -269,7 +269,7 @@ spec: + mountPropagation: HostToContainer + {{- end }} + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} +@@ -333,7 +333,7 @@ spec: + path: /sys + {{- end }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" 
$envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/ingress-api.yaml b/cinder/templates/ingress-api.yaml +index 4586d3a1..a514adfd 100644 +--- a/cinder/templates/ingress-api.yaml ++++ b/cinder/templates/ingress-api.yaml +@@ -13,11 +13,6 @@ limitations under the License. + */}} + + {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +-{{- $envAll := . -}} +-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} ++{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml +index be387e3b..571b50bd 100644 +--- a/cinder/templates/job-bootstrap.yaml ++++ b/cinder/templates/job-bootstrap.yaml +@@ -15,7 +15,7 @@ limitations under the License. + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . 
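Review bot: Dropping `certIssuer` from `$ingressOpts` removes the cert-manager issuer and per-service TLS wiring the toolkit ingress manifest would otherwise emit, so the cinder public Ingress carries no certificate of its own; the commit's premise that TLS is terminated at the ingress then holds only if the StarlingX ingress controller is configured with a default certificate — otherwise https for the volume endpoint is removed rather than moved. Worth confirming in the test plan and recording the contract above the dict, e.g. `{{/* TLS is terminated by the platform ingress (default certificate); no per-service issuer */}}`. Note that glance's ingress-registry later in the same 0013 patch keeps its `certIssuer`, so the charts now disagree about who owns TLS. Inside the nested 0013 patch.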
"serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} + {{- end -}} + {{- if .Values.pod.tolerations.cinder.enabled -}} + {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} +diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml +index 0e95c72f..d80ae445 100644 +--- a/cinder/templates/job-create-internal-tenant.yaml ++++ b/cinder/templates/job-create-internal-tenant.yaml +@@ -68,7 +68,7 @@ spec: + mountPath: /tmp/create-internal-tenant.sh + subPath: create-internal-tenant.sh + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: + {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +@@ -97,5 +97,5 @@ spec: + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end -}} +diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml +index 8509edce..e2a8eff2 100644 +--- a/cinder/templates/job-ks-endpoints.yaml ++++ 
b/cinder/templates/job-ks-endpoints.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2" + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} +diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml +index ab416e8c..ca3e808d 100644 +--- a/cinder/templates/job-ks-service.yaml ++++ b/cinder/templates/job-ks-service.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3" + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} +diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml +index f72e36cc..72e87cba 100644 +--- a/cinder/templates/job-ks-user.yaml ++++ b/cinder/templates/job-ks-user.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "cinder" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} +diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml +index 3ed52cde..14b83620 100644 +--- a/cinder/templates/pod-rally-test.yaml ++++ b/cinder/templates/pod-rally-test.yaml +@@ -53,7 +53,7 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +@@ -93,7 +93,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -108,6 +108,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | 
indent 4 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/glance/templates/certificates.yaml b/glance/templates/certificates.yaml +deleted file mode 100644 +index 55f3751b..00000000 +--- a/glance/templates/certificates.yaml ++++ /dev/null +@@ -1,18 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{ dict "envAll" . 
"service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml +index 18d45c2c..80b398c6 100644 +--- a/glance/templates/deployment-api.yaml ++++ b/glance/templates/deployment-api.yaml +@@ -95,46 +95,6 @@ spec: + readOnly: true + {{ end }} + containers: +- {{- if $envAll.Values.manifests.certificates }} +- - name: nginx +-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }} +-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +-{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +- ports: +- - name: g-api +- containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +- env: +- - name: PORT +- value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} +- - name: POD_IP +- valueFrom: +- fieldRef: +- fieldPath: status.podIP +- - name: SHORTNAME +- value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }} +- readinessProbe: +- tcpSocket: +- port: {{ tuple "image" "internal" "api" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} +- command: +- - /tmp/nginx.sh +- - start +- lifecycle: +- preStop: +- exec: +- command: +- - /tmp/nginx.sh +- - stop +- volumeMounts: +- - name: glance-bin +- mountPath: /tmp/nginx.sh +- subPath: nginx.sh +- readOnly: true +- - name: glance-etc +- mountPath: /etc/nginx/nginx.conf +- subPath: nginx.conf +- readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +- {{- end }} + - name: glance-api + {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +@@ -148,21 +108,6 @@ spec: + command: + - /tmp/glance-api.sh + - stop +- {{- if $envAll.Values.manifests.certificates }} +- readinessProbe: +- exec: +- command: +- - python +- - -c +- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')" +- livenessProbe: +- exec: +- command: +- - python +- - -c +- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')" +- initialDelaySeconds: 30 +- {{- else }} + ports: + - name: g-api + containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +@@ -172,7 +117,6 @@ spec: + livenessProbe: + tcpSocket: + port: {{ tuple "image" "internal" "api" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} +- {{- end }} + volumeMounts: + - name: pod-tmp + mountPath: /tmp +@@ -229,7 +173,7 @@ spec: + readOnly: true + {{- end }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -265,7 +209,7 @@ spec: + secretName: {{ .Values.secrets.rbd | quote }} + {{- end }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_glance_api.volumes }}{{ toYaml 
$mounts_glance_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml +index 2cbeac14..f88d4784 100644 +--- a/glance/templates/deployment-registry.yaml ++++ b/glance/templates/deployment-registry.yaml +@@ -111,7 +111,7 @@ spec: + mountPath: /etc/glance/policy.yaml + subPath: policy.yaml + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -127,7 +127,7 @@ spec: + secret: + secretName: glance-etc + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/glance/templates/ingress-api.yaml b/glance/templates/ingress-api.yaml +index 939855e0..497d96ad 100644 +--- a/glance/templates/ingress-api.yaml ++++ 
b/glance/templates/ingress-api.yaml +@@ -13,11 +13,6 @@ limitations under the License. + */}} + + {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +-{{- $envAll := . }} +-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} ++{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/glance/templates/ingress-registry.yaml b/glance/templates/ingress-registry.yaml +index b9bbaa36..01e39e99 100644 +--- a/glance/templates/ingress-registry.yaml ++++ b/glance/templates/ingress-registry.yaml +@@ -15,7 +15,7 @@ limitations under the License. + {{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }} + {{- $envAll := . }} + {{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image_registry" "backendPort" "g-reg" -}} +-{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}} ++{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.public -}} + {{- if and .Values.manifests.certificates $secretName -}} + {{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}} + {{- end -}} +diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml +index 461c52af..0c334d07 100644 +--- a/glance/templates/job-bootstrap.yaml ++++ b/glance/templates/job-bootstrap.yaml +@@ -31,7 +31,7 @@ volumes: + {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }} + {{- $bootstrapJob := dict "envAll" . 
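Review bot: The glance ingress-api hunk deletes the `$secretName`/`certIssuer` block entirely, while the ingress-registry hunk right after it keeps the block and only switches it to `secrets.tls.image_registry.api.public`; the heat ingress-api/ingress-cfn and horizon ingress-api hunks further down follow the delete pattern, so ingress-registry is the odd one out. Pick one: either drop the three `$secretName`/`certIssuer` lines from ingress-registry as well, or keep them in every ingress template pointing at the `.public` secret. Since the per-chart certificates.yaml files are removed in this same patch, the ingress TLS secret is presumably provisioned by the platform rather than issued through the chart; a one-line comment above `$ingressOpts` stating where the ingress certificate comes from would make that dependency explicit.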
"serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} +diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml +index 992ee37f..14355331 100644 +--- a/glance/templates/job-ks-endpoints.yaml ++++ b/glance/templates/job-ks-endpoints.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2" + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} +diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml +index 21bb1302..f36ceec9 100644 +--- a/glance/templates/job-ks-service.yaml ++++ b/glance/templates/job-ks-service.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3" + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} +diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml +index 226be718..bf09fda4 100644 +--- a/glance/templates/job-ks-user.yaml ++++ b/glance/templates/job-ks-user.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . 
| fromYaml) }} +diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml +index f6ac0a10..133e12be 100644 +--- a/glance/templates/job-storage-init.yaml ++++ b/glance/templates/job-storage-init.yaml +@@ -168,7 +168,7 @@ spec: + - name: glance-images + mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }} + {{ end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + volumes: + - name: pod-tmp + emptyDir: {} +@@ -194,5 +194,5 @@ spec: + persistentVolumeClaim: + claimName: glance-images + {{ end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml +index 938c040d..7d1021ac 100644 +--- a/glance/templates/pod-rally-test.yaml ++++ b/glance/templates/pod-rally-test.yaml +@@ -54,7 +54,7 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 
}} +@@ -97,7 +97,7 @@ spec: + mountPath: /var/lib/rally + - name: rally-work + mountPath: /home/rally/.rally +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -114,6 +114,6 @@ spec: + emptyDir: {} + - name: rally-work + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/heat/templates/bin/_heat-api.sh.tpl b/heat/templates/bin/_heat-api.sh.tpl +index b756d59e..e737562c 100644 +--- a/heat/templates/bin/_heat-api.sh.tpl ++++ b/heat/templates/bin/_heat-api.sh.tpl +@@ -19,47 +19,12 @@ COMMAND="${@:-start}" + + function start () { + +-{{- if .Values.manifests.certificates }} +- for WSGI_SCRIPT in heat-wsgi-api; do +- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/ +- done +- +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- +-{{- if .Values.conf.software.apache2.a2enmod }} +- {{- range .Values.conf.software.apache2.a2enmod }} +- a2enmod {{ . }} +- {{- end }} +-{{- end }} +- +-{{- if .Values.conf.software.apache2.a2dismod }} +- {{- range .Values.conf.software.apache2.a2dismod }} +- a2dismod {{ . 
}} +- {{- end }} +-{{- end }} +- +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi +- # Starts Apache2 +- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-{{- else }} + exec heat-api \ + --config-file /etc/heat/heat.conf +-{{- end }} + } + + function stop () { +-{{- if .Values.manifests.certificates }} +- {{ .Values.conf.software.apache2.binary }} -k graceful-stop +-{{- else }} + kill -TERM 1 +-{{- end }} + } + + $COMMAND +diff --git a/heat/templates/bin/_heat-cfn.sh.tpl b/heat/templates/bin/_heat-cfn.sh.tpl +index 757b59af..97f82798 100644 +--- a/heat/templates/bin/_heat-cfn.sh.tpl ++++ b/heat/templates/bin/_heat-cfn.sh.tpl +@@ -18,49 +18,12 @@ set -ex + COMMAND="${@:-start}" + + function start () { +-{{- if .Values.manifests.certificates }} +- for WSGI_SCRIPT in heat-wsgi-api-cfn; do +- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/ +- done +- +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- +- +-{{- if .Values.conf.software.apache2.a2enmod }} +- {{- range .Values.conf.software.apache2.a2enmod }} +- a2enmod {{ . }} +- {{- end }} +-{{- end }} +- +-{{- if .Values.conf.software.apache2.a2dismod }} +- {{- range .Values.conf.software.apache2.a2dismod }} +- a2dismod {{ . 
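Review bot: With the apache2 branch gone from `start()` and `stop()`, the `conf.software.apache2.*` values this script used to read become inert for heat-api unless something outside the hunk still consumes them, and the `wsgi-heat.conf`/`mpm_event.conf` entries that the deployment-api hunk below stops mounting presumably still exist in the heat-etc ConfigMap. Either prune those values and ConfigMap entries in the same patch or add a comment such as `# apache2/WSGI front-end removed: TLS terminates at the ingress, heat-api listens in plain HTTP` above `exec heat-api` so the divergence from upstream is documented. The same point applies to the heat-cfn script hunk immediately after this one.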
}} +- {{- end }} +-{{- end }} +- +- +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi +- # Starts Apache2 +- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-{{- else }} + exec heat-api-cfn \ + --config-file /etc/heat/heat.conf +-{{- end }} + } + + function stop () { +-{{- if .Values.manifests.certificates }} +- {{ .Values.conf.software.apache2.binary }} -k graceful-stop +-{{- else }} + kill -TERM 1 +-{{- end }} + } + + $COMMAND +diff --git a/heat/templates/certificates.yaml b/heat/templates/certificates.yaml +deleted file mode 100644 +index 353dfd69..00000000 +--- a/heat/templates/certificates.yaml ++++ /dev/null +@@ -1,18 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{ dict "envAll" . 
"service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml +index d3cebb0a..8f83a631 100644 +--- a/heat/templates/deployment-api.yaml ++++ b/heat/templates/deployment-api.yaml +@@ -114,17 +114,7 @@ spec: + mountPath: /etc/heat/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true +- {{- if .Values.manifests.certificates }} +- - name: heat-etc +- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf +- subPath: wsgi-heat.conf +- readOnly: true +- - name: heat-etc +- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf +- subPath: mpm_event.conf +- readOnly: true +- {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -142,7 +132,7 @@ spec: + secret: + secretName: heat-etc + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" 
$envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml +index dc05f6f5..3b62539a 100644 +--- a/heat/templates/deployment-cfn.yaml ++++ b/heat/templates/deployment-cfn.yaml +@@ -114,17 +114,7 @@ spec: + mountPath: /etc/heat/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true +- {{- if .Values.manifests.certificates }} +- - name: heat-etc +- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf +- subPath: wsgi-cnf.conf +- readOnly: true +- - name: heat-etc +- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf +- subPath: mpm_event.conf +- readOnly: true +- {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -141,6 +131,6 @@ spec: + secret: + secretName: heat-etc + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/deployment-engine.yaml 
b/heat/templates/deployment-engine.yaml +index da9c905f..e9d5873c 100644 +--- a/heat/templates/deployment-engine.yaml ++++ b/heat/templates/deployment-engine.yaml +@@ -103,7 +103,7 @@ spec: + subPath: policy.yaml + readOnly: true + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -120,7 +120,7 @@ spec: + secretName: heat-etc + defaultMode: 0444 + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_engine.volumes }}{{ 
toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/ingress-api.yaml b/heat/templates/ingress-api.yaml +index 8d5c9a03..47a3bbaf 100644 +--- a/heat/templates/ingress-api.yaml ++++ b/heat/templates/ingress-api.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} + {{- $envAll := . }} + {{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/heat/templates/ingress-cfn.yaml b/heat/templates/ingress-cfn.yaml +index d9653384..8bcb7884 100644 +--- a/heat/templates/ingress-cfn.yaml ++++ b/heat/templates/ingress-cfn.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }} + {{- $envAll := . 
}} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}} +-{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml +index ee321545..cd0a77eb 100644 +--- a/heat/templates/job-bootstrap.yaml ++++ b/heat/templates/job-bootstrap.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5" + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} +diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml +index 9c7daeee..09aa9862 100644 +--- a/heat/templates/job-ks-endpoints.yaml ++++ b/heat/templates/job-ks-endpoints.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2" + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} +diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml +index 6505cefe..96107695 100644 +--- a/heat/templates/job-ks-service.yaml ++++ b/heat/templates/job-ks-service.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3" + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . 
| fromYaml) }} +diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml +index 89b73dd9..1eabf4cf 100644 +--- a/heat/templates/job-ks-user-domain.yaml ++++ b/heat/templates/job-ks-user-domain.yaml +@@ -64,7 +64,7 @@ spec: + mountPath: /tmp/ks-domain-user.sh + subPath: ks-domain-user.sh + readOnly: true +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: + {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +@@ -100,5 +100,5 @@ spec: + configMap: + name: heat-bin + defaultMode: 0555 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml +index 934c6021..984951d2 100644 +--- a/heat/templates/job-ks-user-trustee.yaml ++++ b/heat/templates/job-ks-user-trustee.yaml +@@ -19,7 +19,7 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.manifests.job_ks_user_trustee }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "heat" "serviceUser" "heat_trustee" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }} +diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml +index db39a556..a7cd5747 100644 +--- a/heat/templates/job-ks-user.yaml ++++ b/heat/templates/job-ks-user.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . 
| fromYaml) }} +diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml +index e713d278..16a87950 100644 +--- a/heat/templates/job-trusts.yaml ++++ b/heat/templates/job-trusts.yaml +@@ -68,7 +68,7 @@ spec: + mountPath: /tmp/trusts.sh + subPath: trusts.sh + readOnly: true +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }} + env: + {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }} +@@ -87,5 +87,5 @@ spec: + configMap: + name: heat-bin + defaultMode: 0555 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }} +diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml +index 3b7d95da..ebf4b12d 100644 +--- a/heat/templates/pod-rally-test.yaml ++++ b/heat/templates/pod-rally-test.yaml +@@ -52,7 +52,7 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include 
"helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +@@ -98,7 +98,7 @@ spec: + subPath: {{ printf "test_template_%d" $key }} + readOnly: true + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -113,6 +113,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/horizon/templates/certificates.yaml b/horizon/templates/certificates.yaml +deleted file mode 100644 +index 8dbb884a..00000000 +--- a/horizon/templates/certificates.yaml ++++ /dev/null +@@ -1,17 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. 
+-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml +index 3bb0a3a8..0e646b9e 100644 +--- a/horizon/templates/deployment.yaml ++++ b/horizon/templates/deployment.yaml +@@ -132,7 +132,7 @@ spec: + subPath: {{ base $policyFile }} + readOnly: true + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -151,6 +151,6 @@ spec: + secretName: horizon-etc + defaultMode: 0444 + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" 
$envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/horizon/templates/ingress-api.yaml b/horizon/templates/ingress-api.yaml +index 252ac523..22f13814 100644 +--- a/horizon/templates/ingress-api.yaml ++++ b/horizon/templates/ingress-api.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }} + {{- $envAll := . }} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}} +-{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/horizon/templates/pod-helm-tests.yaml b/horizon/templates/pod-helm-tests.yaml +index dbcb9a3c..bb7abc89 100644 +--- a/horizon/templates/pod-helm-tests.yaml ++++ b/horizon/templates/pod-helm-tests.yaml +@@ -62,7 +62,7 @@ spec: + mountPath: /tmp/selenium-test.py + subPath: selenium-test.py + readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | 
indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -71,6 +71,6 @@ spec: + configMap: + name: horizon-bin + defaultMode: 0555 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl +index f6216df1..85740a05 100644 +--- a/keystone/templates/bin/_keystone-api.sh.tpl ++++ b/keystone/templates/bin/_keystone-api.sh.tpl +@@ -49,10 +49,6 @@ function start () { + } + + function stop () { +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- fi + {{ .Values.conf.software.apache2.binary }} -k graceful-stop + } + +diff --git a/keystone/templates/certificates.yaml b/keystone/templates/certificates.yaml +deleted file mode 100644 +index f8a73c4b..00000000 +--- a/keystone/templates/certificates.yaml ++++ /dev/null +@@ -1,17 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}} +-{{ dict "envAll" . 
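Review bot: `stop()` no longer sources `/etc/apache2/envvars` before `-k graceful-stop`, while `start()` (above this hunk, not shown) is untouched by the patch, so the two halves of the script now make different assumptions about the image. On Debian-based images whose config expands `${APACHE_RUN_DIR}`/`${APACHE_PID_FILE}` from envvars, the bare binary cannot resolve the pid file and the graceful stop fails, leaving the pod to be killed at the end of its grace period; on the CentOS images this patch targets the removed block was presumably a no-op. If CentOS-only is the intent, record it with `# envvars not sourced: CentOS images hard-code the Apache run dir`; otherwise the guarded `source` was harmless and should stay.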
"service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml +index 94e705b8..ed2c3d54 100644 +--- a/keystone/templates/deployment-api.yaml ++++ b/keystone/templates/deployment-api.yaml +@@ -153,8 +153,8 @@ spec: + {{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- end }} +-{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- end }} + {{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +@@ -195,8 +195,8 @@ spec: + {{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +-{{- if and 
$envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} + {{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +diff --git a/keystone/templates/ingress-api.yaml b/keystone/templates/ingress-api.yaml +index 525c2121..b7b0e238 100644 +--- a/keystone/templates/ingress-api.yaml ++++ b/keystone/templates/ingress-api.yaml +@@ -13,12 +13,7 @@ limitations under the License. + */}} + + {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +-{{- $envAll := . }} +-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}} +-{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}} +-{{- if and .Values.manifests.certificates $secretName -}} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} ++{{- $ingressOpts := dict "envAll" . 
"backendServiceType" "identity" "backendPort" "ks-pub" -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} + {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.admin }} +diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml +index 04833279..3e3ff2aa 100644 +--- a/keystone/templates/job-bootstrap.yaml ++++ b/keystone/templates/job-bootstrap.yaml +@@ -19,8 +19,8 @@ helm.sh/hook-weight: "5" + + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}} +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}} +-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}} ++{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.public -}} + {{- end -}} + {{- if .Values.pod.tolerations.keystone.enabled -}} + {{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} +diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml +index 8acd192e..679a009c 100644 +--- a/keystone/templates/job-domain-manage.yaml ++++ b/keystone/templates/job-domain-manage.yaml +@@ -56,7 +56,7 @@ spec: + {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates 
.Values.secrets.tls.identity.api.internal) }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + command: +@@ -68,18 +68,12 @@ spec: + mountPath: /tmp/domain-manage-init.sh + subPath: domain-manage-init.sh + readOnly: true +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- end }} + containers: + - name: keystone-domain-manage + {{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} +-{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +-{{- end }} + command: + - /tmp/domain-manage.sh + volumeMounts: +@@ -119,9 +113,6 @@ spec: + {{- end }} + - name: keystone-credential-keys + mountPath: {{ .Values.conf.keystone.credential.key_repository }} +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- end }} + {{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -146,8 +137,5 @@ spec: + - 
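Review bot: The main `keystone-domain-manage` container loses its entire `env:` block here, whereas the init container in the preceding hunk keeps `ksUserSecret` and only drops `useCA`; this leaves a bare `env:` key with no entries and the container without the OS_* admin credentials that `keystone_openrc_env_vars` provided. Unless domain-manage.sh (outside this hunk) was rewritten to never call the OpenStack API, the job will fail authentication, and the asymmetry with the init container reads like an over-deletion. Restoring the three lines the way the init container has them — `{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}`, `{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}`, `{{- end }}` — matches what the rest of the patch does for every other keystone consumer.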
name: keystone-credential-keys + secret: + secretName: keystone-credential-keys +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- end }} + {{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }} + {{- end }} +diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml +index c3730cc3..8474b639 100644 +--- a/keystone/templates/pod-rally-test.yaml ++++ b/keystone/templates/pod-rally-test.yaml +@@ -52,11 +52,11 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{- end }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -72,7 +72,7 @@ spec: + {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + {{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | 
include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -97,8 +97,8 @@ spec: + mountPath: /var/lib/rally + - name: rally-work + mountPath: /home/rally/.rally +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{- end }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: +@@ -116,8 +116,8 @@ spec: + emptyDir: {} + - name: rally-work + emptyDir: {} +-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{- end }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff 
--git a/neutron/templates/certificates.yaml b/neutron/templates/certificates.yaml +deleted file mode 100644 +index f65396d0..00000000 +--- a/neutron/templates/certificates.yaml ++++ /dev/null +@@ -1,17 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml +index edfa0a10..8474ff38 100644 +--- a/neutron/templates/daemonset-metadata-agent.yaml ++++ b/neutron/templates/daemonset-metadata-agent.yaml +@@ -192,7 +192,7 @@ spec: + mountPath: /run/netns + mountPropagation: Bidirectional + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 
12 }}{{ end }} + volumes: +@@ -216,7 +216,7 @@ spec: + hostPath: + path: /run/netns + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml +index 94c4e1a2..3a8b6e8b 100644 +--- a/neutron/templates/deployment-server.yaml ++++ b/neutron/templates/deployment-server.yaml +@@ -13,31 +13,13 @@ limitations under the License. + */}} + + {{- define "serverReadinessProbeTemplate" }} +-{{- if .Values.manifests.certificates }} +-exec: +- command: +- - python +- - -c +- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')" +-initialDelaySeconds: 30 +-{{- else }} + tcpSocket: + port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- end }} +-{{- end }} + {{- define "serverLivenessProbeTemplate" }} +-{{- if .Values.manifests.certificates }} +-exec: +- command: +- - python +- - -c +- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')" +-initialDelaySeconds: 30 +-{{- else }} + tcpSocket: + port: {{ tuple "network" "internal" "api" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- end }} +-{{- end }} + + {{- if .Values.manifests.deployment_server }} + {{- $envAll := . }} +@@ -102,48 +84,6 @@ spec: + mountPath: /opt/plugin + {{- end }} + containers: +- {{- if $envAll.Values.manifests.certificates }} +- - name: nginx +-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }} +-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +-{{ dict "envAll" $envAll "application" "neutron_server" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} +- ports: +- - name: q-api +- containerPort: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +- env: +- - name: PORT +- value: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} +- - name: POD_IP +- valueFrom: +- fieldRef: +- fieldPath: status.podIP +- - name: SHORTNAME +- value: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }} +- readinessProbe: +- tcpSocket: +- port: {{ tuple "network" "internal" "api" . 
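Review bot: Both probe templates now use `tcpSocket` unconditionally, which reports the server ready as soon as the port is bound and before the API can answer, and the `initialDelaySeconds: 30` that only the removed exec branch carried is gone with it. The old exec probe fetched `http://127.0.0.1` even in the certificates case, so nothing is lost security-wise, but an `httpGet` on the unauthenticated version-discovery root, e.g. `httpGet:` / `path: /` / `port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}`, keeps a real health check without the python/requests dependency. Both `define` blocks are complete within this hunk.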
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} +- command: +- - /tmp/nginx.sh +- - start +- lifecycle: +- preStop: +- exec: +- command: +- - /tmp/nginx.sh +- - stop +- volumeMounts: +- - name: pod-tmp +- mountPath: /tmp +- - name: neutron-bin +- mountPath: /tmp/nginx.sh +- subPath: nginx.sh +- readOnly: true +- - name: neutron-etc +- mountPath: /etc/nginx/nginx.conf +- subPath: nginx.conf +- readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +- {{- end }} + - name: neutron-server + {{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +@@ -241,16 +181,12 @@ spec: + subPath: policy.yaml + readOnly: true + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} +- {{- if .Values.manifests.certificates }} +- - name: wsgi-neutron +- emptyDir: {} +- {{- end 
}} + - name: pod-var-neutron + emptyDir: {} + - name: neutron-bin +@@ -266,7 +202,7 @@ spec: + emptyDir: {} + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/neutron/templates/ingress-server.yaml b/neutron/templates/ingress-server.yaml +index 6e6eb735..43526fa8 100644 +--- a/neutron/templates/ingress-server.yaml ++++ b/neutron/templates/ingress-server.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }} + {{- $envAll := . 
}} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}} +-{{- if and .Values.manifests.certificates $secretName }} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end }} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml +index 3a3faba0..a385fa22 100644 +--- a/neutron/templates/job-bootstrap.yaml ++++ b/neutron/templates/job-bootstrap.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5" + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} +diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml +index 39b9387f..47c5bcad 100644 +--- a/neutron/templates/job-ks-endpoints.yaml ++++ b/neutron/templates/job-ks-endpoints.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2" + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksEndpointsJob := dict "envAll" . 
"serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} ++{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} +diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml +index 84fb56d4..9d05ed13 100644 +--- a/neutron/templates/job-ks-service.yaml ++++ b/neutron/templates/job-ks-service.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3" + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} +diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml +index 80a19bc9..c4ea8957 100644 +--- a/neutron/templates/job-ks-user.yaml ++++ b/neutron/templates/job-ks-user.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . 
| fromYaml) }} +diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml +index cd6899c2..e288c870 100644 +--- a/neutron/templates/pod-rally-test.yaml ++++ b/neutron/templates/pod-rally-test.yaml +@@ -53,7 +53,7 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +@@ -98,7 +98,7 @@ spec: + readOnly: true + - name: pod-tmp + mountPath: /tmp/pod-tmp +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ end }} + containers: + - name: neutron-test +@@ -128,7 +128,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -143,6 +143,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} +-{{- dict "enabled" 
.Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/neutron/values.yaml b/neutron/values.yaml +index 80834331..29917a59 100644 +--- a/neutron/values.yaml ++++ b/neutron/values.yaml +@@ -2226,6 +2226,7 @@ secrets: + compute_metadata: + metadata: + internal: metadata-tls-metadata ++ public: neutron-tls-public + network: + server: + public: neutron-tls-public +diff --git a/nova/templates/bin/_nova-api-metadata.sh.tpl b/nova/templates/bin/_nova-api-metadata.sh.tpl +index 18195f26..246a11c6 100644 +--- a/nova/templates/bin/_nova-api-metadata.sh.tpl ++++ b/nova/templates/bin/_nova-api-metadata.sh.tpl +@@ -18,51 +18,13 @@ set -ex + COMMAND="${@:-start}" + + function start () { +-{{- if .Values.manifests.certificates }} +- for WSGI_SCRIPT in nova-metadata-wsgi; do +- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/ +- done +- +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- +-{{- if .Values.conf.software.apache2.a2enmod }} +- {{- range .Values.conf.software.apache2.a2enmod }} +- a2enmod {{ . }} +- {{- end }} +-{{- end }} +- +-{{- if .Values.conf.software.apache2.a2dismod }} +- {{- range .Values.conf.software.apache2.a2dismod }} +- a2dismod {{ . 
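Review bot: `secrets.tls.compute_metadata.metadata.public` is set to `neutron-tls-public`, the neutron ingress Secret, although `compute_metadata` is the nova metadata endpoint that daemonset-metadata-agent.yaml (earlier in this patch) mounts it for. If the agent uses the mounted bundle to verify that endpoint, this only works while nova's metadata endpoint presents a certificate chained to the same issuer that `neutron-tls-public` carries; a deployment with per-service CAs would fail verification at the agent with no hint in the values. A comment above the key, `# CA the metadata agent uses to verify the nova metadata endpoint; must chain to the same issuer as nova's public cert`, or better a value pointing at nova's own public Secret, would prevent that.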
}} +- {{- end }} +-{{- end }} +- +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi +- # Starts Apache2 +- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-{{- else }} + exec nova-api-metadata \ + --config-file /etc/nova/nova.conf \ + --config-file /tmp/pod-shared/nova-api-metadata.ini +-{{- end }} + } + + function stop () { +-{{- if .Values.manifests.certificates }} +- if [ -f /etc/apache2/envvars ]; then +- source /etc/apache2/envvars +- fi +- {{ .Values.conf.software.apache2.binary }} -k graceful-stop +-{{- else }} + kill -TERM 1 +-{{- end }} + } + + $COMMAND +diff --git a/nova/templates/bin/_nova-api.sh.tpl b/nova/templates/bin/_nova-api.sh.tpl +index c62de9a6..95fcb130 100644 +--- a/nova/templates/bin/_nova-api.sh.tpl ++++ b/nova/templates/bin/_nova-api.sh.tpl +@@ -18,51 +18,12 @@ set -ex + COMMAND="${@:-start}" + + function start () { +-{{- if .Values.manifests.certificates }} +- for WSGI_SCRIPT in nova-api-wsgi; do +- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/ +- done +- +- if [ -f /etc/apache2/envvars ]; then +- # Loading Apache2 ENV variables +- source /etc/apache2/envvars +- mkdir -p ${APACHE_RUN_DIR} +- fi +- +-{{- if .Values.conf.software.apache2.a2enmod }} +- {{- range .Values.conf.software.apache2.a2enmod }} +- a2enmod {{ . }} +- {{- end }} +-{{- end }} +- +-{{- if .Values.conf.software.apache2.a2dismod }} +- {{- range .Values.conf.software.apache2.a2dismod }} +- a2dismod {{ . 
}} +- {{- end }} +-{{- end }} +- +- +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi +- # Starts Apache2 +- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-{{- else }} + exec nova-api-os-compute \ + --config-file /etc/nova/nova.conf +-{{- end }} + } + + function stop () { +-{{- if .Values.manifests.certificates }} +- if [ -f /etc/apache2/envvars ]; then +- source /etc/apache2/envvars +- fi +- {{ .Values.conf.software.apache2.binary }} -k graceful-stop +-{{- else }} + kill -TERM 1 +-{{- end }} + } + + $COMMAND +diff --git a/nova/templates/certificates.yaml b/nova/templates/certificates.yaml +deleted file mode 100644 +index 3bf6c8db..00000000 +--- a/nova/templates/certificates.yaml ++++ /dev/null +@@ -1,27 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- if .Values.manifests.deployment_novncproxy }} +-{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end }} +-{{- if .Values.manifests.deployment_placement }} +-{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end }} +-{{ dict "envAll" . 
"service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- if .Values.manifests.deployment_spiceproxy }} +-{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end }} +-{{- end -}} +diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml +index 9f745ace..e64251d1 100644 +--- a/nova/templates/cron-job-service-cleaner.yaml ++++ b/nova/templates/cron-job-service-cleaner.yaml +@@ -72,7 +72,7 @@ spec: + readOnly: true + - name: etcnova + mountPath: /etc/nova +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} + volumes: + - name: pod-tmp + emptyDir: {} +@@ -86,5 +86,5 @@ spec: + configMap: + name: nova-bin + defaultMode: 0555 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }} + {{- end }} +diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml +index 6b162481..7cb3c2cd 100644 +--- a/nova/templates/daemonset-compute.yaml ++++ b/nova/templates/daemonset-compute.yaml +@@ -278,7 +278,7 @@ spec: + value: "{{ .Values.pod.probes.rpc_retries }}" + {{- if .Values.manifests.certificates }} + - name: REQUESTS_CA_BUNDLE +- value: "/etc/nova/certs/ca.crt" ++ value: "/etc/ssl/certs/openstack-helm.crt" + {{- end }} + {{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include 
"novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + {{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +@@ -435,7 +435,7 @@ spec: + subPath: tf-plugin.pth + readOnly: true + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} + {{- if .Values.network.ssh.enabled }} +@@ -450,7 +450,7 @@ spec: + value: {{ .Values.network.ssh.port | quote }} + {{- if .Values.manifests.certificates }} + - name: REQUESTS_CA_BUNDLE +- value: "/etc/nova/certs/ca.crt" ++ value: "/etc/ssl/certs/openstack-helm.crt" + {{- end }} + ports: + - containerPort: {{ .Values.network.ssh.port }} +@@ -464,7 +464,7 @@ spec: + mountPath: /tmp/ssh-start.sh + subPath: ssh-start.sh + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml 
$mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} + {{ end }} + volumes: +@@ -550,7 +550,7 @@ spec: + - name: tf-plugin-bin + emptyDir: {} + {{- end }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml +index 44d3a492..8b131241 100644 +--- a/nova/templates/deployment-api-metadata.yaml ++++ b/nova/templates/deployment-api-metadata.yaml +@@ -169,20 +169,8 @@ spec: + - name: pod-shared + mountPath: /tmp/pod-shared + readOnly: true +- {{- if .Values.manifests.certificates }} +- - name: wsgi-nova +- mountPath: /var/www/cgi-bin/nova +- - name: nova-etc +- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf +- subPath: wsgi-metadata.conf +- readOnly: true +- - name: nova-etc +- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf +- subPath: mpm_event.conf +- readOnly: true +- {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" 
.Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -202,6 +190,6 @@ spec: + - name: pod-shared + emptyDir: {} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml +index 29c80ba9..64122cf7 100644 +--- a/nova/templates/deployment-api-osapi.yaml ++++ b/nova/templates/deployment-api-osapi.yaml +@@ -117,20 +117,8 @@ spec: + mountPath: /etc/nova/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true +- {{- if .Values.manifests.certificates }} +- - name: wsgi-nova +- mountPath: /var/www/cgi-bin/nova +- - name: nova-etc +- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf +- subPath: wsgi-api.conf +- readOnly: true +- - name: nova-etc +- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf +- subPath: mpm_event.conf +- readOnly: true +- {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" 
.Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -151,7 +139,7 @@ spec: + secretName: nova-etc + defaultMode: 0444 + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml +index ba301abe..d92f55f9 100644 +--- a/nova/templates/deployment-conductor.yaml ++++ b/nova/templates/deployment-conductor.yaml +@@ -93,7 +93,7 @@ spec: + value: "{{ .Values.pod.probes.rpc_retries }}" + {{- if .Values.manifests.certificates }} + - name: REQUESTS_CA_BUNDLE +- value: "/etc/nova/certs/ca.crt" ++ value: "/etc/ssl/certs/openstack-helm.crt" + {{- end 
}} + command: + - /tmp/nova-conductor.sh +@@ -122,7 +122,7 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} +@@ -137,7 +137,7 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} +diff --git 
a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml +index 517005d9..c9aae286 100644 +--- a/nova/templates/deployment-novncproxy.yaml ++++ b/nova/templates/deployment-novncproxy.yaml +@@ -143,7 +143,7 @@ spec: + - name: pod-shared + mountPath: /tmp/pod-shared + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -162,7 +162,7 @@ spec: + - name: pod-shared + emptyDir: {} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include 
"helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml +index 8d5e508b..c8237732 100644 +--- a/nova/templates/deployment-placement.yaml ++++ b/nova/templates/deployment-placement.yaml +@@ -124,7 +124,7 @@ spec: + readOnly: true + {{- end }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -140,6 +140,6 @@ spec: + secretName: nova-etc + defaultMode: 0444 + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml 
+index 52e46958..f94d6a79 100644 +--- a/nova/templates/deployment-scheduler.yaml ++++ b/nova/templates/deployment-scheduler.yaml +@@ -93,7 +93,7 @@ spec: + value: "{{ .Values.pod.probes.rpc_retries }}" + {{- if .Values.manifests.certificates }} + - name: REQUESTS_CA_BUNDLE +- value: "/etc/nova/certs/ca.crt" ++ value: "/etc/ssl/certs/openstack-helm.crt" + {{- end }} + command: + - /tmp/nova-scheduler.sh +@@ -123,7 +123,7 @@ spec: + subPath: policy.yaml + readOnly: true + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -138,7 +138,7 @@ spec: + secretName: nova-etc + defaultMode: 0444 + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" 
$envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml +index e430d257..66aa26dd 100644 +--- a/nova/templates/deployment-spiceproxy.yaml ++++ b/nova/templates/deployment-spiceproxy.yaml +@@ -141,7 +141,7 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -158,6 +158,6 @@ spec: + emptyDir: {} + - name: pod-shared + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/ingress-metadata.yaml b/nova/templates/ingress-metadata.yaml +index 36eb8647..8c88cfdc 100644 +--- a/nova/templates/ingress-metadata.yaml ++++ b/nova/templates/ingress-metadata.yaml +@@ -15,9 +15,5 @@ limitations under the License. 
+ {{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }} + {{- $envAll := . -}} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}} +-{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}} +-{{- if and .Values.manifests.certificates $secretName }} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/nova/templates/ingress-novncproxy.yaml b/nova/templates/ingress-novncproxy.yaml +index cad53cf3..04643569 100644 +--- a/nova/templates/ingress-novncproxy.yaml ++++ b/nova/templates/ingress-novncproxy.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }} + {{- $envAll := . }} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}} +-{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}} +-{{- if and .Values.manifests.certificates $secretName }} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end }} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/nova/templates/ingress-osapi.yaml b/nova/templates/ingress-osapi.yaml +index b78f80f4..6f9a4f74 100644 +--- a/nova/templates/ingress-osapi.yaml ++++ b/nova/templates/ingress-osapi.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }} + {{- $envAll := . 
-}} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}} +-{{- if and .Values.manifests.certificates $secretName }} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end }} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/nova/templates/ingress-placement.yaml b/nova/templates/ingress-placement.yaml +index 28b0f0d3..1161676f 100644 +--- a/nova/templates/ingress-placement.yaml ++++ b/nova/templates/ingress-placement.yaml +@@ -15,9 +15,5 @@ limitations under the License. + {{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }} + {{- $envAll := . -}} + {{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}} +-{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}} +-{{- if and .Values.manifests.certificates $secretName }} +-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}} +-{{- end }} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} +diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml +index dac8754d..1229acec 100644 +--- a/nova/templates/job-bootstrap.yaml ++++ b/nova/templates/job-bootstrap.yaml +@@ -99,7 +99,7 @@ spec: + mountPath: {{ $logConfigFile | quote }} + subPath: {{ base $logConfigFile | quote }} + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + 
volumes: + - name: pod-tmp + emptyDir: {} +@@ -113,7 +113,7 @@ spec: + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + --- + kind: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1 +diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml +index e2bd2889..1f9c5dbc 100644 +--- a/nova/templates/job-cell-setup.yaml ++++ b/nova/templates/job-cell-setup.yaml +@@ -60,7 +60,7 @@ spec: + mountPath: /tmp/cell-setup-init.sh + subPath: cell-setup-init.sh + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + containers: + - name: nova-cell-setup + {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }} +@@ -106,5 +106,5 @@ spec: + name: nova-bin + defaultMode: 0555 + {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/nova/templates/job-ks-endpoints.yaml 
b/nova/templates/job-ks-endpoints.yaml +index 52ec50e4..247fb76c 100644 +--- a/nova/templates/job-ks-endpoints.yaml ++++ b/nova/templates/job-ks-endpoints.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2" + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} +diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml +index b5a10aed..287e30b7 100644 +--- a/nova/templates/job-ks-placement-endpoints.yaml ++++ b/nova/templates/job-ks-placement-endpoints.yaml +@@ -15,7 +15,7 @@ limitations under the License. + {{- if .Values.manifests.job_ks_placement_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} + {{- end -}} + {{- if .Values.pod.tolerations.nova.enabled -}} + {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} +diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml +index d5846517..88d20b62 100644 +--- a/nova/templates/job-ks-placement-service.yaml ++++ b/nova/templates/job-ks-placement-service.yaml +@@ -15,7 +15,7 @@ limitations under the License. + {{- if .Values.manifests.job_ks_placement_service }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} + {{- end -}} + {{- if .Values.pod.tolerations.nova.enabled -}} + {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} +diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml +index f6de6f6b..7524df9a 100644 +--- a/nova/templates/job-ks-placement-user.yaml ++++ b/nova/templates/job-ks-placement-user.yaml +@@ -15,7 +15,7 @@ limitations under the License. + {{- if .Values.manifests.job_ks_placement_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} + {{- end -}} + {{- if .Values.pod.tolerations.nova.enabled -}} + {{- $_ := set $ksUserJob "tolerationsEnabled" true -}} +diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml +index 9d1eebe5..97963d51 100644 +--- a/nova/templates/job-ks-service.yaml ++++ b/nova/templates/job-ks-service.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3" + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . 
| fromYaml) }} +diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml +index 65e5055a..c4327f89 100644 +--- a/nova/templates/job-ks-user.yaml ++++ b/nova/templates/job-ks-user.yaml +@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1" + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}} + {{- if .Values.manifests.certificates -}} +-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} + {{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}} +diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml +index 019596f1..b9599d21 100644 +--- a/nova/templates/pod-rally-test.yaml ++++ b/nova/templates/pod-rally-test.yaml +@@ -53,7 +53,7 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} +@@ -93,7 +93,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally +-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts 
}}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -108,6 +108,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/placement/templates/certificates.yaml b/placement/templates/certificates.yaml +deleted file mode 100644 +index ada7fde1..00000000 +--- a/placement/templates/certificates.yaml ++++ /dev/null +@@ -1,17 +0,0 @@ +-{{/* +-Licensed under the Apache License, Version 2.0 (the "License"); +-you may not use this file except in compliance with the License. +-You may obtain a copy of the License at +- +- http://www.apache.org/licenses/LICENSE-2.0 +- +-Unless required by applicable law or agreed to in writing, software +-distributed under the License is distributed on an "AS IS" BASIS, +-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-See the License for the specific language governing permissions and +-limitations under the License. +-*/}} +- +-{{- if .Values.manifests.certificates -}} +-{{ dict "envAll" . 
"service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }} +-{{- end -}} +diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml +index 9dcde008..8418753f 100644 +--- a/placement/templates/deployment.yaml ++++ b/placement/templates/deployment.yaml +@@ -115,7 +115,7 @@ spec: + subPath: wsgi-placement.conf + readOnly: true + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -131,6 +131,6 @@ spec: + secretName: placement-etc + defaultMode: 0444 + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/placement/templates/ingress.yaml b/placement/templates/ingress.yaml +index 68ce111a..779b2fe6 100644 +--- a/placement/templates/ingress.yaml ++++ b/placement/templates/ingress.yaml +@@ 
-17,9 +17,5 @@ limitations under the License.
+ {{- if and .Values.manifests.ingress .Values.network.api.ingress.public }}
+ {{- $envAll := . -}}
+ {{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "placement" "backendPort" "p-api" -}}
+-{{- $secretName := $envAll.Values.secrets.tls.placement.api.internal -}}
+-{{- if and .Values.manifests.certificates $secretName -}}
+-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
+-{{- end -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ {{- end }}
+diff --git a/placement/templates/job-db-migrate.yaml b/placement/templates/job-db-migrate.yaml
+index ef733778..7a17df8d 100644
+--- a/placement/templates/job-db-migrate.yaml
++++ b/placement/templates/job-db-migrate.yaml
+@@ -86,7 +86,7 @@ spec:
+ mountPath: /etc/placement/placement.conf
+ subPath: placement.conf
+ readOnly: true
+-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
++{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+@@ -100,5 +100,5 @@ spec:
+ secretName: placement-etc
+ defaultMode: 0444
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
++{{- dict "enabled" .Values.manifests.certificates "name" 
.Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- end }}
+diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml
+index 111ba33a..5177f5b9 100644
+--- a/placement/templates/job-ks-endpoints.yaml
++++ b/placement/templates/job-ks-endpoints.yaml
+@@ -22,7 +22,7 @@ helm.sh/hook-weight: "1"
+ {{- if .Values.manifests.job_ks_endpoints }}
+ {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+ {{- if .Values.manifests.certificates -}}
+-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
+ {{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
+diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml
+index 10e45bd6..7aac55f0 100644
+--- a/placement/templates/job-ks-service.yaml
++++ b/placement/templates/job-ks-service.yaml
+@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-2"
+ {{- if .Values.manifests.job_ks_service }}
+ {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
+ {{- if .Values.manifests.certificates -}}
+-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
+ {{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . 
| fromYaml) -}}
+diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml
+index 2c1a0023..4b13c106 100644
+--- a/placement/templates/job-ks-user.yaml
++++ b/placement/templates/job-ks-user.yaml
+@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-1"
+ {{- if .Values.manifests.job_ks_user }}
+ {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
+ {{- if .Values.manifests.certificates -}}
+-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
+ {{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
+-- 
+2.17.1
+
diff --git a/openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch b/openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch
new file mode 100644
index 00000000..ceeac7da
--- /dev/null
+++ b/openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch
@@ -0,0 +1,1789 @@
+From 72da87bb30c1294227758c147c3898c933de7ca0 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante
+Date: Thu, 10 Feb 2022 16:37:22 -0300
+Subject: [PATCH 14/14] Remove mariadb and rabbit tls
+
+Cinder, Glance and other services stopped communicating properly
+after the rebase brought tls to mariadb and rabbit, this removes
+such connections
+
+Change-Id: Ic5d6461985e16dd41d51511caeefd5a0e95283f8
+---
+ cinder/templates/configmap-etc.yaml | 4 ----
+ .../cron-job-cinder-volume-usage-audit.yaml | 4 ----
+ cinder/templates/deployment-api.yaml | 4 ----
+ cinder/templates/deployment-backup.yaml | 4 ----
+ cinder/templates/deployment-scheduler.yaml | 4 ----
+ cinder/templates/deployment-volume.yaml | 4 ----
+ cinder/templates/job-db-drop.yaml | 3 ---
+ cinder/templates/job-db-init.yaml | 3 ---
+ cinder/templates/job-db-sync.yaml | 3 ---
+ cinder/templates/job-rabbit-init.yaml | 3 ---
+ cinder/templates/secret-db.yaml | 4 ----
+ cinder/templates/secret_rabbitmq.yaml | 3 ---
+ glance/templates/configmap-etc.yaml | 8 --------
+ glance/templates/deployment-api.yaml | 4 ----
+ glance/templates/deployment-registry.yaml | 1 -
+ glance/templates/job-db-drop.yaml | 3 ---
+ glance/templates/job-db-init.yaml | 3 ---
+ glance/templates/job-db-sync.yaml | 3 ---
+ glance/templates/job-metadefs-load.yaml | 2 --
+ glance/templates/job-rabbit-init.yaml | 3 ---
+ glance/templates/secret-db.yaml | 4 ----
+ glance/templates/secret-rabbitmq.yaml | 3 ---
+ heat/templates/configmap-etc.yaml | 4 ----
+ heat/templates/cron-job-engine-cleaner.yaml | 2 --
+ heat/templates/cron-job-purge-deleted.yaml | 2 --
+ heat/templates/deployment-api.yaml | 1 -
+ heat/templates/deployment-engine.yaml | 4 ----
+ heat/templates/job-db-drop.yaml | 3 ---
+ heat/templates/job-db-init.yaml | 3 ---
+ heat/templates/job-db-sync.yaml | 3 ---
+ heat/templates/job-rabbit-init.yaml | 3 ---
+ heat/templates/secret-db.yaml | 4 ----
+ heat/templates/secret-rabbitmq.yaml | 3 ---
+ 
horizon/templates/deployment.yaml | 2 --
+ horizon/templates/job-db-drop.yaml | 3 ---
+ horizon/templates/job-db-init.yaml | 3 ---
+ horizon/templates/job-db-sync.yaml | 2 --
+ horizon/templates/secret-db.yaml | 4 ----
+ horizon/values.yaml | 9 ---------
+ keystone/templates/bin/_cred-clean.py.tpl | 11 ++---------
+ keystone/templates/configmap-etc.yaml | 4 ----
+ keystone/templates/deployment-api.yaml | 12 ------------
+ keystone/templates/job-credential-cleanup.yaml | 10 ----------
+ keystone/templates/job-db-drop.yaml | 3 ---
+ keystone/templates/job-db-init.yaml | 3 ---
+ keystone/templates/job-db-sync.yaml | 12 ------------
+ keystone/templates/job-rabbit-init.yaml | 3 ---
+ keystone/templates/secret-db.yaml | 4 ----
+ keystone/templates/secret-rabbitmq.yaml | 3 ---
+ neutron/templates/configmap-etc.yaml | 4 ----
+ neutron/templates/daemonset-dhcp-agent.yaml | 2 --
+ neutron/templates/daemonset-l2gw-agent.yaml | 2 --
+ neutron/templates/daemonset-l3-agent.yaml | 2 --
+ neutron/templates/daemonset-lb-agent.yaml | 2 --
+ neutron/templates/daemonset-metadata-agent.yaml | 2 --
+ neutron/templates/daemonset-ovs-agent.yaml | 2 --
+ neutron/templates/daemonset-sriov-agent.yaml | 2 --
+ neutron/templates/deployment-ironic-agent.yaml | 2 --
+ neutron/templates/deployment-server.yaml | 4 ----
+ neutron/templates/job-db-drop.yaml | 3 ---
+ neutron/templates/job-db-init.yaml | 3 ---
+ neutron/templates/job-db-sync.yaml | 3 ---
+ neutron/templates/job-rabbit-init.yaml | 3 ---
+ neutron/templates/secret-db.yaml | 4 ----
+ neutron/templates/secret_rabbitmq.yaml | 3 ---
+ nova/templates/configmap-etc.yaml | 17 -----------------
+ .../cron-job-archive-deleted-rows.yaml | 1 -
+ nova/templates/cron-job-cell-setup.yaml | 2 --
+ nova/templates/daemonset-compute.yaml | 2 --
+ nova/templates/deployment-api-metadata.yaml | 2 --
+ nova/templates/deployment-api-osapi.yaml | 4 ----
+ nova/templates/deployment-conductor.yaml | 4 ----
+ nova/templates/deployment-consoleauth.yaml | 2 --
+ 
nova/templates/deployment-novncproxy.yaml | 4 ----
+ nova/templates/deployment-placement.yaml | 2 --
+ nova/templates/deployment-scheduler.yaml | 4 ----
+ nova/templates/job-cell-setup.yaml | 2 --
+ nova/templates/job-db-drop.yaml | 3 ---
+ nova/templates/job-db-init.yaml | 3 ---
+ nova/templates/job-db-sync.yaml | 3 ---
+ nova/templates/job-rabbit-init.yaml | 3 ---
+ nova/templates/secret-db-api.yaml | 4 ----
+ nova/templates/secret-db-cell0.yaml | 4 ----
+ nova/templates/secret-db.yaml | 4 ----
+ nova/templates/secret_rabbitmq.yaml | 3 ---
+ .../templates/bin/_mysql-migrate-db.sh.tpl | 6 ------
+ placement/templates/configmap-etc.yaml | 4 ----
+ placement/templates/deployment.yaml | 2 --
+ placement/templates/job-db-drop.yaml | 3 ---
+ placement/templates/job-db-init.yaml | 3 ---
+ placement/templates/job-db-migrate.yaml | 6 ------
+ placement/templates/job-db-sync.yaml | 3 ---
+ placement/templates/secret-db.yaml | 4 ----
+ 93 files changed, 2 insertions(+), 342 deletions(-)
+
+diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
+index 239d729c..04f90f71 100644
+--- a/cinder/templates/configmap-etc.yaml
++++ b/cinder/templates/configmap-etc.yaml
+@@ -51,12 +51,8 @@ limitations under the License.
+ 
+ {{- if empty .Values.conf.cinder.database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "cinder" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.cinder.database "connection" -}}
+-{{- else -}}
+ {{- $_ := set .Values.conf.cinder.database "connection" $connection -}}
+ {{- end -}}
+-{{- end -}}
+ 
+ {{- if empty .Values.conf.cinder.DEFAULT.transport_url -}}
+ {{- $_ := tuple "oslo_messaging" "internal" "cinder" "amqp" . 
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.cinder.DEFAULT "transport_url" -}} +diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +index 4b152081..6cd7a02a 100644 +--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml ++++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +@@ -85,8 +85,6 @@ spec: + mountPath: /tmp/volume-usage-audit.sh + subPath: volume-usage-audit.sh + readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} + {{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }} + volumes: + - name: pod-tmp +@@ -101,7 +99,5 @@ spec: + configMap: + name: cinder-bin + defaultMode: 0555 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} + {{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml +index 300226b5..85fc19d7 100644 +--- a/cinder/templates/deployment-api.yaml ++++ b/cinder/templates/deployment-api.yaml +@@ -141,9 +141,7 @@ 
spec:
+ - name: cinder-coordination
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -162,8 +160,6 @@ spec:
+ - name: cinder-coordination
+ emptyDir: {}
+ {{- end }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml
+index 55c7289c..2fdf644f 100755
+--- a/cinder/templates/deployment-backup.yaml
++++ b/cinder/templates/deployment-backup.yaml
+@@ -270,8 +270,6 @@ spec:
+ mountPath: /usr/local/sbin/iscsiadm
+ subPath: iscsiadm
+ {{- end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" 
$envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_cinder_backup.volumeMounts }}{{ toYaml $mounts_cinder_backup.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -336,7 +334,5 @@ spec:
+ - name: usrlocalsbin
+ emptyDir: {}
+ {{- end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_cinder_backup.volumes }}{{ toYaml $mounts_cinder_backup.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
+index 8108b3e2..17f379e3 100644
+--- a/cinder/templates/deployment-scheduler.yaml
++++ b/cinder/templates/deployment-scheduler.yaml
+@@ -108,8 +108,6 @@ spec:
+ mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
+ {{- end }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" 
"/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -129,7 +127,5 @@ spec: + emptyDir: {} + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml +index 6a10f764..6f15f7ce 100755 +--- a/cinder/templates/deployment-volume.yaml ++++ b/cinder/templates/deployment-volume.yaml +@@ -270,8 +270,6 @@ spec: + {{- end }} + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ 
-332,8 +330,6 @@ spec:
+ hostPath:
+ path: /sys
+ {{- end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/cinder/templates/job-db-drop.yaml b/cinder/templates/job-db-drop.yaml
+index 1115af50..86c7e710 100644
+--- a/cinder/templates/job-db-drop.yaml
++++ b/cinder/templates/job-db-drop.yaml
+@@ -14,9 +14,6 @@ limitations under the License.
+ 
+ {{- if .Values.manifests.job_db_drop }}
+ {{- $dbDropJob := dict "envAll" . "serviceName" "cinder" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.cinder.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml
+index c7e450ad..46071c9b 100644
+--- a/cinder/templates/job-db-init.yaml
++++ b/cinder/templates/job-db-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-5"
+ 
+ {{- if .Values.manifests.job_db_init }}
+ {{- $dbInitJob := dict "envAll" . "serviceName" "cinder" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . 
| fromYaml) }}
+ {{- end }}
+diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml
+index 1bab87b0..69ee540d 100644
+--- a/cinder/templates/job-db-sync.yaml
++++ b/cinder/templates/job-db-sync.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_db_sync }}
+ {{- $dbSyncJob := dict "envAll" . "serviceName" "cinder" "podVolMounts" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumeMounts "podVols" .Values.pod.mounts.cinder_db_sync.cinder_db_sync.volumes -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+ {{- end }}
+diff --git a/cinder/templates/job-rabbit-init.yaml b/cinder/templates/job-rabbit-init.yaml
+index 43d23922..85b49514 100644
+--- a/cinder/templates/job-rabbit-init.yaml
++++ b/cinder/templates/job-rabbit-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_rabbit_init }}
+ {{- $rmqUserJob := dict "envAll" . "serviceName" "cinder" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . 
| fromYaml) }}
+ {{- end }}
+diff --git a/cinder/templates/secret-db.yaml b/cinder/templates/secret-db.yaml
+index a5cee90b..a129534e 100644
+--- a/cinder/templates/secret-db.yaml
++++ b/cinder/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/cinder/templates/secret_rabbitmq.yaml b/cinder/templates/secret_rabbitmq.yaml
+index 2c4403e2..bce1b6d1 100644
+--- a/cinder/templates/secret_rabbitmq.yaml
++++ b/cinder/templates/secret_rabbitmq.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.secret_rabbitmq }}
+ {{- $envAll := . }}
+ {{- $rabbitmqProtocol := "http" }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- $rabbitmqProtocol = "https" }}
+-{{- end }}
+ {{- range $key1, $userClass := tuple "admin" "cinder" }}
+ {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+ ---
+diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
+index f9be6bfb..bac89895 100644
+--- a/glance/templates/configmap-etc.yaml
++++ b/glance/templates/configmap-etc.yaml
+@@ -82,20 +82,12 @@ limitations under the License.
+ 
+ {{- if empty .Values.conf.glance.database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance.database "connection" -}} +-{{- else -}} + {{- $_ := set .Values.conf.glance.database "connection" $connection -}} + {{- end -}} +-{{- end -}} + {{- if empty .Values.conf.glance_registry.connection -}} + {{- $connection := tuple "oslo_db" "internal" "glance" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.glance_registry.database "connection" -}} +-{{- else -}} + {{- $_ := set .Values.conf.glance_registry.database "connection" $connection -}} + {{- end -}} +-{{- end -}} + + {{- if empty .Values.conf.glance.DEFAULT.transport_url -}} + {{- $_ := tuple "oslo_messaging" "internal" "glance" "amqp" . 
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.glance.DEFAULT "transport_url" -}} +diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml +index 80b398c6..c4edd278 100644 +--- a/glance/templates/deployment-api.yaml ++++ b/glance/templates/deployment-api.yaml +@@ -172,9 +172,7 @@ spec: + subPath: key + readOnly: true + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -208,8 +206,6 @@ spec: + secret: + secretName: {{ .Values.secrets.rbd | quote }} + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git 
a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
+index f88d4784..d8185f7d 100644
+--- a/glance/templates/deployment-registry.yaml
++++ b/glance/templates/deployment-registry.yaml
+@@ -112,7 +112,6 @@ spec:
+ subPath: policy.yaml
+ readOnly: true
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+diff --git a/glance/templates/job-db-drop.yaml b/glance/templates/job-db-drop.yaml
+index 66f3a189..1f24b0c6 100644
+--- a/glance/templates/job-db-drop.yaml
++++ b/glance/templates/job-db-drop.yaml
+@@ -16,9 +16,6 @@ limitations under the License.
+ {{- $serviceName := "glance" -}}
+ {{- $dbToDrop := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}}
+ {{- $dbDropJob := dict "envAll" . 
"serviceName" $serviceName "dbToDrop" $dbToDrop -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.pod.tolerations.glance.enabled -}} + {{- $_ := set $dbDropJob "tolerationsEnabled" true -}} + {{- end -}} +diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml +index 6f797814..4a947ef5 100644 +--- a/glance/templates/job-db-init.yaml ++++ b/glance/templates/job-db-init.yaml +@@ -21,9 +21,6 @@ helm.sh/hook-weight: "-5" + {{- $serviceName := "glance" -}} + {{- $dbToInit := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" -}} + {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbToInit" $dbToInit -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} +diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml +index 1434edd1..529199b7 100644 +--- a/glance/templates/job-db-sync.yaml ++++ b/glance/templates/job-db-sync.yaml +@@ -20,9 +20,6 @@ helm.sh/hook-weight: "-4" + {{- if .Values.manifests.job_db_sync }} + {{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" "glance" "glance-api" ) "logConfigFile" (printf "/etc/%s/logging.conf" "glance" ) "image" ( index .Values.images.tags ( printf "%s_db_sync" "glance" )) ) -}} + {{- $dbSyncJob := dict "envAll" . 
"serviceName" "glance" "podVolMounts" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumeMounts "podVols" .Values.pod.mounts.glance_db_sync.glance_db_sync.volumes "dbToSync" $dbToSync -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+ {{- end }}
+diff --git a/glance/templates/job-metadefs-load.yaml b/glance/templates/job-metadefs-load.yaml
+index ca6081fb..0f2cff69 100644
+--- a/glance/templates/job-metadefs-load.yaml
++++ b/glance/templates/job-metadefs-load.yaml
+@@ -85,7 +85,6 @@ spec:
+ subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
+ readOnly: true
+ {{- end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+@@ -99,5 +98,4 @@ spec:
+ secret:
+ secretName: glance-etc
+ defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- end }}
+diff --git a/glance/templates/job-rabbit-init.yaml b/glance/templates/job-rabbit-init.yaml
+index 6bd14d6e..5e1d0e57 100644
+--- a/glance/templates/job-rabbit-init.yaml
++++ b/glance/templates/job-rabbit-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_rabbit_init }}
+ {{- $rmqUserJob := dict "envAll" .
"serviceName" "glance" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+ {{- end }}
+diff --git a/glance/templates/secret-db.yaml b/glance/templates/secret-db.yaml
+index 0a1085d3..09be8498 100644
+--- a/glance/templates/secret-db.yaml
++++ b/glance/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/glance/templates/secret-rabbitmq.yaml b/glance/templates/secret-rabbitmq.yaml
+index aba76397..48c8006f 100644
+--- a/glance/templates/secret-rabbitmq.yaml
++++ b/glance/templates/secret-rabbitmq.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.secret_rabbitmq }}
+ {{- $envAll := . }}
+ {{- $rabbitmqProtocol := "http" }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- $rabbitmqProtocol = "https" }}
+-{{- end }}
+ {{- range $key1, $userClass := tuple "admin" "glance" }}
+ {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+ ---
+diff --git a/heat/templates/configmap-etc.yaml b/heat/templates/configmap-etc.yaml
+index d5716e1f..62a851b2 100644
+--- a/heat/templates/configmap-etc.yaml
++++ b/heat/templates/configmap-etc.yaml
+@@ -74,12 +74,8 @@ limitations under the License.
+ 
+ {{- if empty .Values.conf.heat.database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "heat" "mysql" .
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.heat.database "connection" -}}
+-{{- else -}}
+ {{- $_ := set .Values.conf.heat.database "connection" $connection -}}
+ {{- end -}}
+-{{- end -}}
+ 
+ {{- if empty .Values.conf.heat.DEFAULT.transport_url -}}
+ {{- $_ := tuple "oslo_messaging" "internal" "heat" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.heat.DEFAULT "transport_url" -}}
+diff --git a/heat/templates/cron-job-engine-cleaner.yaml b/heat/templates/cron-job-engine-cleaner.yaml
+index 329193cb..09578185 100644
+--- a/heat/templates/cron-job-engine-cleaner.yaml
++++ b/heat/templates/cron-job-engine-cleaner.yaml
+@@ -88,7 +88,6 @@ spec:
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+ {{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -99,7 +98,6 @@ spec:
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+diff --git a/heat/templates/cron-job-purge-deleted.yaml b/heat/templates/cron-job-purge-deleted.yaml
+index 987b572c..b8ee6905 100644
+--- a/heat/templates/cron-job-purge-deleted.yaml
++++ b/heat/templates/cron-job-purge-deleted.yaml
+@@ -82,7
+82,6 @@ spec:
+ subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
+ readOnly: true
+ {{ end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
+ {{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -93,7 +92,6 @@ spec:
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+ - name: heat-bin
+ configMap:
+ name: heat-bin
+diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
+index 8f83a631..eee17ac8 100644
+--- a/heat/templates/deployment-api.yaml
++++ b/heat/templates/deployment-api.yaml
+@@ -115,7 +115,6 @@ spec:
+ subPath: api_audit_map.conf
+ readOnly: true
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
+index e9d5873c..662c12b5 100644
+--- a/heat/templates/deployment-engine.yaml
++++ b/heat/templates/deployment-engine.yaml
+@@ -102,9 +102,7 @@ spec:
+ mountPath: /etc/heat/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name"
$envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -119,8 +117,6 @@ spec:
+ secret:
+ secretName: heat-etc
+ defaultMode: 0444
+- {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/heat/templates/job-db-drop.yaml b/heat/templates/job-db-drop.yaml
+index 7caa9619..c3a7c35d 100644
+--- a/heat/templates/job-db-drop.yaml
++++ b/heat/templates/job-db-drop.yaml
+@@ -14,9 +14,6 @@ limitations under the License.
+ 
+ {{- if .Values.manifests.job_db_drop }}
+ {{- $dbDropJob := dict "envAll" .
"serviceName" "heat" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.heat.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml
+index 442a2fa4..0a6cbb33 100644
+--- a/heat/templates/job-db-init.yaml
++++ b/heat/templates/job-db-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-5"
+ 
+ {{- if .Values.manifests.job_db_init }}
+ {{- $dbInitJob := dict "envAll" . "serviceName" "heat" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+ {{- end }}
+diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml
+index a25faf84..668f8a0d 100644
+--- a/heat/templates/job-db-sync.yaml
++++ b/heat/templates/job-db-sync.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_db_sync }}
+ {{- $dbSyncJob := dict "envAll" . "serviceName" "heat" "podVolMounts" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumeMounts "podVols" .Values.pod.mounts.heat_db_sync.heat_db_sync.volumes -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" .
| fromYaml) }}
+ {{- end }}
+diff --git a/heat/templates/job-rabbit-init.yaml b/heat/templates/job-rabbit-init.yaml
+index bd6b228c..161a5aaa 100644
+--- a/heat/templates/job-rabbit-init.yaml
++++ b/heat/templates/job-rabbit-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_rabbit_init }}
+ {{- $rmqUserJob := dict "envAll" . "serviceName" "heat" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+ {{- end }}
+diff --git a/heat/templates/secret-db.yaml b/heat/templates/secret-db.yaml
+index ef020d16..39ba92ae 100644
+--- a/heat/templates/secret-db.yaml
++++ b/heat/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/heat/templates/secret-rabbitmq.yaml b/heat/templates/secret-rabbitmq.yaml
+index ca1ea8c3..71bde15d 100644
+--- a/heat/templates/secret-rabbitmq.yaml
++++ b/heat/templates/secret-rabbitmq.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.secret_rabbitmq }}
+ {{- $envAll := .
}}
+ {{- $rabbitmqProtocol := "http" }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- $rabbitmqProtocol = "https" }}
+-{{- end }}
+ {{- range $key1, $userClass := tuple "admin" "heat" }}
+ {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+ ---
+diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
+index 0e646b9e..78271f5c 100644
+--- a/horizon/templates/deployment.yaml
++++ b/horizon/templates/deployment.yaml
+@@ -133,7 +133,6 @@ spec:
+ readOnly: true
+ {{- end }}
+ {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -150,7 +149,6 @@ spec:
+ secret:
+ secretName: horizon-etc
+ defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/horizon/templates/job-db-drop.yaml b/horizon/templates/job-db-drop.yaml
+index 6f761d7c..858abc1f 100644
+--- a/horizon/templates/job-db-drop.yaml
++++ b/horizon/templates/job-db-drop.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.job_db_drop }}
+ {{- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+ {{- $dbDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.horizon.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/horizon/templates/job-db-init.yaml b/horizon/templates/job-db-init.yaml
+index 095a1f3d..346e2970 100644
+--- a/horizon/templates/job-db-init.yaml
++++ b/horizon/templates/job-db-init.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.job_db_init }}
+ {{- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}}
+ {{- $dbInitJob := dict "envAll" .
"serviceName" "horizon" "dbToInit" $dbToInit -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.horizon.enabled -}}
+ {{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/horizon/templates/job-db-sync.yaml b/horizon/templates/job-db-sync.yaml
+index fe5a213b..91f58e83 100644
+--- a/horizon/templates/job-db-sync.yaml
++++ b/horizon/templates/job-db-sync.yaml
+@@ -67,7 +67,6 @@ spec:
+ mountPath: /tmp/manage.py
+ subPath: manage.py
+ readOnly: true
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 10 }}
+ {{ if $mounts_horizon_db_sync.volumeMounts }}{{ toYaml $mounts_horizon_db_sync.volumeMounts | indent 10 }}{{ end }}
+ volumes:
+ - name: horizon-etc
+@@ -78,6 +77,5 @@ spec:
+ configMap:
+ name: horizon-bin
+ defaultMode: 0555
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 6 }}
+ {{ if $mounts_horizon_db_sync.volumes }}{{ toYaml $mounts_horizon_db_sync.volumes | indent 6 }}{{ end }}
+ {{- end }}
+diff --git a/horizon/templates/secret-db.yaml b/horizon/templates/secret-db.yaml
+index cfc7dac0..e05d140a 100644
+--- a/horizon/templates/secret-db.yaml
++++ b/horizon/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end
}}
+diff --git a/horizon/values.yaml b/horizon/values.yaml
+index d9a359f6..bea9740c 100644
+--- a/horizon/values.yaml
++++ b/horizon/values.yaml
+@@ -378,15 +378,6 @@ conf:
+ 'PASSWORD': '{{ .Values.endpoints.oslo_db.auth.horizon.password }}',
+ 'HOST': '{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}',
+ 'default-character-set': 'utf8',
+- {{- if .Values.manifests.certificates }}
+- 'OPTIONS':{
+- 'ssl': {
+- 'ca': '/etc/mysql/certs/ca.crt',
+- 'cert': '/etc/mysql/certs/tls.crt',
+- 'key': '/etc/mysql/certs/tls.key'
+- }
+- },
+- {{- end }}
+ 'PORT': '{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}'
+ }
+ }
+diff --git a/keystone/templates/bin/_cred-clean.py.tpl b/keystone/templates/bin/_cred-clean.py.tpl
+index e01c3fc3..8dd1e008 100644
+--- a/keystone/templates/bin/_cred-clean.py.tpl
++++ b/keystone/templates/bin/_cred-clean.py.tpl
+@@ -52,13 +52,6 @@ else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+ 
+-mysql_x509 = os.getenv('MARIADB_X509', "")
+-ssl_args = {}
+-if mysql_x509:
+- ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+- 'key': '/etc/mysql/certs/tls.key',
+- 'cert': '/etc/mysql/certs/tls.crt'}}
+-
+ # Get the connection string for the service db
+ if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+@@ -103,7 +96,7 @@ try:
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':',
+ root_password, '@', host, ':', str(port)])
+- root_engine = create_engine(root_engine_url, connect_args=ssl_args)
++ root_engine = create_engine(root_engine_url)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+@@ -114,7 +107,7 @@ except:
+ 
+ # User DB engine
+ try:
+- user_engine = create_engine(user_db_conn, connect_args=ssl_args)
++ user_engine = create_engine(user_db_conn)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml
+index 4b7f0463..8b24dc3c 100644
+--- a/keystone/templates/configmap-etc.yaml
++++ b/keystone/templates/configmap-etc.yaml
+@@ -17,12 +17,8 @@ limitations under the License.
+ 
+ {{- if empty .Values.conf.keystone.database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "keystone" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+-{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.keystone.database "connection" -}}
+-{{- else -}}
+ {{- $_ := set .Values.conf.keystone.database "connection" $connection -}}
+ {{- end -}}
+-{{- end -}}
+ 
+ {{- if empty .Values.conf.keystone.DEFAULT.transport_url -}}
+ {{- $_ := tuple "oslo_messaging" "internal" "keystone" "amqp" .
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.keystone.DEFAULT "transport_url" -}}
+diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
+index ed2c3d54..79ad3900 100644
+--- a/keystone/templates/deployment-api.yaml
++++ b/keystone/templates/deployment-api.yaml
+@@ -150,15 +150,9 @@ spec:
+ {{- end }}
+ - name: keystone-credential-keys
+ mountPath: {{ .Values.conf.keystone.credential.key_repository }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- end }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -192,14 +186,8 @@ spec:
+ - name: keystone-credential-keys
+ secret:
+ secretName: keystone-credential-keys
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal |
include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- end }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/keystone/templates/job-credential-cleanup.yaml b/keystone/templates/job-credential-cleanup.yaml
+index fcd7f11f..097b4450 100644
+--- a/keystone/templates/job-credential-cleanup.yaml
++++ b/keystone/templates/job-credential-cleanup.yaml
+@@ -72,10 +72,6 @@ spec:
+ value: {{ $dbToClean.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToClean.configDbKey | quote }}
+-{{- end }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+- - name: MARIADB_X509
+- value: "REQUIRE X509"
+ {{- end }}
+ command:
+ - python
+@@ -98,9 +94,6 @@ spec:
+ mountPath: {{ $dbToClean.logConfigFile | quote }}
+ subPath: {{ base $dbToClean.logConfigFile | quote }}
+ readOnly: true
+-{{- end }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+@@ -109,9 +102,6 @@ spec:
+ configMap:
+ name:
"keystone-bin"
+ defaultMode: 0555
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- $local := dict "configMapBinFirst" true -}}
+ {{- $dbToCleanType := default "oslo" $dbToClean.inputType }}
+ {{- if and (eq $dbToCleanType "oslo") $local.configMapBinFirst }}
+diff --git a/keystone/templates/job-db-drop.yaml b/keystone/templates/job-db-drop.yaml
+index df270ff6..59802548 100644
+--- a/keystone/templates/job-db-drop.yaml
++++ b/keystone/templates/job-db-drop.yaml
+@@ -14,9 +14,6 @@ limitations under the License.
+ 
+ {{- if .Values.manifests.job_db_drop }}
+ {{- $dbDropJob := dict "envAll" . "serviceName" "keystone" -}}
+-{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.keystone.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml
+index 757b705e..42f25c6f 100644
+--- a/keystone/templates/job-db-init.yaml
++++ b/keystone/templates/job-db-init.yaml
+@@ -21,9 +21,6 @@ helm.sh/hook-weight: "-5"
+ 
+ {{- if .Values.manifests.job_db_init }}
+ {{- $dbInitJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.db_init" .
| fromYaml) -}}
+-{{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.keystone.enabled -}}
+ {{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml
+index 08e82d78..c61861e3 100644
+--- a/keystone/templates/job-db-sync.yaml
++++ b/keystone/templates/job-db-sync.yaml
+@@ -53,12 +53,6 @@ volumeMounts:
+ - name: keystone-fernet-keys
+ mountPath: {{ $envAll.Values.conf.keystone.fernet_tokens.key_repository }}
+ readOnly: true
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+-{{- end }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 2 }}
+-{{- end }}
+ {{- end }}
+ 
+ {{- define "keystone.templates._job_db_sync.pod_vols" -}}
+@@ -67,12 +61,6 @@ volumes:
+ - name: keystone-fernet-keys
+ secret:
+ secretName: keystone-fernet-keys
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+-{{- end }}
+-{{- if and
$envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 2 }}
+-{{- end }}
+ {{- end }}
+ 
+ {{- if .Values.manifests.job_db_sync }}
+diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml
+index 02390adf..64234cc0 100644
+--- a/keystone/templates/job-rabbit-init.yaml
++++ b/keystone/templates/job-rabbit-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_rabbit_init }}
+ {{- $rmqUserJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) -}}
+-{{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.keystone.enabled -}}
+ {{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/keystone/templates/secret-db.yaml b/keystone/templates/secret-db.yaml
+index 55ff5937..16d6d4aa 100644
+--- a/keystone/templates/secret-db.yaml
++++ b/keystone/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/keystone/templates/secret-rabbitmq.yaml b/keystone/templates/secret-rabbitmq.yaml
+index fb7c7041..37cb70ac 100644
+--- a/keystone/templates/secret-rabbitmq.yaml
++++
b/keystone/templates/secret-rabbitmq.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.secret_rabbitmq }}
+ {{- $envAll := . }}
+ {{- $rabbitmqProtocol := "http" }}
+-{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
+-{{- $rabbitmqProtocol = "https" }}
+-{{- end }}
+ {{- range $key1, $userClass := tuple "admin" "keystone" }}
+ {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+ ---
+diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml
+index e5cb874a..f4a15901 100644
+--- a/neutron/templates/configmap-etc.yaml
++++ b/neutron/templates/configmap-etc.yaml
+@@ -53,11 +53,7 @@ limitations under the License.
+ 
+ {{- if empty $envAll.Values.conf.neutron.database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "neutron" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.neutron.database "connection" -}}
+-{{- else -}}
+ {{- $_ := set .Values.conf.neutron.database "connection" $connection -}}
+-{{- end -}}
+ {{- end }}
+ 
+ {{- if empty $envAll.Values.conf.neutron.DEFAULT.transport_url -}}
+diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml
+index bc924e7e..a6c326c3 100644
+--- a/neutron/templates/daemonset-dhcp-agent.yaml
++++ b/neutron/templates/daemonset-dhcp-agent.yaml
+@@ -242,7 +242,6 @@ spec:
+ mountPath: /run/netns
+ mountPropagation: Bidirectional
+ {{- end }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" |
indent 12 }} + {{ if $mounts_neutron_dhcp_agent.volumeMounts }}{{ toYaml $mounts_neutron_dhcp_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -267,7 +266,6 @@ spec: + hostPath: + path: /run/netns + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_dhcp_agent.volumes }}{{ toYaml $mounts_neutron_dhcp_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-l2gw-agent.yaml b/neutron/templates/daemonset-l2gw-agent.yaml +index 2bb2fdcd..1be06d83 100644 +--- a/neutron/templates/daemonset-l2gw-agent.yaml ++++ b/neutron/templates/daemonset-l2gw-agent.yaml +@@ -135,7 +135,6 @@ spec: + mountPath: /etc/neutron/l2gw_agent.ini + subPath: l2gw_agent.ini + readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_l2gw_agent.volumeMounts }}{{ toYaml $mounts_neutron_l2gw_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -150,7 +149,6 @@ spec: + secret: + secretName: {{ $configMapName }} + defaultMode: 0444 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_l2gw_agent.volumes }}{{ toYaml $mounts_neutron_l2gw_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml +index d70a6351..7bc38e24 100644 +--- a/neutron/templates/daemonset-l3-agent.yaml ++++ b/neutron/templates/daemonset-l3-agent.yaml +@@ -244,7 +244,6 @@ spec: + 
mountPath: /run/netns + mountPropagation: Bidirectional + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_l3_agent.volumeMounts }}{{ toYaml $mounts_neutron_l3_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -275,7 +274,6 @@ spec: + hostPath: + path: /run/netns + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_l3_agent.volumes }}{{ toYaml $mounts_neutron_l3_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml +index 7cb86372..6bacfdfa 100644 +--- a/neutron/templates/daemonset-lb-agent.yaml ++++ b/neutron/templates/daemonset-lb-agent.yaml +@@ -198,7 +198,6 @@ spec: + {{- end }} + - name: run + mountPath: /run +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_lb_agent.volumeMounts }}{{ toYaml $mounts_neutron_lb_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -221,7 +220,6 @@ spec: + - name: host-rootfs + hostPath: + path: / +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_lb_agent.volumes }}{{ toYaml $mounts_neutron_lb_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-metadata-agent.yaml 
b/neutron/templates/daemonset-metadata-agent.yaml +index 8474ff38..4fd75da9 100644 +--- a/neutron/templates/daemonset-metadata-agent.yaml ++++ b/neutron/templates/daemonset-metadata-agent.yaml +@@ -193,7 +193,6 @@ spec: + mountPropagation: Bidirectional + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -217,7 +216,6 @@ spec: + path: /run/netns + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml +index 59e33f0f..db2243be 100644 +--- a/neutron/templates/daemonset-ovs-agent.yaml ++++ b/neutron/templates/daemonset-ovs-agent.yaml +@@ -265,7 +265,6 @@ spec: + {{- end }} + - name: run + mountPath: /run +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_ovs_agent.volumeMounts 
}}{{ toYaml $mounts_neutron_ovs_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -296,7 +295,6 @@ spec: + path: /sys/bus/pci/devices + type: Directory + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_ovs_agent.volumes }}{{ toYaml $mounts_neutron_ovs_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml +index 4bf00216..539e3239 100644 +--- a/neutron/templates/daemonset-sriov-agent.yaml ++++ b/neutron/templates/daemonset-sriov-agent.yaml +@@ -212,7 +212,6 @@ spec: + {{- end }} + - name: run + mountPath: /run +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_sriov_agent.volumeMounts }}{{ toYaml $mounts_neutron_sriov_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: host-sys-class-net +@@ -238,7 +237,6 @@ spec: + - name: run + hostPath: + path: /run +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_sriov_agent.volumes }}{{ toYaml $mounts_neutron_sriov_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/deployment-ironic-agent.yaml b/neutron/templates/deployment-ironic-agent.yaml +index 431225f0..95666069 100644 +--- a/neutron/templates/deployment-ironic-agent.yaml ++++ b/neutron/templates/deployment-ironic-agent.yaml +@@ -96,7 +96,6 @@ spec: + mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini + subPath: ml2_conf.ini + 
readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_ironic_agent.volumeMounts }}{{ toYaml $mounts_neutron_ironic_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -111,6 +110,5 @@ spec: + secret: + secretName: neutron-etc + defaultMode: 0444 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_ironic_agent.volumes }}{{ toYaml $mounts_neutron_ironic_agent.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml +index 3a8b6e8b..ae6ba868 100644 +--- a/neutron/templates/deployment-server.yaml ++++ b/neutron/templates/deployment-server.yaml +@@ -180,9 +180,7 @@ spec: + mountPath: /etc/neutron/policy.yaml + subPath: policy.yaml + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -201,8 +199,6 @@ spec: + - name: neutron-plugin-shared + emptyDir: {} + {{- end }} +-{{- dict 
"enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/neutron/templates/job-db-drop.yaml b/neutron/templates/job-db-drop.yaml +index 67d4174d..5acedf1d 100644 +--- a/neutron/templates/job-db-drop.yaml ++++ b/neutron/templates/job-db-drop.yaml +@@ -15,9 +15,6 @@ limitations under the License. + + {{- if .Values.manifests.job_db_drop }} + {{- $dbDropJob := dict "envAll" . "serviceName" "neutron" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.pod.tolerations.neutron.enabled -}} + {{- $_ := set $dbDropJob "tolerationsEnabled" true -}} + {{- end -}} +diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml +index 184ec97d..caf8b359 100644 +--- a/neutron/templates/job-db-init.yaml ++++ b/neutron/templates/job-db-init.yaml +@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-5" + + {{- if .Values.manifests.job_db_init }} + {{- $dbInitJob := dict "envAll" . "serviceName" "neutron" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . 
| fromYaml) }} + {{- end }} +diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml +index 1d224079..f3e3320e 100644 +--- a/neutron/templates/job-db-sync.yaml ++++ b/neutron/templates/job-db-sync.yaml +@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4" + + {{- if .Values.manifests.job_db_sync }} + {{- $dbSyncJob := dict "envAll" . "serviceName" "neutron" "podVolMounts" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumeMounts "podVols" .Values.pod.mounts.neutron_db_sync.neutron_db_sync.volumes -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} +diff --git a/neutron/templates/job-rabbit-init.yaml b/neutron/templates/job-rabbit-init.yaml +index 0d08170d..685ee774 100644 +--- a/neutron/templates/job-rabbit-init.yaml ++++ b/neutron/templates/job-rabbit-init.yaml +@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4" + + {{- if .Values.manifests.job_rabbit_init }} + {{- $rmqUserJob := dict "envAll" . "serviceName" "neutron" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . 
| fromYaml) }} + {{- end }} +diff --git a/neutron/templates/secret-db.yaml b/neutron/templates/secret-db.yaml +index 47d956fa..f9883908 100644 +--- a/neutron/templates/secret-db.yaml ++++ b/neutron/templates/secret-db.yaml +@@ -24,10 +24,6 @@ metadata: + name: {{ $secretName }} + type: Opaque + data: +-{{- if $envAll.Values.manifests.certificates }} +- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +-{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} + {{- end }} + {{- end }} +-{{- end }} +diff --git a/neutron/templates/secret_rabbitmq.yaml b/neutron/templates/secret_rabbitmq.yaml +index 16c70e4b..f6484145 100644 +--- a/neutron/templates/secret_rabbitmq.yaml ++++ b/neutron/templates/secret_rabbitmq.yaml +@@ -15,9 +15,6 @@ limitations under the License. + {{- if .Values.manifests.secret_rabbitmq }} + {{- $envAll := . }} + {{- $rabbitmqProtocol := "http" }} +-{{- if $envAll.Values.manifests.certificates }} +-{{- $rabbitmqProtocol = "https" }} +-{{- end }} + {{- range $key1, $userClass := tuple "admin" "neutron" }} + {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }} + --- +diff --git a/nova/templates/configmap-etc.yaml b/nova/templates/configmap-etc.yaml +index 820defd9..09bad6da 100644 +--- a/nova/templates/configmap-etc.yaml ++++ b/nova/templates/configmap-etc.yaml +@@ -78,30 +78,18 @@ limitations under the License. + + {{- if empty .Values.conf.nova.database.connection -}} + {{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.database "connection" -}} +-{{- else -}} + {{- $_ := set .Values.conf.nova.database "connection" $connection -}} + {{- end -}} +-{{- end -}} + + {{- if empty .Values.conf.nova.api_database.connection -}} + {{- $connection := tuple "oslo_db_api" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.api_database "connection" -}} +-{{- else -}} + {{- $_ := set .Values.conf.nova.api_database "connection" $connection -}} + {{- end -}} +-{{- end -}} + + {{- if empty .Values.conf.nova.cell0_database.connection -}} + {{- $connection := tuple "oslo_db_cell0" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.nova.cell0_database "connection" -}} +-{{- else -}} + {{- $_ := set .Values.conf.nova.cell0_database "connection" $connection -}} + {{- end -}} +-{{- end -}} + + {{- if empty .Values.conf.nova.DEFAULT.transport_url -}} + {{- $_ := tuple "oslo_messaging" "internal" "nova" "amqp" . 
| include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.nova.DEFAULT "transport_url" -}} +@@ -280,11 +268,6 @@ data: + nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }} +-{{- if .Values.manifests.certificates }} +-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }} +-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }} +-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }} +-{{- end }} + {{- if .Values.conf.security }} + {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }} + {{- end }} +diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml +index 29a6e705..f9c3508f 100644 +--- a/nova/templates/cron-job-archive-deleted-rows.yaml ++++ b/nova/templates/cron-job-archive-deleted-rows.yaml +@@ -74,7 +74,6 @@ spec: + mountPath: /tmp/archive-deleted-rows.sh + readOnly: true + subPath: archive-deleted-rows.sh +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include 
"helm-toolkit.snippets.tls_volume_mount" | indent 16 }} + volumes: + - name: pod-tmp + emptyDir: {} +diff --git a/nova/templates/cron-job-cell-setup.yaml b/nova/templates/cron-job-cell-setup.yaml +index f2d2801e..7111a4d3 100644 +--- a/nova/templates/cron-job-cell-setup.yaml ++++ b/nova/templates/cron-job-cell-setup.yaml +@@ -82,7 +82,6 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} + volumes: + - name: pod-tmp + emptyDir: {} +@@ -96,5 +95,4 @@ spec: + configMap: + name: nova-bin + defaultMode: 0555 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }} + {{- end }} +diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml +index 7cb3c2cd..175dece6 100644 +--- a/nova/templates/daemonset-compute.yaml ++++ b/nova/templates/daemonset-compute.yaml +@@ -436,7 +436,6 @@ spec: + readOnly: true + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} + {{- if .Values.network.ssh.enabled }} + - name: nova-compute-ssh +@@ -551,7 +550,6 @@ spec: + emptyDir: {} + {{- end }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict 
"enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml +index 8b131241..b4daad65 100644 +--- a/nova/templates/deployment-api-metadata.yaml ++++ b/nova/templates/deployment-api-metadata.yaml +@@ -169,7 +169,6 @@ spec: + - name: pod-shared + mountPath: /tmp/pod-shared + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -189,7 +188,6 @@ spec: + defaultMode: 0444 + - name: pod-shared + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml +index 64122cf7..46f5d31d 100644 +--- a/nova/templates/deployment-api-osapi.yaml ++++ b/nova/templates/deployment-api-osapi.yaml +@@ -117,9 +117,7 @@ spec: + mountPath: /etc/nova/api_audit_map.conf 
+ subPath: api_audit_map.conf + readOnly: true +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -138,8 +136,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml +index d92f55f9..baa04c38 100644 +--- a/nova/templates/deployment-conductor.yaml ++++ b/nova/templates/deployment-conductor.yaml +@@ -123,8 +123,6 @@ spec: + subPath: policy.yaml + readOnly: true + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict 
"enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -138,7 +136,5 @@ spec: + secretName: nova-etc + defaultMode: 0444 + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml +index 1af01430..3e3d3f45 100644 +--- a/nova/templates/deployment-consoleauth.yaml ++++ b/nova/templates/deployment-consoleauth.yaml +@@ -118,7 +118,6 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + readOnly: true +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_consoleauth.volumeMounts }}{{ toYaml $mounts_nova_consoleauth.volumeMounts | indent 12 }}{{ end }} 
+ volumes: + - name: pod-tmp +@@ -131,6 +130,5 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_consoleauth.volumes }}{{ toYaml $mounts_nova_consoleauth.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml +index c9aae286..3a080926 100644 +--- a/nova/templates/deployment-novncproxy.yaml ++++ b/nova/templates/deployment-novncproxy.yaml +@@ -142,9 +142,7 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -161,8 +159,6 @@ spec: + emptyDir: {} + - name: pod-shared + emptyDir: {} +-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +-{{- dict "enabled" 
$envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml +index c8237732..3115eb44 100644 +--- a/nova/templates/deployment-placement.yaml ++++ b/nova/templates/deployment-placement.yaml +@@ -123,7 +123,6 @@ spec: + subPath: security.conf + readOnly: true + {{- end }} +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }} + volumes: +@@ -139,7 +138,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 +-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml +index f94d6a79..ca430ad7 100644 +--- a/nova/templates/deployment-scheduler.yaml ++++ b/nova/templates/deployment-scheduler.yaml +@@ -122,9 +122,7 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + 
readOnly: true
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+ - name: pod-tmp
+@@ -137,8 +135,6 @@ spec:
+ secret:
+ secretName: nova-etc
+ defaultMode: 0444
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
+index 1f9c5dbc..6fd8bca4 100644
+--- a/nova/templates/job-cell-setup.yaml
++++ b/nova/templates/job-cell-setup.yaml
+@@ -91,7 +91,6 @@ spec:
+ mountPath: /etc/nova/policy.yaml
+ subPath: policy.yaml
+ readOnly: true
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+@@ -105,6 +104,5 @@ spec:
+ configMap:
+ name: nova-bin
+ defaultMode: 0555
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- end }}
+diff --git a/nova/templates/job-db-drop.yaml b/nova/templates/job-db-drop.yaml
+index b0471ef2..9acd5487 100644
+--- a/nova/templates/job-db-drop.yaml
++++ b/nova/templates/job-db-drop.yaml
+@@ -19,9 +19,6 @@ limitations under the License.
+ {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+ {{- $dbsToDrop := list $dbSvc $dbApi $dbCell }}
+ {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName "dbsToDrop" $dbsToDrop -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.nova.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml
+index 72b0a808..ba3ff300 100644
+--- a/nova/templates/job-db-init.yaml
++++ b/nova/templates/job-db-init.yaml
+@@ -24,9 +24,6 @@ helm.sh/hook-weight: "-5"
+ {{- $dbCell := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "cell0_database" "configDbKey" "connection" -}}
+ {{- $dbsToInit := list $dbSvc $dbApi $dbCell }}
+ {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
+ {{- end }}
+diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml
+index 061e18f1..c21a8312 100644
+--- a/nova/templates/job-db-sync.yaml
++++ b/nova/templates/job-db-sync.yaml
+@@ -40,9 +40,6 @@ env:
+ {{- if .Values.manifests.job_db_sync }}
+ {{- $podEnvVars := include "nova.templates._job_db_sync.env_vars" (tuple .) | toString | fromYaml }}
+ {{- $dbSyncJob := dict "envAll" . "serviceName" "nova" "podVolMounts" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumeMounts "podVols" .Values.pod.mounts.nova_db_sync.nova_db_sync.volumes "podEnvVars" $podEnvVars.env -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
+ {{- end }}
+diff --git a/nova/templates/job-rabbit-init.yaml b/nova/templates/job-rabbit-init.yaml
+index b5133d30..021801f8 100644
+--- a/nova/templates/job-rabbit-init.yaml
++++ b/nova/templates/job-rabbit-init.yaml
+@@ -19,9 +19,6 @@ helm.sh/hook-weight: "-4"
+ 
+ {{- if .Values.manifests.job_rabbit_init }}
+ {{- $rmqUserJob := dict "envAll" . "serviceName" "nova" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
+ {{- end }}
+diff --git a/nova/templates/secret-db-api.yaml b/nova/templates/secret-db-api.yaml
+index baf75b1e..120a68bb 100644
+--- a/nova/templates/secret-db-api.yaml
++++ b/nova/templates/secret-db-api.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/nova/templates/secret-db-cell0.yaml b/nova/templates/secret-db-cell0.yaml
+index 100b57fc..b6d34834 100644
+--- a/nova/templates/secret-db-cell0.yaml
++++ b/nova/templates/secret-db-cell0.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/nova/templates/secret-db.yaml b/nova/templates/secret-db.yaml
+index d9cbf8f4..c02bd8da 100644
+--- a/nova/templates/secret-db.yaml
++++ b/nova/templates/secret-db.yaml
+@@ -24,10 +24,6 @@ metadata:
+ name: {{ $secretName }}
+ type: Opaque
+ data:
+-{{- if $envAll.Values.manifests.certificates }}
+- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
+-{{- else }}
+ DB_CONNECTION: {{ $connection | b64enc -}}
+ {{- end }}
+ {{- end }}
+-{{- end }}
+diff --git a/nova/templates/secret_rabbitmq.yaml b/nova/templates/secret_rabbitmq.yaml
+index b49f84ea..66451a05 100644
+--- a/nova/templates/secret_rabbitmq.yaml
++++ b/nova/templates/secret_rabbitmq.yaml
+@@ -15,9 +15,6 @@ limitations under the License.
+ {{- if .Values.manifests.secret_rabbitmq }}
+ {{- $envAll := . }}
+ {{- $rabbitmqProtocol := "http" }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- $rabbitmqProtocol = "https" }}
+-{{- end }}
+ {{- range $key1, $userClass := tuple "admin" "nova" }}
+ {{- $secretName := index $envAll.Values.secrets.oslo_messaging $userClass }}
+ ---
+diff --git a/placement/templates/bin/_mysql-migrate-db.sh.tpl b/placement/templates/bin/_mysql-migrate-db.sh.tpl
+index a87ebaf4..ee12b7a1 100644
+--- a/placement/templates/bin/_mysql-migrate-db.sh.tpl
++++ b/placement/templates/bin/_mysql-migrate-db.sh.tpl
+@@ -90,12 +90,6 @@ function mysql_command() {
+ command="mysql --skip-column-names"
+ fi
+ 
+- if [ ! -z "$MARIADB_X509" ]; then
+- local ca=/etc/mysql/certs/ca.crt
+- local cert=/etc/mysql/certs/tls.crt
+- local key=/etc/mysql/certs/tls.key
+- $command -h$host -u$user -p$pass $db --ssl-ca=$ca --ssl-cert=$cert --ssl-key=$key $* 2>$LAST_MYSQL_ERR
+- else
+ $command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR
+ fi
+ }
+diff --git a/placement/templates/configmap-etc.yaml b/placement/templates/configmap-etc.yaml
+index c5880af2..e0053dde 100644
+--- a/placement/templates/configmap-etc.yaml
++++ b/placement/templates/configmap-etc.yaml
+@@ -19,12 +19,8 @@ limitations under the License.
+ 
+ {{- if empty .Values.conf.placement.placement_database.connection -}}
+ {{- $connection := tuple "oslo_db" "internal" "placement" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.placement.placement_database "connection" -}}
+-{{- else -}}
+ {{- $_ := set .Values.conf.placement.placement_database "connection" $connection -}}
+ {{- end -}}
+-{{- end -}}
+ 
+ {{- if empty .Values.conf.placement.keystone_authtoken.auth_uri -}}
+ {{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.placement.keystone_authtoken "auth_uri" -}}
+diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml
+index 8418753f..1637d023 100644
+--- a/placement/templates/deployment.yaml
++++ b/placement/templates/deployment.yaml
+@@ -114,7 +114,6 @@ spec:
+ mountPath: /etc/apache2/conf-enabled/wsgi-placement.conf
+ subPath: wsgi-placement.conf
+ readOnly: true
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
+ volumes:
+@@ -130,7 +129,6 @@ spec:
+ secret:
+ secretName: placement-etc
+ defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
+ {{- end }}
+diff --git a/placement/templates/job-db-drop.yaml b/placement/templates/job-db-drop.yaml
+index f6e26e73..5f2001ce 100644
+--- a/placement/templates/job-db-drop.yaml
++++ b/placement/templates/job-db-drop.yaml
+@@ -17,9 +17,6 @@ limitations under the License.
+ {{- if .Values.manifests.job_db_drop }}
+ {{- $serviceName := "placement" -}}
+ {{- $dbDropJob := dict "envAll" . "serviceName" $serviceName -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.pod.tolerations.placement.enabled -}}
+ {{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+ {{- end -}}
+diff --git a/placement/templates/job-db-init.yaml b/placement/templates/job-db-init.yaml
+index 6edd4175..60667953 100644
+--- a/placement/templates/job-db-init.yaml
++++ b/placement/templates/job-db-init.yaml
+@@ -24,9 +24,6 @@ helm.sh/hook-weight: "-5"
+ {{- $dbApi := dict "adminSecret" .Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "placement_database" "configDbKey" "connection" -}}
+ {{- $dbsToInit := list $dbApi }}
+ {{- $dbInitJob := dict "envAll" . "serviceName" $serviceName "dbsToInit" $dbsToInit -}}
+-{{- if .Values.manifests.certificates -}}
+-{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
+-{{- end -}}
+ {{- if .Values.helm3_hook }}
+ {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}}
+ {{- end }}
+diff --git a/placement/templates/job-db-migrate.yaml b/placement/templates/job-db-migrate.yaml
+index 7a17df8d..6e2c0455 100644
+--- a/placement/templates/job-db-migrate.yaml
++++ b/placement/templates/job-db-migrate.yaml
+@@ -67,10 +67,6 @@ spec:
+ value: {{ .Values.endpoints.oslo_db.auth.placement.password | quote }}
+ - name: PLACEMENT_DB_HOST
+ value: {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" | quote }}
+-{{- if $envAll.Values.manifests.certificates }}
+- - name: MARIADB_X509
+- value: "REQUIRE X509"
+-{{- end }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+@@ -87,7 +83,6 @@ spec:
+ subPath: placement.conf
+ readOnly: true
+ {{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+@@ -99,6 +94,5 @@ spec:
+ secret:
+ secretName: placement-etc
+ defaultMode: 0444
+-{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- end }}
+diff --git a/placement/templates/job-db-sync.yaml b/placement/templates/job-db-sync.yaml
+index e1c59360..105d354e 100644
+--- a/placement/templates/job-db-sync.yaml
++++ b/placement/templates/job-db-sync.yaml
+@@ -16,9 +16,6 @@ limitations under the License.
+ 
+ {{- if .Values.manifests.job_db_sync }}
+ {{- $dbSyncJob := dict "envAll" . 
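Review bot: With the `ssl_ca`/`ssl_key`/`ssl_cert`/`ssl_verify_cert` query parameters dropped from `DB_CONNECTION` in secret-db.yaml (and the secret-db-api / secret-db-cell0 siblings in this group), the MariaDB credentials are now always sent over a plain-text connection, and `manifests.certificates` has no effect on the database path even though the same flag still gates the API TLS volumes a few hunks up. That is the stated intent of the commit, but nothing in the template records it, so someone who later enables `manifests.certificates` will reasonably assume the DB leg is covered too. I would add a template comment above `data:`, e.g. `{{/* TLS to MariaDB is intentionally not supported on this platform; the DSN is built without ssl_* options regardless of manifests.certificates and relies on the in-cluster network being trusted. */}}`. The two surviving `{{- end }}` lines close constructs that begin above the hunk.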
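Review bot: After this hunk `$rabbitmqProtocol := "http"` is assigned once and never changed, so the variable reads like a leftover of the removed `https` branch rather than a configuration point, and a future re-sync with upstream openstack-helm is likely to bring the branch straight back. Either inline the literal where the variable is consumed (those lines are outside the hunk) or keep the variable and put the reason next to it, e.g. `{{/* RabbitMQ TLS is intentionally disabled on this platform; the management protocol is fixed to http. */}}`. I cannot see from the hunk what else the resulting URL is used for, so I have not assumed anything beyond user-secret generation.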
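Review bot: The hunk removes the `if [ ! -z "$MARIADB_X509" ]; then` … `else` lines but keeps the closing `fi` as a context line, so on the new side `mysql_command()` ends with `$command -h$host -u$user -p$pass $db $* 2>$LAST_MYSQL_ERR` followed by an unmatched `fi`; the hunk counts (`-90,12 +90,6`) confirm no `-` line covers it. Bash treats a stray `fi` as a syntax error, which aborts the whole db-migrate script at the point the function is defined, not just this function. The fix is to delete that second `fi` as well (the earlier `fi` that closes the `if` selecting `command` stays). This may not have surfaced in the test plan if the placement db-migrate job is not enabled in the stx manifests, but the script is broken as written; the head of `mysql_command()` is above the hunk.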
"serviceName" "placement" -}} +-{{- if .Values.manifests.certificates -}} +-{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} +-{{- end -}} + {{- if .Values.pod.tolerations.placement.enabled -}} + {{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} + {{- end -}} +diff --git a/placement/templates/secret-db.yaml b/placement/templates/secret-db.yaml +index 91beb970..45247e71 100644 +--- a/placement/templates/secret-db.yaml ++++ b/placement/templates/secret-db.yaml +@@ -26,10 +26,6 @@ metadata: + name: {{ $secretName }} + type: Opaque + data: +-{{- if $envAll.Values.manifests.certificates }} +- DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}} +-{{- else }} + DB_CONNECTION: {{ $connection | b64enc -}} + {{- end }} + {{- end }} +-{{- end }} +-- +2.17.1 + diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml index f93e2318..6f3e389e 100644 --- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml +++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml @@ -77,7 +77,7 @@ spec: mountPath: /etc/proxy/api-proxy-paste.ini subPath: api-proxy-paste.ini readOnly: true -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-api-proxy-bin 
@@ -88,6 +88,6 @@ spec: configMap: name: nova-api-proxy-etc defaultMode: 0777 -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml index c592499e..da0b3265 100644 --- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml +++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml @@ -9,7 +9,7 @@ {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} {{- if .Values.manifests.certificates -}} -{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.internal -}} +{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}} {{- end -}} {{- if .Values.pod.tolerations.nova.enabled -}} {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
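Review bot: Both tls snippets in nova-api-proxy/templates/deployment.yaml now reference `.Values.secrets.tls.compute.api_proxy.public`, but the diffstat lists no values.yaml change for this chart, so the key has to already exist in the chart values or in the stx overrides; if it does not, Go templates render the missing key as empty rather than failing, and with `manifests.certificates` enabled the pod gets a TLS volume with an empty `secretName`. Worth confirming that `api_proxy.public` is declared and populated by the same mechanism that fills `compute.osapi.public` before merging. Separately, on the new side of this hunk the `nova-api-proxy-etc` ConfigMap is mounted with `defaultMode: 0777`; it only carries `api-proxy-paste.ini`, so `defaultMode: 0444`, as the nova-etc and placement-etc volumes in this series use, would be the least-privilege choice. The `{{- end }}` that ends the hunk closes a construct above it.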