Fixes Application Apply failing when HTTPS enabled

Openstack-helm provides the option to terminate TLS at the services.
However, at Starlingx TLS termination is done at the reverse
proxy (ingress) and therefore is unecessary for the OpenStack itself
be HTTPS and terminate tls a second time. Furthermore,  it is not
possible to have https enabled on openstack services with the
current centos based containers that we have, openstack-helm only
supports tls using debian based containers.

Manually working arroud this creates a cumbersome override file, so
to diminish this overrides this patch 0020 and 0013(osh-i) disables
https at the backend, thus maitaining the same behaviour as stx 5.0

Mariadb and RabbitMQ tls does not seem to be working very well within
Starlingx, so we also disable TLS for them. I am not confident that
current openstack-helm and openstack-helm-infra supports production level
openstack with mariadb in TLS mode. Furthermore, from the way everything
is redirected in StarlingX I do see too many performance and stability
issues using both of them with tls enabled.

Disclaimer I did not test with either only mairiadb tls or
rabbitmq activated, but with both of them on the system is not usable.

Test Plan:

PASS: Openstack is Applied. (https disabled)
PASS: enable https. Opensatck is Applied (WITHOUT service.conf
overrides)

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Ifb7946e9a289234047934b52d200b951a59c1a3f
Partial-bug: 1960354
Related-to: https://review.opendev.org/c/starlingx/helm-charts/+/828815

openstack-helm-infra/centos/openstack-helm-infra.spec

@@ -28,6 +28,9 @@ Patch16: 0016-Disabling-helm3_hooks.patch
 Patch17: 0017-Enable-taint-toleration-for-Openstack-services.patch
 Patch18: 0018-Add-GaleraDB-Secure-Replica-Traffic.patch
 Patch19: 0019-Add-force_boot-command-to-rabbit-start-template.patch
+Patch20: 0020-Fix-tls-in-openstack-helm-infra.patch
+Patch21: 0021-Remove-mariadb-tls.patch
+Patch22: 0022-Remove-rabbitmq-tls.patch
 
 BuildRequires: helm
 BuildRequires: chartmuseum
@@ -50,6 +53,9 @@ Openstack Helm Infra charts
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
 
 %build
 # Host a server for the charts

openstack-helm-infra/debian/deb_folder/rules

@@ -8,6 +8,25 @@ export HELM_FOLDER = $(ROOT)/usr/lib/helm
 	dh $@
 
 override_dh_auto_build:
+	# Move the source files from the extracted root directory to build root.
+	mv openstack-helm-infra/* .
+	# Apply the openstack-helm-infra patches.
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Add-imagePullSecrets-in-service-account.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Fix-pod-restarts-on-all-workers-when-worker-added-re.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Add-io_thread_pool-for-rabbitmq.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Enable-override-of-rabbitmq-probe-parameters.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Enable-override-of-mariadb-server-probe-parameters.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Add-mariadb-database-config-override-to-support-ipv6.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-enable-Values.conf.database.config_override-for-mari.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0016-Disabling-helm3_hooks.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0017-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0018-Add-GaleraDB-Secure-Replica-Traffic.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0019-Add-force_boot-command-to-rabbit-start-template.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0020-Fix-tls-in-openstack-helm-infra.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0021-Remove-mariadb-tls.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0022-Remove-rabbitmq-tls.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --storage-local-rootdir="." &
 	sleep 2

openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch

@@ -0,0 +1,136 @@
+From d7d223ef40ab11e5c9a00b4b30000f6905885c04 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Wed, 19 Jan 2022 11:54:38 -0300
+Subject: [PATCH] Fix Support for TLS in openstack-helm-infra
+
+WIP
+
+Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Change-Id: I382e0fc68c9a92c6a9570097db2c6a959525059d
+---
+ .../templates/manifests/_secret-tls.yaml.tpl  | 97 +++++++------------
+ 1 file changed, 33 insertions(+), 64 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+index 24a70450..f34ac527 100644
+--- a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
++++ b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+@@ -15,66 +15,36 @@ limitations under the License.
+ {{/*
+ abstract: |
+   Creates a manifest for a services public tls secret
+-examples:
+-  - values: |
+-      secrets:
+-        tls:
+-          key_manager:
+-            api:
+-              public: barbican-tls-public
+-      endpoints:
+-        key_manager:
+-          host_fqdn_override:
+-            public:
+-              tls:
+-                crt: |
+-                  FOO-CRT
+-                key: |
+-                  FOO-KEY
+-                ca: |
+-                  FOO-CA_CRT
+-  usage: |
+-    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+-  return: |
+-    ---
+-    apiVersion: v1
+-    kind: Secret
+-    metadata:
+-      name: barbican-tls-public
+-    type: kubernetes.io/tls
+-    data:
+-      tls.key: Rk9PLUtFWQo=
+-      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+-
+-  - values: |
+-      secrets:
+-        tls:
+-          key_manager:
+-            api:
+-              public: barbican-tls-public
+-      endpoints:
+-        key_manager:
+-          host_fqdn_override:
+-            public:
+-              tls:
+-                crt: |
+-                  FOO-CRT
+-                  FOO-INTERMEDIATE_CRT
+-                  FOO-CA_CRT
+-                key: |
+-                  FOO-KEY
+-  usage: |
+-    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+-  return: |
+-    ---
+-    apiVersion: v1
+-    kind: Secret
+-    metadata:
+-      name: barbican-tls-public
+-    type: kubernetes.io/tls
+-    data:
+-      tls.key: Rk9PLUtFWQo=
+-      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
++values: |
++  secrets:
++    tls:
++      key_manager:
++        api:
++          public: barbican-tls-public
++  endpoints:
++    key_manager:
++      host_fqdn_override:
++        public:
++          tls:
++            crt: |
++              FOO-CRT
++            key: |
++              FOO-KEY
++            ca: |
++              FOO-CA_CRT
++usage: |
++  {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
++return: |
++  ---
++  apiVersion: v1
++  kind: Secret
++  metadata:
++    name: barbican-tls-public
++  type: kubernetes.io/tls
++  data:
++    tls.crt: Rk9PLUNSVAo=
++    tls.key: Rk9PLUtFWQo=
++    ca.crt: Rk9PLUNBX0NSVAo=
+ */}}
+ 
+ {{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+@@ -95,14 +65,13 @@ metadata:
+   name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+ type: kubernetes.io/tls
+ data:
++  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+   tls.key: {{ $endpointHost.tls.key | b64enc }}
+ {{- if $endpointHost.tls.ca }}
+-  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+-{{- else }}
+-  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+-{{- end }}
++  ca.crt: {{ $endpointHost.tls.ca | b64enc }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
++{{- end }}
+\ No newline at end of file
+-- 
+2.17.1
+

openstack-helm-infra/files/0021-Remove-mariadb-tls.patch

@@ -0,0 +1,191 @@
+From 6fa2814271b7806aece4fb44f6d8eabe8c5ab6aa Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Tue, 8 Feb 2022 09:18:02 -0300
+Subject: [PATCH 21/22] Remove mariadb
+
+Change-Id: I37405da8faab3495ebe55c81389e0d769aaeb1d1
+---
+ .../templates/manifests/_job-db-drop-mysql.tpl     |  7 -------
+ .../templates/manifests/_job-db-init-mysql.tpl     |  7 -------
+ helm-toolkit/templates/manifests/_job-db-sync.tpl  |  3 ---
+ helm-toolkit/templates/scripts/_db-drop.py.tpl     | 11 ++---------
+ helm-toolkit/templates/scripts/_db-init.py.tpl     | 14 ++++----------
+ 5 files changed, 6 insertions(+), 36 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+index 934a2435..8ae71c67 100644
+--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
++++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+@@ -37,7 +37,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+ {{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -133,9 +132,6 @@ spec:
+               subPath: {{ base $dbToDrop.logConfigFile | quote }}
+               readOnly: true
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -150,9 +146,6 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- $local := dict "configMapBinFirst" true -}}
+ {{- range $key1, $dbToDrop := $dbsToDrop }}
+ {{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+index c164ad0a..dcfbb35f 100644
+--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
++++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+@@ -37,7 +37,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+ {{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -132,9 +131,6 @@ spec:
+               subPath: {{ base $dbToInit.logConfigFile | quote }}
+               readOnly: true
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -149,9 +145,6 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- $local := dict "configMapBinFirst" true -}}
+ {{- range $key1, $dbToInit := $dbsToInit }}
+ {{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl
+index 659238a4..f181061f 100644
+--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl
++++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl
+@@ -34,7 +34,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+ {{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -106,7 +105,6 @@ spec:
+               mountPath: {{ $dbToSync.logConfigFile | quote }}
+               subPath: {{ base $dbToSync.logConfigFile | quote }}
+               readOnly: true
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- if $podVolMounts }}
+ {{ $podVolMounts | toYaml | indent 12 }}
+ {{- end }}
+@@ -129,7 +127,6 @@ spec:
+           secret:
+             secretName: {{ $configMapEtc | quote }}
+             defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- if $podVols }}
+ {{ $podVols | toYaml | indent 8 }}
+ {{- end }}
+diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl
+index 03884fa1..81447546 100644
+--- a/helm-toolkit/templates/scripts/_db-drop.py.tpl
++++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl
+@@ -54,13 +54,6 @@ else:
+     logger.critical('environment variable ROOT_DB_CONNECTION not set')
+     sys.exit(1)
+ 
+-mysql_x509 = os.getenv('MARIADB_X509', "")
+-ssl_args = {}
+-if mysql_x509:
+-    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+-                        'key': '/etc/mysql/certs/tls.key',
+-                        'cert': '/etc/mysql/certs/tls.crt'}}
+-
+ # Get the connection string for the service db
+ if "OPENSTACK_CONFIG_FILE" in os.environ:
+     os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+@@ -101,7 +94,7 @@ try:
+     host = root_engine_full.url.host
+     port = root_engine_full.url.port
+     root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+-    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
++    root_engine = create_engine(root_engine_url)
+     connection = root_engine.connect()
+     connection.close()
+     logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+@@ -112,7 +105,7 @@ except:
+ 
+ # User DB engine
+ try:
+-    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
++    user_engine = create_engine(user_db_conn)
+     # Get our user data out of the user_engine
+     database = user_engine.url.database
+     user = user_engine.url.username
+diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl
+index 4294d40c..9671b734 100644
+--- a/helm-toolkit/templates/scripts/_db-init.py.tpl
++++ b/helm-toolkit/templates/scripts/_db-init.py.tpl
+@@ -54,12 +54,6 @@ else:
+     logger.critical('environment variable ROOT_DB_CONNECTION not set')
+     sys.exit(1)
+ 
+-mysql_x509 = os.getenv('MARIADB_X509', "")
+-ssl_args = {}
+-if mysql_x509:
+-    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+-                'key': '/etc/mysql/certs/tls.key',
+-                'cert': '/etc/mysql/certs/tls.crt'}}
+ 
+ # Get the connection string for the service db
+ if "OPENSTACK_CONFIG_FILE" in os.environ:
+@@ -101,7 +95,7 @@ try:
+     host = root_engine_full.url.host
+     port = root_engine_full.url.port
+     root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+-    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
++    root_engine = create_engine(root_engine_url)
+     connection = root_engine.connect()
+     connection.close()
+     logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+@@ -112,7 +106,7 @@ except:
+ 
+ # User DB engine
+ try:
+-    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
++    user_engine = create_engine(user_db_conn)
+     # Get our user data out of the user_engine
+     database = user_engine.url.database
+     user = user_engine.url.username
+@@ -133,8 +127,8 @@ except:
+ # Create DB User
+ try:
+     root_engine.execute(
+-        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+-            database, user, password, mysql_x509))
++        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\'".format(
++            database, user, password))
+     logger.info("Created user {0} for {1}".format(user, database))
+ except:
+     logger.critical("Could not create user {0} for {1}".format(user, database))
+-- 
+2.17.1
+

openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch

@@ -0,0 +1,91 @@
+From 4b2cc6a3c4b9af9dd2688d52b493828cef97cdb6 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Tue, 8 Feb 2022 09:20:36 -0300
+Subject: [PATCH 22/22] remove rabbit tls
+
+Change-Id: I04c4c25c72b10b87e71c2f286e21526e5e062b67
+---
+ .../templates/manifests/_job-rabbit-init.yaml.tpl | 15 ---------------
+ .../templates/scripts/_rabbit-init.sh.tpl         | 15 ---------------
+ 2 files changed, 30 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+index 59e0da0f..b776d055 100644
+--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
++++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+@@ -25,9 +25,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+-{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+-{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+ {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -85,9 +82,6 @@ spec:
+               mountPath: /tmp/rabbit-init.sh
+               subPath: rabbit-init.sh
+               readOnly: true
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+           env:
+           - name: RABBITMQ_ADMIN_CONNECTION
+             valueFrom:
+@@ -102,12 +96,6 @@ spec:
+ {{- if $envAll.Values.conf.rabbitmq }}
+           - name: RABBITMQ_AUXILIARY_CONFIGURATION
+             value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+-{{- end }}
+-{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+-          - name: RABBITMQ_X509
+-            value: "REQUIRE X509"
+-          - name: USER_CERT_PATH
+-            value: {{ $tlsPath | quote }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -122,7 +110,4 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- end -}}
+diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+index 87872d6f..7fb16a0f 100644
+--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
++++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+@@ -47,27 +47,12 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+ 
+ function rabbitmqadmin_cli () {
+-  if [ -n "$RABBITMQ_X509" ]
+-  then
+     rabbitmqadmin \
+-      --ssl \
+-      --ssl-disable-hostname-verification \
+-      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+-      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+-      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+       --host="${RABBIT_HOSTNAME}" \
+       --port="${RABBIT_PORT}" \
+       --username="${RABBITMQ_ADMIN_USERNAME}" \
+       --password="${RABBITMQ_ADMIN_PASSWORD}" \
+       ${@}
+-  else
+-    rabbitmqadmin \
+-      --host="${RABBIT_HOSTNAME}" \
+-      --port="${RABBIT_PORT}" \
+-      --username="${RABBITMQ_ADMIN_USERNAME}" \
+-      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+-      ${@}
+-  fi
+ }
+ 
+ echo "Managing: User: ${RABBITMQ_USERNAME}"
+-- 
+2.17.1
+

openstack-helm/centos/openstack-helm.spec

@@ -31,6 +31,8 @@ Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
 Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
 Patch12: 0012-Replace-deprecated-Nova-VNC-configurations.patch
+Patch13: 0013-Remove-TLS-from-openstack-services.patch
+Patch14: 0014-Remove-mariadb-and-rabbit-tls.patch
 
 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@@ -54,6 +56,8 @@ Openstack Helm charts
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 # Stage helm-toolkit in the local repo

openstack-helm/debian/deb_folder/rules

@@ -11,8 +11,25 @@ export TOOLKIT_VERSION = 0.2.19
 	dh $@
 
 override_dh_auto_build:
+	# Move the source files from the extracted root directory to build root.
+	mv openstack-helm/* .
 	# Stage helm-toolkit in the local repo.
 	cp $(HELM_FOLDER)/helm-toolkit-$(TOOLKIT_VERSION).tgz .
+	# Apply the openstack-helm patches.
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0002-Nova-console-ip-address-search-optionality.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Nova-chart-Support-ephemeral-pool-creation.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Support-ingress-creation-for-keystone-admin-endpoint.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Wrong-usage-of-rbd_store_chunk_size.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0007-Add-stx_admin-account.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-Replace-deprecated-Nova-VNC-configurations.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Remove-TLS-from-openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0014-Remove-mariadb-and-rabbit-tls.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
 		--storage-local-rootdir="." &

openstack-helm/files/0007-Add-stx_admin-account.patch

@@ -39,7 +39,7 @@ index 00000000..91f990f3
 +{{- if .Values.manifests.job_ks_user }}
 +{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}}
 +{{- if .Values.manifests.certificates -}}
-+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.public -}}
 +{{- end -}}
 +{{- if .Values.pod.tolerations.keystone.enabled -}}
 +{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}

stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml

@@ -77,7 +77,7 @@ spec:
               mountPath: /etc/proxy/api-proxy-paste.ini
               subPath: api-proxy-paste.ini
               readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }}
       volumes:
         - name: nova-api-proxy-bin
@@ -88,6 +88,6 @@ spec:
           configMap:
             name: nova-api-proxy-etc
             defaultMode: 0777
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }}
 {{- end }}

stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml

@@ -9,7 +9,7 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.nova.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}