Fixes Application Apply failing when HTTPS enabled

Openstack-helm provides the option to terminate TLS at the services. However, at Starlingx TLS termination is done at the reverse proxy (ingress) and therefore is unecessary for the OpenStack itself be HTTPS and terminate tls a second time. Furthermore, it is not possible to have https enabled on openstack services with the current centos based containers that we have, openstack-helm only supports tls using debian based containers. Manually working arroud this creates a cumbersome override file, so to diminish this overrides this patch 0020 and 0013(osh-i) disables https at the backend, thus maitaining the same behaviour as stx 5.0 Mariadb and RabbitMQ tls does not seem to be working very well within Starlingx, so we also disable TLS for them. I am not confident that current openstack-helm and openstack-helm-infra supports production level openstack with mariadb in TLS mode. Furthermore, from the way everything is redirected in StarlingX I do see too many performance and stability issues using both of them with tls enabled. Disclaimer I did not test with either only mairiadb tls or rabbitmq activated, but with both of them on the system is not usable. Test Plan: PASS: Openstack is Applied. (https disabled) PASS: enable https. Opensatck is Applied (WITHOUT service.conf overrides) Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com> Change-Id: Ifb7946e9a289234047934b52d200b951a59c1a3f Partial-bug: 1960354 Related-to: https://review.opendev.org/c/starlingx/helm-charts/+/828815
2021-12-23 11:13:15 -03:00 · 2021-12-23 11:13:15 -03:00 · 27c4d562c8
commit 27c4d562c8
parent 9892254209
12 changed files with 4651 additions and 4 deletions
--- a/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack-helm-infra/centos/openstack-helm-infra.spec
@ -28,6 +28,9 @@ Patch16: 0016-Disabling-helm3_hooks.patch
 Patch17: 0017-Enable-taint-toleration-for-Openstack-services.patch
 Patch18: 0018-Add-GaleraDB-Secure-Replica-Traffic.patch
 Patch19: 0019-Add-force_boot-command-to-rabbit-start-template.patch
+Patch20: 0020-Fix-tls-in-openstack-helm-infra.patch
+Patch21: 0021-Remove-mariadb-tls.patch
+Patch22: 0022-Remove-rabbitmq-tls.patch

 BuildRequires: helm
 BuildRequires: chartmuseum
@ -50,6 +53,9 @@ Openstack Helm Infra charts
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1

 %build
 # Host a server for the charts
--- a/openstack-helm-infra/debian/deb_folder/rules
+++ b/openstack-helm-infra/debian/deb_folder/rules
@ -8,6 +8,25 @@ export HELM_FOLDER = $(ROOT)/usr/lib/helm
 	dh $@

 override_dh_auto_build:
+	# Move the source files from the extracted root directory to build root.
+	mv openstack-helm-infra/* .
+	# Apply the openstack-helm-infra patches.
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Add-imagePullSecrets-in-service-account.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Fix-pod-restarts-on-all-workers-when-worker-added-re.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Add-io_thread_pool-for-rabbitmq.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Enable-override-of-rabbitmq-probe-parameters.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Enable-override-of-mariadb-server-probe-parameters.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Add-mariadb-database-config-override-to-support-ipv6.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-enable-Values.conf.database.config_override-for-mari.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0016-Disabling-helm3_hooks.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0017-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0018-Add-GaleraDB-Secure-Replica-Traffic.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0019-Add-force_boot-command-to-rabbit-start-template.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0020-Fix-tls-in-openstack-helm-infra.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0021-Remove-mariadb-tls.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0022-Remove-rabbitmq-tls.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --storage-local-rootdir="." &
 	sleep 2
--- a/openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch
+++ b/openstack-helm-infra/files/0020-Fix-tls-in-openstack-helm-infra.patch
@ -0,0 +1,136 @@
+From d7d223ef40ab11e5c9a00b4b30000f6905885c04 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Wed, 19 Jan 2022 11:54:38 -0300
+Subject: [PATCH] Fix Support for TLS in openstack-helm-infra
+
+WIP
+
+Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Change-Id: I382e0fc68c9a92c6a9570097db2c6a959525059d
+---
+ .../templates/manifests/_secret-tls.yaml.tpl  | 97 +++++++------------
+ 1 file changed, 33 insertions(+), 64 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+index 24a70450..f34ac527 100644
+--- a/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
+@@ -15,66 +15,36 @@ limitations under the License.
+ {{/*
+ abstract: |
+   Creates a manifest for a services public tls secret
+-examples:
+-  - values: |
+-      secrets:
+-        tls:
+-          key_manager:
+-            api:
+-              public: barbican-tls-public
+-      endpoints:
+-        key_manager:
+-          host_fqdn_override:
+-            public:
+-              tls:
+-                crt: |
+-                  FOO-CRT
+-                key: |
+-                  FOO-KEY
+-                ca: |
+-                  FOO-CA_CRT
+-  usage: |
+-    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+-  return: |
+-    ---
+-    apiVersion: v1
+-    kind: Secret
+-    metadata:
+-      name: barbican-tls-public
+-    type: kubernetes.io/tls
+-    data:
+-      tls.key: Rk9PLUtFWQo=
+-      tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+-
+-  - values: |
+-      secrets:
+-        tls:
+-          key_manager:
+-            api:
+-              public: barbican-tls-public
+-      endpoints:
+-        key_manager:
+-          host_fqdn_override:
+-            public:
+-              tls:
+-                crt: |
+-                  FOO-CRT
+-                  FOO-INTERMEDIATE_CRT
+-                  FOO-CA_CRT
+-                key: |
+-                  FOO-KEY
+-  usage: |
+-    {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+-  return: |
+-    ---
+-    apiVersion: v1
+-    kind: Secret
+-    metadata:
+-      name: barbican-tls-public
+-    type: kubernetes.io/tls
+-    data:
+-      tls.key: Rk9PLUtFWQo=
+-      tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+values: |
+  secrets:
+    tls:
+      key_manager:
+        api:
+          public: barbican-tls-public
+  endpoints:
+    key_manager:
+      host_fqdn_override:
+        public:
+          tls:
+            crt: |
+              FOO-CRT
+            key: |
+              FOO-KEY
+            ca: |
+              FOO-CA_CRT
+usage: |
+  {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+return: |
+  ---
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: barbican-tls-public
+  type: kubernetes.io/tls
+  data:
+    tls.crt: Rk9PLUNSVAo=
+    tls.key: Rk9PLUtFWQo=
+    ca.crt: Rk9PLUNBX0NSVAo=
+ */}}
+ 
+ {{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+@@ -95,14 +65,13 @@ metadata:
+   name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+ type: kubernetes.io/tls
+ data:
+  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+   tls.key: {{ $endpointHost.tls.key | b64enc }}
+ {{- if $endpointHost.tls.ca }}
+-  tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+-{{- else }}
+-  tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+-{{- end }}
+  ca.crt: {{ $endpointHost.tls.ca | b64enc }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+\ No newline at end of file
+-- 
+2.17.1
+
--- a/openstack-helm-infra/files/0021-Remove-mariadb-tls.patch
+++ b/openstack-helm-infra/files/0021-Remove-mariadb-tls.patch
@ -0,0 +1,191 @@
+From 6fa2814271b7806aece4fb44f6d8eabe8c5ab6aa Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Tue, 8 Feb 2022 09:18:02 -0300
+Subject: [PATCH 21/22] Remove mariadb
+
+Change-Id: I37405da8faab3495ebe55c81389e0d769aaeb1d1
+---
+ .../templates/manifests/_job-db-drop-mysql.tpl     |  7 -------
+ .../templates/manifests/_job-db-init-mysql.tpl     |  7 -------
+ helm-toolkit/templates/manifests/_job-db-sync.tpl  |  3 ---
+ helm-toolkit/templates/scripts/_db-drop.py.tpl     | 11 ++---------
+ helm-toolkit/templates/scripts/_db-init.py.tpl     | 14 ++++----------
+ 5 files changed, 6 insertions(+), 36 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+index 934a2435..8ae71c67 100644
+--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
+@@ -37,7 +37,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+ {{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -133,9 +132,6 @@ spec:
+               subPath: {{ base $dbToDrop.logConfigFile | quote }}
+               readOnly: true
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -150,9 +146,6 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- $local := dict "configMapBinFirst" true -}}
+ {{- range $key1, $dbToDrop := $dbsToDrop }}
+ {{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+index c164ad0a..dcfbb35f 100644
+--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
+@@ -37,7 +37,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+ {{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -132,9 +131,6 @@ spec:
+               subPath: {{ base $dbToInit.logConfigFile | quote }}
+               readOnly: true
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -149,9 +145,6 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- $local := dict "configMapBinFirst" true -}}
+ {{- range $key1, $dbToInit := $dbsToInit }}
+ {{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+diff --git a/helm-toolkit/templates/manifests/_job-db-sync.tpl b/helm-toolkit/templates/manifests/_job-db-sync.tpl
+index 659238a4..f181061f 100644
+--- a/helm-toolkit/templates/manifests/_job-db-sync.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-sync.tpl
+@@ -34,7 +34,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+ {{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -106,7 +105,6 @@ spec:
+               mountPath: {{ $dbToSync.logConfigFile | quote }}
+               subPath: {{ base $dbToSync.logConfigFile | quote }}
+               readOnly: true
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{- if $podVolMounts }}
+ {{ $podVolMounts | toYaml | indent 12 }}
+ {{- end }}
+@@ -129,7 +127,6 @@ spec:
+           secret:
+             secretName: {{ $configMapEtc | quote }}
+             defaultMode: 0444
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- if $podVols }}
+ {{ $podVols | toYaml | indent 8 }}
+ {{- end }}
+diff --git a/helm-toolkit/templates/scripts/_db-drop.py.tpl b/helm-toolkit/templates/scripts/_db-drop.py.tpl
+index 03884fa1..81447546 100644
+--- a/helm-toolkit/templates/scripts/_db-drop.py.tpl
+++ b/helm-toolkit/templates/scripts/_db-drop.py.tpl
+@@ -54,13 +54,6 @@ else:
+     logger.critical('environment variable ROOT_DB_CONNECTION not set')
+     sys.exit(1)
+ 
+-mysql_x509 = os.getenv('MARIADB_X509', "")
+-ssl_args = {}
+-if mysql_x509:
+-    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+-                        'key': '/etc/mysql/certs/tls.key',
+-                        'cert': '/etc/mysql/certs/tls.crt'}}
+-
+ # Get the connection string for the service db
+ if "OPENSTACK_CONFIG_FILE" in os.environ:
+     os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+@@ -101,7 +94,7 @@ try:
+     host = root_engine_full.url.host
+     port = root_engine_full.url.port
+     root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+-    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    root_engine = create_engine(root_engine_url)
+     connection = root_engine.connect()
+     connection.close()
+     logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+@@ -112,7 +105,7 @@ except:
+ 
+ # User DB engine
+ try:
+-    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    user_engine = create_engine(user_db_conn)
+     # Get our user data out of the user_engine
+     database = user_engine.url.database
+     user = user_engine.url.username
+diff --git a/helm-toolkit/templates/scripts/_db-init.py.tpl b/helm-toolkit/templates/scripts/_db-init.py.tpl
+index 4294d40c..9671b734 100644
+--- a/helm-toolkit/templates/scripts/_db-init.py.tpl
+++ b/helm-toolkit/templates/scripts/_db-init.py.tpl
+@@ -54,12 +54,6 @@ else:
+     logger.critical('environment variable ROOT_DB_CONNECTION not set')
+     sys.exit(1)
+ 
+-mysql_x509 = os.getenv('MARIADB_X509', "")
+-ssl_args = {}
+-if mysql_x509:
+-    ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+-                'key': '/etc/mysql/certs/tls.key',
+-                'cert': '/etc/mysql/certs/tls.crt'}}
+ 
+ # Get the connection string for the service db
+ if "OPENSTACK_CONFIG_FILE" in os.environ:
+@@ -101,7 +95,7 @@ try:
+     host = root_engine_full.url.host
+     port = root_engine_full.url.port
+     root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+-    root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+    root_engine = create_engine(root_engine_url)
+     connection = root_engine.connect()
+     connection.close()
+     logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+@@ -112,7 +106,7 @@ except:
+ 
+ # User DB engine
+ try:
+-    user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+    user_engine = create_engine(user_db_conn)
+     # Get our user data out of the user_engine
+     database = user_engine.url.database
+     user = user_engine.url.username
+@@ -133,8 +127,8 @@ except:
+ # Create DB User
+ try:
+     root_engine.execute(
+-        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\' {3}".format(
+-            database, user, password, mysql_x509))
+        "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\' IDENTIFIED BY \'{2}\'".format(
+            database, user, password))
+     logger.info("Created user {0} for {1}".format(user, database))
+ except:
+     logger.critical("Could not create user {0} for {1}".format(user, database))
+-- 
+2.17.1
+
--- a/openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch
+++ b/openstack-helm-infra/files/0022-Remove-rabbitmq-tls.patch
@ -0,0 +1,91 @@
+From 4b2cc6a3c4b9af9dd2688d52b493828cef97cdb6 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
+Date: Tue, 8 Feb 2022 09:20:36 -0300
+Subject: [PATCH 22/22] remove rabbit tls
+
+Change-Id: I04c4c25c72b10b87e71c2f286e21526e5e062b67
+---
+ .../templates/manifests/_job-rabbit-init.yaml.tpl | 15 ---------------
+ .../templates/scripts/_rabbit-init.sh.tpl         | 15 ---------------
+ 2 files changed, 30 deletions(-)
+
+diff --git a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+index 59e0da0f..b776d055 100644
+--- a/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
+@@ -25,9 +25,6 @@ limitations under the License.
+ {{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+ {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+ {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+-{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+-{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+-{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+ 
+ {{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+ {{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+@@ -85,9 +82,6 @@ spec:
+               mountPath: /tmp/rabbit-init.sh
+               subPath: rabbit-init.sh
+               readOnly: true
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+-{{- end }}
+           env:
+           - name: RABBITMQ_ADMIN_CONNECTION
+             valueFrom:
+@@ -102,12 +96,6 @@ spec:
+ {{- if $envAll.Values.conf.rabbitmq }}
+           - name: RABBITMQ_AUXILIARY_CONFIGURATION
+             value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+-{{- end }}
+-{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+-          - name: RABBITMQ_X509
+-            value: "REQUIRE X509"
+-          - name: USER_CERT_PATH
+-            value: {{ $tlsPath | quote }}
+ {{- end }}
+       volumes:
+         - name: pod-tmp
+@@ -122,7 +110,4 @@ spec:
+             name: {{ $configMapBin | quote }}
+             defaultMode: 0555
+ {{- end }}
+-{{- if $envAll.Values.manifests.certificates }}
+-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+-{{- end }}
+ {{- end -}}
+diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+index 87872d6f..7fb16a0f 100644
+--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+@@ -47,27 +47,12 @@ RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+ 
+ function rabbitmqadmin_cli () {
+-  if [ -n "$RABBITMQ_X509" ]
+-  then
+     rabbitmqadmin \
+-      --ssl \
+-      --ssl-disable-hostname-verification \
+-      --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+-      --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+-      --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+       --host="${RABBIT_HOSTNAME}" \
+       --port="${RABBIT_PORT}" \
+       --username="${RABBITMQ_ADMIN_USERNAME}" \
+       --password="${RABBITMQ_ADMIN_PASSWORD}" \
+       ${@}
+-  else
+-    rabbitmqadmin \
+-      --host="${RABBIT_HOSTNAME}" \
+-      --port="${RABBIT_PORT}" \
+-      --username="${RABBITMQ_ADMIN_USERNAME}" \
+-      --password="${RABBITMQ_ADMIN_PASSWORD}" \
+-      ${@}
+-  fi
+ }
+ 
+ echo "Managing: User: ${RABBITMQ_USERNAME}"
+-- 
+2.17.1
+
--- a/openstack-helm/centos/openstack-helm.spec
+++ b/openstack-helm/centos/openstack-helm.spec
@ -31,6 +31,8 @@ Patch09: 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
 Patch10: 0010-Enable-taint-toleration-for-Openstack-services.patch
 Patch11: 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
 Patch12: 0012-Replace-deprecated-Nova-VNC-configurations.patch
+Patch13: 0013-Remove-TLS-from-openstack-services.patch
+Patch14: 0014-Remove-mariadb-and-rabbit-tls.patch

 BuildRequires: helm
 BuildRequires: openstack-helm-infra
@ -54,6 +56,8 @@ Openstack Helm charts
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1

 %build
 # Stage helm-toolkit in the local repo
--- a/openstack-helm/debian/deb_folder/rules
+++ b/openstack-helm/debian/deb_folder/rules
@ -11,8 +11,25 @@ export TOOLKIT_VERSION = 0.2.19
 	dh $@

 override_dh_auto_build:
+	# Move the source files from the extracted root directory to build root.
+	mv openstack-helm/* .
 	# Stage helm-toolkit in the local repo.
 	cp $(HELM_FOLDER)/helm-toolkit-$(TOOLKIT_VERSION).tgz .
+	# Apply the openstack-helm patches.
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0002-Nova-console-ip-address-search-optionality.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0003-Nova-chart-Support-ephemeral-pool-creation.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0004-Support-ingress-creation-for-keystone-admin-endpoint.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0006-Wrong-usage-of-rbd_store_chunk_size.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0007-Add-stx_admin-account.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0008-Disabling-helm3_hook.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0010-Enable-taint-toleration-for-Openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0012-Replace-deprecated-Nova-VNC-configurations.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0013-Remove-TLS-from-openstack-services.patch
+	patch --no-backup-if-mismatch --fuzz=0 -p1 < 0014-Remove-mariadb-and-rabbit-tls.patch
 	# Host a server for the helm charts.
 	chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" \
 		--storage-local-rootdir="." &
--- a/openstack-helm/files/0007-Add-stx_admin-account.patch
+++ b/openstack-helm/files/0007-Add-stx_admin-account.patch
@ -39,7 +39,7 @@ index 00000000..91f990f3
 +{{- if .Values.manifests.job_ks_user }}
 +{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}}
 +{{- if .Values.manifests.certificates -}}
-+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.public -}}
 +{{- end -}}
 +{{- if .Values.pod.tolerations.keystone.enabled -}}
 +{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
--- a/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch
+++ b/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch
--- a/openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch
+++ b/openstack-helm/files/0014-Remove-mariadb-and-rabbit-tls.patch
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
@ -77,7 +77,7 @@ spec:
              mountPath: /etc/proxy/api-proxy-paste.ini
              subPath: api-proxy-paste.ini
              readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: nova-api-proxy-bin
@ -88,6 +88,6 @@ spec:
          configMap:
            name: nova-api-proxy-etc
            defaultMode: 0777
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
@ -9,7 +9,7 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.nova.enabled -}}
 {{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}