diff --git a/openstack-helm-infra/centos/openstack-helm-infra.spec b/openstack-helm-infra/centos/openstack-helm-infra.spec
index 9428208c..1d02aba1 100644
--- a/openstack-helm-infra/centos/openstack-helm-infra.spec
+++ b/openstack-helm-infra/centos/openstack-helm-infra.spec
@@ -30,6 +30,7 @@ Patch12: 0012-enable-Values.conf.database.config_override-for-mari.patch
 Patch13: 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch
 Patch14: 0014-Add-tolerations-to-rabbitmq-chart.patch
 Patch15: 0015-Add-tolerations-to-mariadb-chart.patch
+Patch16: 0016-Add-Trust-ingress-support-to-helm-toolkit.patch
 BuildRequires: helm
 BuildRequires: chartmuseum
@@ -54,6 +55,7 @@ Openstack Helm Infra charts
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 %build
 # Host a server for the charts
diff --git a/openstack-helm-infra/files/0016-Add-Trust-ingress-support-to-helm-toolkit.patch b/openstack-helm-infra/files/0016-Add-Trust-ingress-support-to-helm-toolkit.patch
new file mode 100644
index 00000000..c3f03e0a
--- /dev/null
+++ b/openstack-helm-infra/files/0016-Add-Trust-ingress-support-to-helm-toolkit.patch
@@ -0,0 +1,365 @@ +From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Thu, 22 Jul 2021 09:01:02 -0300 +Subject: [PATCH] Add Trust ingress support to helm-toolkit + +This patch enables the following OpenStack services to trust +public ingress certificate: keystone, horizon, glance, +cinder, heat, nova, placement and neutron. + +This patch is roughly based on +https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194 + +Signed-off-by: Lucas Cavalcante +--- + .../templates/manifests/_job-bootstrap.tpl | 5 +- + .../templates/manifests/_job-ks-endpoints.tpl | 5 +- + .../templates/manifests/_job-ks-service.tpl | 5 +- + .../templates/manifests/_job-ks-user.yaml.tpl | 5 +- + .../templates/scripts/_rally_test.sh.tpl | 2 +- + .../snippets/_keystone_openrc_env_vars.tpl | 13 +++ + .../snippets/_keystone_secret_openrc.tpl | 3 + + .../_keystone_user_create_env_vars.tpl | 1 + + .../templates/snippets/_tls_volume.tpl | 47 +++++++++++ + .../templates/snippets/_tls_volume_mount.tpl | 82 +++++++++++++++++++ + 10 files changed, 163 insertions(+), 5 deletions(-) + create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl + create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl + +diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl +index 9c1f9aae..c67a4a70 100644 +--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl ++++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl +@@ -29,6 +29,7 @@ limitations under the License. + {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} + {{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}} + {{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $keystoneUser := index . 
"keystoneUser" | default $serviceName -}} + {{- $openrc := index . "openrc" | default "true" -}} + {{- $secretBin := index . "secretBin" -}} +@@ -68,7 +69,7 @@ spec: + {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{- if eq $openrc "true" }} + env: +-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} ++{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + {{- end }} +@@ -93,6 +94,7 @@ spec: + mountPath: {{ $logConfigFile | quote }} + subPath: {{ base $logConfigFile | quote }} + readOnly: true ++{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- if $podVolMounts }} + {{ $podVolMounts | toYaml | indent 12 }} + {{- end }} +@@ -115,6 +117,7 @@ spec: + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 ++{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- if $podVols }} + {{ $podVols | toYaml | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl +index 11e77335..674bb214 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl +@@ -25,6 +25,7 @@ limitations under the License. + {{- $serviceTypes := index . "serviceTypes" -}} + {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} ++{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + {{- $secretBin := index . "secretBin" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +@@ -73,8 +74,9 @@ spec: + mountPath: /tmp/ks-endpoints.sh + subPath: ks-endpoints.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: OS_SVC_ENDPOINT +@@ -100,4 +102,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl +index 71cc9094..f3a9503e 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl +@@ -25,6 +25,7 @@ limitations under the License. + {{- $serviceTypes := index . "serviceTypes" -}} + {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $secretBin := index . "secretBin" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +@@ -72,8 +73,9 @@ spec: + mountPath: /tmp/ks-service.sh + subPath: ks-service.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: OS_SERVICE_NAME +@@ -94,4 +96,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +index 1003e4f7..2fafaa16 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +@@ -26,6 +26,7 @@ limitations under the License. + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} + {{- $serviceUser := index . "serviceUser" | default $serviceName -}} + {{- $secretBin := index . "secretBin" -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} + {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +@@ -71,8 +72,9 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -100,4 +102,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end -}} +diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl +index a7b614a6..ccaf435b 100644 +--- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl ++++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl +@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF + } + ], + "https_insecure": false, +- "https_cacert": "" ++ "https_cacert": "${OS_CACERT}" + } + } + EOF +diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl +index d856ab21..dcbb361a 100644 +--- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl +@@ -67,9 +67,15 @@ return: | + secretKeyRef: + name: example-keystone-admin + key: OS_PASSWORD ++ - name: OS_CACERT ++ valueFrom: ++ secretKeyRef: ++ name: example-keystone-admin ++ key: OS_CACERT + */}} + + {{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} ++{{- $useCA := .useCA -}} + {{- $ksUserSecret := .ksUserSecret }} + - name: OS_IDENTITY_API_VERSION + value: "3" +@@ -118,4 +124,11 @@ return: | + 
secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_DEFAULT_DOMAIN ++{{- if $useCA }} ++- name: OS_CACERT ++ valueFrom: ++ secretKeyRef: ++ name: {{ $ksUserSecret }} ++ key: OS_CACERT ++{{- end }} + {{- end }} +diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl +index f6083b9b..e328ea4a 100644 +--- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl +@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }} + OS_USERNAME: {{ $userContext.username | b64enc }} + OS_PASSWORD: {{ $userContext.password | b64enc }} + OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }} ++{{- if $userContext.cacert }} ++OS_CACERT: {{ $userContext.cacert | b64enc }} ++{{- end }} + {{- end }} +diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl +index 622757bc..ff717ef3 100644 +--- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl +@@ -24,6 +24,7 @@ values: | + service_user: example-keystone-user + usage: | + {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }} ++ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }} + return: | + - name: SERVICE_OS_REGION_NAME + valueFrom: +diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl +new file mode 100644 +index 00000000..41fe3d96 +--- /dev/null ++++ b/helm-toolkit/templates/snippets/_tls_volume.tpl +@@ -0,0 +1,47 @@ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in 
compliance with the License. ++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++{{/* ++abstract: | ++ Renders a secret volume for tls. ++ ++ Dictionary Parameters: ++ enabled: boolean check if you want to conditional disable this snippet (optional) ++ name: name of the volume (required) ++ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional) ++ ++values: | ++ manifests: ++ certificates: true ++ ++usage: | ++ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}} ++ ++return: | ++ - name: glance-tls-api ++ secret: ++ secretName: glance-tls-api ++ defaultMode: 292 ++*/}} ++{{- define "helm-toolkit.snippets.tls_volume" }} ++{{- $enabled := index . "enabled" -}} ++{{- $name := index . "name" -}} ++{{- $secretName := index . "secretName" | default $name -}} ++{{- if and $enabled (ne $name "") }} ++- name: {{ $name }} ++ secret: ++ secretName: {{ $secretName }} ++ defaultMode: 292 ++{{- end }} ++{{- end }} +diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl +new file mode 100644 +index 00000000..9cfa8195 +--- /dev/null ++++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl +@@ -0,0 +1,82 @@ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in compliance with the License. 
++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++{{/* ++abstract: | ++ Renders a volume mount for TLS key, cert and CA. ++ ++ Dictionary Parameters: ++ enabled: boolean check if you want to conditional disable this snippet (optional) ++ name: name that of the volume and should match the volume name (required) ++ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required) ++ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}. ++ the default is the full set. (optional) ++ ++values: | ++ manifests: ++ certificates: true ++ ++usage: | ++ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} ++ ++return: | ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/tls.crt ++ subPath: tls.crt ++ readOnly: true ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/tls.key ++ subPath: tls.key ++ readOnly: true ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/ca.crt ++ subPath: ca.crt ++ readOnly: true ++ ++abstract: | ++ This mounts a specific issuing CA only for service validation ++ ++usage: | ++ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} ++ ++return: | ++ - name: glance-tls-api ++ mountPath: /etc/ssl/certs/openstack-helm.crt ++ subPath: ca.crt ++ readOnly: true ++*/}} ++{{- define "helm-toolkit.snippets.tls_volume_mount" }} ++{{- $enabled := index . "enabled" -}} ++{{- $name := index . 
"name" -}} ++{{- $path := index . "path" | default "" -}} ++{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }} ++{{- if $enabled }} ++{{- if and (eq $path "") (ne $name "") }} ++- name: {{ $name }} ++ mountPath: "/etc/ssl/certs/openstack-helm.crt" ++ subPath: ca.crt ++ readOnly: true ++{{- else }} ++{{- if ne $name "" }} ++{{- range $key, $value := $certs }} ++- name: {{ $name }} ++ mountPath: {{ printf "%s/%s" $path $value }} ++ subPath: {{ $value }} ++ readOnly: true ++{{- end }} ++{{- end }} ++{{- end }} ++{{- end }} ++{{- end }} +-- +2.17.1 + diff --git a/openstack-helm-infra/files/0017-Add-Trust-ingress-support-to-helm-toolkit.patch b/openstack-helm-infra/files/0017-Add-Trust-ingress-support-to-helm-toolkit.patch new file mode 100644 index 00000000..c3f03e0a --- /dev/null +++ b/openstack-helm-infra/files/0017-Add-Trust-ingress-support-to-helm-toolkit.patch 
@@ -0,0 +1,365 @@ +From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Thu, 22 Jul 2021 09:01:02 -0300 +Subject: [PATCH] Add Trust ingress support to helm-toolkit + +This patch enables the following OpenStack services to trust +public ingress certificate: keystone, horizon, glance, +cinder, heat, nova, placement and neutron. + +This patch is roughly based on +https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194 + +Signed-off-by: Lucas Cavalcante +--- + .../templates/manifests/_job-bootstrap.tpl | 5 +- + .../templates/manifests/_job-ks-endpoints.tpl | 5 +- + .../templates/manifests/_job-ks-service.tpl | 5 +- + .../templates/manifests/_job-ks-user.yaml.tpl | 5 +- + .../templates/scripts/_rally_test.sh.tpl | 2 +- + .../snippets/_keystone_openrc_env_vars.tpl | 13 +++ + .../snippets/_keystone_secret_openrc.tpl | 3 + + .../_keystone_user_create_env_vars.tpl | 1 + + .../templates/snippets/_tls_volume.tpl | 47 +++++++++++ + .../templates/snippets/_tls_volume_mount.tpl | 82 +++++++++++++++++++ + 10 files changed, 163 insertions(+), 5 deletions(-) + create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl + create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl + +diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl +index 9c1f9aae..c67a4a70 100644 +--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl ++++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl +@@ -29,6 +29,7 @@ limitations under the License. + {{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}} + {{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}} + {{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $keystoneUser := index . 
"keystoneUser" | default $serviceName -}} + {{- $openrc := index . "openrc" | default "true" -}} + {{- $secretBin := index . "secretBin" -}} +@@ -68,7 +69,7 @@ spec: + {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{- if eq $openrc "true" }} + env: +-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} ++{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + {{- end }} +@@ -93,6 +94,7 @@ spec: + mountPath: {{ $logConfigFile | quote }} + subPath: {{ base $logConfigFile | quote }} + readOnly: true ++{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{- if $podVolMounts }} + {{ $podVolMounts | toYaml | indent 12 }} + {{- end }} +@@ -115,6 +117,7 @@ spec: + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 ++{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- if $podVols }} + {{ $podVols | toYaml | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl +index 11e77335..674bb214 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl +@@ -25,6 +25,7 @@ limitations under the License. + {{- $serviceTypes := index . "serviceTypes" -}} + {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} ++{{- $tlsSecret := index . 
"tlsSecret" | default "" -}} + {{- $secretBin := index . "secretBin" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}} +@@ -73,8 +74,9 @@ spec: + mountPath: /tmp/ks-endpoints.sh + subPath: ks-endpoints.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: OS_SVC_ENDPOINT +@@ -100,4 +102,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl +index 71cc9094..f3a9503e 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl +@@ -25,6 +25,7 @@ limitations under the License. + {{- $serviceTypes := index . "serviceTypes" -}} + {{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}} + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $secretBin := index . "secretBin" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} +@@ -72,8 +73,9 @@ spec: + mountPath: /tmp/ks-service.sh + subPath: ks-service.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: OS_SERVICE_NAME +@@ -94,4 +96,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +index 1003e4f7..2fafaa16 100644 +--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl ++++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl +@@ -26,6 +26,7 @@ limitations under the License. + {{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}} + {{- $serviceUser := index . "serviceUser" | default $serviceName -}} + {{- $secretBin := index . "secretBin" -}} ++{{- $tlsSecret := index . "tlsSecret" | default "" -}} + {{- $backoffLimit := index . "backoffLimit" | default "1000" -}} + {{- $activeDeadlineSeconds := index . 
"activeDeadlineSeconds" -}} + {{- $serviceUserPretty := $serviceUser | replace "_" "-" -}} +@@ -71,8 +72,9 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true ++{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -100,4 +102,5 @@ spec: + name: {{ $configMapBin | quote }} + defaultMode: 0555 + {{- end }} ++{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end -}} +diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl +index a7b614a6..ccaf435b 100644 +--- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl ++++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl +@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF + } + ], + "https_insecure": false, +- "https_cacert": "" ++ "https_cacert": "${OS_CACERT}" + } + } + EOF +diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl +index d856ab21..dcbb361a 100644 +--- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl +@@ -67,9 +67,15 @@ return: | + secretKeyRef: + name: example-keystone-admin + key: OS_PASSWORD ++ - name: OS_CACERT ++ valueFrom: ++ secretKeyRef: ++ name: example-keystone-admin ++ key: OS_CACERT + */}} + + {{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }} ++{{- $useCA := .useCA -}} + {{- $ksUserSecret := .ksUserSecret }} + - name: OS_IDENTITY_API_VERSION + value: "3" +@@ -118,4 +124,11 @@ return: | + 
secretKeyRef: + name: {{ $ksUserSecret }} + key: OS_DEFAULT_DOMAIN ++{{- if $useCA }} ++- name: OS_CACERT ++ valueFrom: ++ secretKeyRef: ++ name: {{ $ksUserSecret }} ++ key: OS_CACERT ++{{- end }} + {{- end }} +diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl +index f6083b9b..e328ea4a 100644 +--- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl +@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }} + OS_USERNAME: {{ $userContext.username | b64enc }} + OS_PASSWORD: {{ $userContext.password | b64enc }} + OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }} ++{{- if $userContext.cacert }} ++OS_CACERT: {{ $userContext.cacert | b64enc }} ++{{- end }} + {{- end }} +diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl +index 622757bc..ff717ef3 100644 +--- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl ++++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl +@@ -24,6 +24,7 @@ values: | + service_user: example-keystone-user + usage: | + {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }} ++ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }} + return: | + - name: SERVICE_OS_REGION_NAME + valueFrom: +diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl +new file mode 100644 +index 00000000..41fe3d96 +--- /dev/null ++++ b/helm-toolkit/templates/snippets/_tls_volume.tpl +@@ -0,0 +1,47 @@ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in 
compliance with the License. ++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++{{/* ++abstract: | ++ Renders a secret volume for tls. ++ ++ Dictionary Parameters: ++ enabled: boolean check if you want to conditional disable this snippet (optional) ++ name: name of the volume (required) ++ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional) ++ ++values: | ++ manifests: ++ certificates: true ++ ++usage: | ++ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}} ++ ++return: | ++ - name: glance-tls-api ++ secret: ++ secretName: glance-tls-api ++ defaultMode: 292 ++*/}} ++{{- define "helm-toolkit.snippets.tls_volume" }} ++{{- $enabled := index . "enabled" -}} ++{{- $name := index . "name" -}} ++{{- $secretName := index . "secretName" | default $name -}} ++{{- if and $enabled (ne $name "") }} ++- name: {{ $name }} ++ secret: ++ secretName: {{ $secretName }} ++ defaultMode: 292 ++{{- end }} ++{{- end }} +diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl +new file mode 100644 +index 00000000..9cfa8195 +--- /dev/null ++++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl +@@ -0,0 +1,82 @@ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in compliance with the License. 
++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++{{/* ++abstract: | ++ Renders a volume mount for TLS key, cert and CA. ++ ++ Dictionary Parameters: ++ enabled: boolean check if you want to conditional disable this snippet (optional) ++ name: name that of the volume and should match the volume name (required) ++ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required) ++ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}. ++ the default is the full set. (optional) ++ ++values: | ++ manifests: ++ certificates: true ++ ++usage: | ++ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} ++ ++return: | ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/tls.crt ++ subPath: tls.crt ++ readOnly: true ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/tls.key ++ subPath: tls.key ++ readOnly: true ++ - name: glance-tls-api ++ mountPath: /etc/glance/certs/ca.crt ++ subPath: ca.crt ++ readOnly: true ++ ++abstract: | ++ This mounts a specific issuing CA only for service validation ++ ++usage: | ++ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}} ++ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}} ++ ++return: | ++ - name: glance-tls-api ++ mountPath: /etc/ssl/certs/openstack-helm.crt ++ subPath: ca.crt ++ readOnly: true ++*/}} ++{{- define "helm-toolkit.snippets.tls_volume_mount" }} ++{{- $enabled := index . "enabled" -}} ++{{- $name := index . 
"name" -}} ++{{- $path := index . "path" | default "" -}} ++{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }} ++{{- if $enabled }} ++{{- if and (eq $path "") (ne $name "") }} ++- name: {{ $name }} ++ mountPath: "/etc/ssl/certs/openstack-helm.crt" ++ subPath: ca.crt ++ readOnly: true ++{{- else }} ++{{- if ne $name "" }} ++{{- range $key, $value := $certs }} ++- name: {{ $name }} ++ mountPath: {{ printf "%s/%s" $path $value }} ++ subPath: {{ $value }} ++ readOnly: true ++{{- end }} ++{{- end }} ++{{- end }} ++{{- end }} ++{{- end }} +-- +2.17.1 + diff --git a/openstack-helm/centos/openstack-helm.spec b/openstack-helm/centos/openstack-helm.spec index 62ee8b92..c8f20cc8 100644 --- a/openstack-helm/centos/openstack-helm.spec +++ b/openstack-helm/centos/openstack-helm.spec @@ -29,6 +29,7 @@ Patch07: 0007-Allow-more-generic-overrides-for-placeme.patch Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch Patch10: 0010-Add-stx_admin-account.patch +Patch11: 0011-Trust-public-ingress-certificate.patch BuildRequires: helm BuildRequires: openstack-helm-infra @@ -50,6 +51,7 @@ Openstack Helm charts %patch08 -p1 %patch09 -p1 %patch10 -p1 +%patch11 -p1 %build # Stage helm-toolkit in the local repo diff --git a/openstack-helm/files/0010-Add-stx_admin-account.patch b/openstack-helm/files/0010-Add-stx_admin-account.patch index 182d2bda..56879cdd 100644 --- a/openstack-helm/files/0010-Add-stx_admin-account.patch +++ b/openstack-helm/files/0010-Add-stx_admin-account.patch @@ -100,4 +100,3 @@ index 473379d..68bbcdd 100644 pod_rally_test: true -- 2.7.4 - diff --git a/openstack-helm/files/0011-Trust-public-ingress-certificate.patch b/openstack-helm/files/0011-Trust-public-ingress-certificate.patch new file mode 100644 index 00000000..6c443464 --- /dev/null +++ b/openstack-helm/files/0011-Trust-public-ingress-certificate.patch 
@@ -0,0 +1,1333 @@
+From 0213e7bc58629ec045964fcf480631bc977a9124 Mon Sep 17 00:00:00 2001
+From: Lucas Cavalcante
+Date: Tue, 27 Jul 2021 11:55:01 -0300
+Subject: [PATCH] Trust public ingress certificate
+
+This patch enables the following OpenStack services to trust
+public ingress certificate: keystone, horizon, glance,
+cinder, heat, nova, placement and neutron.
+
+This path is roughly based on
+https://review.opendev.org/c/openstack/openstack-helm/+/737899
+and considers starlingx workaround that forces services to use
+public ingress
+
+Signed-off-by: Lucas Cavalcante
+---
+ cinder/templates/deployment-api.yaml | 6 ++++++
+ cinder/templates/deployment-volume.yaml | 6 +++---
+ cinder/templates/job-bootstrap.yaml | 3 +++
+ cinder/templates/job-create-internal-tenant.yaml | 4 +++-
+ cinder/templates/job-ks-endpoints.yaml | 3 +++
+ cinder/templates/job-ks-service.yaml | 3 +++
+ cinder/templates/job-ks-user.yaml | 3 +++
+ cinder/templates/pod-rally-test.yaml | 7 +++++--
+ cinder/values.yaml | 1 +
+ glance/templates/deployment-api.yaml | 2 ++
+ glance/templates/deployment-registry.yaml | 2 ++
+ glance/templates/job-bootstrap.yaml | 3 +++
+ glance/templates/job-ks-endpoints.yaml | 3 +++
+ glance/templates/job-ks-service.yaml | 3 +++
+ glance/templates/job-ks-user.yaml | 3 +++
+ glance/values.yaml | 1 +
+ heat/templates/deployment-api.yaml | 2 ++
+ heat/templates/deployment-cfn.yaml | 2 ++
+ heat/templates/deployment-engine.yaml | 2 ++
+ heat/templates/job-bootstrap.yaml | 3 +++
+ heat/templates/job-ks-endpoints.yaml | 3 +++
+ heat/templates/job-ks-service.yaml | 3 +++
+ heat/templates/job-ks-user-domain.yaml | 4 +++-
+ heat/templates/job-ks-user-trustee.yaml | 3 +++
+ heat/templates/job-ks-user.yaml | 3 +++
+ heat/templates/job-trusts.yaml | 4 +++-
+ heat/templates/pod-rally-test.yaml | 7 +++++--
+ heat/values.yaml | 1 +
+ horizon/templates/deployment.yaml | 2 ++
+ horizon/values.yaml | 4 +++-
+ keystone/templates/deployment-api.yaml | 2 ++
+ 
keystone/templates/job-bootstrap.yaml | 3 +++
+ keystone/templates/job-ks-user.yaml | 3 +++
+ keystone/templates/pod-rally-test.yaml | 7 +++++--
+ keystone/values.yaml | 1 +
+ neutron/templates/daemonset-metadata-agent.yaml | 2 ++
+ neutron/templates/deployment-server.yaml | 2 ++
+ neutron/templates/job-bootstrap.yaml | 3 +++
+ neutron/templates/job-ks-endpoints.yaml | 3 +++
+ neutron/templates/job-ks-service.yaml | 3 +++
+ neutron/templates/job-ks-user.yaml | 3 +++
+ neutron/templates/pod-rally-test.yaml | 10 +++++++---
+ neutron/values.yaml | 1 +
+ nova/templates/cron-job-service-cleaner.yaml | 4 +++-
+ nova/templates/daemonset-compute.yaml | 3 +++
+ nova/templates/deployment-api-metadata.yaml | 2 ++
+ nova/templates/deployment-api-osapi.yaml | 2 ++
+ nova/templates/deployment-conductor.yaml | 2 ++
+ nova/templates/deployment-novncproxy.yaml | 2 ++
+ nova/templates/deployment-placement.yaml | 2 ++
+ nova/templates/deployment-scheduler.yaml | 2 ++
+ nova/templates/deployment-spiceproxy.yaml | 2 ++
+ nova/templates/job-bootstrap.yaml | 4 +++-
+ nova/templates/job-cell-setup.yaml | 4 +++-
+ nova/templates/job-ks-endpoints.yaml | 3 +++
+ nova/templates/job-ks-placement-endpoints.yaml | 3 +++
+ nova/templates/job-ks-placement-service.yaml | 3 +++
+ nova/templates/job-ks-placement-user.yaml | 3 +++
+ nova/templates/job-ks-service.yaml | 3 +++
+ nova/templates/job-ks-user.yaml | 3 +++
+ nova/templates/pod-rally-test.yaml | 7 +++++--
+ nova/values.yaml | 4 ++++
+ placement/templates/deployment.yaml | 2 ++
+ placement/templates/job-ks-endpoints.yaml | 3 +++
+ placement/templates/job-ks-service.yaml | 3 +++
+ placement/templates/job-ks-user.yaml | 3 +++
+ placement/values.yaml | 1 +
+ 67 files changed, 188 insertions(+), 21 deletions(-)
+
+diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
+index 34f0e730..fcc97bd2 100644
+--- a/cinder/templates/deployment-api.yaml
++++ b/cinder/templates/deployment-api.yaml
+@@ -74,6 +74,10 @@ spec:
+ 
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + {{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} ++ env: ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} ++{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} ++{{- end }} + command: + - /tmp/cinder-api.sh + - start +@@ -134,6 +138,7 @@ spec: + - name: cinder-coordination + mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -152,5 +157,6 @@ spec: + - name: cinder-coordination + emptyDir: {} + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml +index af8a8d9c..7922f3b5 100755 +--- a/cinder/templates/deployment-volume.yaml ++++ b/cinder/templates/deployment-volume.yaml +@@ -111,19 +111,18 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} 
++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: INTERNAL_PROJECT_NAME + value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }} + - name: INTERNAL_USER_NAME + value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }} +- + {{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }} + {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} + {{- end }} +- + containers: + - name: cinder-volume + {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }} +@@ -259,5 +258,6 @@ spec: + - name: usrlocalsbin + emptyDir: {} + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml +index 4867099c..e78f965c 100644 +--- a/cinder/templates/job-bootstrap.yaml ++++ b/cinder/templates/job-bootstrap.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . 
"serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml +index 2cb722e2..0d983cb4 100644 +--- a/cinder/templates/job-create-internal-tenant.yaml ++++ b/cinder/templates/job-create-internal-tenant.yaml +@@ -54,8 +54,9 @@ spec: + mountPath: /tmp/create-internal-tenant.sh + subPath: create-internal-tenant.sh + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -82,4 +83,5 @@ spec: + configMap: + name: {{ $configMapBin | quote }} + defaultMode: 0555 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end -}} +diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml +index 60f5beca..413e6650 100644 +--- a/cinder/templates/job-ks-endpoints.yaml ++++ b/cinder/templates/job-ks-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml +index bfdad1e2..05411dcf 100644 +--- a/cinder/templates/job-ks-service.yaml ++++ b/cinder/templates/job-ks-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml +index 4d10dfe1..7e78a510 100644 +--- a/cinder/templates/job-ks-user.yaml ++++ b/cinder/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "cinder" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml +index 2575263a..933e1ff4 100644 +--- a/cinder/templates/pod-rally-test.yaml ++++ b/cinder/templates/pod-rally-test.yaml +@@ -49,8 +49,9 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true ++{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -65,7 +66,7 @@ spec: + {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -88,6 +89,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: 
pod-tmp +@@ -102,5 +104,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/cinder/values.yaml b/cinder/values.yaml +index 85344d83..865f9e33 100644 +--- a/cinder/values.yaml ++++ b/cinder/values.yaml +@@ -1445,6 +1445,7 @@ network_policy: + - {} + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + cron_volume_usage_audit: true +diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml +index 76f8655c..844f7824 100644 +--- a/glance/templates/deployment-api.yaml ++++ b/glance/templates/deployment-api.yaml +@@ -164,6 +164,7 @@ spec: + subPath: key + readOnly: true + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -197,5 +198,6 @@ spec: + secret: + secretName: {{ .Values.secrets.rbd | quote }} + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml +index 5928c2bb..2bf24767 100644 +--- a/glance/templates/deployment-registry.yaml ++++ b/glance/templates/deployment-registry.yaml +@@ -109,6 +109,7 @@ spec: + mountPath: /etc/glance/policy.json + subPath: policy.json + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" 
.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -123,5 +124,6 @@ spec: + secret: + secretName: glance-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml +index 3fe72b4c..cb5661fa 100644 +--- a/glance/templates/job-bootstrap.yaml ++++ b/glance/templates/job-bootstrap.yaml +@@ -25,5 +25,8 @@ volumes: + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }} + {{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.public -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml +index 5ac03006..5a1575b0 100644 +--- a/glance/templates/job-ks-endpoints.yaml ++++ b/glance/templates/job-ks-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml +index d323ba3b..8c0f0eb5 100644 +--- a/glance/templates/job-ks-service.yaml ++++ b/glance/templates/job-ks-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml +index d39d6a35..69a351c9 100644 +--- a/glance/templates/job-ks-user.yaml ++++ b/glance/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "glance" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/glance/values.yaml b/glance/values.yaml +index 5ffa2cc1..b6e12e62 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -990,6 +990,7 @@ pod: + cpu: "2000m" + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + deployment_api: true +diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml +index f76093b5..6c3c9b70 100644 +--- a/heat/templates/deployment-api.yaml ++++ b/heat/templates/deployment-api.yaml +@@ -109,6 +109,7 @@ spec: + mountPath: /etc/heat/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -123,5 +124,6 @@ spec: + secret: + secretName: heat-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml +index 65be294e..adbd6ee3 100644 +--- a/heat/templates/deployment-cfn.yaml ++++ b/heat/templates/deployment-cfn.yaml +@@ -109,6 +109,7 @@ spec: + mountPath: /etc/heat/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if 
$mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -123,5 +124,6 @@ spec: + secret: + secretName: heat-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml +index da007ef7..2c1913c3 100644 +--- a/heat/templates/deployment-engine.yaml ++++ b/heat/templates/deployment-engine.yaml +@@ -99,6 +99,7 @@ spec: + mountPath: /etc/heat/policy.json + subPath: policy.json + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -113,5 +114,6 @@ spec: + secret: + secretName: heat-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml +index 8334e12f..b7218488 100644 +--- a/heat/templates/job-bootstrap.yaml ++++ b/heat/templates/job-bootstrap.yaml +@@ -15,5 +15,8 @@ limitations under the License. + + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . 
"serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml +index 61989035..d8b1bb34 100644 +--- a/heat/templates/job-ks-endpoints.yaml ++++ b/heat/templates/job-ks-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml +index b468ff23..f50a73e1 100644 +--- a/heat/templates/job-ks-service.yaml ++++ b/heat/templates/job-ks-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml +index 91584020..18ec80a2 100644 +--- a/heat/templates/job-ks-user-domain.yaml ++++ b/heat/templates/job-ks-user-domain.yaml +@@ -53,8 +53,9 @@ spec: + mountPath: /tmp/ks-domain-user.sh + subPath: ks-domain-user.sh + readOnly: true ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -88,4 +89,5 @@ spec: + configMap: + name: heat-bin + defaultMode: 0555 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml +index a9fadc8f..2e0771a8 100644 +--- a/heat/templates/job-ks-user-trustee.yaml ++++ b/heat/templates/job-ks-user-trustee.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user_trustee }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "heat" "serviceUser" "heat_trustee" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml +index 6a08b355..c5b787df 100644 +--- a/heat/templates/job-ks-user.yaml ++++ b/heat/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml +index 10f156d9..de796293 100644 +--- a/heat/templates/job-trusts.yaml ++++ b/heat/templates/job-trusts.yaml +@@ -57,9 +57,10 @@ spec: + mountPath: /tmp/trusts.sh + subPath: trusts.sh + readOnly: true ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: SERVICE_OS_ROLES +@@ -75,4 +76,5 @@ spec: + configMap: + name: heat-bin + defaultMode: 0555 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if 
$mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }} +diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml +index 52d2aee7..d9352a68 100644 +--- a/heat/templates/pod-rally-test.yaml ++++ b/heat/templates/pod-rally-test.yaml +@@ -50,7 +50,8 @@ spec: + subPath: ks-user.sh + readOnly: true + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -65,7 +66,7 @@ spec: + {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -94,6 +95,7 @@ spec: + subPath: {{ printf "test_template_%d" $key }} + readOnly: true + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -108,5 +110,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} ++{{- dict "enabled" $envAll.Values.manifests.certificates "name" 
$envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/heat/values.yaml b/heat/values.yaml +index c6eabbe1..d388e6bb 100644 +--- a/heat/values.yaml ++++ b/heat/values.yaml +@@ -1261,6 +1261,7 @@ network_policy: + - {} + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + cron_job_engine_cleaner: true +diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml +index 519fb826..049fe01e 100644 +--- a/horizon/templates/deployment.yaml ++++ b/horizon/templates/deployment.yaml +@@ -129,6 +129,7 @@ spec: + subPath: {{ base $policyFile }} + readOnly: true + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -145,5 +146,6 @@ spec: + secret: + secretName: horizon-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/horizon/values.yaml b/horizon/values.yaml +index 31bbe109..2b27c462 100644 +--- a/horizon/values.yaml ++++ b/horizon/values.yaml +@@ -423,8 +423,10 @@ conf: + # Disable SSL certificate checks (useful for self-signed certificates): + #OPENSTACK_SSL_NO_VERIFY = True + ++ {{- if .Values.manifests.certificates }} + # The CA certificate to use to verify SSL connections +- #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' ++ OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt' ++ {{- end }} + + # The OPENSTACK_KEYSTONE_BACKEND settings 
can be used to identify the + # capabilities of the auth backend for Keystone. +diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml +index 03891187..a0cd5d26 100644 +--- a/keystone/templates/deployment-api.yaml ++++ b/keystone/templates/deployment-api.yaml +@@ -147,6 +147,7 @@ spec: + {{- end }} + - name: keystone-credential-keys + mountPath: {{ .Values.conf.keystone.credential.key_repository }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -180,5 +181,6 @@ spec: + - name: keystone-credential-keys + secret: + secretName: keystone-credential-keys ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml +index c874746c..9f06b880 100644 +--- a/keystone/templates/job-bootstrap.yaml ++++ b/keystone/templates/job-bootstrap.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . 
"serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.public -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml +index aec4641c..d0086925 100644 +--- a/keystone/templates/job-ks-user.yaml ++++ b/keystone/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml +index 8d9972e4..f1106829 100644 +--- a/keystone/templates/pod-rally-test.yaml ++++ b/keystone/templates/pod-rally-test.yaml +@@ -50,7 +50,8 @@ spec: + subPath: ks-user.sh + readOnly: true + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -65,7 +66,7 @@ spec: + {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + env: +-{{- with $env 
:= dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -88,6 +89,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -102,5 +104,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/keystone/values.yaml b/keystone/values.yaml +index 198c7f22..2e09b9d5 100644 +--- a/keystone/values.yaml ++++ b/keystone/values.yaml +@@ -1250,6 +1250,7 @@ endpoints: + default: 80 + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + cron_credential_rotate: true +diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml +index 4f6a6265..24067e25 100644 +--- a/neutron/templates/daemonset-metadata-agent.yaml ++++ b/neutron/templates/daemonset-metadata-agent.yaml +@@ -184,6 +184,7 @@ spec: + mountPath: /run/netns + mountPropagation: Bidirectional + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 
12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -206,6 +207,7 @@ spec: + hostPath: + path: /run/netns + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml +index 09e6249a..38e0d70b 100644 +--- a/neutron/templates/deployment-server.yaml ++++ b/neutron/templates/deployment-server.yaml +@@ -138,6 +138,7 @@ spec: + mountPath: /etc/neutron/policy.json + subPath: policy.json + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -152,5 +153,6 @@ spec: + secret: + secretName: neutron-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml +index b3c8287c..8d85a107 100644 +--- a/neutron/templates/job-bootstrap.yaml ++++ b/neutron/templates/job-bootstrap.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} + {{- $bootstrapJob := dict "envAll" . 
"serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.public -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml +index 6493fd30..9259051b 100644 +--- a/neutron/templates/job-ks-endpoints.yaml ++++ b/neutron/templates/job-ks-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml +index 9afd0368..e92cc83a 100644 +--- a/neutron/templates/job-ks-service.yaml ++++ b/neutron/templates/job-ks-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml +index f80551c5..a8b99153 100644 +--- a/neutron/templates/job-ks-user.yaml ++++ b/neutron/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "neutron" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml +index 7ebaced3..b655372d 100644 +--- a/neutron/templates/pod-rally-test.yaml ++++ b/neutron/templates/pod-rally-test.yaml +@@ -50,8 +50,9 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -65,7 +66,7 @@ spec: + - name: {{ .Release.Name }}-reset + {{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -94,13 +95,14 @@ spec: + readOnly: true + - name: pod-tmp + mountPath: /tmp/pod-tmp ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ end }} + containers: + - name: {{ .Release.Name }}-test + {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} + {{ tuple $envAll 
$envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -123,6 +125,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp +@@ -137,5 +140,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/neutron/values.yaml b/neutron/values.yaml +index afb7de25..aa766662 100644 +--- a/neutron/values.yaml ++++ b/neutron/values.yaml +@@ -2403,6 +2403,7 @@ network_policy: + - {} + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + daemonset_dhcp_agent: true +diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml +index 0d897b8e..7276dd78 100644 +--- a/nova/templates/cron-job-service-cleaner.yaml ++++ b/nova/templates/cron-job-service-cleaner.yaml +@@ -53,7 +53,7 @@ spec: + {{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} + 
env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }} + {{- end }} + command: +@@ -67,6 +67,7 @@ spec: + readOnly: true + - name: etcnova + mountPath: /etc/nova ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} + volumes: + - name: pod-tmp + emptyDir: {} +@@ -80,4 +81,5 @@ spec: + configMap: + name: nova-bin + defaultMode: 0555 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }} + {{- end }} +diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml +index 3d0908f2..efc0032f 100644 +--- a/nova/templates/daemonset-compute.yaml ++++ b/nova/templates/daemonset-compute.yaml +@@ -344,6 +344,7 @@ spec: + mountPath: /usr/local/sbin/iscsiadm + subPath: iscsiadm + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} + {{- if .Values.network.sshd.enabled }} + - name: nova-compute-ssh +@@ -379,6 +380,7 @@ spec: + mountPath: /tmp/ssh-start.sh + subPath: ssh-start.sh + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ end }} + volumes: + - name: pod-tmp +@@ -442,6 +444,7 @@ spec: + - name: usrlocalsbin + emptyDir: {} + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | 
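Review bot: The new `useCA` entry reads `.Values.manifests.certificates` while the rest of the same `dict` uses `$envAll.Values...`; in a template that already captured `$envAll`, mixing the two is fragile because `.` need not be the chart root at that point, and the missing space before `}}` differs from every other hunk in the patch. Prefer `"useCA" $envAll.Values.manifests.certificates }}` here. The same mix appears in nova/templates/job-bootstrap.yaml (`@@ -63,7 +63,7 @@`) and nova/templates/job-cell-setup.yaml (`@@ -42,7 +42,7 @@`); whether `.` is rebound at any of these points is not visible in the hunks.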
include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} + {{- end }} + {{- end }} +diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml +index d5da3acf..85f30ebf 100644 +--- a/nova/templates/deployment-api-metadata.yaml ++++ b/nova/templates/deployment-api-metadata.yaml +@@ -161,6 +161,7 @@ spec: + - name: pod-shared + mountPath: /tmp/pod-shared + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -175,5 +176,6 @@ spec: + defaultMode: 0444 + - name: pod-shared + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml +index 89e75a79..9832ec3b 100644 +--- a/nova/templates/deployment-api-osapi.yaml ++++ b/nova/templates/deployment-api-osapi.yaml +@@ -109,6 +109,7 @@ spec: + mountPath: /etc/nova/api_audit_map.conf + subPath: api_audit_map.conf + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -123,5 +124,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 ++{{- dict "enabled" 
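Review bot: This adds the Secret named by `secrets.tls.compute.osapi.public`, the public ingress TLS secret, as a volume on every nova-compute pod, i.e. on every hypervisor node, when only the CA certificate is needed to trust the endpoint. If `helm-toolkit.snippets.tls_volume` (added by the toolkit part of this patch, not visible here) projects the whole secret instead of selecting the CA entry with `items:`, the endpoint's private key becomes available on every node running this daemonset and the neutron metadata-agent daemonset (`neutron/templates/daemonset-metadata-agent.yaml`), far beyond the ingress controller that needs it. Either have the snippet project only the CA key, or point these charts at a CA-only Secret or ConfigMap, and add a comment at the include stating which keys of the secret are exposed: `# CA bundle only; this pod must not receive the ingress private key`.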
.Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml +index a4d38529..fbc5e111 100644 +--- a/nova/templates/deployment-conductor.yaml ++++ b/nova/templates/deployment-conductor.yaml +@@ -114,6 +114,7 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -126,5 +127,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml +index 723ee884..fef8a51d 100644 +--- a/nova/templates/deployment-novncproxy.yaml ++++ b/nova/templates/deployment-novncproxy.yaml +@@ -139,6 +139,7 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -155,5 +156,6 @@ spec: + emptyDir: {} + - name: pod-shared + emptyDir: {} ++{{- dict 
"enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml +index d6faa30f..bdd8e51f 100644 +--- a/nova/templates/deployment-placement.yaml ++++ b/nova/templates/deployment-placement.yaml +@@ -118,6 +118,7 @@ spec: + subPath: security.conf + readOnly: true + {{- end }} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -132,5 +133,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml +index cdee77f6..dd5e3273 100644 +--- a/nova/templates/deployment-scheduler.yaml ++++ b/nova/templates/deployment-scheduler.yaml +@@ -114,6 +114,7 @@ spec: + mountPath: /etc/nova/policy.yaml + subPath: policy.yaml + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -126,5 +127,6 @@ spec: + secret: + secretName: nova-etc + defaultMode: 0444 ++{{- 
dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml +index 13e273e7..58edd39e 100644 +--- a/nova/templates/deployment-spiceproxy.yaml ++++ b/nova/templates/deployment-spiceproxy.yaml +@@ -138,6 +138,7 @@ spec: + readOnly: true + - name: pod-shared + mountPath: /tmp/pod-shared ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -154,5 +155,6 @@ spec: + emptyDir: {} + - name: pod-shared + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml +index 45dfac1c..a1343352 100644 +--- a/nova/templates/job-bootstrap.yaml ++++ b/nova/templates/job-bootstrap.yaml +@@ -63,7 +63,7 @@ spec: + imagePullPolicy: {{ $envAll.Values.images.pull_policy }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: +-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} ++{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }} + {{- include 
"helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + - name: WAIT_PERCENTAGE +@@ -91,6 +91,7 @@ spec: + mountPath: {{ $logConfigFile | quote }} + subPath: {{ base $logConfigFile | quote }} + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + volumes: + - name: pod-tmp + emptyDir: {} +@@ -104,6 +105,7 @@ spec: + secret: + secretName: {{ $configMapEtc | quote }} + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + --- + kind: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1 +diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml +index 675dac34..bbb13ccf 100644 +--- a/nova/templates/job-cell-setup.yaml ++++ b/nova/templates/job-cell-setup.yaml +@@ -42,7 +42,7 @@ spec: + {{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: +-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} + {{- end }} + command: +@@ -54,6 +54,7 @@ spec: + mountPath: /tmp/cell-setup-init.sh + subPath: cell-setup-init.sh + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + containers: + - name: nova-cell-setup + {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }} +@@ -96,4 +97,5 @@ spec: + configMap: + name: 
nova-bin + defaultMode: 0555 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{- end }} +diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml +index c9177499..cf606b96 100644 +--- a/nova/templates/job-ks-endpoints.yaml ++++ b/nova/templates/job-ks-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml +index d907e772..3380c629 100644 +--- a/nova/templates/job-ks-placement-endpoints.yaml ++++ b/nova/templates/job-ks-placement-endpoints.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_placement_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml +index aa85c77f..05511388 100644 +--- a/nova/templates/job-ks-placement-service.yaml ++++ b/nova/templates/job-ks-placement-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_placement_service }} + {{- $ksServiceJob := dict "envAll" . 
"serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml +index d24e540c..930ea097 100644 +--- a/nova/templates/job-ks-placement-user.yaml ++++ b/nova/templates/job-ks-placement-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_placement_user }} + {{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml +index 123da415..70ac7220 100644 +--- a/nova/templates/job-ks-service.yaml ++++ b/nova/templates/job-ks-service.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml +index c2f8df36..8a390101 100644 +--- a/nova/templates/job-ks-user.yaml ++++ b/nova/templates/job-ks-user.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "nova" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml +index e025ee26..2553f106 100644 +--- a/nova/templates/pod-rally-test.yaml ++++ b/nova/templates/pod-rally-test.yaml +@@ -49,8 +49,9 @@ spec: + mountPath: /tmp/ks-user.sh + subPath: ks-user.sh + readOnly: true ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + - name: SERVICE_OS_SERVICE_NAME +@@ -65,7 +66,7 @@ spec: + {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} + {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} + env: +-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} ++{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates}} + {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} + {{- end }} + {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} +@@ -88,6 +89,7 @@ spec: + readOnly: true + - name: rally-db + mountPath: /var/lib/rally ++{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} + {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} + volumes: + - name: pod-tmp 
+@@ -102,5 +104,6 @@ spec: + defaultMode: 0555 + - name: rally-db + emptyDir: {} ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} + {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} + {{- end }} +diff --git a/nova/values.yaml b/nova/values.yaml +index c445d156..a2efbc03 100644 +--- a/nova/values.yaml ++++ b/nova/values.yaml +@@ -1865,6 +1865,9 @@ secrets: + admin: nova-rabbitmq-admin + nova: nova-rabbitmq-user + tls: ++ compute_metadata: ++ metadata: ++ public: metadata-tls-public + compute: + osapi: + public: nova-tls-public +@@ -2632,6 +2635,7 @@ network_policy: + - {} + + manifests: ++ certificate: false + configmap_bin: true + configmap_etc: true + cron_job_cell_setup: true +diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml +index 65bbf6d0..329fa08e 100644 +--- a/placement/templates/deployment.yaml ++++ b/placement/templates/deployment.yaml +@@ -106,6 +106,7 @@ spec: + mountPath: /etc/apache2/conf-enabled/wsgi-placement.conf + subPath: wsgi-placement.conf + readOnly: true ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} + {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp +@@ -120,5 +121,6 @@ spec: + secret: + secretName: placement-etc + defaultMode: 0444 ++{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} + {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }} + {{- end }} +diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml +index 19269f95..a755fb6a 100644 +--- 
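Review bot: The key added under `manifests:` in nova/values.yaml is `certificate: false` (singular), but every nova template in this patch tests `.Values.manifests.certificates` (plural), which is also the key the heat, keystone, neutron and placement values files add. With default values the nova templates therefore read a missing key, which Helm renders as nil, so the TLS mounts and `useCA` stay off for nova and an operator setting `manifests.certificate: true` sees no effect; rename it to `certificates: false`. The `@@ -1865,6 +1865,9 @@` hunk adds only `compute_metadata.metadata.public`, while the templates also reference `secrets.tls.compute_novnc_proxy.novncproxy.public`, `compute_spice_proxy.spiceproxy.public` and `placement.placement.public`; those should be confirmed to exist elsewhere in the file.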
a/placement/templates/job-ks-endpoints.yaml ++++ b/placement/templates/job-ks-endpoints.yaml +@@ -16,5 +16,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_endpoints }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml +index 87151af0..737999c4 100644 +--- a/placement/templates/job-ks-service.yaml ++++ b/placement/templates/job-ks-service.yaml +@@ -16,5 +16,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_service }} + {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml +index 1dd4d11d..c53a0fe0 100644 +--- a/placement/templates/job-ks-user.yaml ++++ b/placement/templates/job-ks-user.yaml +@@ -16,5 +16,8 @@ limitations under the License. + + {{- if .Values.manifests.job_ks_user }} + {{- $ksUserJob := dict "envAll" . 
"serviceName" "placement" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/placement/values.yaml b/placement/values.yaml +index f16fd5d0..f0342d1e 100644 +--- a/placement/values.yaml ++++ b/placement/values.yaml +@@ -415,6 +415,7 @@ dependencies: + service: oslo_db + + manifests: ++ certificates: false + configmap_bin: true + configmap_etc: true + deployment: true +-- +2.17.1 + diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml index c9972779..0cf22d94 100644 --- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml +++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml @@ -74,6 +74,7 @@ spec: mountPath: /etc/proxy/api-proxy-paste.ini subPath: api-proxy-paste.ini readOnly: true +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }} volumes: - name: nova-api-proxy-bin @@ -84,5 +85,6 @@ spec: configMap: name: nova-api-proxy-etc defaultMode: 0777 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }} {{- end }} 
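Review bot: Both new lines in nova-api-proxy/templates/deployment.yaml gate the TLS volume on `.Values.manifests.certificates`, but the values.yaml hunk for this chart further down shows `manifests:` beginning at `configmap_bin: true` and does not add a `certificates` key the way the nova and placement charts do. If the key is not declared elsewhere in that file, the include always receives nil and the proxy never trusts the ingress certificate unless an override happens to supply the flag. Add `certificates: false` under `manifests:` in nova-api-proxy/values.yaml so the switch is visible and documented alongside the other charts. Separately, this mounts the shared `nova-tls-public` secret into the proxy pod; the `tls_volume_mount` snippet is not visible in this diff, so confirm it projects only the CA/certificate material (for example `ca.crt` via `subPath`) and not the endpoint's private key.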
diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml index 0c8524de..560d0a9a 100644 --- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml +++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml @@ -8,5 +8,8 @@ {{- if .Values.manifests.job_ks_endpoints }} {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} +{{- if .Values.manifests.certificates -}} +{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}} +{{- end -}} {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{- end }} diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml index e367fd7d..6013b312 100644 --- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml +++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml @@ -291,7 +291,7 @@ secrets: tls: compute: api_proxy: - public: nova-api-proxy-tls-public + public: nova-tls-public manifests: configmap_bin: true diff --git a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml index 595843f4..5f748bb1 100644 --- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml +++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml 
@@ -3213,8 +3213,10 @@ data: # Disable SSL certificate checks (useful for self-signed certificates): #OPENSTACK_SSL_NO_VERIFY = True + {{- if .Values.manifests.certificates }} # The CA certificate to use to verify SSL connections - #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt' + {{- end }} # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the # capabilities of the auth backend for Keystone.
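Review bot: The new `OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt'` hard-codes a path that must match wherever the helm-toolkit `tls_volume_mount` snippet places the bundle in the horizon pod; that snippet is outside this diff, so the coupling is unchecked here. Because `#OPENSTACK_SSL_NO_VERIFY = True` stays commented out, a mismatched path fails closed (Horizon cannot verify Keystone and logins fail) rather than falling back to unverified TLS, which is the right failure mode but will present as an outage. Add a comment above the assignment, `# Must match the mount path used by helm-toolkit.snippets.tls_volume_mount; leave OPENSTACK_SSL_NO_VERIFY unset so a missing bundle fails closed`, and consider templating the path from the same value the snippet uses so the two cannot drift.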