Merge "Update openstack-helm-infra commit"

This commit is contained in:
Zuul 2021-10-12 21:49:01 +00:00 committed by Gerrit Code Review
commit 9a86882cda
22 changed files with 297 additions and 957 deletions

View File

@ -1,2 +1,2 @@
openstack-helm-34a7533b6484a157c8725889d0d68e792e13fc8d.tar.gz#openstack-helm#https://github.com/openstack/openstack-helm/archive/34a7533b6484a157c8725889d0d68e792e13fc8d.tar.gz#http##
openstack-helm-infra-34d54f2812b7d54431d548cff08fe8da7f838124.tar.gz#openstack-helm-infra#https://github.com/openstack/openstack-helm-infra/archive/34d54f2812b7d54431d548cff08fe8da7f838124.tar.gz#http##
openstack-helm-infra-8351fdd0f1228717342c2accc96977b0cdc36dc3.tar.gz#openstack-helm-infra#https://github.com/openstack/openstack-helm-infra/archive/8351fdd0f1228717342c2accc96977b0cdc36dc3.tar.gz#http##

View File

@ -1,5 +1,5 @@
TAR_NAME=openstack-helm-infra
SHA=34d54f2812b7d54431d548cff08fe8da7f838124
SHA=8351fdd0f1228717342c2accc96977b0cdc36dc3
VERSION=1.0.0
TAR="$TAR_NAME-$SHA.tar.gz"

View File

@ -1,4 +1,4 @@
%global sha 34d54f2812b7d54431d548cff08fe8da7f838124
%global sha 8351fdd0f1228717342c2accc96977b0cdc36dc3
%global helm_folder /usr/lib/helm
Summary: Openstack-Helm-Infra charts
@ -16,21 +16,17 @@ Source1: repositories.yaml
BuildArch: noarch
Patch01: 0001-Add-imagePullSecrets-in-service-account.patch
Patch02: 0002-Set-Min-NGINX-handles.patch
Patch03: 0003-Partial-revert-of-31e3469d28858d7b5eb6355e88b6f49fd6.patch
Patch04: 0004-Fix-pod-restarts-on-all-workers-when-worker-added-re.patch
Patch05: 0005-Add-io_thread_pool-for-rabbitmq.patch
Patch06: 0006-Enable-override-of-rabbitmq-probe-parameters.patch
Patch07: 0007-Fix-ipv6-address-issue-causing-mariadb-ingress-not-ready.patch
Patch08: 0008-Fix-rabbitmq-could-not-bind-port-to-ipv6-address-iss.patch
Patch09: 0009-Enable-override-of-mariadb-server-probe-parameters.patch
Patch10: 0010-Mariadb-use-utf8_general_ci-collation-as-default.patch
Patch11: 0011-Add-mariadb-database-config-override-to-support-ipv6.patch
Patch12: 0012-enable-Values.conf.database.config_override-for-mari.patch
Patch13: 0013-Allow-set-public-endpoint-url-for-all-openstack-types.patch
Patch14: 0014-Add-tolerations-to-rabbitmq-chart.patch
Patch15: 0015-Add-tolerations-to-mariadb-chart.patch
Patch16: 0016-Add-Trust-ingress-support-to-helm-toolkit.patch
Patch16: 0016-Disabling-helm3_hooks.patch
BuildRequires: helm
BuildRequires: chartmuseum
@ -41,15 +37,11 @@ Openstack Helm Infra charts
%prep
%setup -n openstack-helm-infra
%patch01 -p1
%patch02 -p1
%patch03 -p1
%patch04 -p1
%patch05 -p1
%patch06 -p1
%patch07 -p1
%patch08 -p1
%patch09 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1

View File

@ -1,28 +0,0 @@
From 93ec2454cba41bf3de1419bada1f145f1ca9dbd9 Mon Sep 17 00:00:00 2001
From: Al Bailey <Al.Bailey@windriver.com>
Date: Wed, 20 Feb 2019 13:56:27 -0600
Subject: [PATCH 3/4] Set Min NGINX handles
Signed-off-by: Robert Church <robert.church@windriver.com>
---
mariadb/files/nginx.tmpl | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mariadb/files/nginx.tmpl b/mariadb/files/nginx.tmpl
index 5ec3d0d..07b7cc5 100644
--- a/mariadb/files/nginx.tmpl
+++ b/mariadb/files/nginx.tmpl
@@ -23,7 +23,9 @@ daemon off;
worker_processes {{ $cfg.WorkerProcesses }};
pid /run/nginx.pid;
-{{ if ne .MaxOpenFiles 0 }}
+{{ if lt .MaxOpenFiles 2048 }}
+worker_rlimit_nofile 2048;
+{{else}}
worker_rlimit_nofile {{ .MaxOpenFiles }};
{{ end }}
--
2.16.5

View File

@ -24,32 +24,32 @@ index 41dc198..e0e61e6 100644
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@@ -191,6 +195,10 @@ spec:
value: "{{ tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
- name: PORT_CLUSTERING
value: "{{ add (tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") 20000 }}"
@@ -215,6 +219,10 @@ spec:
{{- if ne (.Values.conf.feature_flags | default "") "default" }}
- name: RABBITMQ_FEATURE_FLAGS
value: "{{ .Values.conf.feature_flags }}"
+{{- end }}
+{{- if $envAll.Values.io_thread_pool.enabled }}
+ - name: RABBITMQ_IO_THREAD_POOL_SIZE
+ value: {{ $envAll.Values.io_thread_pool.size | quote }}
+{{- end }}
{{- end }}
readinessProbe:
initialDelaySeconds: 10
timeoutSeconds: 10
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index 6c95787..9cd3a91 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -334,6 +334,10 @@ volume:
class_name: general
size: 256Mi
@@ -375,6 +375,10 @@ volume:
# Set helm3_hook to false while using helm2
helm3_hook: true
+io_thread_pool:
+ enabled: false
+ size: 64
+
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
--
--
2.7.4

View File

@ -17,7 +17,7 @@ diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulse
index e0e61e6..f71dc3e 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@@ -200,14 +200,16 @@ spec:
@@ -225,14 +225,16 @@ spec:
value: {{ $envAll.Values.io_thread_pool.size | quote }}
{{- end }}
readinessProbe:
@ -30,7 +30,7 @@ index e0e61e6..f71dc3e 100644
command:
- /tmp/rabbitmq-readiness.sh
livenessProbe:
- initialDelaySeconds: 30
- initialDelaySeconds: 60
- timeoutSeconds: 10
+ initialDelaySeconds: {{ $envAll.Values.pod.probes.liveness.initialDelaySeconds }}
+ periodSeconds: {{ $envAll.Values.pod.probes.liveness.periodSeconds }}

View File

@ -1,32 +0,0 @@
From 6fccedb6743ea240d52fbe52f3129e7dc5ee29db Mon Sep 17 00:00:00 2001
From: Zhipeng Liu <zhipengs.liu@intel.com>
Date: Thu, 27 Feb 2020 01:01:57 +0800
Subject: [PATCH] Fix ipv6 address issue causing mariadb ingress not ready
Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
---
mariadb/files/nginx.tmpl | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mariadb/files/nginx.tmpl b/mariadb/files/nginx.tmpl
index 5ec3d0d..356fad5 100644
--- a/mariadb/files/nginx.tmpl
+++ b/mariadb/files/nginx.tmpl
@@ -473,11 +473,11 @@ stream {
{{ range $j, $endpoint := $tcpServer.Endpoints }}
{{ if eq $j 0 }}
# NOTE(portdirect): see https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-health-check/#passive-tcp-health-checks to tune passive healthchecks
- server {{ $endpoint.Address }}:{{ $endpoint.Port }};
+ server {{ formatIP $endpoint.Address }}:{{ $endpoint.Port }};
{{ else if eq $j 1 }}
- server {{ $endpoint.Address }}:{{ $endpoint.Port }} backup;
+ server {{ formatIP $endpoint.Address }}:{{ $endpoint.Port }} backup;
{{ else }}
- server {{ $endpoint.Address }}:{{ $endpoint.Port }} down;
+ server {{ formatIP $endpoint.Address }}:{{ $endpoint.Port }} down;
{{ end }}
{{ end }}
}
--
2.7.4

View File

@ -1,93 +0,0 @@
From d6ed947c071d8eeaf646e42dae55fc0d0764d23c Mon Sep 17 00:00:00 2001
From: Zhipeng Liu <zhipengs.liu@intel.com>
Date: Fri, 20 Mar 2020 23:37:20 +0800
Subject: [PATCH] Fix rabbitmq could not bind port to ipv6 address issue
Signed-off-by: Zhipeng Liu <zhipengs.liu@intel.com>
---
rabbitmq/templates/configmap-etc.yaml | 11 ++++++++++-
rabbitmq/templates/statefulset.yaml | 10 ++++++++++
rabbitmq/values.yaml | 7 +++++--
3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/rabbitmq/templates/configmap-etc.yaml b/rabbitmq/templates/configmap-etc.yaml
index 87f25f5..ca05c8e 100644
--- a/rabbitmq/templates/configmap-etc.yaml
+++ b/rabbitmq/templates/configmap-etc.yaml
@@ -21,7 +21,9 @@ limitations under the License.
{{- $_ := print "kubernetes.default.svc." $envAll.Values.endpoints.cluster_domain_suffix | set $envAll.Values.conf.rabbitmq.cluster_formation.k8s "host" -}}
{{- end -}}
-{{- $_ := print "0.0.0.0:" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
+{{- $_ := print ":::" ( tuple "oslo_messaging" "internal" "amqp" . | include "helm-toolkit.endpoints.endpoint_port_lookup") | set $envAll.Values.conf.rabbitmq.listeners.tcp "1" -}}
+
+{{- $_ := tuple "oslo_messaging" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set $envAll.Values.conf.rabbitmq "management.listener.port" -}}
---
apiVersion: v1
@@ -33,4 +35,11 @@ data:
{{ tuple "etc/_enabled_plugins.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbitmq.conf: |
{{ include "rabbitmq.utils.to_rabbit_config" $envAll.Values.conf.rabbitmq | indent 4 }}
+{{- if .Values.manifests.config_ipv6 }}
+ rabbitmq-env.conf: |
+ SERVER_ADDITIONAL_ERL_ARGS="+A 128 -kernel inetrc '/etc/rabbitmq/erl_inetrc' -proto_dist inet6_tcp"
+ CTL_ERL_ARGS="-proto_dist inet6_tcp"
+ erl_inetrc: |
+ {inet6, true}.
+{{- end }}
{{ end }}
diff --git a/rabbitmq/templates/statefulset.yaml b/rabbitmq/templates/statefulset.yaml
index 96334de..4fb1f38 100644
--- a/rabbitmq/templates/statefulset.yaml
+++ b/rabbitmq/templates/statefulset.yaml
@@ -239,6 +239,16 @@ spec:
mountPath: /etc/rabbitmq/rabbitmq.conf
subPath: rabbitmq.conf
readOnly: true
+{{- if .Values.manifests.config_ipv6 }}
+ - name: rabbitmq-etc
+ mountPath: /etc/rabbitmq/rabbitmq-env.conf
+ subPath: rabbitmq-env.conf
+ readOnly: true
+ - name: rabbitmq-etc
+ mountPath: /etc/rabbitmq/erl_inetrc
+ subPath: erl_inetrc
+ readOnly: true
+{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index ebaf43c..0824a0e 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -36,9 +36,9 @@ images:
prometheus_rabbitmq_exporter: docker.io/kbudde/rabbitmq-exporter:v0.21.0
prometheus_rabbitmq_exporter_helm_tests: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
rabbitmq_init: docker.io/openstackhelm/heat:ocata-ubuntu_xenial
- rabbitmq: docker.io/rabbitmq:3.7.13
+ rabbitmq: docker.io/rabbitmq:3.7.24
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
- scripted_test: docker.io/rabbitmq:3.7.13-management
+ scripted_test: docker.io/rabbitmq:3.7.24-management
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
@@ -195,6 +195,8 @@ conf:
queue_master_locator: min-masters
loopback_users.guest: "false"
management.load_definitions: "/var/lib/rabbitmq/definitions.json"
+ management.listener.ip: "::"
+ management.listener.port: null
dependencies:
dynamic:
@@ -385,3 +387,4 @@ manifests:
service_ingress_management: true
service: true
statefulset: true
+ config_ipv6: false
--
1.8.3.1

View File

@ -29,7 +29,7 @@ index e31d4ac..83e135f 100644
exec:
command:
- /tmp/stop.sh
-{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "readiness" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 -}}
-{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "readiness" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "readiness" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "startup" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "server" "container" "mariadb" "type" "liveness" "probeTemplate" (include "mariadbReadinessProbe" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}

View File

@ -1,32 +0,0 @@
From 8e6de1efc32797f3ba1bc166b2b70992b3399022 Mon Sep 17 00:00:00 2001
From: "Chen, Yan" <yan.chen@intel.com>
Date: Fri, 29 May 2020 05:04:30 +0000
Subject: [PATCH] mariadb: use utf8_general_ci collation as default
Mariadb is using utf8_general_ci as the default collation:
- https://mariadb.com/kb/en/mariadb/supported-character-sets-and-collations/
Thus the collation server in the helm charts should be utf8_general_ci
instead of utf8_unicode_ci.
Signed-off-by: Chen, Yan <yan.chen@intel.com>
---
mariadb/values.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index c7a70d2..7bc4497 100755
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -307,7 +307,7 @@ conf:
[mysqld]
# Charset
character_set_server=utf8
- collation_server=utf8_unicode_ci
+ collation_server=utf8_general_ci
skip-character-set-client-handshake
# Logging
--
1.8.3.1

View File

@ -46,11 +46,12 @@ diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 444bba3..880b31e 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -550,3 +550,4 @@ manifests:
@@ -671,4 +671,5 @@ manifests:
service_error: true
service: true
statefulset: true
+ config_ipv6: false
...
--
1.8.3.1

View File

@ -1,365 +0,0 @@
From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Thu, 22 Jul 2021 09:01:02 -0300
Subject: [PATCH] Add Trust ingress support to helm-toolkit
This patch enables the following OpenStack services to trust
public ingress certificate: keystone, horizon, glance,
cinder, heat, nova, placement and neutron.
This patch is roughly based on
https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
---
.../templates/manifests/_job-bootstrap.tpl | 5 +-
.../templates/manifests/_job-ks-endpoints.tpl | 5 +-
.../templates/manifests/_job-ks-service.tpl | 5 +-
.../templates/manifests/_job-ks-user.yaml.tpl | 5 +-
.../templates/scripts/_rally_test.sh.tpl | 2 +-
.../snippets/_keystone_openrc_env_vars.tpl | 13 +++
.../snippets/_keystone_secret_openrc.tpl | 3 +
.../_keystone_user_create_env_vars.tpl | 1 +
.../templates/snippets/_tls_volume.tpl | 47 +++++++++++
.../templates/snippets/_tls_volume_mount.tpl | 82 +++++++++++++++++++
10 files changed, 163 insertions(+), 5 deletions(-)
create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl
create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl
diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
index 9c1f9aae..c67a4a70 100644
--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -29,6 +29,7 @@ limitations under the License.
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
{{- $openrc := index . "openrc" | default "true" -}}
{{- $secretBin := index . "secretBin" -}}
@@ -68,7 +69,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{- if eq $openrc "true" }}
env:
-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
{{- end }}
@@ -93,6 +94,7 @@ spec:
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
@@ -115,6 +117,7 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
index 11e77335..674bb214 100644
--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -25,6 +25,7 @@ limitations under the License.
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -73,8 +74,9 @@ spec:
mountPath: /tmp/ks-endpoints.sh
subPath: ks-endpoints.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SVC_ENDPOINT
@@ -100,4 +102,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl
index 71cc9094..f3a9503e 100644
--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -25,6 +25,7 @@ limitations under the License.
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -72,8 +73,9 @@ spec:
mountPath: /tmp/ks-service.sh
subPath: ks-service.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SERVICE_NAME
@@ -94,4 +96,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index 1003e4f7..2fafaa16 100644
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -26,6 +26,7 @@ limitations under the License.
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
@@ -71,8 +72,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@@ -100,4 +102,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}
diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
index a7b614a6..ccaf435b 100644
--- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF
}
],
"https_insecure": false,
- "https_cacert": ""
+ "https_cacert": "${OS_CACERT}"
}
}
EOF
diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
index d856ab21..dcbb361a 100644
--- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -67,9 +67,15 @@ return: |
secretKeyRef:
name: example-keystone-admin
key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
*/}}
{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
{{- $ksUserSecret := .ksUserSecret }}
- name: OS_IDENTITY_API_VERSION
value: "3"
@@ -118,4 +124,11 @@ return: |
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
{{- end }}
diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
index f6083b9b..e328ea4a 100644
--- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
OS_USERNAME: {{ $userContext.username | b64enc }}
OS_PASSWORD: {{ $userContext.password | b64enc }}
OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
{{- end }}
diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
index 622757bc..ff717ef3 100644
--- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -24,6 +24,7 @@ values: |
service_user: example-keystone-user
usage: |
{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
return: |
- name: SERVICE_OS_REGION_NAME
valueFrom:
diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 00000000..41fe3d96
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 00000000..9cfa8195
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--
2.17.1

View File

@ -0,0 +1,40 @@
From 823eadb9068287c48121b9f3e1d63fee1d941493 Mon Sep 17 00:00:00 2001
From: Thiago Brito <thiago.brito@windriver.com>
Date: Fri, 24 Sep 2021 21:52:43 -0300
Subject: [PATCH] Disabling helm3_hooks
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
---
mariadb/values.yaml | 2 +-
rabbitmq/values.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 0144f91b..be9b1f60 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@@ -635,7 +635,7 @@ network_policy:
# Helm hook breaks for helm2.
# Set helm3_hook: false in case helm2 is used.
-helm3_hook: true
+helm3_hook: false
manifests:
certificates: false
diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml
index 9f0e83d5..d16ba167 100644
--- a/rabbitmq/values.yaml
+++ b/rabbitmq/values.yaml
@@ -382,7 +382,7 @@ volume:
# Hook break for helm2.
# Set helm3_hook to false while using helm2
-helm3_hook: true
+helm3_hook: false
io_thread_pool:
enabled: false
--
2.17.1

View File

@ -1,365 +0,0 @@
From 77afb812d696e25e5f889a54bcedbb6a898656b8 Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Thu, 22 Jul 2021 09:01:02 -0300
Subject: [PATCH] Add Trust ingress support to helm-toolkit
This patch enables the following OpenStack services to trust
public ingress certificate: keystone, horizon, glance,
cinder, heat, nova, placement and neutron.
This patch is roughly based on
https://review.opendev.org/c/openstack/openstack-helm-infra/+/737194
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
---
.../templates/manifests/_job-bootstrap.tpl | 5 +-
.../templates/manifests/_job-ks-endpoints.tpl | 5 +-
.../templates/manifests/_job-ks-service.tpl | 5 +-
.../templates/manifests/_job-ks-user.yaml.tpl | 5 +-
.../templates/scripts/_rally_test.sh.tpl | 2 +-
.../snippets/_keystone_openrc_env_vars.tpl | 13 +++
.../snippets/_keystone_secret_openrc.tpl | 3 +
.../_keystone_user_create_env_vars.tpl | 1 +
.../templates/snippets/_tls_volume.tpl | 47 +++++++++++
.../templates/snippets/_tls_volume_mount.tpl | 82 +++++++++++++++++++
10 files changed, 163 insertions(+), 5 deletions(-)
create mode 100644 helm-toolkit/templates/snippets/_tls_volume.tpl
create mode 100644 helm-toolkit/templates/snippets/_tls_volume_mount.tpl
diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
index 9c1f9aae..c67a4a70 100644
--- a/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -29,6 +29,7 @@ limitations under the License.
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
{{- $openrc := index . "openrc" | default "true" -}}
{{- $secretBin := index . "secretBin" -}}
@@ -68,7 +69,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{- if eq $openrc "true" }}
env:
-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
{{- end }}
@@ -93,6 +94,7 @@ spec:
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- if $podVolMounts }}
{{ $podVolMounts | toYaml | indent 12 }}
{{- end }}
@@ -115,6 +117,7 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- if $podVols }}
{{ $podVols | toYaml | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
index 11e77335..674bb214 100644
--- a/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -25,6 +25,7 @@ limitations under the License.
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -73,8 +74,9 @@ spec:
mountPath: /tmp/ks-endpoints.sh
subPath: ks-endpoints.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SVC_ENDPOINT
@@ -100,4 +102,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-service.tpl b/helm-toolkit/templates/manifests/_job-ks-service.tpl
index 71cc9094..f3a9503e 100644
--- a/helm-toolkit/templates/manifests/_job-ks-service.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -25,6 +25,7 @@ limitations under the License.
{{- $serviceTypes := index . "serviceTypes" -}}
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $secretBin := index . "secretBin" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
@@ -72,8 +73,9 @@ spec:
mountPath: /tmp/ks-service.sh
subPath: ks-service.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: OS_SERVICE_NAME
@@ -94,4 +96,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index 1003e4f7..2fafaa16 100644
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -26,6 +26,7 @@ limitations under the License.
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
@@ -71,8 +72,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@@ -100,4 +102,5 @@ spec:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}
diff --git a/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
index a7b614a6..ccaf435b 100644
--- a/helm-toolkit/templates/scripts/_rally_test.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -68,7 +68,7 @@ cat > /tmp/rally-config.json << EOF
}
],
"https_insecure": false,
- "https_cacert": ""
+ "https_cacert": "${OS_CACERT}"
}
}
EOF
diff --git a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
index d856ab21..dcbb361a 100644
--- a/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -67,9 +67,15 @@ return: |
secretKeyRef:
name: example-keystone-admin
key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
*/}}
{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
{{- $ksUserSecret := .ksUserSecret }}
- name: OS_IDENTITY_API_VERSION
value: "3"
@@ -118,4 +124,11 @@ return: |
secretKeyRef:
name: {{ $ksUserSecret }}
key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
{{- end }}
diff --git a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
index f6083b9b..e328ea4a 100644
--- a/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -28,4 +28,7 @@ OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
OS_USERNAME: {{ $userContext.username | b64enc }}
OS_PASSWORD: {{ $userContext.password | b64enc }}
OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
{{- end }}
diff --git a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
index 622757bc..ff717ef3 100644
--- a/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
+++ b/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -24,6 +24,7 @@ values: |
service_user: example-keystone-user
usage: |
{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user ) }}
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
return: |
- name: SERVICE_OS_REGION_NAME
valueFrom:
diff --git a/helm-toolkit/templates/snippets/_tls_volume.tpl b/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 00000000..41fe3d96
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
diff --git a/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 00000000..9cfa8195
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--
2.17.1

View File

@ -1,6 +1,6 @@
%global sha 34a7533b6484a157c8725889d0d68e792e13fc8d
%global helm_folder /usr/lib/helm
%global toolkit_version 0.1.0
%global toolkit_version 0.2.19
%global helmchart_version 0.1.0
%global _default_patch_flags --no-backup-if-mismatch --prefix=/tmp/junk
@ -30,6 +30,7 @@ Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch
Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch
Patch10: 0010-Add-stx_admin-account.patch
Patch11: 0011-Trust-public-ingress-certificate.patch
Patch12: 0012-Update-helm-tookit-dependencies-to-0.2.19.patch
BuildRequires: helm
BuildRequires: openstack-helm-infra
@ -52,6 +53,7 @@ Openstack Helm charts
%patch09 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%build
# Stage helm-toolkit in the local repo

View File

@ -0,0 +1,220 @@
From 5eafbeb89313b1bc45369720ba1b700d3cf3c609 Mon Sep 17 00:00:00 2001
From: Thiago Brito <thiago.brito@windriver.com>
Date: Thu, 16 Sep 2021 11:43:02 -0300
Subject: [PATCH] Update helm-tookit dependencies to >=0.1.0
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
diff --git a/aodh/requirements.yaml b/aodh/requirements.yaml
index 780e525c..fbba94ae 100644
--- a/aodh/requirements.yaml
+++ b/aodh/requirements.yaml
@@ -15,4 +15,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/barbican/requirements.yaml b/barbican/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/barbican/requirements.yaml
+++ b/barbican/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/ceilometer/requirements.yaml b/ceilometer/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/ceilometer/requirements.yaml
+++ b/ceilometer/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/cinder/requirements.yaml b/cinder/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/cinder/requirements.yaml
+++ b/cinder/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/congress/requirements.yaml b/congress/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/congress/requirements.yaml
+++ b/congress/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/designate/requirements.yaml b/designate/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/designate/requirements.yaml
+++ b/designate/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/glance/requirements.yaml b/glance/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/glance/requirements.yaml
+++ b/glance/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/heat/requirements.yaml b/heat/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/heat/requirements.yaml
+++ b/heat/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/horizon/requirements.yaml b/horizon/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/horizon/requirements.yaml
+++ b/horizon/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/ironic/requirements.yaml b/ironic/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/ironic/requirements.yaml
+++ b/ironic/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/keystone/requirements.yaml b/keystone/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/keystone/requirements.yaml
+++ b/keystone/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/magnum/requirements.yaml b/magnum/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/magnum/requirements.yaml
+++ b/magnum/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/mistral/requirements.yaml b/mistral/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/mistral/requirements.yaml
+++ b/mistral/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/neutron/requirements.yaml b/neutron/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/neutron/requirements.yaml
+++ b/neutron/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/nova/requirements.yaml b/nova/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/nova/requirements.yaml
+++ b/nova/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/octavia/requirements.yaml b/octavia/requirements.yaml
index 35cf13c6..c09473b3 100644
--- a/octavia/requirements.yaml
+++ b/octavia/requirements.yaml
@@ -15,4 +15,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/panko/requirements.yaml b/panko/requirements.yaml
index 780e525c..fbba94ae 100644
--- a/panko/requirements.yaml
+++ b/panko/requirements.yaml
@@ -15,4 +15,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/placement/requirements.yaml b/placement/requirements.yaml
index 551fd91c..7efb17a3 100644
--- a/placement/requirements.yaml
+++ b/placement/requirements.yaml
@@ -15,4 +15,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/rally/requirements.yaml b/rally/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/rally/requirements.yaml
+++ b/rally/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/senlin/requirements.yaml b/senlin/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/senlin/requirements.yaml
+++ b/senlin/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
diff --git a/tempest/requirements.yaml b/tempest/requirements.yaml
index 5669e12c..432e28c1 100644
--- a/tempest/requirements.yaml
+++ b/tempest/requirements.yaml
@@ -13,4 +13,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
- version: 0.1.0
+ version: ">= 0.1.0"
--
2.17.1

View File

@ -1,7 +1,7 @@
%global helm_folder /usr/lib/helm
%global armada_folder /usr/lib/armada
%global app_folder /usr/lib/application
%global toolkit_version 0.1.0
%global toolkit_version 0.2.19
%global helmchart_version 0.1.0
Summary: StarlingX Openstack Application Helm charts

View File

@ -7,4 +7,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0
version: ">= 0.1.0"

View File

@ -15,4 +15,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0
version: ">= 0.1.0"

View File

@ -7,4 +7,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0
version: ">= 0.1.0"

View File

@ -7,4 +7,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0
version: ">= 0.1.0"

View File

@ -40,7 +40,7 @@ data:
values: {}
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/helm-toolkit-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/helm-toolkit-0.2.19.tgz
subpath: helm-toolkit
reference: master
dependencies: []
@ -94,7 +94,7 @@ data:
bind-address: "::"
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/ingress-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/ingress-0.2.3.tgz
subpath: ingress
reference: master
dependencies:
@ -198,7 +198,7 @@ data:
operator: Exists
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/mariadb-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/mariadb-0.2.5.tgz
subpath: mariadb
dependencies:
- helm-toolkit
@ -278,7 +278,7 @@ data:
prometheus_memcached_exporter: null
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/memcached-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/memcached-0.1.4.tgz
subpath: memcached
reference: master
dependencies:
@ -351,7 +351,7 @@ data:
operator: Exists
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/rabbitmq-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/rabbitmq-0.1.13.tgz
subpath: rabbitmq
reference: master
dependencies:
@ -691,7 +691,7 @@ data:
default: requiredDuringSchedulingIgnoredDuringExecution
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/ceph-rgw-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/ceph-rgw-0.1.15.tgz
subpath: ceph-rgw
reference: master
dependencies:
@ -920,7 +920,7 @@ data:
ceph_config_helper: docker.io/starlingx/ceph-config-helper:v1.15.0
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/libvirt-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/libvirt-0.1.7.tgz
subpath: libvirt
reference: master
dependencies:
@ -959,7 +959,7 @@ data:
openvswitch_vswitchd: docker.io/starlingx/stx-ovs:master-centos-stable-latest
source:
type: tar
location: http://172.17.0.1/helm_charts/starlingx/openvswitch-0.1.0.tgz
location: http://172.17.0.1/helm_charts/starlingx/openvswitch-0.1.5.tgz
subpath: openvswitch
reference: master
dependencies: