diff --git a/centos_tarball-dl.lst b/centos_tarball-dl.lst index 460ee30e..ab95f687 100644 --- a/centos_tarball-dl.lst +++ b/centos_tarball-dl.lst @@ -1,2 +1,2 @@ -openstack-helm-34a7533b6484a157c8725889d0d68e792e13fc8d.tar.gz#openstack-helm#https://github.com/openstack/openstack-helm/archive/34a7533b6484a157c8725889d0d68e792e13fc8d.tar.gz#http## +openstack-helm-7803000a545687ec40b0ddc41d46a6b377dea45f.tar.gz#openstack-helm#https://github.com/openstack/openstack-helm/archive/7803000a545687ec40b0ddc41d46a6b377dea45f.tar.gz#http## openstack-helm-infra-8351fdd0f1228717342c2accc96977b0cdc36dc3.tar.gz#openstack-helm-infra#https://github.com/openstack/openstack-helm-infra/archive/8351fdd0f1228717342c2accc96977b0cdc36dc3.tar.gz#http## diff --git a/openstack-helm/centos/build_srpm.data b/openstack-helm/centos/build_srpm.data index 9fced4ac..05a384aa 100644 --- a/openstack-helm/centos/build_srpm.data +++ b/openstack-helm/centos/build_srpm.data @@ -1,5 +1,5 @@ TAR_NAME=openstack-helm -SHA=34a7533b6484a157c8725889d0d68e792e13fc8d +SHA=7803000a545687ec40b0ddc41d46a6b377dea45f VERSION=1.0.0 TAR="$TAR_NAME-$SHA.tar.gz" diff --git a/openstack-helm/centos/openstack-helm.spec b/openstack-helm/centos/openstack-helm.spec index 51ab0ad0..8d08003d 100644 --- a/openstack-helm/centos/openstack-helm.spec +++ b/openstack-helm/centos/openstack-helm.spec @@ -1,4 +1,4 @@ -%global sha 34a7533b6484a157c8725889d0d68e792e13fc8d +%global sha 7803000a545687ec40b0ddc41d46a6b377dea45f %global helm_folder /usr/lib/helm %global toolkit_version 0.2.19 %global helmchart_version 0.1.0 
@@ -23,14 +23,11 @@ Patch01: 0001-Ceilometer-chart-add-the-ability-to-publish-events-t.patch Patch02: 0002-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch Patch03: 0003-Nova-console-ip-address-search-optionality.patch Patch04: 0004-Nova-chart-Support-ephemeral-pool-creation.patch -Patch05: 0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch -Patch06: 0006-Support-ingress-creation-for-keystone-admin-endpoint.patch -Patch07: 0007-Allow-more-generic-overrides-for-placeme.patch -Patch08: 0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch -Patch09: 0009-Wrong-usage-of-rbd_store_chunk_size.patch -Patch10: 0010-Add-stx_admin-account.patch -Patch11: 0011-Trust-public-ingress-certificate.patch -Patch12: 0012-Update-helm-tookit-dependencies-to-0.2.19.patch +Patch05: 0005-Support-ingress-creation-for-keystone-admin-endpoint.patch +Patch06: 0006-Allow-set-public-endpoint-url-for-keystone-endpoints.patch +Patch07: 0007-Wrong-usage-of-rbd_store_chunk_size.patch +Patch08: 0008-Add-stx_admin-account.patch +Patch09: 0009-Disabling-helm3_hook.patch BuildRequires: helm BuildRequires: openstack-helm-infra @@ -51,9 +48,6 @@ Openstack Helm charts %patch07 -p1 %patch08 -p1 %patch09 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 %build # Stage helm-toolkit in the local repo @@ -95,4 +89,3 @@ install -p -D -m 755 *.tgz ${RPM_BUILD_ROOT}%{helm_folder} #helm_folder is owned by openstack-helm-infra %defattr(-,root,root,-) %{helm_folder}/* - diff --git a/openstack-helm/files/0003-Nova-console-ip-address-search-optionality.patch b/openstack-helm/files/0003-Nova-console-ip-address-search-optionality.patch index 5dca0248..a4a451a7 100644 --- a/openstack-helm/files/0003-Nova-console-ip-address-search-optionality.patch +++ b/openstack-helm/files/0003-Nova-console-ip-address-search-optionality.patch @@ -45,15 +45,15 @@ diff --git a/nova/values.yaml b/nova/values.yaml index 6fb6237..ca92907 100644 --- a/nova/values.yaml 
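Review bot: The Patch list in the first spec hunk drops four carried patches (0005 nova probe toggles, 0007 placement overrides, 0011 public ingress certificate trust, 0012 helm-toolkit 0.2.19 dependencies) without recording what replaces them. A comment above `Patch01:` would make that auditable, for example `# Local patches 0005, 0007, 0011 and 0012 dropped with the move to this sha; replaced by <upstream change ids>`. Patch 0011 governed which certificates the services trust, so its replacement is the one most worth naming explicitly. `%global toolkit_version 0.2.19` is unchanged while the patch that aligned the chart dependencies to 0.2.19 is removed, so it is worth confirming that the charts at the new sha still resolve helm-toolkit at that version. The `%patchNN` lines in the following hunk match the renumbered list as far as the hunk shows.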
+++ b/nova/values.yaml -@@ -512,6 +512,7 @@ console: +@@ -527,6 +527,7 @@ console: vncproxy: # IF blank, search default routing interface vncserver_proxyclient_interface: + address_search_enabled: true - - ssh: - key_types: -@@ -1658,6 +1659,7 @@ conf: + + ceph_client: + configmap: ceph-etc +@@ -1666,6 +1666,7 @@ conf: # If this option is set to None, the hostname of the migration target compute node will be used. live_migration_interface: hypervisor: diff --git a/openstack-helm/files/0004-Nova-chart-Support-ephemeral-pool-creation.patch b/openstack-helm/files/0004-Nova-chart-Support-ephemeral-pool-creation.patch index d8538704..afd6c51f 100644 --- a/openstack-helm/files/0004-Nova-chart-Support-ephemeral-pool-creation.patch +++ b/openstack-helm/files/0004-Nova-chart-Support-ephemeral-pool-creation.patch @@ -105,15 +105,15 @@ diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.ya index c4e47fb..54571ac 100644 --- a/nova/templates/configmap-bin.yaml +++ b/nova/templates/configmap-bin.yaml -@@ -85,6 +85,8 @@ data: +@@ -93,6 +93,8 @@ data: {{ tuple "bin/_nova-console-proxy-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} nova-console-proxy-init-assets.sh: | {{ tuple "bin/_nova-console-proxy-init-assets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + nova-storage-init.sh: | +{{ tuple "bin/_nova-storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + ssh-init.sh: | + {{ tuple "bin/_ssh-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} ssh-start.sh: | - {{ tuple "bin/_ssh-start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} - cell-setup.sh: | diff --git a/nova/templates/job-storage-init.yaml b/nova/templates/job-storage-init.yaml new file mode 100644 index 0000000..3963926 @@ -277,15 +277,15 @@ diff --git a/nova/values.yaml b/nova/values.yaml index ca92907..3179231 100644 --- a/nova/values.yaml 
+++ b/nova/values.yaml -@@ -85,6 +85,7 @@ images: +@@ -87,6 +87,7 @@ images: nova_service_cleaner: 'docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_xenial' nova_spiceproxy: docker.io/openstackhelm/nova:stein-ubuntu_bionic nova_spiceproxy_assets: docker.io/openstackhelm/nova:stein-ubuntu_bionic + nova_storage_init: 'docker.io/port/ceph-config-helper:v1.10.3' - test: docker.io/xrally/xrally-openstack:1.3.0 + test: docker.io/xrally/xrally-openstack:2.0.0 image_repo_sync: docker.io/docker:17.07.0 nova_wait_for_computes_init: gcr.io/google_containers/hyperkube-amd64:v1.11.6 -@@ -608,6 +609,14 @@ conf: +@@ -616,6 +617,14 @@ conf: user: "cinder" keyring: null secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337 @@ -297,15 +297,15 @@ index ca92907..3179231 100644 + rbd_crush_rule: 0 + rbd_replication: 3 + rbd_chunk_size: 64 - ssh: | - Host * - StrictHostKeyChecking no -@@ -1865,6 +1874,7 @@ secrets: - placement: - placement: - public: placement-tls-public + rally_tests: + run_tempest: false + clean_up: | +@@ -1893,6 +1902,7 @@ secrets: + compute_spice_proxy: + spiceproxy: + internal: nova-tls-spiceproxy + ephemeral: nova-ephemeral - + # typically overridden by environmental # values, but should include all endpoints @@ -2572,6 +2582,13 @@ pod: diff --git a/openstack-helm/files/0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch b/openstack-helm/files/0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch deleted file mode 100644 index bcbe97a9..00000000 --- a/openstack-helm/files/0005-Nova-Add-support-for-disabling-Readiness-Liveness-pr.patch +++ /dev/null 
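Review bot: The refreshed nova/values.yaml hunk inside 0004 still adds `nova_storage_init: 'docker.io/port/ceph-config-helper:v1.10.3'`, an image from a different registry namespace than the `docker.io/openstackhelm/...` images around it, and referenced by tag only. A tag can be re-pointed at the registry, so the storage-init job (its template is outside this hunk) would run whatever the tag resolves to at pull time, unless a deploy-time override replaces the image. Consider pinning by digest, e.g. `nova_storage_init: 'docker.io/port/ceph-config-helper:v1.10.3@sha256:<digest-placeholder>'`. Alternatively, align it with the `openstackhelm/ceph-config-helper` image already used for `nova_service_cleaner`.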
@@ -1,226 +0,0 @@ -From 6126b916d6fc135d07203651434e37a3bd54454b Mon Sep 17 00:00:00 2001 -From: Robert Church -Date: Fri, 22 Mar 2019 03:42:08 -0400 -Subject: [PATCH] Nova: Add support for disabling Readiness/Liveness probes - -With the introduction of Readiness/Liveness probes in -Ib8e4b93486588320fd2d562c3bc90b65844e52e5, some probes are failing and -preventing successful armada manifest applies. - -Add support to disable the probes. - -Change-Id: Iebe7327055f58fa78ce3fcac968c1fa617c30c2f -Signed-off-by: Robert Church ---- - nova/templates/daemonset-compute.yaml | 4 ++++ - nova/templates/deployment-conductor.yaml | 4 ++++ - nova/templates/deployment-consoleauth.yaml | 4 ++++ - nova/templates/deployment-novncproxy.yaml | 4 ++++ - nova/templates/deployment-scheduler.yaml | 4 ++++ - nova/templates/deployment-spiceproxy.yaml | 4 ++++ - nova/values.yaml | 27 +++++++++++++++++++++++++++ - 7 files changed, 51 insertions(+) - -diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml -index c623f52..3d0908f 100644 ---- a/nova/templates/daemonset-compute.yaml -+++ b/nova/templates/daemonset-compute.yaml -@@ -194,6 +194,7 @@ spec: - - name: LIBVIRT_CEPH_SECRET_UUID - value: "{{ .Values.conf.ceph.secret_uuid }}" - {{ end }} -+ {{- if .Values.pod.probes.readiness.nova_compute.enabled }} - readinessProbe: - exec: - command: -@@ -209,6 +210,8 @@ spec: - initialDelaySeconds: 80 - periodSeconds: 190 - timeoutSeconds: 185 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_compute.enabled }} - livenessProbe: - exec: - command: -@@ -225,6 +228,7 @@ spec: - initialDelaySeconds: 120 - periodSeconds: 600 - timeoutSeconds: 580 -+ {{- end }} - command: - - /tmp/nova-compute.sh - terminationMessagePath: /var/log/termination-log -diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml -index 7fe578a..a4d3852 100644 ---- a/nova/templates/deployment-conductor.yaml -+++ b/nova/templates/deployment-conductor.yaml 
-@@ -58,6 +58,7 @@ spec: - {{ tuple $envAll "nova_conductor" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "nova" "container" "nova_conductor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ {{- if .Values.pod.probes.readiness.nova_conductor.enabled }} - readinessProbe: - exec: - command: -@@ -70,6 +71,8 @@ spec: - initialDelaySeconds: 80 - periodSeconds: 190 - timeoutSeconds: 185 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_conductor.enabled }} - livenessProbe: - exec: - command: -@@ -83,6 +86,7 @@ spec: - initialDelaySeconds: 120 - periodSeconds: 600 - timeoutSeconds: 580 -+ {{- end }} - command: - - /tmp/nova-conductor.sh - volumeMounts: -diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml -index 575896c..a9a58b2 100644 ---- a/nova/templates/deployment-consoleauth.yaml -+++ b/nova/templates/deployment-consoleauth.yaml -@@ -58,6 +58,7 @@ spec: - {{ tuple $envAll "nova_consoleauth" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.consoleauth | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "nova" "container" "nova_consoleauth" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ {{- if .Values.pod.probes.readiness.nova_consoleauth.enabled }} - readinessProbe: - exec: - command: -@@ -70,6 +71,8 @@ spec: - initialDelaySeconds: 80 - periodSeconds: 190 - timeoutSeconds: 185 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_consoleauth.enabled }} - livenessProbe: - exec: - command: -@@ -83,6 +86,7 @@ spec: - initialDelaySeconds: 120 - periodSeconds: 600 - timeoutSeconds: 580 -+ {{- end }} - command: - - /tmp/nova-consoleauth.sh - 
volumeMounts: -diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml -index 1291523..723ee88 100644 ---- a/nova/templates/deployment-novncproxy.yaml -+++ b/nova/templates/deployment-novncproxy.yaml -@@ -102,14 +102,18 @@ spec: - {{ tuple $envAll "nova_novncproxy" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.novncproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "nova" "container" "nova_novncproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ {{- if .Values.pod.probes.readiness.nova_novcnproxy.enabled }} - readinessProbe: - tcpSocket: - port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - initialDelaySeconds: 30 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_novcnproxy.enabled }} - livenessProbe: - tcpSocket: - port: {{ tuple "compute_novnc_proxy" "internal" "novnc_proxy" . 
| include "helm-toolkit.endpoints.endpoint_port_lookup" }} - initialDelaySeconds: 30 -+ {{- end }} - command: - - /tmp/nova-console-proxy.sh - ports: -diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml -index d49682c..cdee77f 100644 ---- a/nova/templates/deployment-scheduler.yaml -+++ b/nova/templates/deployment-scheduler.yaml -@@ -58,6 +58,7 @@ spec: - {{ tuple $envAll "nova_scheduler" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.scheduler | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "nova" "container" "nova_scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ {{- if .Values.pod.probes.readiness.nova_scheduler.enabled }} - readinessProbe: - exec: - command: -@@ -70,6 +71,8 @@ spec: - initialDelaySeconds: 80 - periodSeconds: 190 - timeoutSeconds: 185 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_scheduler.enabled }} - livenessProbe: - exec: - command: -@@ -83,6 +86,7 @@ spec: - initialDelaySeconds: 120 - periodSeconds: 600 - timeoutSeconds: 580 -+ {{- end }} - command: - - /tmp/nova-scheduler.sh - volumeMounts: -diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml -index 7278829..13e273e 100644 ---- a/nova/templates/deployment-spiceproxy.yaml -+++ b/nova/templates/deployment-spiceproxy.yaml -@@ -99,14 +99,18 @@ spec: - {{ tuple $envAll "nova_spiceproxy" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.spiceproxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "nova" "container" "nova_spiceproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ {{- if .Values.pod.probes.readiness.nova_spiceproxy.enabled }} - readinessProbe: - tcpSocket: - 
port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - initialDelaySeconds: 30 -+ {{- end }} -+ {{- if .Values.pod.probes.liveness.nova_spiceproxy.enabled }} - livenessProbe: - tcpSocket: - port: {{ tuple "compute_spice_proxy" "internal" "spice_proxy" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - initialDelaySeconds: 30 -+ {{- end }} - command: - - /tmp/nova-console-proxy.sh - ports: -diff --git a/nova/values.yaml b/nova/values.yaml -index 3179231..c445d15 100644 ---- a/nova/values.yaml -+++ b/nova/values.yaml -@@ -2589,6 +2589,33 @@ pod: - limits: - memory: "1024Mi" - cpu: "2000m" -+ probes: -+ readiness: -+ nova_compute: -+ enabled: true -+ nova_conductor: -+ enabled: true -+ nova_consoleauth: -+ enabled: true -+ nova_novcnproxy: -+ enabled: true -+ nova_scheduler: -+ enabled: true -+ nova_spiceproxy: -+ enabled: true -+ liveness: -+ nova_compute: -+ enabled: true -+ nova_conductor: -+ enabled: true -+ nova_consoleauth: -+ enabled: true -+ nova_novcnproxy: -+ enabled: true -+ nova_scheduler: -+ enabled: true -+ nova_spiceproxy: -+ enabled: true - - network_policy: - nova: --- -1.8.3.1 - diff --git a/openstack-helm/files/0006-Support-ingress-creation-for-keystone-admin-endpoint.patch b/openstack-helm/files/0005-Support-ingress-creation-for-keystone-admin-endpoint.patch similarity index 90% rename from openstack-helm/files/0006-Support-ingress-creation-for-keystone-admin-endpoint.patch rename to openstack-helm/files/0005-Support-ingress-creation-for-keystone-admin-endpoint.patch index 4d9aae5b..3b6737de 100644 --- a/openstack-helm/files/0006-Support-ingress-creation-for-keystone-admin-endpoint.patch +++ b/openstack-helm/files/0005-Support-ingress-creation-for-keystone-admin-endpoint.patch @@ -18,11 +18,10 @@ diff --git a/keystone/templates/ingress-api.yaml b/keystone/templates/ingress-ap index de36571..37c3013 100644 --- a/keystone/templates/ingress-api.yaml 
+++ b/keystone/templates/ingress-api.yaml -@@ -18,3 +18,12 @@ limitations under the License. - {{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}} +@@ -21,3 +21,11 @@ limitations under the License. + {{- end -}} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} -+ +{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.admin }} +{{ $ingressNamePublic := tuple "identity" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} +{{ $ingressNameAdmin := tuple "identity" "admin" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} @@ -33,4 +32,3 @@ index de36571..37c3013 100644 +{{- end }} -- 1.8.3.1 - diff --git a/openstack-helm/files/0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch b/openstack-helm/files/0006-Allow-set-public-endpoint-url-for-keystone-endpoints.patch similarity index 100% rename from openstack-helm/files/0008-Allow-set-public-endpoint-url-for-keystone-endpoints.patch rename to openstack-helm/files/0006-Allow-set-public-endpoint-url-for-keystone-endpoints.patch diff --git a/openstack-helm/files/0007-Allow-more-generic-overrides-for-placeme.patch b/openstack-helm/files/0007-Allow-more-generic-overrides-for-placeme.patch deleted file mode 100644 index 25a96395..00000000 --- a/openstack-helm/files/0007-Allow-more-generic-overrides-for-placeme.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 17e0d2616389aabd4f07c561698fa4870b121bd4 Mon Sep 17 00:00:00 2001 -From: Zhipeng Liu -Date: Thu, 14 May 2020 06:20:38 +0000 -Subject: [PATCH] Allow more generic overrides for placement.patch - -Signed-off-by: Zhipeng Liu ---- - placement/templates/bin/_placement-api.sh.tpl | 21 +++++++++++++++++---- - placement/values.yaml | 12 ++++++++++++ - 2 files changed, 29 insertions(+), 4 deletions(-) - -diff --git a/placement/templates/bin/_placement-api.sh.tpl b/placement/templates/bin/_placement-api.sh.tpl -index 5cd8918..7c5acb3 100644 ---- a/placement/templates/bin/_placement-api.sh.tpl -+++ b/placement/templates/bin/_placement-api.sh.tpl -@@ -24,19 +24,32 @@ function start () { - cp -a $(type -p placement-api) /var/www/cgi-bin/placement/ - - if [ -f /etc/apache2/envvars ]; then -- # Loading Apache2 ENV variables -- source /etc/apache2/envvars -+ # Loading Apache2 ENV variables -+ source /etc/apache2/envvars -+ # The directory below has to be created due to the fact that -+ # libapache2-mod-wsgi-py3 doesn't create it in contrary by libapache2-mod-wsgi -+ mkdir -p ${APACHE_RUN_DIR} - fi - - # Get rid of stale pid file if present. - rm -f /var/run/apache2/*.pid - - # Start Apache2 -- exec apache2ctl -DFOREGROUND -+ {{- if .Values.conf.software.apache2.a2enmod }} -+ {{- range .Values.conf.software.apache2.a2enmod }} -+ a2enmod {{ . }} -+ {{- end }} -+ {{- end }} -+ {{- if .Values.conf.software.apache2.a2dismod }} -+ {{- range .Values.conf.software.apache2.a2dismod }} -+ a2dismod {{ . 
}} -+ {{- end }} -+ {{- end }} -+ exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} - } - - function stop () { -- apache2ctl -k graceful-stop -+ {{ .Values.conf.software.apache2.binary }} -k graceful-stop - } - - $COMMAND -diff --git a/placement/values.yaml b/placement/values.yaml -index 9cff0dc..f16fd5d 100644 ---- a/placement/values.yaml -+++ b/placement/values.yaml -@@ -65,6 +65,18 @@ conf: - segregation: 'rule:context_is_admin' - admin_or_owner: 'rule:context_is_admin or project_id:%(project_id)s' - default: 'rule:admin_or_owner' -+ software: -+ apache2: -+ binary: apache2 -+ start_parameters: -DFOREGROUND -+ # Enable/Disable modules -+ # a2enmod: -+ # - headers -+ # - rewrite -+ # a2dismod: -+ # - status -+ a2enmod: null -+ a2dismod: null - placement: - DEFAULT: - debug: false --- -1.8.3.1 - diff --git a/openstack-helm/files/0009-Wrong-usage-of-rbd_store_chunk_size.patch b/openstack-helm/files/0007-Wrong-usage-of-rbd_store_chunk_size.patch similarity index 100% rename from openstack-helm/files/0009-Wrong-usage-of-rbd_store_chunk_size.patch rename to openstack-helm/files/0007-Wrong-usage-of-rbd_store_chunk_size.patch diff --git a/openstack-helm/files/0010-Add-stx_admin-account.patch b/openstack-helm/files/0008-Add-stx_admin-account.patch similarity index 80% rename from openstack-helm/files/0010-Add-stx_admin-account.patch rename to openstack-helm/files/0008-Add-stx_admin-account.patch index 56879cdd..4b2fa2e9 100644 --- a/openstack-helm/files/0010-Add-stx_admin-account.patch +++ b/openstack-helm/files/0008-Add-stx_admin-account.patch @@ -4,20 +4,24 @@ Date: Wed, 28 Oct 2020 15:17:34 +0800 Subject: [PATCH] Add stx_admin account for host to communicate with openstack app +lcavalca: changed content to support tls keystone + 
Signed-off-by: Shuicheng Lin +Signed-off-by: Lucas Cavalcante +Change-Id: Iedcd131578f4e33efd3c3d7c47cbef83331b143a --- - keystone/templates/job-ks-user.yaml | 18 ++++++++++++++++++ + keystone/templates/job-ks-user.yaml | 21 +++++++++++++++++++++ keystone/templates/secret-keystone.yaml | 2 +- keystone/values.yaml | 17 +++++++++++++++++ - 3 files changed, 36 insertions(+), 1 deletion(-) + 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 keystone/templates/job-ks-user.yaml diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml new file mode 100644 -index 0000000..aec4641 +index 00000000..91f990f3 --- /dev/null +++ b/keystone/templates/job-ks-user.yaml -@@ -0,0 +1,18 @@ +@@ -0,0 +1,21 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. @@ -34,10 +38,13 @@ index 0000000..aec4641 + +{{- if .Values.manifests.job_ks_user }} +{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}} ++{{- end -}} +{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} +{{- end }} diff --git a/keystone/templates/secret-keystone.yaml b/keystone/templates/secret-keystone.yaml -index 5aa87ab..0e471f1 100644 +index 5aa87ab5..0e471f13 100644 --- a/keystone/templates/secret-keystone.yaml +++ b/keystone/templates/secret-keystone.yaml @@ -14,7 +14,7 @@ limitations under the License. @@ -50,10 +57,10 @@ index 5aa87ab..0e471f1 100644 --- apiVersion: v1 diff --git a/keystone/values.yaml b/keystone/values.yaml -index 473379d..68bbcdd 100644 +index 5f0e7aa1..ff4493f3 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml -@@ -146,6 +146,10 @@ dependencies: +@@ -141,6 +141,10 @@ dependencies: services: - endpoint: internal service: oslo_db 
@@ -61,10 +68,10 @@ index 473379d..68bbcdd 100644 + services: + - endpoint: internal + service: identity - rabbit_init: + domain_manage: services: - - service: oslo_messaging -@@ -1062,6 +1066,7 @@ secrets: + - endpoint: internal +@@ -1047,6 +1051,7 @@ secrets: identity: admin: keystone-keystone-admin test: keystone-keystone-test @@ -72,7 +79,7 @@ index 473379d..68bbcdd 100644 oslo_db: admin: keystone-db-admin keystone: keystone-db-user -@@ -1104,6 +1109,17 @@ endpoints: +@@ -1090,6 +1095,17 @@ endpoints: user_domain_name: default project_domain_name: default default_domain_id: default @@ -90,7 +97,7 @@ index 473379d..68bbcdd 100644 test: role: admin region_name: RegionOne -@@ -1254,6 +1270,7 @@ manifests: +@@ -1247,6 +1263,7 @@ manifests: job_domain_manage: true job_fernet_setup: true job_image_repo_sync: true @@ -99,4 +106,5 @@ index 473379d..68bbcdd 100644 pdb_api: true pod_rally_test: true -- -2.7.4 +2.17.1 + diff --git a/openstack-helm/files/0009-Disabling-helm3_hook.patch b/openstack-helm/files/0009-Disabling-helm3_hook.patch new file mode 100644 index 00000000..12b7646e --- /dev/null +++ b/openstack-helm/files/0009-Disabling-helm3_hook.patch 
@@ -0,0 +1,130 @@ +198597ee329c4c205f8852779e6a49 Mon Sep 17 00:00:00 2001 +From: Thiago Brito +Date: Mon, 4 Oct 2021 10:04:21 -0300 +Subject: [PATCH] Disabling helm3_hook + +Since openstack-helm now defaults to use helmv3 hooks, this +changes disables it to maintain compatibility with the helm +version in use on StarlingX. + +Signed-off-by: Thiago Brito +Change-Id: I2a343805be2bb20f39b2dd8cc8d2e8716961ea28 +--- + barbican/values.yaml | 2 +- + cinder/values.yaml | 2 +- + glance/values.yaml | 2 +- + heat/values.yaml | 2 +- + keystone/values.yaml | 2 +- + neutron/values.yaml | 2 +- + nova/values.yaml | 2 +- + placement/values.yaml | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/barbican/values.yaml b/barbican/values.yaml +index 72efd88c..44d3b76b 100644 +--- a/barbican/values.yaml ++++ b/barbican/values.yaml +@@ -31,7 +31,7 @@ release_group: null + + # NOTE(philsphicas): the pre-install hook breaks upgrade for helm2 + # Set to false to upgrade using helm2 +-helm3_hook: true ++helm3_hook: false + + images: + tags: +diff --git a/cinder/values.yaml b/cinder/values.yaml +index a70ed72a..30a2e47a 100644 +--- a/cinder/values.yaml ++++ b/cinder/values.yaml +@@ -1516,7 +1516,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/glance/values.yaml b/glance/values.yaml +index a03a69a1..459f04bc 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -1052,7 +1052,7 @@ pod: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. 
+-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/heat/values.yaml b/heat/values.yaml +index 58f786b6..9e9ea64b 100644 +--- a/heat/values.yaml ++++ b/heat/values.yaml +@@ -1293,7 +1293,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/keystone/values.yaml b/keystone/values.yaml +index ff4493f3..84b8fe48 100644 +--- a/keystone/values.yaml ++++ b/keystone/values.yaml +@@ -31,7 +31,7 @@ release_group: null + + # NOTE(gagehugo): the pre-install hook breaks upgrade for helm2 + # Set to false to upgrade using helm2 +-helm3_hook: true ++helm3_hook: false + + images: + tags: +diff --git a/neutron/values.yaml b/neutron/values.yaml +index c72a55b5..6073c6a3 100644 +--- a/neutron/values.yaml ++++ b/neutron/values.yaml +@@ -2514,7 +2514,7 @@ network_policy: + egress: + - {} + +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/nova/values.yaml b/nova/values.yaml +index 6b51b3d5..56f1dc9a 100644 +--- a/nova/values.yaml ++++ b/nova/values.yaml +@@ -2563,7 +2563,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/placement/values.yaml b/placement/values.yaml +index 57d9eb48..2811b200 100644 +--- a/placement/values.yaml ++++ b/placement/values.yaml +@@ -485,7 +485,7 @@ dependencies: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +-- +2.17.1 + + 
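Review bot: This new patch flips the `helm3_hook` default in only eight charts (barbican, cinder, glance, heat, keystone, neutron, nova, placement), so any other chart built from the same tarball that defines `helm3_hook: true` keeps the Helm v3 hook behaviour. The set of packaged charts is not visible here, so that needs checking against the build. Every upstream sha bump will also have to re-apply eight one-line edits; setting `helm3_hook: false` once in the deployment overrides, if the application manifests allow it, would avoid carrying the patch. As shown on this page the patch's first line is `198597ee329c4c205f8852779e6a49 Mon Sep 17 00:00:00 2001`, without the leading `From ` and with a shortened hash. `%patch09 -p1` will most likely tolerate that, but `git am` would not recognise the file as a mailbox patch.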
diff --git a/openstack-helm/files/0011-Trust-public-ingress-certificate.patch b/openstack-helm/files/0011-Trust-public-ingress-certificate.patch
deleted file mode 100644
index 6c443464..00000000
--- a/openstack-helm/files/0011-Trust-public-ingress-certificate.patch
+++ /dev/null
@@ -1,1333 +0,0 @@ -From 0213e7bc58629ec045964fcf480631bc977a9124 Mon Sep 17 00:00:00 2001 -From: Lucas Cavalcante -Date: Tue, 27 Jul 2021 11:55:01 -0300 -Subject: [PATCH] Trust public ingress certificate - -This patch enables the following OpenStack services to trust -public ingress certificate: keystone, horizon, glance, -cinder, heat, nova, placement and neutron. - -This path is roughly based on -https://review.opendev.org/c/openstack/openstack-helm/+/737899 -and considers starlingx workaround that forces services to use -public ingress - -Signed-off-by: Lucas Cavalcante ---- - cinder/templates/deployment-api.yaml | 6 ++++++ - cinder/templates/deployment-volume.yaml | 6 +++--- - cinder/templates/job-bootstrap.yaml | 3 +++ - cinder/templates/job-create-internal-tenant.yaml | 4 +++- - cinder/templates/job-ks-endpoints.yaml | 3 +++ - cinder/templates/job-ks-service.yaml | 3 +++ - cinder/templates/job-ks-user.yaml | 3 +++ - cinder/templates/pod-rally-test.yaml | 7 +++++-- - cinder/values.yaml | 1 + - glance/templates/deployment-api.yaml | 2 ++ - glance/templates/deployment-registry.yaml | 2 ++ - glance/templates/job-bootstrap.yaml | 3 +++ - glance/templates/job-ks-endpoints.yaml | 3 +++ - glance/templates/job-ks-service.yaml | 3 +++ - glance/templates/job-ks-user.yaml | 3 +++ - glance/values.yaml | 1 + - heat/templates/deployment-api.yaml | 2 ++ - heat/templates/deployment-cfn.yaml | 2 ++ - heat/templates/deployment-engine.yaml | 2 ++ - heat/templates/job-bootstrap.yaml | 3 +++ - heat/templates/job-ks-endpoints.yaml | 3 +++ - heat/templates/job-ks-service.yaml | 3 +++ - heat/templates/job-ks-user-domain.yaml | 4 +++- - heat/templates/job-ks-user-trustee.yaml | 3 +++ - heat/templates/job-ks-user.yaml | 3 +++ - heat/templates/job-trusts.yaml | 4 +++- - heat/templates/pod-rally-test.yaml | 7 +++++-- - heat/values.yaml | 1 + - horizon/templates/deployment.yaml | 2 ++ - horizon/values.yaml | 4 +++- - keystone/templates/deployment-api.yaml | 2 ++ - 
keystone/templates/job-bootstrap.yaml | 3 +++ - keystone/templates/job-ks-user.yaml | 3 +++ - keystone/templates/pod-rally-test.yaml | 7 +++++-- - keystone/values.yaml | 1 + - neutron/templates/daemonset-metadata-agent.yaml | 2 ++ - neutron/templates/deployment-server.yaml | 2 ++ - neutron/templates/job-bootstrap.yaml | 3 +++ - neutron/templates/job-ks-endpoints.yaml | 3 +++ - neutron/templates/job-ks-service.yaml | 3 +++ - neutron/templates/job-ks-user.yaml | 3 +++ - neutron/templates/pod-rally-test.yaml | 10 +++++++--- - neutron/values.yaml | 1 + - nova/templates/cron-job-service-cleaner.yaml | 4 +++- - nova/templates/daemonset-compute.yaml | 3 +++ - nova/templates/deployment-api-metadata.yaml | 2 ++ - nova/templates/deployment-api-osapi.yaml | 2 ++ - nova/templates/deployment-conductor.yaml | 2 ++ - nova/templates/deployment-novncproxy.yaml | 2 ++ - nova/templates/deployment-placement.yaml | 2 ++ - nova/templates/deployment-scheduler.yaml | 2 ++ - nova/templates/deployment-spiceproxy.yaml | 2 ++ - nova/templates/job-bootstrap.yaml | 4 +++- - nova/templates/job-cell-setup.yaml | 4 +++- - nova/templates/job-ks-endpoints.yaml | 3 +++ - nova/templates/job-ks-placement-endpoints.yaml | 3 +++ - nova/templates/job-ks-placement-service.yaml | 3 +++ - nova/templates/job-ks-placement-user.yaml | 3 +++ - nova/templates/job-ks-service.yaml | 3 +++ - nova/templates/job-ks-user.yaml | 3 +++ - nova/templates/pod-rally-test.yaml | 7 +++++-- - nova/values.yaml | 4 ++++ - placement/templates/deployment.yaml | 2 ++ - placement/templates/job-ks-endpoints.yaml | 3 +++ - placement/templates/job-ks-service.yaml | 3 +++ - placement/templates/job-ks-user.yaml | 3 +++ - placement/values.yaml | 1 + - 67 files changed, 188 insertions(+), 21 deletions(-) - -diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml -index 34f0e730..fcc97bd2 100644 ---- a/cinder/templates/deployment-api.yaml -+++ b/cinder/templates/deployment-api.yaml -@@ -74,6 +74,10 @@ spec: - 
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - {{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} -+ env: -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} -+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} -+{{- end }} - command: - - /tmp/cinder-api.sh - - start -@@ -134,6 +138,7 @@ spec: - - name: cinder-coordination - mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -152,5 +157,6 @@ spec: - - name: cinder-coordination - emptyDir: {} - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml -index af8a8d9c..7922f3b5 100755 ---- a/cinder/templates/deployment-volume.yaml -+++ b/cinder/templates/deployment-volume.yaml -@@ -111,19 +111,18 @@ spec: - readOnly: true - - name: pod-shared - mountPath: /tmp/pod-shared -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} 
-+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - - name: INTERNAL_PROJECT_NAME - value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }} - - name: INTERNAL_USER_NAME - value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }} -- - {{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }} - {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} - {{- end }} -- - containers: - - name: cinder-volume - {{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }} -@@ -259,5 +258,6 @@ spec: - - name: usrlocalsbin - emptyDir: {} - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml -index 4867099c..e78f965c 100644 ---- a/cinder/templates/job-bootstrap.yaml -+++ b/cinder/templates/job-bootstrap.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} - {{- $bootstrapJob := dict "envAll" . 
"serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} -+{{- end -}} - {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} - {{- end }} -diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml -index 2cb722e2..0d983cb4 100644 ---- a/cinder/templates/job-create-internal-tenant.yaml -+++ b/cinder/templates/job-create-internal-tenant.yaml -@@ -54,8 +54,9 @@ spec: - mountPath: /tmp/create-internal-tenant.sh - subPath: create-internal-tenant.sh - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - env: --{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -82,4 +83,5 @@ spec: - configMap: - name: {{ $configMapBin | quote }} - defaultMode: 0555 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{- end -}} -diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml -index 60f5beca..413e6650 100644 ---- a/cinder/templates/job-ks-endpoints.yaml -+++ b/cinder/templates/job-ks-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . 
"serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml -index bfdad1e2..05411dcf 100644 ---- a/cinder/templates/job-ks-service.yaml -+++ b/cinder/templates/job-ks-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml -index 4d10dfe1..7e78a510 100644 ---- a/cinder/templates/job-ks-user.yaml -+++ b/cinder/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "cinder" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml -index 2575263a..933e1ff4 100644 ---- a/cinder/templates/pod-rally-test.yaml -+++ b/cinder/templates/pod-rally-test.yaml -@@ -49,8 +49,9 @@ spec: - mountPath: /tmp/ks-user.sh - subPath: ks-user.sh - readOnly: true -+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -65,7 +66,7 @@ spec: - {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -88,6 +89,7 @@ spec: - readOnly: true - - name: rally-db - mountPath: /var/lib/rally -+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} - volumes: - - name: 
pod-tmp -@@ -102,5 +104,6 @@ spec: - defaultMode: 0555 - - name: rally-db - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} - {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} - {{- end }} -diff --git a/cinder/values.yaml b/cinder/values.yaml -index 85344d83..865f9e33 100644 ---- a/cinder/values.yaml -+++ b/cinder/values.yaml -@@ -1445,6 +1445,7 @@ network_policy: - - {} - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - cron_volume_usage_audit: true -diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml -index 76f8655c..844f7824 100644 ---- a/glance/templates/deployment-api.yaml -+++ b/glance/templates/deployment-api.yaml -@@ -164,6 +164,7 @@ spec: - subPath: key - readOnly: true - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -197,5 +198,6 @@ spec: - secret: - secretName: {{ .Values.secrets.rbd | quote }} - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml -index 5928c2bb..2bf24767 100644 ---- a/glance/templates/deployment-registry.yaml -+++ b/glance/templates/deployment-registry.yaml -@@ -109,6 +109,7 @@ spec: - mountPath: /etc/glance/policy.json - subPath: policy.json - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" 
.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -123,5 +124,6 @@ spec: - secret: - secretName: glance-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml -index 3fe72b4c..cb5661fa 100644 ---- a/glance/templates/job-bootstrap.yaml -+++ b/glance/templates/job-bootstrap.yaml -@@ -25,5 +25,8 @@ volumes: - {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} - {{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }} - {{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.public -}} -+{{- end -}} - {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} - {{- end }} -diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml -index 5ac03006..5a1575b0 100644 ---- a/glance/templates/job-ks-endpoints.yaml -+++ b/glance/templates/job-ks-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . 
"serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml -index d323ba3b..8c0f0eb5 100644 ---- a/glance/templates/job-ks-service.yaml -+++ b/glance/templates/job-ks-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml -index d39d6a35..69a351c9 100644 ---- a/glance/templates/job-ks-user.yaml -+++ b/glance/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "glance" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/glance/values.yaml b/glance/values.yaml -index 5ffa2cc1..b6e12e62 100644 ---- a/glance/values.yaml -+++ b/glance/values.yaml -@@ -990,6 +990,7 @@ pod: - cpu: "2000m" - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - deployment_api: true -diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml -index f76093b5..6c3c9b70 100644 ---- a/heat/templates/deployment-api.yaml -+++ b/heat/templates/deployment-api.yaml -@@ -109,6 +109,7 @@ spec: - mountPath: /etc/heat/api_audit_map.conf - subPath: api_audit_map.conf - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -123,5 +124,6 @@ spec: - secret: - secretName: heat-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml -index 65be294e..adbd6ee3 100644 ---- a/heat/templates/deployment-cfn.yaml -+++ b/heat/templates/deployment-cfn.yaml -@@ -109,6 +109,7 @@ spec: - mountPath: /etc/heat/api_audit_map.conf - subPath: api_audit_map.conf - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if 
$mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -123,5 +124,6 @@ spec: - secret: - secretName: heat-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml -index da007ef7..2c1913c3 100644 ---- a/heat/templates/deployment-engine.yaml -+++ b/heat/templates/deployment-engine.yaml -@@ -99,6 +99,7 @@ spec: - mountPath: /etc/heat/policy.json - subPath: policy.json - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -113,5 +114,6 @@ spec: - secret: - secretName: heat-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml -index 8334e12f..b7218488 100644 ---- a/heat/templates/job-bootstrap.yaml -+++ b/heat/templates/job-bootstrap.yaml -@@ -15,5 +15,8 @@ limitations under the License. - - {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} - {{- $bootstrapJob := dict "envAll" . 
"serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} -+{{- end -}} - {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} - {{- end }} -diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml -index 61989035..d8b1bb34 100644 ---- a/heat/templates/job-ks-endpoints.yaml -+++ b/heat/templates/job-ks-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml -index b468ff23..f50a73e1 100644 ---- a/heat/templates/job-ks-service.yaml -+++ b/heat/templates/job-ks-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . 
"serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml -index 91584020..18ec80a2 100644 ---- a/heat/templates/job-ks-user-domain.yaml -+++ b/heat/templates/job-ks-user-domain.yaml -@@ -53,8 +53,9 @@ spec: - mountPath: /tmp/ks-domain-user.sh - subPath: ks-domain-user.sh - readOnly: true -+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - env: --{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -88,4 +89,5 @@ spec: - configMap: - name: heat-bin - defaultMode: 0555 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{- end }} -diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml -index a9fadc8f..2e0771a8 100644 ---- a/heat/templates/job-ks-user-trustee.yaml -+++ b/heat/templates/job-ks-user-trustee.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user_trustee }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "heat" "serviceUser" "heat_trustee" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml -index 6a08b355..c5b787df 100644 ---- a/heat/templates/job-ks-user.yaml -+++ b/heat/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml -index 10f156d9..de796293 100644 ---- a/heat/templates/job-trusts.yaml -+++ b/heat/templates/job-trusts.yaml -@@ -57,9 +57,10 @@ spec: - mountPath: /tmp/trusts.sh - subPath: trusts.sh - readOnly: true -+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }} - env: --{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - - name: SERVICE_OS_ROLES -@@ -75,4 +76,5 @@ spec: - configMap: - name: heat-bin - defaultMode: 0555 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if 
$mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }} -diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml -index 52d2aee7..d9352a68 100644 ---- a/heat/templates/pod-rally-test.yaml -+++ b/heat/templates/pod-rally-test.yaml -@@ -50,7 +50,8 @@ spec: - subPath: ks-user.sh - readOnly: true - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -65,7 +66,7 @@ spec: - {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -94,6 +95,7 @@ spec: - subPath: {{ printf "test_template_%d" $key }} - readOnly: true - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} - volumes: - - name: pod-tmp -@@ -108,5 +110,6 @@ spec: - defaultMode: 0555 - - name: rally-db - emptyDir: {} -+{{- dict "enabled" $envAll.Values.manifests.certificates "name" 
$envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} - {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} - {{- end }} -diff --git a/heat/values.yaml b/heat/values.yaml -index c6eabbe1..d388e6bb 100644 ---- a/heat/values.yaml -+++ b/heat/values.yaml -@@ -1261,6 +1261,7 @@ network_policy: - - {} - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - cron_job_engine_cleaner: true -diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml -index 519fb826..049fe01e 100644 ---- a/horizon/templates/deployment.yaml -+++ b/horizon/templates/deployment.yaml -@@ -129,6 +129,7 @@ spec: - subPath: {{ base $policyFile }} - readOnly: true - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -145,5 +146,6 @@ spec: - secret: - secretName: horizon-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/horizon/values.yaml b/horizon/values.yaml -index 31bbe109..2b27c462 100644 ---- a/horizon/values.yaml -+++ b/horizon/values.yaml -@@ -423,8 +423,10 @@ conf: - # Disable SSL certificate checks (useful for self-signed certificates): - #OPENSTACK_SSL_NO_VERIFY = True - -+ {{- if .Values.manifests.certificates }} - # The CA certificate to use to verify SSL connections -- #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' -+ OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt' -+ {{- end }} - - # The OPENSTACK_KEYSTONE_BACKEND settings 
can be used to identify the - # capabilities of the auth backend for Keystone. -diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml -index 03891187..a0cd5d26 100644 ---- a/keystone/templates/deployment-api.yaml -+++ b/keystone/templates/deployment-api.yaml -@@ -147,6 +147,7 @@ spec: - {{- end }} - - name: keystone-credential-keys - mountPath: {{ .Values.conf.keystone.credential.key_repository }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -180,5 +181,6 @@ spec: - - name: keystone-credential-keys - secret: - secretName: keystone-credential-keys -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml -index c874746c..9f06b880 100644 ---- a/keystone/templates/job-bootstrap.yaml -+++ b/keystone/templates/job-bootstrap.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} - {{- $bootstrapJob := dict "envAll" . 
"serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.public -}} -+{{- end -}} - {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} - {{- end }} -diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml -index aec4641c..d0086925 100644 ---- a/keystone/templates/job-ks-user.yaml -+++ b/keystone/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml -index 8d9972e4..f1106829 100644 ---- a/keystone/templates/pod-rally-test.yaml -+++ b/keystone/templates/pod-rally-test.yaml -@@ -50,7 +50,8 @@ spec: - subPath: ks-user.sh - readOnly: true - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -65,7 +66,7 @@ spec: - {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} - env: --{{- with $env 
:= dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -88,6 +89,7 @@ spec: - readOnly: true - - name: rally-db - mountPath: /var/lib/rally -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} - volumes: - - name: pod-tmp -@@ -102,5 +104,6 @@ spec: - defaultMode: 0555 - - name: rally-db - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} - {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} - {{- end }} -diff --git a/keystone/values.yaml b/keystone/values.yaml -index 198c7f22..2e09b9d5 100644 ---- a/keystone/values.yaml -+++ b/keystone/values.yaml -@@ -1250,6 +1250,7 @@ endpoints: - default: 80 - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - cron_credential_rotate: true -diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml -index 4f6a6265..24067e25 100644 ---- a/neutron/templates/daemonset-metadata-agent.yaml -+++ b/neutron/templates/daemonset-metadata-agent.yaml -@@ -184,6 +184,7 @@ spec: - mountPath: /run/netns - mountPropagation: Bidirectional - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 
12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -206,6 +207,7 @@ spec: - hostPath: - path: /run/netns - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }} - {{- end }} - {{- end }} -diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml -index 09e6249a..38e0d70b 100644 ---- a/neutron/templates/deployment-server.yaml -+++ b/neutron/templates/deployment-server.yaml -@@ -138,6 +138,7 @@ spec: - mountPath: /etc/neutron/policy.json - subPath: policy.json - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -152,5 +153,6 @@ spec: - secret: - secretName: neutron-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml -index b3c8287c..8d85a107 100644 ---- a/neutron/templates/job-bootstrap.yaml -+++ b/neutron/templates/job-bootstrap.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }} - {{- $bootstrapJob := dict "envAll" . 
"serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.public -}} -+{{- end -}} - {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} - {{- end }} -diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml -index 6493fd30..9259051b 100644 ---- a/neutron/templates/job-ks-endpoints.yaml -+++ b/neutron/templates/job-ks-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml -index 9afd0368..e92cc83a 100644 ---- a/neutron/templates/job-ks-service.yaml -+++ b/neutron/templates/job-ks-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml -index f80551c5..a8b99153 100644 ---- a/neutron/templates/job-ks-user.yaml -+++ b/neutron/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "neutron" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml -index 7ebaced3..b655372d 100644 ---- a/neutron/templates/pod-rally-test.yaml -+++ b/neutron/templates/pod-rally-test.yaml -@@ -50,8 +50,9 @@ spec: - mountPath: /tmp/ks-user.sh - subPath: ks-user.sh - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -65,7 +66,7 @@ spec: - - name: {{ .Release.Name }}-reset - {{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -94,13 +95,14 @@ spec: - readOnly: true - - name: pod-tmp - mountPath: /tmp/pod-tmp -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ end }} - containers: - - name: {{ .Release.Name }}-test - {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} - {{ tuple $envAll 
$envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -123,6 +125,7 @@ spec: - readOnly: true - - name: rally-db - mountPath: /var/lib/rally -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} - volumes: - - name: pod-tmp -@@ -137,5 +140,6 @@ spec: - defaultMode: 0555 - - name: rally-db - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} - {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} - {{- end }} -diff --git a/neutron/values.yaml b/neutron/values.yaml -index afb7de25..aa766662 100644 ---- a/neutron/values.yaml -+++ b/neutron/values.yaml -@@ -2403,6 +2403,7 @@ network_policy: - - {} - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - daemonset_dhcp_agent: true -diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml -index 0d897b8e..7276dd78 100644 ---- a/nova/templates/cron-job-service-cleaner.yaml -+++ b/nova/templates/cron-job-service-cleaner.yaml -@@ -53,7 +53,7 @@ spec: - {{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }} - 
env: --{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }} -+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }} - {{- end }} - command: -@@ -67,6 +67,7 @@ spec: - readOnly: true - - name: etcnova - mountPath: /etc/nova -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }} - volumes: - - name: pod-tmp - emptyDir: {} -@@ -80,4 +81,5 @@ spec: - configMap: - name: nova-bin - defaultMode: 0555 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }} - {{- end }} -diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml -index 3d0908f2..efc0032f 100644 ---- a/nova/templates/daemonset-compute.yaml -+++ b/nova/templates/daemonset-compute.yaml -@@ -344,6 +344,7 @@ spec: - mountPath: /usr/local/sbin/iscsiadm - subPath: iscsiadm - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }} - {{- if .Values.network.sshd.enabled }} - - name: nova-compute-ssh -@@ -379,6 +380,7 @@ spec: - mountPath: /tmp/ssh-start.sh - subPath: ssh-start.sh - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ end }} - volumes: - - name: pod-tmp -@@ -442,6 +444,7 @@ spec: - - name: usrlocalsbin - emptyDir: {} - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | 
include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }} - {{- end }} - {{- end }} -diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml -index d5da3acf..85f30ebf 100644 ---- a/nova/templates/deployment-api-metadata.yaml -+++ b/nova/templates/deployment-api-metadata.yaml -@@ -161,6 +161,7 @@ spec: - - name: pod-shared - mountPath: /tmp/pod-shared - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -175,5 +176,6 @@ spec: - defaultMode: 0444 - - name: pod-shared - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml -index 89e75a79..9832ec3b 100644 ---- a/nova/templates/deployment-api-osapi.yaml -+++ b/nova/templates/deployment-api-osapi.yaml -@@ -109,6 +109,7 @@ spec: - mountPath: /etc/nova/api_audit_map.conf - subPath: api_audit_map.conf - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -123,5 +124,6 @@ spec: - secret: - secretName: nova-etc - defaultMode: 0444 -+{{- dict "enabled" 
.Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml -index a4d38529..fbc5e111 100644 ---- a/nova/templates/deployment-conductor.yaml -+++ b/nova/templates/deployment-conductor.yaml -@@ -114,6 +114,7 @@ spec: - mountPath: /etc/nova/policy.yaml - subPath: policy.yaml - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -126,5 +127,6 @@ spec: - secret: - secretName: nova-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml -index 723ee884..fef8a51d 100644 ---- a/nova/templates/deployment-novncproxy.yaml -+++ b/nova/templates/deployment-novncproxy.yaml -@@ -139,6 +139,7 @@ spec: - readOnly: true - - name: pod-shared - mountPath: /tmp/pod-shared -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -155,5 +156,6 @@ spec: - emptyDir: {} - - name: pod-shared - emptyDir: {} -+{{- dict 
"enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml -index d6faa30f..bdd8e51f 100644 ---- a/nova/templates/deployment-placement.yaml -+++ b/nova/templates/deployment-placement.yaml -@@ -118,6 +118,7 @@ spec: - subPath: security.conf - readOnly: true - {{- end }} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -132,5 +133,6 @@ spec: - secret: - secretName: nova-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml -index cdee77f6..dd5e3273 100644 ---- a/nova/templates/deployment-scheduler.yaml -+++ b/nova/templates/deployment-scheduler.yaml -@@ -114,6 +114,7 @@ spec: - mountPath: /etc/nova/policy.yaml - subPath: policy.yaml - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -126,5 +127,6 @@ spec: - secret: - secretName: nova-etc - defaultMode: 0444 -+{{- 
dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml -index 13e273e7..58edd39e 100644 ---- a/nova/templates/deployment-spiceproxy.yaml -+++ b/nova/templates/deployment-spiceproxy.yaml -@@ -138,6 +138,7 @@ spec: - readOnly: true - - name: pod-shared - mountPath: /tmp/pod-shared -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -154,5 +155,6 @@ spec: - emptyDir: {} - - name: pod-shared - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml -index 45dfac1c..a1343352 100644 ---- a/nova/templates/job-bootstrap.yaml -+++ b/nova/templates/job-bootstrap.yaml -@@ -63,7 +63,7 @@ spec: - imagePullPolicy: {{ $envAll.Values.images.pull_policy }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - env: --{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }} -+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }} - {{- include 
"helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - - name: WAIT_PERCENTAGE -@@ -91,6 +91,7 @@ spec: - mountPath: {{ $logConfigFile | quote }} - subPath: {{ base $logConfigFile | quote }} - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - volumes: - - name: pod-tmp - emptyDir: {} -@@ -104,6 +105,7 @@ spec: - secret: - secretName: {{ $configMapEtc | quote }} - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - --- - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 -diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml -index 675dac34..bbb13ccf 100644 ---- a/nova/templates/job-cell-setup.yaml -+++ b/nova/templates/job-cell-setup.yaml -@@ -42,7 +42,7 @@ spec: - {{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - env: --{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} - {{- end }} - command: -@@ -54,6 +54,7 @@ spec: - mountPath: /tmp/cell-setup-init.sh - subPath: cell-setup-init.sh - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - containers: - - name: nova-cell-setup - {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }} -@@ -96,4 +97,5 @@ spec: - configMap: - name: 
nova-bin - defaultMode: 0555 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{- end }} -diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml -index c9177499..cf606b96 100644 ---- a/nova/templates/job-ks-endpoints.yaml -+++ b/nova/templates/job-ks-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml -index d907e772..3380c629 100644 ---- a/nova/templates/job-ks-placement-endpoints.yaml -+++ b/nova/templates/job-ks-placement-endpoints.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_placement_endpoints }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml -index aa85c77f..05511388 100644 ---- a/nova/templates/job-ks-placement-service.yaml -+++ b/nova/templates/job-ks-placement-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_placement_service }} - {{- $ksServiceJob := dict "envAll" . 
"serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml -index d24e540c..930ea097 100644 ---- a/nova/templates/job-ks-placement-user.yaml -+++ b/nova/templates/job-ks-placement-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_placement_user }} - {{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml -index 123da415..70ac7220 100644 ---- a/nova/templates/job-ks-service.yaml -+++ b/nova/templates/job-ks-service.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml -index c2f8df36..8a390101 100644 ---- a/nova/templates/job-ks-user.yaml -+++ b/nova/templates/job-ks-user.yaml -@@ -14,5 +14,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "nova" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml -index e025ee26..2553f106 100644 ---- a/nova/templates/pod-rally-test.yaml -+++ b/nova/templates/pod-rally-test.yaml -@@ -49,8 +49,9 @@ spec: - mountPath: /tmp/ks-user.sh - subPath: ks-user.sh - readOnly: true -+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - - name: SERVICE_OS_SERVICE_NAME -@@ -65,7 +66,7 @@ spec: - {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }} - {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }} - env: --{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates}} - {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }} - {{- end }} - {{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }} -@@ -88,6 +89,7 @@ spec: - readOnly: true - - name: rally-db - mountPath: /var/lib/rally -+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }} - {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }} - volumes: - - name: pod-tmp 
-@@ -102,5 +104,6 @@ spec: - defaultMode: 0555 - - name: rally-db - emptyDir: {} -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }} - {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }} - {{- end }} -diff --git a/nova/values.yaml b/nova/values.yaml -index c445d156..a2efbc03 100644 ---- a/nova/values.yaml -+++ b/nova/values.yaml -@@ -1865,6 +1865,9 @@ secrets: - admin: nova-rabbitmq-admin - nova: nova-rabbitmq-user - tls: -+ compute_metadata: -+ metadata: -+ public: metadata-tls-public - compute: - osapi: - public: nova-tls-public -@@ -2632,6 +2635,7 @@ network_policy: - - {} - - manifests: -+ certificate: false - configmap_bin: true - configmap_etc: true - cron_job_cell_setup: true -diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml -index 65bbf6d0..329fa08e 100644 ---- a/placement/templates/deployment.yaml -+++ b/placement/templates/deployment.yaml -@@ -106,6 +106,7 @@ spec: - mountPath: /etc/apache2/conf-enabled/wsgi-placement.conf - subPath: wsgi-placement.conf - readOnly: true -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }} - volumes: - - name: pod-tmp -@@ -120,5 +121,6 @@ spec: - secret: - secretName: placement-etc - defaultMode: 0444 -+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }} - {{- end }} -diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml -index 19269f95..a755fb6a 100644 ---- 
a/placement/templates/job-ks-endpoints.yaml -+++ b/placement/templates/job-ks-endpoints.yaml -@@ -16,5 +16,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_endpoints }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} - {{- end }} -diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml -index 87151af0..737999c4 100644 ---- a/placement/templates/job-ks-service.yaml -+++ b/placement/templates/job-ks-service.yaml -@@ -16,5 +16,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_service }} - {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} -+{{- end -}} - {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} - {{- end }} -diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml -index 1dd4d11d..c53a0fe0 100644 ---- a/placement/templates/job-ks-user.yaml -+++ b/placement/templates/job-ks-user.yaml -@@ -16,5 +16,8 @@ limitations under the License. - - {{- if .Values.manifests.job_ks_user }} - {{- $ksUserJob := dict "envAll" . 
"serviceName" "placement" -}} -+{{- if .Values.manifests.certificates -}} -+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.public -}} -+{{- end -}} - {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} - {{- end }} -diff --git a/placement/values.yaml b/placement/values.yaml -index f16fd5d0..f0342d1e 100644 ---- a/placement/values.yaml -+++ b/placement/values.yaml -@@ -415,6 +415,7 @@ dependencies: - service: oslo_db - - manifests: -+ certificates: false - configmap_bin: true - configmap_etc: true - deployment: true --- -2.17.1 - diff --git a/openstack-helm/files/0012-Update-helm-tookit-dependencies-to-0.2.19.patch b/openstack-helm/files/0012-Update-helm-tookit-dependencies-to-0.2.19.patch deleted file mode 100644 index 119701e5..00000000 --- a/openstack-helm/files/0012-Update-helm-tookit-dependencies-to-0.2.19.patch +++ /dev/null 
@@ -1,220 +0,0 @@ -From 5eafbeb89313b1bc45369720ba1b700d3cf3c609 Mon Sep 17 00:00:00 2001 -From: Thiago Brito -Date: Thu, 16 Sep 2021 11:43:02 -0300 -Subject: [PATCH] Update helm-tookit dependencies to >=0.1.0 - -Signed-off-by: Thiago Brito - -diff --git a/aodh/requirements.yaml b/aodh/requirements.yaml -index 780e525c..fbba94ae 100644 ---- a/aodh/requirements.yaml -+++ b/aodh/requirements.yaml -@@ -15,4 +15,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/barbican/requirements.yaml b/barbican/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/barbican/requirements.yaml -+++ b/barbican/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/ceilometer/requirements.yaml b/ceilometer/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/ceilometer/requirements.yaml -+++ b/ceilometer/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/cinder/requirements.yaml b/cinder/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/cinder/requirements.yaml -+++ b/cinder/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/congress/requirements.yaml b/congress/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/congress/requirements.yaml -+++ b/congress/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/designate/requirements.yaml b/designate/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/designate/requirements.yaml -+++ b/designate/requirements.yaml -@@ -13,4 +13,4 @@ - 
dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/glance/requirements.yaml b/glance/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/glance/requirements.yaml -+++ b/glance/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/heat/requirements.yaml b/heat/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/heat/requirements.yaml -+++ b/heat/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/horizon/requirements.yaml b/horizon/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/horizon/requirements.yaml -+++ b/horizon/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/ironic/requirements.yaml b/ironic/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/ironic/requirements.yaml -+++ b/ironic/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/keystone/requirements.yaml b/keystone/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/keystone/requirements.yaml -+++ b/keystone/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/magnum/requirements.yaml b/magnum/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/magnum/requirements.yaml -+++ b/magnum/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/mistral/requirements.yaml 
b/mistral/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/mistral/requirements.yaml -+++ b/mistral/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/neutron/requirements.yaml b/neutron/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/neutron/requirements.yaml -+++ b/neutron/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/nova/requirements.yaml b/nova/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/nova/requirements.yaml -+++ b/nova/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/octavia/requirements.yaml b/octavia/requirements.yaml -index 35cf13c6..c09473b3 100644 ---- a/octavia/requirements.yaml -+++ b/octavia/requirements.yaml -@@ -15,4 +15,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/panko/requirements.yaml b/panko/requirements.yaml -index 780e525c..fbba94ae 100644 ---- a/panko/requirements.yaml -+++ b/panko/requirements.yaml -@@ -15,4 +15,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/placement/requirements.yaml b/placement/requirements.yaml -index 551fd91c..7efb17a3 100644 ---- a/placement/requirements.yaml -+++ b/placement/requirements.yaml -@@ -15,4 +15,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/rally/requirements.yaml b/rally/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/rally/requirements.yaml -+++ b/rally/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - 
name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/senlin/requirements.yaml b/senlin/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/senlin/requirements.yaml -+++ b/senlin/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" -diff --git a/tempest/requirements.yaml b/tempest/requirements.yaml -index 5669e12c..432e28c1 100644 ---- a/tempest/requirements.yaml -+++ b/tempest/requirements.yaml -@@ -13,4 +13,4 @@ - dependencies: - - name: helm-toolkit - repository: http://localhost:8879/charts -- version: 0.1.0 -+ version: ">= 0.1.0" --- -2.17.1 - diff --git a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py index 6206ca63..b3220a49 100644 --- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py +++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/cinder.py @@ -11,11 +11,13 @@ import tsconfig.tsconfig as tsc from sysinv.common import constants from sysinv.common import exception from sysinv.common import utils -from sysinv.common.storage_backend_conf import StorageBackendConfig - +from sysinv.common import storage_backend_conf from sysinv.helm import common +ROOK_CEPH_BACKEND_NAME = 'ceph-store' + + class CinderHelm(openstack.OpenstackBaseHelm): """Class to encapsulate helm operations for the cinder chart""" 
@@ -45,10 +47,12 @@ class CinderHelm(openstack.OpenstackBaseHelm):
 cinder_override = self._get_conf_rook_cinder_overrides()
 ceph_override = self._get_conf_rook_ceph_overrides()
 backend_override = self._get_conf_rook_backends_overrides()
+ ceph_client_override = self._get_ceph_client_rook_overrides()
 else:
 cinder_override = self._get_conf_cinder_overrides()
 ceph_override = self._get_conf_ceph_overrides()
 backend_override = self._get_conf_backends_overrides()
+ ceph_client_override = self._get_ceph_client_overrides()
 overrides = {
 common.HELM_NS_OPENSTACK: {
@@ -71,7 +75,7 @@ class CinderHelm(openstack.OpenstackBaseHelm):
 'backends': backend_override,
 },
 'endpoints': self._get_endpoints_overrides(),
- 'ceph_client': self._get_ceph_client_overrides()
+ 'ceph_client': ceph_client_override
 }
 }
@@ -91,8 +95,8 @@ class CinderHelm(openstack.OpenstackBaseHelm):
 primary_tier_name =\
 constants.SB_TIER_DEFAULT_NAMES[constants.SB_TIER_TYPE_CEPH]
- replication, min_replication =\
- StorageBackendConfig.get_ceph_pool_replication(self.dbapi)
+ replication, min_replication = storage_backend_conf\
+ .StorageBackendConfig.get_ceph_pool_replication(self.dbapi)
 pools = {}
 for backend in self.dbapi.storage_ceph_get_list():
@@ -325,9 +329,9 @@ class CinderHelm(openstack.OpenstackBaseHelm):
 'volume_driver': ''
 }
- conf_backends['ceph-store'] = {
+ conf_backends[ROOK_CEPH_BACKEND_NAME] = {
 'image_volume_cache_enabled': 'True',
- 'volume_backend_name': 'ceph-store',
+ 'volume_backend_name': ROOK_CEPH_BACKEND_NAME,
 'volume_driver': 'cinder.volume.drivers.rbd.RBDDriver',
 'rbd_pool': 'cinder-volumes',
 'rbd_user': 'cinder',
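Review bot: The rewritten call in the `@@ -91,8 +95,8 @@` hunk breaks one attribute chain across a backslash, `storage_backend_conf\` followed by `.StorageBackendConfig.get_ceph_pool_replication(self.dbapi)`, which stops parsing as soon as trailing whitespace follows the backslash and is harder to read than the line it replaces. Wrapping the right-hand side in parentheses removes the backslash: `replication, min_replication = (`, then `storage_backend_conf.StorageBackendConfig`, then `.get_ceph_pool_replication(self.dbapi))`. The same continuation style is used for `K8RbdProvisioner` in the last cinder.py hunk. The enclosing method starts and ends outside this hunk.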
@@ -336,3 +340,20 @@ class CinderHelm(openstack.OpenstackBaseHelm):
 constants.SB_TYPE_CEPH_CONF_FILENAME),
 }
 return conf_backends
+
+ def _get_ceph_client_rook_overrides(self):
+ return {
+ 'user_secret_name': constants.K8S_RBD_PROV_ADMIN_SECRET_NAME,
+ 'internal_ceph_backend': ROOK_CEPH_BACKEND_NAME,
+ }
+
+ def _get_ceph_client_overrides(self):
+ # A secret is required by the chart for ceph client access. Use the
+ # secret for the kube-rbd pool associated with the primary ceph tier
+ ceph_backend_name = constants.SB_DEFAULT_NAMES[constants.SB_TYPE_CEPH]
+ user_secret_name = storage_backend_conf.K8RbdProvisioner\
+ .get_user_secret_name({'name': ceph_backend_name})
+ return {
+ 'user_secret_name': user_secret_name,
+ 'internal_ceph_backend': ceph_backend_name,
+ }
diff --git a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
index 2e2c8cb6..5279118f 100644
--- a/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
+++ b/python-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/nova.py
@@ -169,17 +169,7 @@ class NovaHelm(openstack.OpenstackBaseHelm):
 return overrides
 def _get_mount_overrides(self):
- overrides = self._get_mount_uefi_overrides()
- # mount /dev/pts in order to get console log
- overrides['volumes'].append({
- 'name': 'dev-pts',
- 'hostPath': {'path': '/dev/pts'}
- })
- overrides['volumeMounts'].append({
- 'name': 'dev-pts',
- 'mountPath': '/dev/pts'
- })
- return overrides
+ return self._get_mount_uefi_overrides()
 def _get_compute_ironic_manifests(self):
 ironic_operator = self._operator.chart_operators[
diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
index 0cf22d94..022f3946 100644
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
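Review bot: `_get_ceph_client_rook_overrides` passes `constants.K8S_RBD_PROV_ADMIN_SECRET_NAME` to the chart as `user_secret_name`, while the non-Rook `_get_ceph_client_overrides` added next to it derives a per-backend user secret through `K8RbdProvisioner.get_user_secret_name`. What the admin secret contains is not visible in this hunk, but if it holds the provisioner's admin key, the Rook path gives cinder's ceph client more privilege than the `'rbd_user': 'cinder'` backend configured in the previous hunk appears to need. A scoped user secret would keep both paths at the same privilege level. If reusing the admin secret is deliberate, record that on the method with a comment such as `# NOTE: Rook path reuses the RBD provisioner admin secret; confirm no scoped user secret is available`, since the new method has no docstring or comment at all.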
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/deployment.yaml
@@ -74,7 +74,7 @@ spec:
 mountPath: /etc/proxy/api-proxy-paste.ini
 subPath: api-proxy-paste.ini
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_proxy.volumeMounts }}{{ toYaml $mounts_nova_api_proxy.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: nova-api-proxy-bin
@@ -85,6 +85,6 @@ spec:
 configMap:
 name: nova-api-proxy-etc
 defaultMode: 0777
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.api_proxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_proxy.volumes}}{{ toYaml $mounts_nova_api_proxy.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
index 560d0a9a..28cc4272 100644
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/templates/job-ks-endpoints.yaml
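Review bot: Both the TLS volume and its volumeMount now take the secret name from `.Values.secrets.tls.compute.api_proxy.internal`, so an existing override file that customised only `secrets.tls.compute.api_proxy.public` will silently get the new default `nova-tls-api` mounted instead of the secret the operator supplied. The same switch is made for `tlsSecret` in the job-ks-endpoints.yaml hunk. With `manifests.certificates` enabled, the pod and the job depend on that secret existing in the namespace, and nothing in the visible hunks shows what creates it. The values.yaml hunk adds the key without explanation; a comment there such as `# internal: TLS secret mounted into the nova-api-proxy pod and passed to the ks-endpoints job as tlsSecret` would make the split from `public` clear to anyone writing overrides.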
@@ -9,7 +9,7 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.public -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.api_proxy.internal -}}
 {{- end -}}
 {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
 {{- end }}
diff --git a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml
index 6013b312..551eb520 100644
--- a/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/helm-charts/nova-api-proxy/values.yaml
@@ -292,6 +292,7 @@ secrets:
 compute:
 api_proxy:
 public: nova-tls-public
+ internal: nova-tls-api
 manifests:
 configmap_bin: true
diff --git a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
index 965ffd87..3a333cd8 100644
--- a/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
+++ b/stx-openstack-helm/stx-openstack-helm/manifests/manifest.yaml
@@ -485,7 +485,7 @@ data:
 curl -X PATCH -H "X-Auth-Token: ${TOKEN}" -H "Content-Type: application/json" -d "${DATA_JSON}" "${REQ_URL}"
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/keystone-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/keystone-0.2.13.tgz
 subpath: keystone
 reference: master
 dependencies:
@@ -609,7 +609,7 @@ data:
 auth_url: http://keystone.openstack.svc.cluster.local:80/v3
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/barbican-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/barbican-0.2.7.tgz
 subpath: barbican
 reference: master
 dependencies:
@@ -779,7 +779,7 @@ data:
 auth_url: http://keystone.openstack.svc.cluster.local:80/v3
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/glance-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/glance-0.2.9.tgz
 subpath: glance
 reference: master
 dependencies:
@@ -876,7 +876,7 @@ data:
 storage: rbd
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/cinder-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/cinder-0.2.10.tgz
 subpath: cinder
 reference: master
 dependencies:
@@ -1228,7 +1228,7 @@ data:
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/nova-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/nova-0.2.21.tgz
 subpath: nova
 reference: master
 dependencies:
@@ -1327,7 +1327,7 @@ data:
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/placement-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/placement-0.2.4.tgz
 subpath: placement
 reference: master
 dependencies:
@@ -1645,7 +1645,7 @@ data:
 firewall_driver: openvswitch
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/neutron-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/neutron-0.2.9.tgz
 subpath: neutron
 reference: master
 dependencies:
@@ -1765,7 +1765,7 @@ data:
 force_public_endpoint: true
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/ironic-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/ironic-0.2.1.tgz
 subpath: ironic
 reference: master
 dependencies:
@@ -1871,7 +1871,7 @@ data:
 default: requiredDuringSchedulingIgnoredDuringExecution
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/heat-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/heat-0.2.7.tgz
 subpath: heat
 reference: master
 dependencies:
@@ -1972,7 +1972,7 @@ data:
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/aodh-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/aodh-0.2.1.tgz
 subpath: aodh
 reference: master
 dependencies:
@@ -2825,7 +2825,7 @@ data:
 default: requiredDuringSchedulingIgnoredDuringExecution
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/ceilometer-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/ceilometer-0.2.1.tgz
 subpath: ceilometer
 reference: master
 dependencies:
@@ -3765,7 +3765,7 @@ data:
 HORIZON_CONFIG["password_autocomplete"] = "off"
 source:
 type: tar
- location: http://172.17.0.1/helm_charts/starlingx/horizon-0.1.0.tgz
+ location: http://172.17.0.1/helm_charts/starlingx/horizon-0.2.10.tgz
 subpath: horizon
 reference: master
 dependencies: