diff --git a/openstack-helm/debian/deb_folder/patches/0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch b/openstack-helm/debian/deb_folder/patches/0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch new file mode 100644 index 00000000..7d0e7051 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0001-Remove-stale-Apache2-service-pids-when-a-POD-starts.patch @@ -0,0 +1,55 @@ +From b620ae1fa40aeadb4bbe2164fad7cb5c330acb78 Mon Sep 17 00:00:00 2001 +From: Chris Friesen +Date: Wed, 28 Nov 2018 01:33:39 -0500 +Subject: [PATCH] Remove stale Apache2 service pids when a POD starts. + +Stale Apache2 pids will prevent Apache2 from starting and will leave +the POD in a crashed state. + +Note: the pid file is somewhat confusingly called +/var/run/httpd/httpd.pid and /var/run/apache2 is just a symlink to +/var/run/httpd. + +This is loosely based off the in-review upstream commit at +https://review.openstack.org/#/c/619747 + +Signed-off-by: Robert Church +--- + ceilometer/templates/bin/_ceilometer-api.sh.tpl | 3 +++ + keystone/templates/bin/_keystone-api.sh.tpl | 6 ++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/ceilometer/templates/bin/_ceilometer-api.sh.tpl b/ceilometer/templates/bin/_ceilometer-api.sh.tpl +index 3ba90d9..4b77452 100644 +--- a/ceilometer/templates/bin/_ceilometer-api.sh.tpl ++++ b/ceilometer/templates/bin/_ceilometer-api.sh.tpl +@@ -40,6 +40,9 @@ function start () { + fi + fi + ++ # Get rid of stale pid file if present. ++ rm -f /var/run/apache2/*.pid ++ + # Start Apache2 + exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} + } +diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl +index 5d4286a..85740a0 100644 +--- a/keystone/templates/bin/_keystone-api.sh.tpl ++++ b/keystone/templates/bin/_keystone-api.sh.tpl +@@ -41,10 +41,8 @@ function start () { + source /etc/apache2/envvars + fi + +- if [ -f /var/run/apache2/apache2.pid ]; then +- # Remove the stale pid for debian/ubuntu images +- rm -f /var/run/apache2/apache2.pid +- fi ++ # Get rid of stale pid, shared memory segment and wsgi sock files if present. ++ rm -f /var/run/apache2/* + + # Start Apache2 + exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }} +-- +1.8.3.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0002-Nova-console-ip-address-search-optionality.patch b/openstack-helm/debian/deb_folder/patches/0002-Nova-console-ip-address-search-optionality.patch new file mode 100644 index 00000000..a4a451a7 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0002-Nova-console-ip-address-search-optionality.patch @@ -0,0 +1,66 @@ +From b5ff7217bca8b5af345a8630ce76b360022336b3 Mon Sep 17 00:00:00 2001 +From: Gerry Kopec +Date: Wed, 27 Mar 2019 00:35:57 -0400 +Subject: [PATCH] Nova console/ip address search optionality + +Add options to nova to enable/disable the use of: +1. the vnc or spice server proxyclient address found by the console + compute init container +2. my_ip hypervisor address found by compute init container + +These options can be used to prevent cases where the found addresses +overwrite what has already been defined in nova.conf by per host nova +compute daemonset overrides. + +Story: 2005259 +Task: 30066 +Change-Id: Idf490f8b19dcd1e71a9b5fa8934461f1198a8af8 +Signed-off-by: Gerry Kopec +(cherry picked from commit f5e8ad20e35b770e5967f75f6f93f0a4dc6e3b41) +Signed-off-by: Robert Church +--- + nova/templates/bin/_nova-compute.sh.tpl | 4 ++++ + nova/values.yaml | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/nova/templates/bin/_nova-compute.sh.tpl b/nova/templates/bin/_nova-compute.sh.tpl +index 23ce347..60b0272 100644 +--- a/nova/templates/bin/_nova-compute.sh.tpl ++++ b/nova/templates/bin/_nova-compute.sh.tpl +@@ -18,9 +18,13 @@ set -ex + + exec nova-compute \ + --config-file /etc/nova/nova.conf \ ++{{- if .Values.console.address_search_enabled }} + --config-file /tmp/pod-shared/nova-console.conf \ ++{{- end }} + --config-file /tmp/pod-shared/nova-libvirt.conf \ + {{- if and ( empty .Values.conf.nova.DEFAULT.host ) ( .Values.pod.use_fqdn.compute ) }} + --config-file /tmp/pod-shared/nova-compute-fqdn.conf \ + {{- end }} ++{{- if .Values.conf.hypervisor.address_search_enabled }} + --config-file /tmp/pod-shared/nova-hypervisor.conf ++{{- end }} +diff --git a/nova/values.yaml b/nova/values.yaml +index 6fb6237..ca92907 100644 +--- a/nova/values.yaml ++++ b/nova/values.yaml +@@ -527,6 +527,7 @@ console: + vncproxy: + # IF blank, search default routing interface + vncserver_proxyclient_interface: ++ address_search_enabled: true + + ceph_client: + configmap: ceph-etc +@@ -1666,6 +1666,7 @@ conf: + # If this option is set to None, the hostname of the migration target compute node will be used. + live_migration_interface: + hypervisor: ++ address_search_enabled: true + # my_ip can be set automatically through this interface name. + host_interface: + # This list is the keys to exclude from the config file ingested by nova-compute +-- +1.8.3.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0003-Nova-chart-Support-ephemeral-pool-creation.patch b/openstack-helm/debian/deb_folder/patches/0003-Nova-chart-Support-ephemeral-pool-creation.patch new file mode 100644 index 00000000..21a824c2 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0003-Nova-chart-Support-ephemeral-pool-creation.patch @@ -0,0 +1,338 @@ +From 8d1a2f90284bc5c3a7fcfbae73f0bdb2e5b03320 Mon Sep 17 00:00:00 2001 +From: Irina Mihai +Date: Tue, 26 Feb 2019 17:43:53 +0000 +Subject: [PATCH] Nova chart: Support ephemeral pool creation + +If libvirt images_type is rbd, then we need to have the +images_rbd_pool present. These changes add a new job +to make sure this pool exists. + +Change-Id: Iee307cb54384d1c4583d00a8d28f7b1a0676d7d8 +Story: 2004922 +Task: 29285 +Signed-off-by: Irina Mihai +(cherry picked from commit 0afcb0b37cdcf57436e44867bac9242d8684ce81) +Signed-off-by: Robert Church +--- + nova/templates/bin/_nova-storage-init.sh.tpl | 73 +++++++++++++ + nova/templates/configmap-bin.yaml | 2 + + nova/templates/job-storage-init.yaml | 153 +++++++++++++++++++++++++++ + nova/values.yaml | 18 ++++ + 4 files changed, 246 insertions(+) + create mode 100644 nova/templates/bin/_nova-storage-init.sh.tpl + create mode 100644 nova/templates/job-storage-init.yaml + +diff --git a/nova/templates/bin/_nova-storage-init.sh.tpl b/nova/templates/bin/_nova-storage-init.sh.tpl +new file mode 100644 +index 0000000..416297f +--- /dev/null ++++ b/nova/templates/bin/_nova-storage-init.sh.tpl +@@ -0,0 +1,73 @@ ++#!/bin/bash ++ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in compliance with the License. ++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++ ++set -x ++if [ "x$STORAGE_BACKEND" == "xrbd" ]; then ++ SECRET=$(mktemp --suffix .yaml) ++ KEYRING=$(mktemp --suffix .keyring) ++ function cleanup { ++ rm -f ${SECRET} ${KEYRING} ++ } ++ trap cleanup EXIT ++fi ++ ++set -ex ++if [ "x$STORAGE_BACKEND" == "xrbd" ]; then ++ ceph -s ++ function ensure_pool () { ++ ceph osd pool stats $1 || ceph osd pool create $1 $2 ++ local test_version=$(ceph tell osd.* version | egrep -c "mimic|luminous" | xargs echo) ++ if [[ ${test_version} -gt 0 ]]; then ++ ceph osd pool application enable $1 $3 ++ fi ++ size_protection=$(ceph osd pool get $1 nosizechange | cut -f2 -d: | tr -d '[:space:]') ++ ceph osd pool set $1 nosizechange 0 ++ ceph osd pool set $1 size ${RBD_POOL_REPLICATION} ++ ceph osd pool set $1 nosizechange ${size_protection} ++ ceph osd pool set $1 crush_rule "${RBD_POOL_CRUSH_RULE}" ++ } ++ ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "nova-ephemeral" ++ ++ if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then ++ echo "Cephx user client.${RBD_POOL_USER} already exist." ++ echo "Update its cephx caps" ++ ceph auth caps client.${RBD_POOL_USER} \ ++ mon "profile rbd" \ ++ osd "profile rbd" ++ ceph auth get client.${RBD_POOL_USER} -o ${KEYRING} ++ else ++ # NOTE: Restrict Nova permissions to what is needed. ++ # MON Read only and RBD access to the Nova ephemeral pool only. ++ ceph auth get-or-create client.${RBD_POOL_USER} \ ++ mon "profile rbd" \ ++ osd "profile rbd" \ ++ -o ${KEYRING} ++ fi ++ ++ ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0) ++ cat > ${SECRET} < +Date: Wed, 4 Dec 2019 13:35:44 -0500 +Subject: [PATCH] Support ingress creation for keystone admin endpoint + +This update added support to create ingress for custom keystone admin +endpoint. It can be used by deployment to expose keytone admin endpoint +to outside of the cluster by ingress. + +Story: 2006588 +Task: 37747 +Signed-off-by: Andy Ning +--- + keystone/templates/ingress-api.yaml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/keystone/templates/ingress-api.yaml b/keystone/templates/ingress-api.yaml +index de36571..37c3013 100644 +--- a/keystone/templates/ingress-api.yaml ++++ b/keystone/templates/ingress-api.yaml +@@ -21,3 +21,11 @@ limitations under the License. + {{- end -}} + {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} + {{- end }} ++{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.admin }} ++{{ $ingressNamePublic := tuple "identity" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} ++{{ $ingressNameAdmin := tuple "identity" "admin" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} ++{{- if not (eq $ingressNamePublic $ingressNameAdmin) }} ++{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" "endpoint" "admin" -}} ++{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} ++{{- end }} ++{{- end }} +-- +1.8.3.1 diff --git a/openstack-helm/debian/deb_folder/patches/0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch b/openstack-helm/debian/deb_folder/patches/0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch new file mode 100644 index 00000000..78333911 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0005-Allow-set-public-endpoint-url-for-keystone-endpoints.patch @@ -0,0 +1,28 @@ +From b272e8ff3a78f38ab82df7995233705611e99f81 Mon Sep 17 00:00:00 2001 +From: Angie Wang +Date: Tue, 1 Sep 2020 00:00:22 -0400 +Subject: [PATCH 1/1] Allow set public endpoint url for keystone endpoints + +--- + keystone/templates/job-db-sync.yaml | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml +index 56a39b8..3d0681e 100644 +--- a/keystone/templates/job-db-sync.yaml ++++ b/keystone/templates/job-db-sync.yaml +@@ -20,7 +20,11 @@ env: + - name: OS_BOOTSTRAP_ADMIN_URL + value: {{ tuple "identity" "admin" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + - name: OS_BOOTSTRAP_INTERNAL_URL ++ {{- if and (hasKey $envAll.Values.endpoints.identity "force_public_endpoint") $envAll.Values.endpoints.identity.force_public_endpoint }} ++ value: {{ tuple "identity" "public" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} ++ {{- else }} + value: {{ tuple "identity" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} ++ {{- end }} + - name: OS_BOOTSTRAP_PUBLIC_URL + value: {{ tuple "identity" "public" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + - name: OPENSTACK_CONFIG_FILE +-- +1.8.3.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0006-Wrong-usage-of-rbd_store_chunk_size.patch b/openstack-helm/debian/deb_folder/patches/0006-Wrong-usage-of-rbd_store_chunk_size.patch new file mode 100644 index 00000000..b183242e --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0006-Wrong-usage-of-rbd_store_chunk_size.patch @@ -0,0 +1,45 @@ +From 2892d1bedf30e7260aa67ad93d94677fad55a760 Mon Sep 17 00:00:00 2001 +From: Elena Taivan +Date: Wed, 30 Sep 2020 14:14:32 +0000 +Subject: [PATCH] Wrong usage of 'rbd_store_chunk_size' + +'rbd_store_chunk_size' option represents the size of the chunks +of the objects into which an image is chuncked. +It does not represent the 'pg_num' value of 'images' ceph pool. + +Solution: replace 'rdb_store_chunk_size' with 'chunk_size' custom +option. +--- + glance/templates/job-storage-init.yaml | 2 +- + glance/values.yaml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml +index 82524086..77ab1c60 100644 +--- a/glance/templates/job-storage-init.yaml ++++ b/glance/templates/job-storage-init.yaml +@@ -114,7 +114,7 @@ spec: + - name: RBD_POOL_CRUSH_RULE + value: {{ .Values.conf.glance.glance_store.rbd_store_crush_rule | quote }} + - name: RBD_POOL_CHUNK_SIZE +- value: {{ .Values.conf.glance.glance_store.rbd_store_chunk_size | quote }} ++ value: {{ .Values.conf.glance.glance_store.chunk_size | quote }} + - name: RBD_POOL_SECRET + value: {{ .Values.secrets.rbd | quote }} + {{ end }} +diff --git a/glance/values.yaml b/glance/values.yaml +index 1428c299..a4f74379 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -256,7 +256,7 @@ conf: + auth_version: v3 + memcache_security_strategy: ENCRYPT + glance_store: +- rbd_store_chunk_size: 8 ++ chunk_size: 8 + rbd_store_replication: 3 + rbd_store_crush_rule: replicated_rule + rbd_store_pool: glance.images +-- +2.17.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0007-Add-stx_admin-account.patch b/openstack-helm/debian/deb_folder/patches/0007-Add-stx_admin-account.patch new file mode 100644 index 00000000..640a9a39 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0007-Add-stx_admin-account.patch @@ -0,0 +1,113 @@ +From 50e5e101857767fa5b20a3f548e3f28ffb8664ed Mon Sep 17 00:00:00 2001 +From: Shuicheng Lin +Date: Wed, 28 Oct 2020 15:17:34 +0800 +Subject: [PATCH] Add stx_admin account for host to communicate with openstack + app + +lcavalca: changed content to support tls keystone + +Signed-off-by: Shuicheng Lin +Signed-off-by: Lucas Cavalcante +Change-Id: Iedcd131578f4e33efd3c3d7c47cbef83331b143a +--- + keystone/templates/job-ks-user.yaml | 21 +++++++++++++++++++++ + keystone/templates/secret-keystone.yaml | 2 +- + keystone/values.yaml | 17 +++++++++++++++++ + 3 files changed, 39 insertions(+), 1 deletion(-) + create mode 100644 keystone/templates/job-ks-user.yaml + +diff --git a/keystone/templates/job-ks-user.yaml b/keystone/templates/job-ks-user.yaml +new file mode 100644 +index 00000000..91f990f3 +--- /dev/null ++++ b/keystone/templates/job-ks-user.yaml +@@ -0,0 +1,24 @@ ++{{/* ++Licensed under the Apache License, Version 2.0 (the "License"); ++you may not use this file except in compliance with the License. ++You may obtain a copy of the License at ++ ++ http://www.apache.org/licenses/LICENSE-2.0 ++ ++Unless required by applicable law or agreed to in writing, software ++distributed under the License is distributed on an "AS IS" BASIS, ++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++See the License for the specific language governing permissions and ++limitations under the License. ++*/}} ++ ++{{- if .Values.manifests.job_ks_user }} ++{{- $ksUserJob := dict "envAll" . "serviceName" "keystone" "serviceUser" "stx_admin" -}} ++{{- if .Values.manifests.certificates -}} ++{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}} ++{{- end -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} ++{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} ++{{- end }} +diff --git a/keystone/templates/secret-keystone.yaml b/keystone/templates/secret-keystone.yaml +index 5aa87ab5..0e471f13 100644 +--- a/keystone/templates/secret-keystone.yaml ++++ b/keystone/templates/secret-keystone.yaml +@@ -14,7 +14,7 @@ limitations under the License. + + {{- if .Values.manifests.secret_keystone }} + {{- $envAll := . }} +-{{- range $key1, $userClass := tuple "admin" "test" }} ++{{- range $key1, $userClass := tuple "admin" "test" "stx_admin" }} + {{- $secretName := index $envAll.Values.secrets.identity $userClass }} + --- + apiVersion: v1 +diff --git a/keystone/values.yaml b/keystone/values.yaml +index 5f0e7aa1..ff4493f3 100644 +--- a/keystone/values.yaml ++++ b/keystone/values.yaml +@@ -141,6 +141,10 @@ dependencies: + services: + - endpoint: internal + service: oslo_db ++ ks_user: ++ services: ++ - endpoint: internal ++ service: identity + domain_manage: + services: + - endpoint: internal +@@ -1047,6 +1051,7 @@ secrets: + identity: + admin: keystone-keystone-admin + test: keystone-keystone-test ++ stx_admin: keystone-keystone-stxadmin + oslo_db: + admin: keystone-db-admin + keystone: keystone-db-user +@@ -1090,6 +1095,17 @@ endpoints: + user_domain_name: default + project_domain_name: default + default_domain_id: default ++ stx_admin: ++ role: ++ - admin ++ - member ++ region_name: RegionOne ++ username: stx_admin ++ password: password ++ project_name: admin ++ user_domain_name: default ++ project_domain_name: default ++ default_domain_id: default + test: + role: admin + region_name: RegionOne +@@ -1247,6 +1263,7 @@ manifests: + job_domain_manage: true + job_fernet_setup: true + job_image_repo_sync: true ++ job_ks_user: true + job_rabbit_init: true + pdb_api: true + pod_rally_test: true +-- +2.17.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0008-Disabling-helm3_hook.patch b/openstack-helm/debian/deb_folder/patches/0008-Disabling-helm3_hook.patch new file mode 100644 index 00000000..12b7646e --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0008-Disabling-helm3_hook.patch @@ -0,0 +1,130 @@ +198597ee329c4c205f8852779e6a49 Mon Sep 17 00:00:00 2001 +From: Thiago Brito +Date: Mon, 4 Oct 2021 10:04:21 -0300 +Subject: [PATCH] Disabling helm3_hook + +Since openstack-helm now defaults to use helmv3 hooks, this +changes disables it to maintain compatibility with the helm +version in use on StarlingX. + +Signed-off-by: Thiago Brito +Change-Id: I2a343805be2bb20f39b2dd8cc8d2e8716961ea28 +--- + barbican/values.yaml | 2 +- + cinder/values.yaml | 2 +- + glance/values.yaml | 2 +- + heat/values.yaml | 2 +- + keystone/values.yaml | 2 +- + neutron/values.yaml | 2 +- + nova/values.yaml | 2 +- + placement/values.yaml | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/barbican/values.yaml b/barbican/values.yaml +index 72efd88c..44d3b76b 100644 +--- a/barbican/values.yaml ++++ b/barbican/values.yaml +@@ -31,7 +31,7 @@ release_group: null + + # NOTE(philsphicas): the pre-install hook breaks upgrade for helm2 + # Set to false to upgrade using helm2 +-helm3_hook: true ++helm3_hook: false + + images: + tags: +diff --git a/cinder/values.yaml b/cinder/values.yaml +index a70ed72a..30a2e47a 100644 +--- a/cinder/values.yaml ++++ b/cinder/values.yaml +@@ -1516,7 +1516,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/glance/values.yaml b/glance/values.yaml +index a03a69a1..459f04bc 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -1052,7 +1052,7 @@ pod: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/heat/values.yaml b/heat/values.yaml +index 58f786b6..9e9ea64b 100644 +--- a/heat/values.yaml ++++ b/heat/values.yaml +@@ -1293,7 +1293,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/keystone/values.yaml b/keystone/values.yaml +index ff4493f3..84b8fe48 100644 +--- a/keystone/values.yaml ++++ b/keystone/values.yaml +@@ -31,7 +31,7 @@ release_group: null + + # NOTE(gagehugo): the pre-install hook breaks upgrade for helm2 + # Set to false to upgrade using helm2 +-helm3_hook: true ++helm3_hook: false + + images: + tags: +diff --git a/neutron/values.yaml b/neutron/values.yaml +index c72a55b5..6073c6a3 100644 +--- a/neutron/values.yaml ++++ b/neutron/values.yaml +@@ -2514,7 +2514,7 @@ network_policy: + egress: + - {} + +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/nova/values.yaml b/nova/values.yaml +index 6b51b3d5..56f1dc9a 100644 +--- a/nova/values.yaml ++++ b/nova/values.yaml +@@ -2563,7 +2563,7 @@ network_policy: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +diff --git a/placement/values.yaml b/placement/values.yaml +index 57d9eb48..2811b200 100644 +--- a/placement/values.yaml ++++ b/placement/values.yaml +@@ -485,7 +485,7 @@ dependencies: + + # NOTE(helm_hook): helm_hook might break for helm2 binary. + # set helm3_hook: false when using the helm2 binary. +-helm3_hook: true ++helm3_hook: false + + manifests: + certificates: false +-- +2.17.1 + + diff --git a/openstack-helm/debian/deb_folder/patches/0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch b/openstack-helm/debian/deb_folder/patches/0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch new file mode 100644 index 00000000..4d0673c9 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0009-Add-flavor-extra-spec-hw-pci_irq_affinity_mask.patch @@ -0,0 +1,75 @@ +From 6d54af3aa180b3b82614ebc0cedd8b4d7d9f5db6 Mon Sep 17 00:00:00 2001 +From: rferraz +Date: Wed, 17 Nov 2021 11:32:23 -0300 +Subject: [PATCH] Add-flavor-extra-spec-hw-pci_irq_affinity_mask + +--- + glance/templates/configmap-etc.yaml | 3 +++ + glance/templates/deployment-api.yaml | 6 ++++++ + glance/templates/job-metadefs-load.yaml | 6 ++++++ + glance/values.yaml | 1 + + 4 files changed, 16 insertions(+) + +diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml +index 97f19fbc..f9be6bfb 100644 +--- a/glance/templates/configmap-etc.yaml ++++ b/glance/templates/configmap-etc.yaml +@@ -195,6 +195,9 @@ data: + glance-api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }} + glance-registry.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance_registry | b64enc }} + glance-registry-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste_registry | b64enc }} ++{{- range $key, $val := .Values.conf.extra_metadata }} ++ compute_{{ $key }}.json: {{ toJson $val | b64enc }} ++{{- end }} + policy.yaml: {{ toYaml .Values.conf.policy | b64enc }} + api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }} + {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }} +diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml +index 78e16715..81711967 100644 +--- a/glance/templates/deployment-api.yaml ++++ b/glance/templates/deployment-api.yaml +@@ -183,6 +183,12 @@ spec: + mountPath: /etc/glance/glance-api.conf + subPath: glance-api.conf + readOnly: true ++ {{- range $key, $val := .Values.conf.extra_metadata }} ++ - name: glance-etc ++ mountPath: /var/lib/openstack/etc/glance/metadefs/compute_{{ $key }}.json ++ subPath: compute_{{ $key }}.json ++ readOnly: true ++ {{- end }} + {{- if .Values.conf.glance.DEFAULT.log_config_append }} + - name: glance-etc + mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }} +diff --git a/glance/templates/job-metadefs-load.yaml b/glance/templates/job-metadefs-load.yaml +index 5c162a5f..47c4286a 100644 +--- a/glance/templates/job-metadefs-load.yaml ++++ b/glance/templates/job-metadefs-load.yaml +@@ -64,6 +64,12 @@ spec: + mountPath: /tmp/metadefs-load.sh + subPath: metadefs-load.sh + readOnly: true ++ {{- range $key, $val := .Values.conf.extra_metadata }} ++ - name: glance-etc ++ mountPath: /var/lib/openstack/etc/glance/metadefs/compute_{{ $key }}.json ++ subPath: compute_{{ $key }}.json ++ readOnly: true ++ {{- end }} + - name: etcglance + mountPath: /etc/glance + - name: glance-etc +diff --git a/glance/values.yaml b/glance/values.yaml +index 459f04bc..0d1c2fdb 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -193,6 +193,7 @@ conf: + oslo_config_program: glance-api + filter:http_proxy_to_wsgi: + paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory ++ extra_metadata: {} + policy: + metadef_default: '' + metadef_admin: 'role:admin' +-- +2.17.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0010-Enable-taint-toleration-for-Openstack-services.patch b/openstack-helm/debian/deb_folder/patches/0010-Enable-taint-toleration-for-Openstack-services.patch new file mode 100644 index 00000000..42cf38b5 --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0010-Enable-taint-toleration-for-Openstack-services.patch @@ -0,0 +1,2027 @@ +From afa951333e70f1771683d4c51edba1a9c4eeed8a Mon Sep 17 00:00:00 2001 +From: Lucas Cavalcante +Date: Wed, 6 Oct 2021 14:49:17 -0300 +Subject: [PATCH] Enable taint toleration for Openstack services + +This changes use the helm-toolkit template for toleration +in openstack services + +Signed-off-by: Lucas Cavalcante +Story: 2009276 +Task: 43531 +Change-Id: I8f63c285cb53090cd7eb0b663bb94fc892dc1a3f +Depends-On: I1c731c94e58895bd8bfc26d4300aac40a9111f12 +--- + cinder/templates/cron-job-cinder-volume-usage-audit.yaml | 3 +++ + cinder/templates/deployment-api.yaml | 3 +++ + cinder/templates/deployment-backup.yaml | 3 +++ + cinder/templates/deployment-scheduler.yaml | 3 +++ + cinder/templates/deployment-volume.yaml | 3 +++ + cinder/templates/job-backup-storage-init.yaml | 3 +++ + cinder/templates/job-bootstrap.yaml | 3 +++ + cinder/templates/job-clean.yaml | 3 +++ + cinder/templates/job-create-internal-tenant.yaml | 3 +++ + cinder/templates/job-db-drop.yaml | 3 +++ + cinder/templates/job-db-init.yaml | 3 +++ + cinder/templates/job-db-sync.yaml | 3 +++ + cinder/templates/job-image-repo-sync.yaml | 3 +++ + cinder/templates/job-ks-endpoints.yaml | 3 +++ + cinder/templates/job-ks-service.yaml | 3 +++ + cinder/templates/job-ks-user.yaml | 3 +++ + cinder/templates/job-rabbit-init.yaml | 3 +++ + cinder/templates/job-storage-init.yaml | 3 +++ + cinder/templates/pod-rally-test.yaml | 3 +++ + cinder/values.yaml | 7 +++++++ + glance/templates/deployment-api.yaml | 3 +++ + glance/templates/deployment-registry.yaml | 3 +++ + glance/templates/job-bootstrap.yaml | 3 +++ + glance/templates/job-clean.yaml | 3 +++ + glance/templates/job-db-drop.yaml | 3 +++ + glance/templates/job-db-init.yaml | 3 +++ + glance/templates/job-db-sync.yaml | 3 +++ + glance/templates/job-image-repo-sync.yaml | 3 +++ + glance/templates/job-ks-endpoints.yaml | 3 +++ + glance/templates/job-ks-service.yaml | 3 +++ + glance/templates/job-ks-user.yaml | 3 +++ + glance/templates/job-metadefs-load.yaml | 3 +++ + glance/templates/job-rabbit-init.yaml | 3 +++ + glance/templates/job-storage-init.yaml | 3 +++ + glance/templates/pod-rally-test.yaml | 3 +++ + glance/values.yaml | 7 +++++++ + heat/templates/cron-job-engine-cleaner.yaml | 3 +++ + heat/templates/cron-job-purge-deleted.yaml | 3 +++ + heat/templates/deployment-api.yaml | 3 +++ + heat/templates/deployment-cfn.yaml | 3 +++ + heat/templates/deployment-cloudwatch.yaml | 3 +++ + heat/templates/deployment-engine.yaml | 3 +++ + heat/templates/job-bootstrap.yaml | 3 +++ + heat/templates/job-db-drop.yaml | 3 +++ + heat/templates/job-db-init.yaml | 3 +++ + heat/templates/job-db-sync.yaml | 3 +++ + heat/templates/job-image-repo-sync.yaml | 3 +++ + heat/templates/job-ks-endpoints.yaml | 3 +++ + heat/templates/job-ks-service.yaml | 3 +++ + heat/templates/job-ks-user-domain.yaml | 3 +++ + heat/templates/job-ks-user-trustee.yaml | 3 +++ + heat/templates/job-ks-user.yaml | 3 +++ + heat/templates/job-rabbit-init.yaml | 3 +++ + heat/templates/job-trusts.yaml | 3 +++ + heat/templates/pod-rally-test.yaml | 3 +++ + heat/values.yaml | 7 +++++++ + horizon/templates/deployment.yaml | 3 +++ + horizon/templates/job-db-drop.yaml | 3 +++ + horizon/templates/job-db-init.yaml | 3 +++ + horizon/templates/job-db-sync.yaml | 3 +++ + horizon/templates/job-image-repo-sync.yaml | 3 +++ + horizon/templates/pod-helm-tests.yaml | 3 +++ + horizon/values.yaml | 7 +++++++ + keystone/templates/cron-job-credential-rotate.yaml | 3 +++ + keystone/templates/cron-job-fernet-rotate.yaml | 3 +++ + keystone/templates/deployment-api.yaml | 3 +++ + keystone/templates/job-bootstrap.yaml | 3 +++ + keystone/templates/job-credential-cleanup.yaml | 3 +++ + keystone/templates/job-credential-setup.yaml | 3 +++ + keystone/templates/job-db-drop.yaml | 3 +++ + keystone/templates/job-db-init.yaml | 3 +++ + keystone/templates/job-db-sync.yaml | 3 +++ + keystone/templates/job-domain-manage.yaml | 3 +++ + keystone/templates/job-fernet-setup.yaml | 3 +++ + keystone/templates/job-image-repo-sync.yaml | 3 +++ + keystone/templates/job-rabbit-init.yaml | 3 +++ + keystone/values.yaml | 7 +++++++ + neutron/templates/daemonset-bagpipe-bgp.yaml | 3 +++ + neutron/templates/daemonset-dhcp-agent.yaml | 3 +++ + neutron/templates/daemonset-l2gw-agent.yaml | 3 +++ + neutron/templates/daemonset-l3-agent.yaml | 3 +++ + neutron/templates/daemonset-lb-agent.yaml | 3 +++ + neutron/templates/daemonset-metadata-agent.yaml | 3 +++ + neutron/templates/daemonset-netns-cleanup-cron.yaml | 3 +++ + neutron/templates/daemonset-ovs-agent.yaml | 3 +++ + neutron/templates/daemonset-sriov-agent.yaml | 3 +++ + neutron/templates/deployment-ironic-agent.yaml | 3 +++ + neutron/templates/deployment-server.yaml | 3 +++ + neutron/templates/job-bootstrap.yaml | 3 +++ + neutron/templates/job-db-drop.yaml | 3 +++ + neutron/templates/job-db-init.yaml | 3 +++ + neutron/templates/job-db-sync.yaml | 3 +++ + neutron/templates/job-image-repo-sync.yaml | 3 +++ + neutron/templates/job-ks-endpoints.yaml | 3 +++ + neutron/templates/job-ks-service.yaml | 3 +++ + neutron/templates/job-ks-user.yaml | 3 +++ + neutron/templates/job-rabbit-init.yaml | 3 +++ + neutron/templates/pod-rally-test.yaml | 3 +++ + neutron/values.yaml | 7 +++++++ + nova/templates/cron-job-archive-deleted-rows.yaml | 3 +++ + nova/templates/cron-job-cell-setup.yaml | 3 +++ + nova/templates/cron-job-service-cleaner.yaml | 3 +++ + nova/templates/daemonset-compute.yaml | 3 +++ + nova/templates/deployment-api-metadata.yaml | 3 +++ + nova/templates/deployment-api-osapi.yaml | 3 +++ + nova/templates/deployment-conductor.yaml | 3 +++ + nova/templates/deployment-consoleauth.yaml | 3 +++ + nova/templates/deployment-novncproxy.yaml | 3 +++ + nova/templates/deployment-placement.yaml | 3 +++ + nova/templates/deployment-scheduler.yaml | 3 +++ + nova/templates/deployment-spiceproxy.yaml | 3 +++ + nova/templates/job-bootstrap.yaml | 3 +++ + nova/templates/job-cell-setup.yaml | 3 +++ + nova/templates/job-db-drop.yaml | 3 +++ + nova/templates/job-db-init.yaml | 3 +++ + nova/templates/job-db-sync.yaml | 3 +++ + nova/templates/job-image-repo-sync.yaml | 3 +++ + nova/templates/job-ks-endpoints.yaml | 3 +++ + nova/templates/job-ks-placement-endpoints.yaml | 3 +++ + nova/templates/job-ks-placement-service.yaml | 3 +++ + nova/templates/job-ks-placement-user.yaml | 3 +++ + nova/templates/job-ks-service.yaml | 3 +++ + nova/templates/job-ks-user.yaml | 3 +++ + nova/templates/job-rabbit-init.yaml | 3 +++ + nova/templates/pod-rally-test.yaml | 3 +++ + nova/values.yaml | 7 +++++++ + placement/templates/deployment.yaml | 3 +++ + placement/templates/job-db-drop.yaml | 3 +++ + placement/templates/job-db-init.yaml | 3 +++ + placement/templates/job-db-migrate.yaml | 3 +++ + placement/templates/job-db-sync.yaml | 3 +++ + placement/templates/job-image-repo-sync.yaml | 3 +++ + placement/templates/job-ks-endpoints.yaml | 3 +++ + placement/templates/job-ks-service.yaml | 3 +++ + placement/templates/job-ks-user.yaml | 3 +++ + placement/values.yaml | 7 +++++++ + 138 files changed, 440 insertions(+) + +diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +index 3d13af36..4b152081 100644 +--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml ++++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +@@ -52,6 +52,9 @@ spec: + {{ dict "envAll" $envAll "application" "volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }} + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml +index 2f684ec0..7925c60f 100644 +--- a/cinder/templates/deployment-api.yaml ++++ b/cinder/templates/deployment-api.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "cinder_api" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }} +diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml +index 91683e29..55c7289c 100755 +--- a/cinder/templates/deployment-backup.yaml ++++ b/cinder/templates/deployment-backup.yaml +@@ -51,6 +51,9 @@ spec: + {{ dict "envAll" $envAll "application" "cinder_backup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.backup.node_selector_key }}: {{ .Values.labels.backup.node_selector_value }} + {{- if .Values.pod.useHostNetwork.backup }} +diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml +index a4a43dbc..59c35971 100644 +--- a/cinder/templates/deployment-scheduler.yaml ++++ b/cinder/templates/deployment-scheduler.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "cinder_scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }} + initContainers: +diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml +index bc1b6500..537b712e 100755 +--- a/cinder/templates/deployment-volume.yaml ++++ b/cinder/templates/deployment-volume.yaml +@@ -51,6 +51,9 @@ spec: + {{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.volume.node_selector_key }}: {{ .Values.labels.volume.node_selector_value }} + {{- if .Values.pod.useHostNetwork.volume }} +diff --git a/cinder/templates/job-backup-storage-init.yaml b/cinder/templates/job-backup-storage-init.yaml +index f37fb68b..8168b90f 100644 +--- a/cinder/templates/job-backup-storage-init.yaml ++++ b/cinder/templates/job-backup-storage-init.yaml +@@ -65,6 +65,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml +index 7f9cfdab..8af3b7e6 100644 +--- a/cinder/templates/job-bootstrap.yaml ++++ b/cinder/templates/job-bootstrap.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/cinder/templates/job-clean.yaml b/cinder/templates/job-clean.yaml +index 738e145b..57a42437 100755 +--- a/cinder/templates/job-clean.yaml ++++ b/cinder/templates/job-clean.yaml +@@ -64,6 +64,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml +index 497e2c7e..b298e369 100644 +--- a/cinder/templates/job-create-internal-tenant.yaml ++++ b/cinder/templates/job-create-internal-tenant.yaml +@@ -46,6 +46,9 @@ spec: + {{ dict "envAll" $envAll "application" "create_internal_tenant" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName | quote }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ toYaml $nodeSelector | indent 8 }} + initContainers: +diff --git a/cinder/templates/job-db-drop.yaml b/cinder/templates/job-db-drop.yaml +index 052d3bce..1115af50 100644 +--- a/cinder/templates/job-db-drop.yaml ++++ b/cinder/templates/job-db-drop.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml +index 8e47f551..c7e450ad 100644 +--- a/cinder/templates/job-db-init.yaml ++++ b/cinder/templates/job-db-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml +index 1b815bc7..1bab87b0 100644 +--- a/cinder/templates/job-db-sync.yaml ++++ b/cinder/templates/job-db-sync.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/cinder/templates/job-image-repo-sync.yaml b/cinder/templates/job-image-repo-sync.yaml +index e56c6f3b..2d1f1f71 100644 +--- a/cinder/templates/job-image-repo-sync.yaml ++++ b/cinder/templates/job-image-repo-sync.yaml +@@ -21,5 +21,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml +index ae7238a6..6b0493d9 100644 +--- a/cinder/templates/job-ks-endpoints.yaml ++++ b/cinder/templates/job-ks-endpoints.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml +index 827b39f8..3cd59f35 100644 +--- a/cinder/templates/job-ks-service.yaml ++++ b/cinder/templates/job-ks-service.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-3" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml +index 5f530b99..4cd671d8 100644 +--- a/cinder/templates/job-ks-user.yaml ++++ b/cinder/templates/job-ks-user.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/cinder/templates/job-rabbit-init.yaml b/cinder/templates/job-rabbit-init.yaml +index 8cf33c9a..43d23922 100644 +--- a/cinder/templates/job-rabbit-init.yaml ++++ b/cinder/templates/job-rabbit-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.cinder.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/cinder/templates/job-storage-init.yaml b/cinder/templates/job-storage-init.yaml +index 6a7adc3c..badfe5fc 100755 +--- a/cinder/templates/job-storage-init.yaml ++++ b/cinder/templates/job-storage-init.yaml +@@ -63,6 +63,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "cinder" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml +index 3725e035..34316c65 100644 +--- a/cinder/templates/pod-rally-test.yaml ++++ b/cinder/templates/pod-rally-test.yaml +@@ -33,6 +33,9 @@ metadata: + {{ dict "envAll" $envAll "podName" "cinder-test" "containerNames" (list "init" "cinder-test" "cinder-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }} + spec: + restartPolicy: Never ++{{ if $envAll.Values.pod.tolerations.cinder.enabled }} ++{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} + serviceAccountName: {{ $serviceAccountName }} +diff --git a/cinder/values.yaml b/cinder/values.yaml +index 9882d30c..f781714c 100644 +--- a/cinder/values.yaml ++++ b/cinder/values.yaml +@@ -173,6 +173,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ cinder: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + useHostNetwork: + volume: false + backup: false +diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml +index 78e16715..aee6edaa 100644 +--- a/glance/templates/deployment-api.yaml ++++ b/glance/templates/deployment-api.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "600" }} +diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml +index f771e013..2cbeac14 100644 +--- a/glance/templates/deployment-registry.yaml ++++ b/glance/templates/deployment-registry.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "glance" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "glance" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.registry.node_selector_key }}: {{ .Values.labels.registry.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.registry.timeout | default "600" }} +diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml +index d51cbd3e..461c52af 100644 +--- a/glance/templates/job-bootstrap.yaml ++++ b/glance/templates/job-bootstrap.yaml +@@ -36,5 +36,8 @@ volumes: + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/glance/templates/job-clean.yaml b/glance/templates/job-clean.yaml +index b4241f41..26977c08 100644 +--- a/glance/templates/job-clean.yaml ++++ b/glance/templates/job-clean.yaml +@@ -64,6 +64,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "clean" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/glance/templates/job-db-drop.yaml b/glance/templates/job-db-drop.yaml +index 67ed9399..66f3a189 100644 +--- a/glance/templates/job-db-drop.yaml ++++ b/glance/templates/job-db-drop.yaml +@@ -19,5 +19,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbToDrop "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml +index d9b46ca7..6f797814 100644 +--- a/glance/templates/job-db-init.yaml ++++ b/glance/templates/job-db-init.yaml +@@ -27,5 +27,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml +index e62b42cf..1434edd1 100644 +--- a/glance/templates/job-db-sync.yaml ++++ b/glance/templates/job-db-sync.yaml +@@ -26,5 +26,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/glance/templates/job-image-repo-sync.yaml b/glance/templates/job-image-repo-sync.yaml +index fa3f7782..dc9d3226 100644 +--- a/glance/templates/job-image-repo-sync.yaml ++++ b/glance/templates/job-image-repo-sync.yaml +@@ -21,5 +21,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml +index 3fdf635f..992ee37f 100644 +--- a/glance/templates/job-ks-endpoints.yaml ++++ b/glance/templates/job-ks-endpoints.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml +index e5d3b1d7..21bb1302 100644 +--- a/glance/templates/job-ks-service.yaml ++++ b/glance/templates/job-ks-service.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-3" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml +index dddc2ed9..226be718 100644 +--- a/glance/templates/job-ks-user.yaml ++++ b/glance/templates/job-ks-user.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/glance/templates/job-metadefs-load.yaml b/glance/templates/job-metadefs-load.yaml +index 5c162a5f..1c2efaaa 100644 +--- a/glance/templates/job-metadefs-load.yaml ++++ b/glance/templates/job-metadefs-load.yaml +@@ -41,6 +41,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "metadefs_load" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/glance/templates/job-rabbit-init.yaml b/glance/templates/job-rabbit-init.yaml +index 9c9387dd..6bd14d6e 100644 +--- a/glance/templates/job-rabbit-init.yaml ++++ b/glance/templates/job-rabbit-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.glance.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml +index 562c097b..d8aee237 100644 +--- a/glance/templates/job-storage-init.yaml ++++ b/glance/templates/job-storage-init.yaml +@@ -69,6 +69,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "storage_init" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml +index f0624270..938c040d 100644 +--- a/glance/templates/pod-rally-test.yaml ++++ b/glance/templates/pod-rally-test.yaml +@@ -31,6 +31,9 @@ metadata: + "helm.sh/hook": test-success + {{ dict "envAll" $envAll "podName" "glance-test" "containerNames" (list "init" "glance-test" "glance-test-ks-user") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }} + spec: ++{{ if $envAll.Values.pod.tolerations.glance.enabled }} ++{{ tuple $envAll "glance" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} + {{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} +diff --git a/glance/values.yaml b/glance/values.yaml +index ea3dd8e5..828c0847 100644 +--- a/glance/values.yaml ++++ b/glance/values.yaml +@@ -907,6 +907,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ glance: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + glance_api: + init_container: null +diff --git a/heat/templates/cron-job-engine-cleaner.yaml b/heat/templates/cron-job-engine-cleaner.yaml +index 1e7e6f31..329193cb 100644 +--- a/heat/templates/cron-job-engine-cleaner.yaml ++++ b/heat/templates/cron-job-engine-cleaner.yaml +@@ -55,6 +55,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "engine_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/heat/templates/cron-job-purge-deleted.yaml b/heat/templates/cron-job-purge-deleted.yaml +index dd275d75..987b572c 100644 +--- a/heat/templates/cron-job-purge-deleted.yaml ++++ b/heat/templates/cron-job-purge-deleted.yaml +@@ -49,6 +49,9 @@ spec: + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml +index a17ddaef..d3cebb0a 100644 +--- a/heat/templates/deployment-api.yaml ++++ b/heat/templates/deployment-api.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }} +diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml +index 9fab9e64..dc05f6f5 100644 +--- a/heat/templates/deployment-cfn.yaml ++++ b/heat/templates/deployment-cfn.yaml +@@ -49,6 +49,9 @@ spec: + {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.cfn.node_selector_key }}: {{ .Values.labels.cfn.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cfn.timeout | default "30" }} +diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml +index 092feac1..2fc5a491 100644 +--- a/heat/templates/deployment-cloudwatch.yaml ++++ b/heat/templates/deployment-cloudwatch.yaml +@@ -48,6 +48,9 @@ spec: + {{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + affinity: + {{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.cloudwatch.node_selector_key }}: {{ .Values.labels.cloudwatch.node_selector_value }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cloudwatch.timeout | default "30" }} +diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml +index 4ae0197b..da9c905f 100644 +--- a/heat/templates/deployment-engine.yaml ++++ b/heat/templates/deployment-engine.yaml +@@ -59,6 +59,9 @@ spec: + {{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.engine.timeout | default "30" }} + initContainers: + {{ tuple $envAll "engine" $mounts_heat_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml +index 5dfe56fa..ee321545 100644 +--- a/heat/templates/job-bootstrap.yaml ++++ b/heat/templates/job-bootstrap.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "5" + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/heat/templates/job-db-drop.yaml b/heat/templates/job-db-drop.yaml +index d74fa7bf..7caa9619 100644 +--- a/heat/templates/job-db-drop.yaml ++++ b/heat/templates/job-db-drop.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml +index b3b44fe8..442a2fa4 100644 +--- a/heat/templates/job-db-init.yaml ++++ b/heat/templates/job-db-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml +index 56707926..a25faf84 100644 +--- a/heat/templates/job-db-sync.yaml ++++ b/heat/templates/job-db-sync.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/heat/templates/job-image-repo-sync.yaml b/heat/templates/job-image-repo-sync.yaml +index a9da3252..83a84bbd 100644 +--- a/heat/templates/job-image-repo-sync.yaml ++++ b/heat/templates/job-image-repo-sync.yaml +@@ -21,5 +21,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml +index 93888061..9c7daeee 100644 +--- a/heat/templates/job-ks-endpoints.yaml ++++ b/heat/templates/job-ks-endpoints.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml +index 5947c0e7..6505cefe 100644 +--- a/heat/templates/job-ks-service.yaml ++++ b/heat/templates/job-ks-service.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-3" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml +index a7096087..89b73dd9 100644 +--- a/heat/templates/job-ks-user-domain.yaml ++++ b/heat/templates/job-ks-user-domain.yaml +@@ -46,6 +46,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml +index 21f1b578..934c6021 100644 +--- a/heat/templates/job-ks-user-trustee.yaml ++++ b/heat/templates/job-ks-user-trustee.yaml +@@ -24,5 +24,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml +index bf23eebb..db39a556 100644 +--- a/heat/templates/job-ks-user.yaml ++++ b/heat/templates/job-ks-user.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/heat/templates/job-rabbit-init.yaml b/heat/templates/job-rabbit-init.yaml +index 8da178b5..bd6b228c 100644 +--- a/heat/templates/job-rabbit-init.yaml ++++ b/heat/templates/job-rabbit-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.heat.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml +index afa6bdec..e713d278 100644 +--- a/heat/templates/job-trusts.yaml ++++ b/heat/templates/job-trusts.yaml +@@ -48,6 +48,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml +index 9aa6373e..3b7d95da 100644 +--- a/heat/templates/pod-rally-test.yaml ++++ b/heat/templates/pod-rally-test.yaml +@@ -33,6 +33,9 @@ metadata: + spec: + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.heat.enabled }} ++{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} ++{{ end }} + restartPolicy: Never + serviceAccountName: {{ $serviceAccountName }} + initContainers: +diff --git a/heat/values.yaml b/heat/values.yaml +index 58f786b6..36017d63 100644 +--- a/heat/values.yaml ++++ b/heat/values.yaml +@@ -1082,6 +1082,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ heat: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + heat_api: + init_container: null +diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml +index 1922423f..b7c24836 100644 +--- a/horizon/templates/deployment.yaml ++++ b/horizon/templates/deployment.yaml +@@ -51,6 +51,9 @@ spec: + {{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.dashboard.node_selector_key }}: {{ .Values.labels.dashboard.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.horizon.enabled }} ++{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.horizon.timeout | default "30" }} + initContainers: + {{ tuple $envAll "dashboard" $mounts_horizon_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/horizon/templates/job-db-drop.yaml b/horizon/templates/job-db-drop.yaml +index 25458452..6f761d7c 100644 +--- a/horizon/templates/job-db-drop.yaml ++++ b/horizon/templates/job-db-drop.yaml +@@ -18,5 +18,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.horizon.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/horizon/templates/job-db-init.yaml b/horizon/templates/job-db-init.yaml +index f92c1838..095a1f3d 100644 +--- a/horizon/templates/job-db-init.yaml ++++ b/horizon/templates/job-db-init.yaml +@@ -18,5 +18,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.horizon.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/horizon/templates/job-db-sync.yaml b/horizon/templates/job-db-sync.yaml +index 648a5b21..fe5a213b 100644 +--- a/horizon/templates/job-db-sync.yaml ++++ b/horizon/templates/job-db-sync.yaml +@@ -42,6 +42,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.horizon.enabled }} ++{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "db_sync" $mounts_horizon_db_sync_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/horizon/templates/job-image-repo-sync.yaml b/horizon/templates/job-image-repo-sync.yaml +index 37b14a8c..e98bbb24 100644 +--- a/horizon/templates/job-image-repo-sync.yaml ++++ b/horizon/templates/job-image-repo-sync.yaml +@@ -14,5 +14,8 @@ limitations under the License. + + {{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} + {{- $imageRepoSyncJob := dict "envAll" . "serviceName" "horizon" -}} ++{{- if .Values.pod.tolerations.horizon.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/horizon/templates/pod-helm-tests.yaml b/horizon/templates/pod-helm-tests.yaml +index 76f5b353..dbcb9a3c 100644 +--- a/horizon/templates/pod-helm-tests.yaml ++++ b/horizon/templates/pod-helm-tests.yaml +@@ -35,6 +35,9 @@ spec: + {{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }} + restartPolicy: Never + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.horizon.enabled }} ++{{ tuple $envAll "horizon" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} + initContainers: +diff --git a/horizon/values.yaml b/horizon/values.yaml +index 9b138c0c..f2bc5b9f 100644 +--- a/horizon/values.yaml ++++ b/horizon/values.yaml +@@ -1116,6 +1116,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ horizon: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + horizon_db_init: + init_container: null +diff --git a/keystone/templates/cron-job-credential-rotate.yaml b/keystone/templates/cron-job-credential-rotate.yaml +index fd26b230..8e9f82fc 100644 +--- a/keystone/templates/cron-job-credential-rotate.yaml ++++ b/keystone/templates/cron-job-credential-rotate.yaml +@@ -74,6 +74,9 @@ spec: + initContainers: + {{ tuple $envAll "credential_rotate" $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + containers: +diff --git a/keystone/templates/cron-job-fernet-rotate.yaml b/keystone/templates/cron-job-fernet-rotate.yaml +index 8f4f4f9a..96dcc74d 100644 +--- a/keystone/templates/cron-job-fernet-rotate.yaml ++++ b/keystone/templates/cron-job-fernet-rotate.yaml +@@ -76,6 +76,9 @@ spec: + initContainers: + {{ tuple $envAll "fernet_rotate" $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + containers: +diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml +index b9f5701f..fefbc47f 100644 +--- a/keystone/templates/deployment-api.yaml ++++ b/keystone/templates/deployment-api.yaml +@@ -58,6 +58,9 @@ spec: + {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }} + initContainers: + {{ tuple $envAll "api" $mounts_keystone_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml +index e9089274..04833279 100644 +--- a/keystone/templates/job-bootstrap.yaml ++++ b/keystone/templates/job-bootstrap.yaml +@@ -22,5 +22,8 @@ helm.sh/hook-weight: "5" + {{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}} + {{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/keystone/templates/job-credential-cleanup.yaml b/keystone/templates/job-credential-cleanup.yaml +index 854c5b67..fcd7f11f 100644 +--- a/keystone/templates/job-credential-cleanup.yaml ++++ b/keystone/templates/job-credential-cleanup.yaml +@@ -46,6 +46,9 @@ spec: + spec: + serviceAccountName: {{ $serviceName }} + restartPolicy: Never ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ toYaml $nodeSelector | indent 8 }} + initContainers: +diff --git a/keystone/templates/job-credential-setup.yaml b/keystone/templates/job-credential-setup.yaml +index 1d30eb14..5e6edc6f 100644 +--- a/keystone/templates/job-credential-setup.yaml ++++ b/keystone/templates/job-credential-setup.yaml +@@ -78,6 +78,9 @@ spec: + initContainers: + {{ tuple $envAll "credential_setup" $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + containers: +diff --git a/keystone/templates/job-db-drop.yaml b/keystone/templates/job-db-drop.yaml +index 512b8eb2..df270ff6 100644 +--- a/keystone/templates/job-db-drop.yaml ++++ b/keystone/templates/job-db-drop.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml +index 53e9573d..757b705e 100644 +--- a/keystone/templates/job-db-init.yaml ++++ b/keystone/templates/job-db-init.yaml +@@ -24,5 +24,8 @@ helm.sh/hook-weight: "-5" + {{- if and .Values.manifests.certificates .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml +index c3e73157..a4ff67d8 100644 +--- a/keystone/templates/job-db-sync.yaml ++++ b/keystone/templates/job-db-sync.yaml +@@ -79,5 +79,8 @@ volumes: + {{- end }} + {{- $podEnvVars := tuple . | include "keystone.templates._job_db_sync.env_vars" | toString | fromYaml }} + {{- $dbSyncJob := dict "envAll" . "serviceName" "keystone" "podVolMounts" $local.podVolMounts "podVols" $local.podVols "podEnvVars" $podEnvVars.env "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml +index 5a1c8e2b..8acd192e 100644 +--- a/keystone/templates/job-domain-manage.yaml ++++ b/keystone/templates/job-domain-manage.yaml +@@ -44,6 +44,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + {{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + initContainers: +diff --git a/keystone/templates/job-fernet-setup.yaml b/keystone/templates/job-fernet-setup.yaml +index 786772d0..1505ffad 100644 +--- a/keystone/templates/job-fernet-setup.yaml ++++ b/keystone/templates/job-fernet-setup.yaml +@@ -78,6 +78,9 @@ spec: + initContainers: + {{ tuple $envAll "fernet_setup" $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + restartPolicy: OnFailure ++{{ if $envAll.Values.pod.tolerations.keystone.enabled }} ++{{ tuple $envAll "keystone" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} + containers: +diff --git a/keystone/templates/job-image-repo-sync.yaml b/keystone/templates/job-image-repo-sync.yaml +index fd301c35..c8cfc5d0 100644 +--- a/keystone/templates/job-image-repo-sync.yaml ++++ b/keystone/templates/job-image-repo-sync.yaml +@@ -17,5 +17,8 @@ helm.sh/hook: post-install,post-upgrade + + {{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }} + {{- $imageRepoSyncJob := dict "envAll" . "serviceName" "keystone" "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/keystone/templates/job-rabbit-init.yaml b/keystone/templates/job-rabbit-init.yaml +index 2bb258e7..02390adf 100644 +--- a/keystone/templates/job-rabbit-init.yaml ++++ b/keystone/templates/job-rabbit-init.yaml +@@ -22,5 +22,8 @@ helm.sh/hook-weight: "-4" + {{- if and .Values.manifests.certificates .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} + {{- $_ := set $rmqUserJob "tlsSecret" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.keystone.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/keystone/values.yaml b/keystone/values.yaml +index 8031bcea..de450e3a 100644 +--- a/keystone/values.yaml ++++ b/keystone/values.yaml +@@ -219,6 +219,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ keystone: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + keystone_db_init: + init_container: null +diff --git a/neutron/templates/daemonset-bagpipe-bgp.yaml b/neutron/templates/daemonset-bagpipe-bgp.yaml +index abf823f8..df128929 100644 +--- a/neutron/templates/daemonset-bagpipe-bgp.yaml ++++ b/neutron/templates/daemonset-bagpipe-bgp.yaml +@@ -57,6 +57,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.bagpipe_bgp.node_selector_key }}: {{ .Values.labels.bagpipe_bgp.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml +index e7f863f8..bc924e7e 100644 +--- a/neutron/templates/daemonset-dhcp-agent.yaml ++++ b/neutron/templates/daemonset-dhcp-agent.yaml +@@ -79,6 +79,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_dhcp_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-l2gw-agent.yaml b/neutron/templates/daemonset-l2gw-agent.yaml +index d2149b73..2bb2fdcd 100644 +--- a/neutron/templates/daemonset-l2gw-agent.yaml ++++ b/neutron/templates/daemonset-l2gw-agent.yaml +@@ -80,6 +80,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.agent.l2gw.node_selector_key }}: {{ .Values.labels.agent.l2gw.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml +index b59402a1..d70a6351 100644 +--- a/neutron/templates/daemonset-l3-agent.yaml ++++ b/neutron/templates/daemonset-l3-agent.yaml +@@ -80,6 +80,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_l3_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml +index 9c5f298a..7cb86372 100644 +--- a/neutron/templates/daemonset-lb-agent.yaml ++++ b/neutron/templates/daemonset-lb-agent.yaml +@@ -55,6 +55,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_lb_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.lb.node_selector_key }}: {{ .Values.labels.lb.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml +index af035e8b..edfa0a10 100644 +--- a/neutron/templates/daemonset-metadata-agent.yaml ++++ b/neutron/templates/daemonset-metadata-agent.yaml +@@ -76,6 +76,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_metadata_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-netns-cleanup-cron.yaml b/neutron/templates/daemonset-netns-cleanup-cron.yaml +index 8b91c94c..78acf039 100644 +--- a/neutron/templates/daemonset-netns-cleanup-cron.yaml ++++ b/neutron/templates/daemonset-netns-cleanup-cron.yaml +@@ -48,6 +48,9 @@ spec: + spec: + {{ dict "envAll" $envAll "application" "neutron_netns_cleanup_cron" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + nodeSelector: + {{ .Values.labels.netns_cleanup_cron.node_selector_key }}: {{ .Values.labels.netns_cleanup_cron.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet +diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml +index 80403c38..59e33f0f 100644 +--- a/neutron/templates/daemonset-ovs-agent.yaml ++++ b/neutron/templates/daemonset-ovs-agent.yaml +@@ -72,6 +72,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }} +diff --git a/neutron/templates/daemonset-sriov-agent.yaml b/neutron/templates/daemonset-sriov-agent.yaml +index 8f32221a..4bf00216 100644 +--- a/neutron/templates/daemonset-sriov-agent.yaml ++++ b/neutron/templates/daemonset-sriov-agent.yaml +@@ -64,6 +64,9 @@ spec: + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.sriov.node_selector_key }}: {{ .Values.labels.sriov.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }} +diff --git a/neutron/templates/deployment-ironic-agent.yaml b/neutron/templates/deployment-ironic-agent.yaml +index 7e9e3283..431225f0 100644 +--- a/neutron/templates/deployment-ironic-agent.yaml ++++ b/neutron/templates/deployment-ironic-agent.yaml +@@ -53,6 +53,9 @@ spec: + {{ tuple $envAll "neutron" "ironic_agent" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.ironic_agent.node_selector_key }}: {{ .Values.labels.ironic_agent.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 8 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.ironic_agent.timeout | default "30" }} + initContainers: + {{ tuple $envAll "pod_dependency" $mounts_neutron_ironic_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml +index e44aa53d..94c4e1a2 100644 +--- a/neutron/templates/deployment-server.yaml ++++ b/neutron/templates/deployment-server.yaml +@@ -81,6 +81,9 @@ spec: + {{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "30" }} + initContainers: + {{ tuple $envAll "pod_dependency" $mounts_neutron_server_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml +index 504400eb..3a3faba0 100644 +--- a/neutron/templates/job-bootstrap.yaml ++++ b/neutron/templates/job-bootstrap.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "5" + {{- if .Values.helm3_hook }} + {{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }} + {{- end }} +diff --git a/neutron/templates/job-db-drop.yaml b/neutron/templates/job-db-drop.yaml +index 9f322bd9..67d4174d 100644 +--- a/neutron/templates/job-db-drop.yaml ++++ b/neutron/templates/job-db-drop.yaml +@@ -18,5 +18,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml +index 6056aab4..184ec97d 100644 +--- a/neutron/templates/job-db-init.yaml ++++ b/neutron/templates/job-db-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml +index 60f7abb9..1d224079 100644 +--- a/neutron/templates/job-db-sync.yaml ++++ b/neutron/templates/job-db-sync.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/neutron/templates/job-image-repo-sync.yaml b/neutron/templates/job-image-repo-sync.yaml +index ac1c61f7..890c57ed 100644 +--- a/neutron/templates/job-image-repo-sync.yaml ++++ b/neutron/templates/job-image-repo-sync.yaml +@@ -21,5 +21,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml +index 8e755c4d..39b9387f 100644 +--- a/neutron/templates/job-ks-endpoints.yaml ++++ b/neutron/templates/job-ks-endpoints.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $ksEndpointsJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksEndpointsJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml +index b2e5b661..84fb56d4 100644 +--- a/neutron/templates/job-ks-service.yaml ++++ b/neutron/templates/job-ks-service.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-3" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml +index 2c025c5b..80a19bc9 100644 +--- a/neutron/templates/job-ks-user.yaml ++++ b/neutron/templates/job-ks-user.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/neutron/templates/job-rabbit-init.yaml b/neutron/templates/job-rabbit-init.yaml +index 56785569..0d08170d 100644 +--- a/neutron/templates/job-rabbit-init.yaml ++++ b/neutron/templates/job-rabbit-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.neutron.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml +index 0fb96ece..cd6899c2 100644 +--- a/neutron/templates/pod-rally-test.yaml ++++ b/neutron/templates/pod-rally-test.yaml +@@ -34,6 +34,9 @@ metadata: + spec: + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.neutron.enabled }} ++{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} ++{{ end }} + restartPolicy: Never + serviceAccountName: {{ $serviceAccountName }} + initContainers: +diff --git a/neutron/values.yaml b/neutron/values.yaml +index c72a55b5..b767c7ae 100644 +--- a/neutron/values.yaml ++++ b/neutron/values.yaml +@@ -555,6 +555,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ neutron: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + neutron_server: + init_container: null +diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml +index 7baa3307..29a6e705 100644 +--- a/nova/templates/cron-job-archive-deleted-rows.yaml ++++ b/nova/templates/cron-job-archive-deleted-rows.yaml +@@ -47,6 +47,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + initContainers: + {{ tuple $envAll "archive-deleted-rows" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + containers: +diff --git a/nova/templates/cron-job-cell-setup.yaml b/nova/templates/cron-job-cell-setup.yaml +index 18b661a7..f2d2801e 100644 +--- a/nova/templates/cron-job-cell-setup.yaml ++++ b/nova/templates/cron-job-cell-setup.yaml +@@ -47,6 +47,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + initContainers: + {{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + containers: +diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml +index bbe3fabd..9f745ace 100644 +--- a/nova/templates/cron-job-service-cleaner.yaml ++++ b/nova/templates/cron-job-service-cleaner.yaml +@@ -47,6 +47,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }} ++{{ end }} + initContainers: + {{ tuple $envAll "service_cleaner" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + containers: +diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml +index 4c690d61..927f5ad1 100644 +--- a/nova/templates/daemonset-compute.yaml ++++ b/nova/templates/daemonset-compute.yaml +@@ -78,6 +78,9 @@ spec: + {{ dict "envAll" $envAll "application" "nova" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + nodeSelector: + {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + hostNetwork: true + hostPID: true + hostIPC: true +diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml +index c663a233..44d3a492 100644 +--- a/nova/templates/deployment-api-metadata.yaml ++++ b/nova/templates/deployment-api-metadata.yaml +@@ -61,6 +61,9 @@ spec: + {{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.api_metadata.node_selector_key }}: {{ .Values.labels.api_metadata.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.metadata.timeout | default "30" }} + initContainers: + {{ tuple $envAll "api_metadata" $mounts_nova_api_metadata_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml +index 41c1faf5..29c80ba9 100644 +--- a/nova/templates/deployment-api-osapi.yaml ++++ b/nova/templates/deployment-api-osapi.yaml +@@ -61,6 +61,9 @@ spec: + {{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.osapi.node_selector_key }}: {{ .Values.labels.osapi.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.osapi.timeout | default "30" }} + initContainers: + {{ tuple $envAll "api" $mounts_nova_api_osapi_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml +index 5335a4ce..ba301abe 100644 +--- a/nova/templates/deployment-conductor.yaml ++++ b/nova/templates/deployment-conductor.yaml +@@ -74,6 +74,9 @@ spec: + {{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.conductor.node_selector_key }}: {{ .Values.labels.conductor.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "conductor" $mounts_nova_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml +index c4a781f2..1af01430 100644 +--- a/nova/templates/deployment-consoleauth.yaml ++++ b/nova/templates/deployment-consoleauth.yaml +@@ -74,6 +74,9 @@ spec: + {{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.consoleauth.node_selector_key }}: {{ .Values.labels.consoleauth.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "consoleauth" $mounts_nova_consoleauth_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml +index 68db32ac..517005d9 100644 +--- a/nova/templates/deployment-novncproxy.yaml ++++ b/nova/templates/deployment-novncproxy.yaml +@@ -61,6 +61,9 @@ spec: + {{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.novncproxy.node_selector_key }}: {{ .Values.labels.novncproxy.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + {{- if .Values.pod.useHostNetwork.novncproxy }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml +index 1391cd9a..8d5e508b 100644 +--- a/nova/templates/deployment-placement.yaml ++++ b/nova/templates/deployment-placement.yaml +@@ -61,6 +61,9 @@ spec: + {{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.placement.node_selector_key }}: {{ .Values.labels.placement.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.placement.timeout | default "30" }} + initContainers: + {{ tuple $envAll "api" $mounts_nova_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml +index b8a465ea..52e46958 100644 +--- a/nova/templates/deployment-scheduler.yaml ++++ b/nova/templates/deployment-scheduler.yaml +@@ -74,6 +74,9 @@ spec: + {{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.scheduler.node_selector_key }}: {{ .Values.labels.scheduler.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "scheduler" $mounts_nova_scheduler_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml +index 98046a01..e430d257 100644 +--- a/nova/templates/deployment-spiceproxy.yaml ++++ b/nova/templates/deployment-spiceproxy.yaml +@@ -60,6 +60,9 @@ spec: + {{ tuple $envAll "nova" "spice-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.spiceproxy.node_selector_key }}: {{ .Values.labels.spiceproxy.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + initContainers: +diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml +index c105f567..80d53d08 100644 +--- a/nova/templates/job-bootstrap.yaml ++++ b/nova/templates/job-bootstrap.yaml +@@ -43,6 +43,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ toYaml $nodeSelector | indent 8 }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + {{- if $envAll.Values.bootstrap.wait_for_computes.enabled }} +diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml +index cdcdf251..44ef618e 100644 +--- a/nova/templates/job-cell-setup.yaml ++++ b/nova/templates/job-cell-setup.yaml +@@ -38,6 +38,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll "cell_setup" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: nova-cell-setup-init +diff --git a/nova/templates/job-db-drop.yaml b/nova/templates/job-db-drop.yaml +index 9a6b1a0f..b0471ef2 100644 +--- a/nova/templates/job-db-drop.yaml ++++ b/nova/templates/job-db-drop.yaml +@@ -22,5 +22,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml +index b1ca8705..72b0a808 100644 +--- a/nova/templates/job-db-init.yaml ++++ b/nova/templates/job-db-init.yaml +@@ -30,5 +30,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml +index 3cd8cac7..061e18f1 100644 +--- a/nova/templates/job-db-sync.yaml ++++ b/nova/templates/job-db-sync.yaml +@@ -46,5 +46,8 @@ env: + {{- if .Values.helm3_hook }} + {{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/nova/templates/job-image-repo-sync.yaml b/nova/templates/job-image-repo-sync.yaml +index fe488dd2..e2ee66df 100644 +--- a/nova/templates/job-image-repo-sync.yaml ++++ b/nova/templates/job-image-repo-sync.yaml +@@ -21,5 +21,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml +index 5057ebc1..52ec50e4 100644 +--- a/nova/templates/job-ks-endpoints.yaml ++++ b/nova/templates/job-ks-endpoints.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml +index 2147f3cf..b5a10aed 100644 +--- a/nova/templates/job-ks-placement-endpoints.yaml ++++ b/nova/templates/job-ks-placement-endpoints.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml +index c2c8865c..d5846517 100644 +--- a/nova/templates/job-ks-placement-service.yaml ++++ b/nova/templates/job-ks-placement-service.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml +index 035c2f02..f6de6f6b 100644 +--- a/nova/templates/job-ks-placement-user.yaml ++++ b/nova/templates/job-ks-placement-user.yaml +@@ -17,5 +17,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml +index d9eb3b5b..9d1eebe5 100644 +--- a/nova/templates/job-ks-service.yaml ++++ b/nova/templates/job-ks-service.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-3" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml +index e5613cc9..65e5055a 100644 +--- a/nova/templates/job-ks-user.yaml ++++ b/nova/templates/job-ks-user.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/nova/templates/job-rabbit-init.yaml b/nova/templates/job-rabbit-init.yaml +index ffbb2707..b5133d30 100644 +--- a/nova/templates/job-rabbit-init.yaml ++++ b/nova/templates/job-rabbit-init.yaml +@@ -25,5 +25,8 @@ helm.sh/hook-weight: "-4" + {{- if .Values.helm3_hook }} + {{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.nova.enabled -}} ++{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }} + {{- end }} +diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml +index eabe8b6c..019596f1 100644 +--- a/nova/templates/pod-rally-test.yaml ++++ b/nova/templates/pod-rally-test.yaml +@@ -34,6 +34,9 @@ metadata: + spec: + nodeSelector: + {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.nova.enabled }} ++{{ tuple $envAll "nova" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }} ++{{ end }} + restartPolicy: Never + serviceAccountName: {{ $serviceAccountName }} + initContainers: +diff --git a/nova/values.yaml b/nova/values.yaml +index cdb14575..4e6ce0ac 100644 +--- a/nova/values.yaml ++++ b/nova/values.yaml +@@ -2259,6 +2259,13 @@ pod: + default: kubernetes.io/hostname + weight: + default: 10 ++ tolerations: ++ nova: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + nova_compute: + init_container: null +diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml +index f10b135d..9dcde008 100644 +--- a/placement/templates/deployment.yaml ++++ b/placement/templates/deployment.yaml +@@ -53,6 +53,9 @@ spec: + {{ tuple $envAll "placement" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} + nodeSelector: + {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.placement.enabled }} ++{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }} + initContainers: + {{ tuple $envAll "api" $mounts_placement_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +diff --git a/placement/templates/job-db-drop.yaml b/placement/templates/job-db-drop.yaml +index af8cd247..f6e26e73 100644 +--- a/placement/templates/job-db-drop.yaml ++++ b/placement/templates/job-db-drop.yaml +@@ -20,5 +20,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $dbDropJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }} + {{- end }} +diff --git a/placement/templates/job-db-init.yaml b/placement/templates/job-db-init.yaml +index 31e1aec7..6edd4175 100644 +--- a/placement/templates/job-db-init.yaml ++++ b/placement/templates/job-db-init.yaml +@@ -30,5 +30,8 @@ helm.sh/hook-weight: "-5" + {{- if .Values.helm3_hook }} + {{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) -}} + {{- end }} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $dbInitJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }} + {{- end }} +diff --git a/placement/templates/job-db-migrate.yaml b/placement/templates/job-db-migrate.yaml +index b63ff0b7..ef733778 100644 +--- a/placement/templates/job-db-migrate.yaml ++++ b/placement/templates/job-db-migrate.yaml +@@ -39,6 +39,9 @@ spec: + restartPolicy: OnFailure + nodeSelector: + {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} ++{{ if $envAll.Values.pod.tolerations.placement.enabled }} ++{{ tuple $envAll "placement" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} ++{{ end }} + initContainers: + {{ tuple $envAll $service list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + containers: +diff --git a/placement/templates/job-db-sync.yaml b/placement/templates/job-db-sync.yaml +index be791da4..e1c59360 100644 +--- a/placement/templates/job-db-sync.yaml ++++ b/placement/templates/job-db-sync.yaml +@@ -19,5 +19,8 @@ limitations under the License. + {{- if .Values.manifests.certificates -}} + {{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}} + {{- end -}} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }} + {{- end }} +diff --git a/placement/templates/job-image-repo-sync.yaml b/placement/templates/job-image-repo-sync.yaml +index dd892276..2cda817e 100644 +--- a/placement/templates/job-image-repo-sync.yaml ++++ b/placement/templates/job-image-repo-sync.yaml +@@ -23,5 +23,8 @@ helm.sh/hook: post-install,post-upgrade + {{- if .Values.helm3_hook }} + {{- $_ := set $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }} + {{- end }} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }} + {{- end }} +diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml +index abd7994c..111ba33a 100644 +--- a/placement/templates/job-ks-endpoints.yaml ++++ b/placement/templates/job-ks-endpoints.yaml +@@ -27,5 +27,8 @@ helm.sh/hook-weight: "1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}} + {{- end }} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} + {{- end }} +diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml +index f972aba4..10e45bd6 100644 +--- a/placement/templates/job-ks-service.yaml ++++ b/placement/templates/job-ks-service.yaml +@@ -27,5 +27,8 @@ helm.sh/hook-weight: "-2" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}} + {{- end }} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} + {{- end }} +diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml +index 66709133..2c1a0023 100644 +--- a/placement/templates/job-ks-user.yaml ++++ b/placement/templates/job-ks-user.yaml +@@ -27,5 +27,8 @@ helm.sh/hook-weight: "-1" + {{- if .Values.helm3_hook }} + {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}} + {{- end }} ++{{- if .Values.pod.tolerations.placement.enabled -}} ++{{- $_ := set $ksUserJob "tolerationsEnabled" true -}} ++{{- end -}} + {{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} + {{- end }} +diff --git a/placement/values.yaml b/placement/values.yaml +index 57d9eb48..d3bd052d 100644 +--- a/placement/values.yaml ++++ b/placement/values.yaml +@@ -333,6 +333,13 @@ pod: + default: preferredDuringSchedulingIgnoredDuringExecution + topologyKey: + default: kubernetes.io/hostname ++ tolerations: ++ placement: ++ enabled: false ++ tolerations: ++ - key: node-role.kubernetes.io/master ++ operator: Exists ++ effect: NoSchedule + mounts: + placement: + init_container: null +-- +2.17.1 + diff --git a/openstack-helm/debian/deb_folder/patches/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch b/openstack-helm/debian/deb_folder/patches/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch new file mode 100644 index 00000000..d4c3afcc --- /dev/null +++ b/openstack-helm/debian/deb_folder/patches/0011-Fix-nova-compute-ssh-init-to-execute-as-runAsUser.patch @@ -0,0 +1,172 @@ +From fc736ec3993ff18b6380d2016060991e2c3a11f4 Mon Sep 17 00:00:00 2001 +From: Thiago Brito +Date: Fri, 7 Jan 2022 15:59:41 -0300 +Subject: [PATCH] Fix nova-compute-ssh init to execute as runAsUser + +On _ssh-init.sh.tpl, despite one change the runAsUser for the +nova-compute container on the securityContext, the ssh keys are always +being copied into the 'nova' user's folder. This change fixes it by +getting the correct user defined on the securityContext and copying the +keys to its correct folder. + +Signed-off-by: Thiago Brito +Change-Id: Ia7883dc4626a295892eb4637ef717b0b1725ac89 +--- + nova/templates/bin/_ssh-init.sh.tpl | 13 ++++++++----- + nova/templates/daemonset-compute.yaml | 16 ++++++++++++---- + nova/values.yaml | 4 +++- + 3 files changed, 23 insertions(+), 10 deletions(-) + +diff --git a/nova/templates/bin/_ssh-init.sh.tpl b/nova/templates/bin/_ssh-init.sh.tpl +index be2e33a4..fbd96f04 100644 +--- a/nova/templates/bin/_ssh-init.sh.tpl ++++ b/nova/templates/bin/_ssh-init.sh.tpl +@@ -16,10 +16,13 @@ limitations under the License. + + set -ex + +-mkdir -p ~nova/.ssh +-chown -R nova:nova ~nova/.ssh ++export NOVA_USERNAME=$(id -u ${NOVA_USER_UID} -n) ++export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME}) + +-cat > ~nova/.ssh/config < ${NOVA_USER_HOME}/.ssh/config <