openstack-armada-app/openstack-helm/files/0013-Remove-TLS-from-openstack-services.patch
Lucas Cavalcante 27c4d562c8 Fixes Application Apply failing when HTTPS enabled
Openstack-helm provides the option to terminate TLS at the services.
However, at Starlingx TLS termination is done at the reverse
proxy (ingress) and therefore is unnecessary for the OpenStack itself
to be HTTPS and terminate tls a second time. Furthermore, it is not
possible to have https enabled on openstack services with the
current centos based containers that we have, openstack-helm only
supports tls using debian based containers.

Manually working around this creates a cumbersome override file, so
to diminish these overrides this patch 0020 and 0013(osh-i) disables
https at the backend, thus maintaining the same behaviour as stx 5.0

Mariadb and RabbitMQ tls do not seem to be working very well within
Starlingx, so we also disable TLS for them. I am not confident that
current openstack-helm and openstack-helm-infra support production level
openstack with mariadb in TLS mode. Furthermore, from the way everything
is redirected in StarlingX I do see too many performance and stability
issues using both of them with tls enabled.

Disclaimer: I did not test with either only mariadb tls or
rabbitmq activated, but with both of them on the system is not usable.

Test Plan:

PASS: Openstack is Applied. (https disabled)
PASS: enable https. Openstack is Applied (WITHOUT service.conf
overrides)

Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Change-Id: Ifb7946e9a289234047934b52d200b951a59c1a3f
Partial-bug: 1960354
Related-to: https://review.opendev.org/c/starlingx/helm-charts/+/828815
2022-02-11 16:59:37 +00:00


From 6741666ec144c447508db3d1500f11db5955bf7a Mon Sep 17 00:00:00 2001
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
Date: Thu, 10 Feb 2022 16:23:26 -0300
Subject: [PATCH 13/14] Remove TLS from openstack services at backend
Openstack-helm provides the option to terminate TLS at the services.
However, at Starlingx TLS termination is done at the reverse
proxy (ingress) and therefore is unnecessary for the OpenStack to be
HTTPS. Removing this option creates a cumbersome override file, so
to diminish these overrides this patch disables https at the backend
Change-Id: Ibc0e53d95cfe43e0e04c9cc14bc81469fb919a40
---
cinder/templates/bin/_cinder-api.sh.tpl | 40 -----------
cinder/templates/certificates.yaml | 17 -----
cinder/templates/configmap-etc.yaml | 4 --
cinder/templates/deployment-api.yaml | 28 ++------
cinder/templates/deployment-scheduler.yaml | 4 +-
cinder/templates/deployment-volume.yaml | 6 +-
cinder/templates/ingress-api.yaml | 7 +-
cinder/templates/job-bootstrap.yaml | 2 +-
.../templates/job-create-internal-tenant.yaml | 4 +-
cinder/templates/job-ks-endpoints.yaml | 2 +-
cinder/templates/job-ks-service.yaml | 2 +-
cinder/templates/job-ks-user.yaml | 2 +-
cinder/templates/pod-rally-test.yaml | 6 +-
glance/templates/certificates.yaml | 18 -----
glance/templates/deployment-api.yaml | 60 +---------------
glance/templates/deployment-registry.yaml | 4 +-
glance/templates/ingress-api.yaml | 7 +-
glance/templates/ingress-registry.yaml | 2 +-
glance/templates/job-bootstrap.yaml | 2 +-
glance/templates/job-ks-endpoints.yaml | 2 +-
glance/templates/job-ks-service.yaml | 2 +-
glance/templates/job-ks-user.yaml | 2 +-
glance/templates/job-storage-init.yaml | 4 +-
glance/templates/pod-rally-test.yaml | 6 +-
heat/templates/bin/_heat-api.sh.tpl | 35 ----------
heat/templates/bin/_heat-cfn.sh.tpl | 37 ----------
heat/templates/certificates.yaml | 18 -----
heat/templates/deployment-api.yaml | 14 +---
heat/templates/deployment-cfn.yaml | 14 +---
heat/templates/deployment-engine.yaml | 4 +-
heat/templates/ingress-api.yaml | 4 --
heat/templates/ingress-cfn.yaml | 4 --
heat/templates/job-bootstrap.yaml | 2 +-
heat/templates/job-ks-endpoints.yaml | 2 +-
heat/templates/job-ks-service.yaml | 2 +-
heat/templates/job-ks-user-domain.yaml | 4 +-
heat/templates/job-ks-user-trustee.yaml | 2 +-
heat/templates/job-ks-user.yaml | 2 +-
heat/templates/job-trusts.yaml | 4 +-
heat/templates/pod-rally-test.yaml | 6 +-
horizon/templates/certificates.yaml | 17 -----
horizon/templates/deployment.yaml | 4 +-
horizon/templates/ingress-api.yaml | 4 --
horizon/templates/pod-helm-tests.yaml | 4 +-
keystone/templates/bin/_keystone-api.sh.tpl | 4 --
keystone/templates/certificates.yaml | 17 -----
keystone/templates/deployment-api.yaml | 8 +--
keystone/templates/ingress-api.yaml | 7 +-
keystone/templates/job-bootstrap.yaml | 4 +-
keystone/templates/job-domain-manage.yaml | 14 +---
keystone/templates/pod-rally-test.yaml | 16 ++---
neutron/templates/certificates.yaml | 17 -----
.../templates/daemonset-metadata-agent.yaml | 4 +-
neutron/templates/deployment-server.yaml | 68 +------------------
neutron/templates/ingress-server.yaml | 4 --
neutron/templates/job-bootstrap.yaml | 2 +-
neutron/templates/job-ks-endpoints.yaml | 2 +-
neutron/templates/job-ks-service.yaml | 2 +-
neutron/templates/job-ks-user.yaml | 2 +-
neutron/templates/pod-rally-test.yaml | 8 +--
neutron/values.yaml | 1 +
nova/templates/bin/_nova-api-metadata.sh.tpl | 38 -----------
nova/templates/bin/_nova-api.sh.tpl | 39 -----------
nova/templates/certificates.yaml | 27 --------
nova/templates/cron-job-service-cleaner.yaml | 4 +-
nova/templates/daemonset-compute.yaml | 10 +--
nova/templates/deployment-api-metadata.yaml | 16 +----
nova/templates/deployment-api-osapi.yaml | 16 +----
nova/templates/deployment-conductor.yaml | 6 +-
nova/templates/deployment-novncproxy.yaml | 4 +-
nova/templates/deployment-placement.yaml | 4 +-
nova/templates/deployment-scheduler.yaml | 6 +-
nova/templates/deployment-spiceproxy.yaml | 4 +-
nova/templates/ingress-metadata.yaml | 4 --
nova/templates/ingress-novncproxy.yaml | 4 --
nova/templates/ingress-osapi.yaml | 4 --
nova/templates/ingress-placement.yaml | 4 --
nova/templates/job-bootstrap.yaml | 4 +-
nova/templates/job-cell-setup.yaml | 4 +-
nova/templates/job-ks-endpoints.yaml | 2 +-
.../templates/job-ks-placement-endpoints.yaml | 2 +-
nova/templates/job-ks-placement-service.yaml | 2 +-
nova/templates/job-ks-placement-user.yaml | 2 +-
nova/templates/job-ks-service.yaml | 2 +-
nova/templates/job-ks-user.yaml | 2 +-
nova/templates/pod-rally-test.yaml | 6 +-
placement/templates/certificates.yaml | 17 -----
placement/templates/deployment.yaml | 4 +-
placement/templates/ingress.yaml | 4 --
placement/templates/job-db-migrate.yaml | 4 +-
placement/templates/job-ks-endpoints.yaml | 2 +-
placement/templates/job-ks-service.yaml | 2 +-
placement/templates/job-ks-user.yaml | 2 +-
93 files changed, 130 insertions(+), 717 deletions(-)
delete mode 100644 cinder/templates/certificates.yaml
delete mode 100644 glance/templates/certificates.yaml
delete mode 100644 heat/templates/certificates.yaml
delete mode 100644 horizon/templates/certificates.yaml
delete mode 100644 keystone/templates/certificates.yaml
delete mode 100644 neutron/templates/certificates.yaml
delete mode 100644 nova/templates/certificates.yaml
delete mode 100644 placement/templates/certificates.yaml
diff --git a/cinder/templates/bin/_cinder-api.sh.tpl b/cinder/templates/bin/_cinder-api.sh.tpl
index 3b64745c..b883d007 100644
--- a/cinder/templates/bin/_cinder-api.sh.tpl
+++ b/cinder/templates/bin/_cinder-api.sh.tpl
@@ -18,52 +18,12 @@ set -ex
COMMAND="${@:-start}"
function start () {
-{{- if .Values.manifests.certificates }}
- for WSGI_SCRIPT in cinder-wsgi; do
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
- done
-
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
-
-{{- if .Values.conf.software.apache2.a2enmod }}
- {{- range .Values.conf.software.apache2.a2enmod }}
- a2enmod {{ . }}
- {{- end }}
-{{- end }}
-
-{{- if .Values.conf.software.apache2.a2dismod }}
- {{- range .Values.conf.software.apache2.a2dismod }}
- a2dismod {{ . }}
- {{- end }}
-{{- end }}
-
- if [ -f /var/run/apache2/apache2.pid ]; then
- # Remove the stale pid for debian/ubuntu images
- rm -f /var/run/apache2/apache2.pid
- fi
- # Starts Apache2
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-{{- else }}
exec cinder-api \
--config-file /etc/cinder/cinder.conf
-{{- end }}
}
function stop () {
-{{- if .Values.manifests.certificates }}
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-{{- else }}
kill -TERM 1
-{{- end }}
}
$COMMAND
diff --git a/cinder/templates/certificates.yaml b/cinder/templates/certificates.yaml
deleted file mode 100644
index 7ccf6ca1..00000000
--- a/cinder/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
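Review bot: Deleting this template removes the chart's request for the internal "volumev3" certificate, yet `.Values.manifests.certificates` still gates TLS volume mounts and `tlsSecret` settings in the deployment and job templates changed later in this patch. Those now reference `.Values.secrets.tls.volume.api.public`, so when the flag is true the pods and jobs depend on a secret that this chart no longer issues. Please state in the commit message or in values where that secret is expected to come from, or make the mounts conditional on it being defined.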
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
index ee84bbda..239d729c 100644
--- a/cinder/templates/configmap-etc.yaml
+++ b/cinder/templates/configmap-etc.yaml
@@ -146,10 +146,6 @@ data:
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
-{{- if .Values.manifests.certificates }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
-{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
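Review bot: With these two renderers removed, `.Values.conf.mpm_event` and `.Values.conf.wsgi_cinder` are no longer read here, and the diffstat lists no change to cinder/values.yaml. If those keys (and `conf.software.apache2`, which the removed branch of _cinder-api.sh.tpl used) are still defined there, they become dead configuration that an operator can edit with no effect; remove them in the same patch or note that they are now ignored.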
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
index db4dd8d9..300226b5 100644
--- a/cinder/templates/deployment-api.yaml
+++ b/cinder/templates/deployment-api.yaml
@@ -77,6 +77,10 @@ spec:
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
command:
- /tmp/cinder-api.sh
- start
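Review bot: The added `env:` block puts the Keystone admin OpenRC variables (`ksUserSecret` set to `.Values.secrets.identity.admin`) into the long-running cinder_api container, which is not part of removing TLS and is not explained in the commit message. An API service normally authenticates with its own service user, so handing the admin credentials to every cinder-api pod widens what a compromise of that container exposes. Drop the block, or say why the API container needs it and point it at a less privileged secret.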
@@ -103,8 +107,6 @@ spec:
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- - name: wsgi-cinder
- mountPath: /var/www/cgi-bin/cinder
- name: cinder-bin
mountPath: /tmp/cinder-api.sh
subPath: cinder-api.sh
@@ -135,35 +137,17 @@ spec:
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
subPath: resource_filters.json
readOnly: true
-{{- if .Values.conf.security }}
- - name: cinder-etc
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
- subPath: security.conf
- readOnly: true
-{{- end }}
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: cinder-coordination
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{- end }}
- {{- if .Values.manifests.certificates }}
- - name: cinder-etc
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
- subPath: wsgi-cinder.conf
- readOnly: true
- - name: cinder-etc
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
- subPath: mpm_event.conf
- readOnly: true
- {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- - name: wsgi-cinder
- emptyDir: {}
- name: cinder-bin
configMap:
name: cinder-bin
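Review bot: The replacement `tls_volume_mount` line both switches to `.Values.secrets.tls.volume.api.public` and drops `"path" "/etc/cinder/certs"`, so the mount location now falls back to whatever the helm-toolkit snippet does without a path; any setting that still points at /etc/cinder/certs would break when `manifests.certificates` is true. The `oslo_db` and `oslo_messaging` mounts on the neighbouring lines keep their internal secrets although the commit message says MariaDB and RabbitMQ TLS are disabled as well; say whether that is handled by the other patch or should be removed here. The `security.conf` mount was gated on `.Values.conf.security`, not on certificates, so its removal also deserves a line in the commit message.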
@@ -179,7 +163,7 @@ spec:
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
index cf69dd1e..8108b3e2 100644
--- a/cinder/templates/deployment-scheduler.yaml
+++ b/cinder/templates/deployment-scheduler.yaml
@@ -107,7 +107,7 @@ spec:
- name: cinder-coordination
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
@@ -128,7 +128,7 @@ spec:
- name: cinder-coordination
emptyDir: {}
{{- end }}
- {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
index 2e5f0f4a..6a10f764 100755
--- a/cinder/templates/deployment-volume.yaml
+++ b/cinder/templates/deployment-volume.yaml
@@ -131,7 +131,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -269,7 +269,7 @@ spec:
mountPropagation: HostToContainer
{{- end }}
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
@@ -333,7 +333,7 @@ spec:
path: /sys
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/cinder/templates/ingress-api.yaml b/cinder/templates/ingress-api.yaml
index 4586d3a1..a514adfd 100644
--- a/cinder/templates/ingress-api.yaml
+++ b/cinder/templates/ingress-api.yaml
@@ -13,11 +13,6 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
-{{- $envAll := . -}}
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
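Review bot: Removing the `certIssuer` assignment means this chart no longer requests a certificate for the cinder ingress, so HTTPS on the public endpoint depends entirely on the platform ingress carrying its own certificate. Since the rationale is that TLS terminates at the reverse proxy, add a comment here or in values saying where that certificate is provisioned: after this change the hop from the ingress to cinder-api is plain HTTP and the ingress is the only TLS boundary.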
diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml
index be387e3b..571b50bd 100644
--- a/cinder/templates/job-bootstrap.yaml
+++ b/cinder/templates/job-bootstrap.yaml
@@ -15,7 +15,7 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
{{- end -}}
{{- if .Values.pod.tolerations.cinder.enabled -}}
{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml
index 0e95c72f..d80ae445 100644
--- a/cinder/templates/job-create-internal-tenant.yaml
+++ b/cinder/templates/job-create-internal-tenant.yaml
@@ -68,7 +68,7 @@ spec:
mountPath: /tmp/create-internal-tenant.sh
subPath: create-internal-tenant.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -97,5 +97,5 @@ spec:
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}
diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml
index 8509edce..e2a8eff2 100644
--- a/cinder/templates/job-ks-endpoints.yaml
+++ b/cinder/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml
index ab416e8c..ca3e808d 100644
--- a/cinder/templates/job-ks-service.yaml
+++ b/cinder/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml
index f72e36cc..72e87cba 100644
--- a/cinder/templates/job-ks-user.yaml
+++ b/cinder/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml
index 3ed52cde..14b83620 100644
--- a/cinder/templates/pod-rally-test.yaml
+++ b/cinder/templates/pod-rally-test.yaml
@@ -53,7 +53,7 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -93,7 +93,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -108,6 +108,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/glance/templates/certificates.yaml b/glance/templates/certificates.yaml
deleted file mode 100644
index 55f3751b..00000000
--- a/glance/templates/certificates.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{ dict "envAll" . "service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 18d45c2c..80b398c6 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -95,46 +95,6 @@ spec:
readOnly: true
{{ end }}
containers:
- {{- if $envAll.Values.manifests.certificates }}
- - name: nginx
-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- ports:
- - name: g-api
- containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- env:
- - name: PORT
- value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- - name: POD_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SHORTNAME
- value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
- readinessProbe:
- tcpSocket:
- port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- command:
- - /tmp/nginx.sh
- - start
- lifecycle:
- preStop:
- exec:
- command:
- - /tmp/nginx.sh
- - stop
- volumeMounts:
- - name: glance-bin
- mountPath: /tmp/nginx.sh
- subPath: nginx.sh
- readOnly: true
- - name: glance-etc
- mountPath: /etc/nginx/nginx.conf
- subPath: nginx.conf
- readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
- {{- end }}
- name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
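Review bot: The nginx sidecar is removed from the pod spec, but the diffstat lists no change to the glance configmap or bin templates, so `nginx.sh` and `nginx.conf` (mounted from glance-bin and glance-etc in the removed lines) may still be rendered with nothing consuming them, together with `pod.resources.nginx` and the nginx image value. Remove those leftovers or note that they are kept on purpose to ease rebasing on upstream.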
@@ -148,21 +108,6 @@ spec:
command:
- /tmp/glance-api.sh
- stop
- {{- if $envAll.Values.manifests.certificates }}
- readinessProbe:
- exec:
- command:
- - python
- - -c
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
- livenessProbe:
- exec:
- command:
- - python
- - -c
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
- initialDelaySeconds: 30
- {{- else }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
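Review bot: The removed exec probes queried `http://127.0.0.1:<port>`, which suggests glance-api listened on loopback behind nginx when certificates were enabled. The remaining `tcpSocket` probes and the `g-api` containerPort are reached through the pod IP, so confirm that no remaining value or override binds glance-api to 127.0.0.1 when `manifests.certificates` is true, otherwise readiness will never pass.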
@@ -172,7 +117,6 @@ spec:
livenessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- {{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@@ -229,7 +173,7 @@ spec:
readOnly: true
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -265,7 +209,7 @@ spec:
secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 2cbeac14..f88d4784 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -111,7 +111,7 @@ spec:
mountPath: /etc/glance/policy.yaml
subPath: policy.yaml
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -127,7 +127,7 @@ spec:
secret:
secretName: glance-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/glance/templates/ingress-api.yaml b/glance/templates/ingress-api.yaml
index 939855e0..497d96ad 100644
--- a/glance/templates/ingress-api.yaml
+++ b/glance/templates/ingress-api.yaml
@@ -13,11 +13,6 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
-{{- $envAll := . }}
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/glance/templates/ingress-registry.yaml b/glance/templates/ingress-registry.yaml
index b9bbaa36..01e39e99 100644
--- a/glance/templates/ingress-registry.yaml
+++ b/glance/templates/ingress-registry.yaml
@@ -15,7 +15,7 @@ limitations under the License.
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
-{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}}
+{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.public -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
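Review bot: This ingress keeps the `certIssuer` block and only re-points `$secretName` at `image_registry.api.public`, whereas `ingress-api.yaml` in the same chart deletes the block outright. With `manifests.certificates` set to true the two glance ingresses will be rendered differently. Either remove the block here as well or note why the registry ingress still needs an issuer.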
diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
index 461c52af..0c334d07 100644
--- a/glance/templates/job-bootstrap.yaml
+++ b/glance/templates/job-bootstrap.yaml
@@ -31,7 +31,7 @@ volumes:
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml
index 992ee37f..14355331 100644
--- a/glance/templates/job-ks-endpoints.yaml
+++ b/glance/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml
index 21bb1302..f36ceec9 100644
--- a/glance/templates/job-ks-service.yaml
+++ b/glance/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml
index 226be718..bf09fda4 100644
--- a/glance/templates/job-ks-user.yaml
+++ b/glance/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
index f6ac0a10..133e12be 100644
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@@ -168,7 +168,7 @@ spec:
- name: glance-images
mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
{{ end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
emptyDir: {}
@@ -194,5 +194,5 @@ spec:
persistentVolumeClaim:
claimName: glance-images
{{ end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml
index 938c040d..7d1021ac 100644
--- a/glance/templates/pod-rally-test.yaml
+++ b/glance/templates/pod-rally-test.yaml
@@ -54,7 +54,7 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
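Review bot: Style point on the changed line: `"enabled"` is read from `.Values` while `"name"` is read from `$envAll.Values` in the same `dict`. Since the line is being touched anyway, use one form for both, as the second mount in this file does.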
@@ -97,7 +97,7 @@ spec:
mountPath: /var/lib/rally
- name: rally-work
mountPath: /home/rally/.rally
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -114,6 +114,6 @@ spec:
emptyDir: {}
- name: rally-work
emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/heat/templates/bin/_heat-api.sh.tpl b/heat/templates/bin/_heat-api.sh.tpl
index b756d59e..e737562c 100644
--- a/heat/templates/bin/_heat-api.sh.tpl
+++ b/heat/templates/bin/_heat-api.sh.tpl
@@ -19,47 +19,12 @@ COMMAND="${@:-start}"
function start () {
-{{- if .Values.manifests.certificates }}
- for WSGI_SCRIPT in heat-wsgi-api; do
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
- done
-
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
-
-{{- if .Values.conf.software.apache2.a2enmod }}
- {{- range .Values.conf.software.apache2.a2enmod }}
- a2enmod {{ . }}
- {{- end }}
-{{- end }}
-
-{{- if .Values.conf.software.apache2.a2dismod }}
- {{- range .Values.conf.software.apache2.a2dismod }}
- a2dismod {{ . }}
- {{- end }}
-{{- end }}
-
- if [ -f /var/run/apache2/apache2.pid ]; then
- # Remove the stale pid for debian/ubuntu images
- rm -f /var/run/apache2/apache2.pid
- fi
- # Starts Apache2
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-{{- else }}
exec heat-api \
--config-file /etc/heat/heat.conf
-{{- end }}
}
function stop () {
-{{- if .Values.manifests.certificates }}
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-{{- else }}
kill -TERM 1
-{{- end }}
}
$COMMAND
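Review bot: `start()` no longer branches on `manifests.certificates`, so heat-api always runs as the standalone `exec heat-api` process, while the same flag still gates certificate mounts in the deployment templates of this patch. The flag's meaning has changed from "serve TLS at the service" to "mount certificate material"; add a comment here or in values.yaml stating that TLS is terminated at the ingress and that traffic from the ingress to this pod is plain HTTP, so operators know the pod network has to be trusted.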
diff --git a/heat/templates/bin/_heat-cfn.sh.tpl b/heat/templates/bin/_heat-cfn.sh.tpl
index 757b59af..97f82798 100644
--- a/heat/templates/bin/_heat-cfn.sh.tpl
+++ b/heat/templates/bin/_heat-cfn.sh.tpl
@@ -18,49 +18,12 @@ set -ex
COMMAND="${@:-start}"
function start () {
-{{- if .Values.manifests.certificates }}
- for WSGI_SCRIPT in heat-wsgi-api-cfn; do
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
- done
-
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
-
-
-{{- if .Values.conf.software.apache2.a2enmod }}
- {{- range .Values.conf.software.apache2.a2enmod }}
- a2enmod {{ . }}
- {{- end }}
-{{- end }}
-
-{{- if .Values.conf.software.apache2.a2dismod }}
- {{- range .Values.conf.software.apache2.a2dismod }}
- a2dismod {{ . }}
- {{- end }}
-{{- end }}
-
-
- if [ -f /var/run/apache2/apache2.pid ]; then
- # Remove the stale pid for debian/ubuntu images
- rm -f /var/run/apache2/apache2.pid
- fi
- # Starts Apache2
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-{{- else }}
exec heat-api-cfn \
--config-file /etc/heat/heat.conf
-{{- end }}
}
function stop () {
-{{- if .Values.manifests.certificates }}
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-{{- else }}
kill -TERM 1
-{{- end }}
}
$COMMAND
diff --git a/heat/templates/certificates.yaml b/heat/templates/certificates.yaml
deleted file mode 100644
index 353dfd69..00000000
--- a/heat/templates/certificates.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
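Review bot: Deleting this template removes the request for the `orchestration` and `cloudformation` certificates, yet the deployments and jobs later in this patch still mount `secrets.tls.orchestration.api.public` and `secrets.tls.cloudformation.cfn.public` whenever `manifests.certificates` is true. Document which component now creates those secrets; a pod whose volume references a missing secret will not start.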
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
index d3cebb0a..8f83a631 100644
--- a/heat/templates/deployment-api.yaml
+++ b/heat/templates/deployment-api.yaml
@@ -114,17 +114,7 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- {{- if .Values.manifests.certificates }}
- - name: heat-etc
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
- subPath: wsgi-heat.conf
- readOnly: true
- - name: heat-etc
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
- subPath: mpm_event.conf
- readOnly: true
- {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes:
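Review bot: The removed block is the consumer of the `wsgi-heat.conf` and `mpm_event.conf` keys of `heat-etc`. If the secret template still renders those keys, and `conf.software.apache2` is still present in values.yaml, they are dead configuration after this patch; remove them in the same change or leave a comment so they are not mistaken for active settings.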
@@ -142,7 +132,7 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
index dc05f6f5..3b62539a 100644
--- a/heat/templates/deployment-cfn.yaml
+++ b/heat/templates/deployment-cfn.yaml
@@ -114,17 +114,7 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- {{- if .Values.manifests.certificates }}
- - name: heat-etc
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
- subPath: wsgi-cnf.conf
- readOnly: true
- - name: heat-etc
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
- subPath: mpm_event.conf
- readOnly: true
- {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -141,6 +131,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
index da9c905f..e9d5873c 100644
--- a/heat/templates/deployment-engine.yaml
+++ b/heat/templates/deployment-engine.yaml
@@ -103,7 +103,7 @@ spec:
subPath: policy.yaml
readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
volumes:
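Review bot: heat-engine is an RPC worker rather than an API server, yet it keeps a mount for the `orchestration.api` certificate, now taken from the `public` secret and without a path. Check whether the engine reads anything from this mount; if not, remove the line here and the matching volume in the next hunk instead of renaming them. The `oslo_db` mount above it still targets `/etc/mysql/certs` even though the commit message says MariaDB TLS is disabled.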
@@ -120,7 +120,7 @@ spec:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/heat/templates/ingress-api.yaml b/heat/templates/ingress-api.yaml
index 8d5c9a03..47a3bbaf 100644
--- a/heat/templates/ingress-api.yaml
+++ b/heat/templates/ingress-api.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/heat/templates/ingress-cfn.yaml b/heat/templates/ingress-cfn.yaml
index d9653384..8bcb7884 100644
--- a/heat/templates/ingress-cfn.yaml
+++ b/heat/templates/ingress-cfn.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
-{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml
index ee321545..cd0a77eb 100644
--- a/heat/templates/job-bootstrap.yaml
+++ b/heat/templates/job-bootstrap.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5"
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml
index 9c7daeee..09aa9862 100644
--- a/heat/templates/job-ks-endpoints.yaml
+++ b/heat/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml
index 6505cefe..96107695 100644
--- a/heat/templates/job-ks-service.yaml
+++ b/heat/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml
index 89b73dd9..1eabf4cf 100644
--- a/heat/templates/job-ks-user-domain.yaml
+++ b/heat/templates/job-ks-user-domain.yaml
@@ -64,7 +64,7 @@ spec:
mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -100,5 +100,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml
index 934c6021..984951d2 100644
--- a/heat/templates/job-ks-user-trustee.yaml
+++ b/heat/templates/job-ks-user-trustee.yaml
@@ -19,7 +19,7 @@ helm.sh/hook: post-install,post-upgrade
{{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml
index db39a556..a7cd5747 100644
--- a/heat/templates/job-ks-user.yaml
+++ b/heat/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml
index e713d278..16a87950 100644
--- a/heat/templates/job-trusts.yaml
+++ b/heat/templates/job-trusts.yaml
@@ -68,7 +68,7 @@ spec:
mountPath: /tmp/trusts.sh
subPath: trusts.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
@@ -87,5 +87,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml
index 3b7d95da..ebf4b12d 100644
--- a/heat/templates/pod-rally-test.yaml
+++ b/heat/templates/pod-rally-test.yaml
@@ -52,7 +52,7 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -98,7 +98,7 @@ spec:
subPath: {{ printf "test_template_%d" $key }}
readOnly: true
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -113,6 +113,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/horizon/templates/certificates.yaml b/horizon/templates/certificates.yaml
deleted file mode 100644
index 8dbb884a..00000000
--- a/horizon/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 3bb0a3a8..0e646b9e 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -132,7 +132,7 @@ spec:
subPath: {{ base $policyFile }}
readOnly: true
{{- end }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -151,6 +151,6 @@ spec:
secretName: horizon-etc
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/horizon/templates/ingress-api.yaml b/horizon/templates/ingress-api.yaml
index 252ac523..22f13814 100644
--- a/horizon/templates/ingress-api.yaml
+++ b/horizon/templates/ingress-api.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
-{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
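Review bot: With the certIssuer block removed, $ingressOpts never carries an issuer, so this template no longer requests a certificate for the dashboard ingress even when manifests.certificates is set. The commit message moves TLS termination to the ingress, so the chart should state where that ingress certificate is now provisioned. Also check that endpoints.dashboard.host_fqdn_override.default.tls.issuerRef is not left in values as a setting that no template reads.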
diff --git a/horizon/templates/pod-helm-tests.yaml b/horizon/templates/pod-helm-tests.yaml
index dbcb9a3c..bb7abc89 100644
--- a/horizon/templates/pod-helm-tests.yaml
+++ b/horizon/templates/pod-helm-tests.yaml
@@ -62,7 +62,7 @@ spec:
mountPath: /tmp/selenium-test.py
subPath: selenium-test.py
readOnly: true
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -71,6 +71,6 @@ spec:
configMap:
name: horizon-bin
defaultMode: 0555
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl
index f6216df1..85740a05 100644
--- a/keystone/templates/bin/_keystone-api.sh.tpl
+++ b/keystone/templates/bin/_keystone-api.sh.tpl
@@ -49,10 +49,6 @@ function start () {
}
function stop () {
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
}
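Review bot: Removing the guarded source of /etc/apache2/envvars from stop() is unrelated to TLS, and stop() still runs the Apache binary with -k graceful-stop. The `if [ -f /etc/apache2/envvars ]` guard already makes the block a no-op on images that lack the file, so deleting it only affects images that do ship it, where graceful-stop would now run without the Apache environment loaded. Keep the block, or justify the removal in the commit message.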
diff --git a/keystone/templates/certificates.yaml b/keystone/templates/certificates.yaml
deleted file mode 100644
index f8a73c4b..00000000
--- a/keystone/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
-{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index 94e705b8..ed2c3d54 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -153,8 +153,8 @@ spec:
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
-{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
@@ -195,8 +195,8 @@ spec:
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
-{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
{{- if and $envAll.Values.manifests.certificates $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
diff --git a/keystone/templates/ingress-api.yaml b/keystone/templates/ingress-api.yaml
index 525c2121..b7b0e238 100644
--- a/keystone/templates/ingress-api.yaml
+++ b/keystone/templates/ingress-api.yaml
@@ -13,12 +13,7 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
-{{- $envAll := . }}
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
-{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.admin }}
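Review bot: This hunk deletes `{{- $envAll := . }}` from the public ingress block, unlike the Horizon and Neutron ingress templates in this patch, which keep it. The last context line opens a second block for network.api.ingress.admin; if that block (or anything else later in the file) still references $envAll, rendering will fail with an undefined variable. Either keep the assignment or confirm that every remaining use in the file was switched to `.`.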
diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml
index 04833279..3e3ff2aa 100644
--- a/keystone/templates/job-bootstrap.yaml
+++ b/keystone/templates/job-bootstrap.yaml
@@ -19,8 +19,8 @@ helm.sh/hook-weight: "5"
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.public -}}
{{- end -}}
{{- if .Values.pod.tolerations.keystone.enabled -}}
{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml
index 8acd192e..679a009c 100644
--- a/keystone/templates/job-domain-manage.yaml
+++ b/keystone/templates/job-domain-manage.yaml
@@ -56,7 +56,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
command:
@@ -68,18 +68,12 @@ spec:
mountPath: /tmp/domain-manage-init.sh
subPath: domain-manage-init.sh
readOnly: true
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
containers:
- name: keystone-domain-manage
{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
-{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
-{{- end }}
command:
- /tmp/domain-manage.sh
volumeMounts:
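Review bot: In the keystone-domain-manage container the whole `with $env ... keystone_openrc_env_vars ... end` block is removed, not just the useCA argument, so `env:` is left with nothing under it and the container loses its Keystone admin credentials. The init container in the previous hunk keeps the block and only drops useCA: `{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}`. The same three-line replacement is needed here, otherwise domain-manage.sh runs without the openrc variables.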
@@ -119,9 +113,6 @@ spec:
{{- end }}
- name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- end }}
{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -146,8 +137,5 @@ spec:
- name: keystone-credential-keys
secret:
secretName: keystone-credential-keys
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- end }}
{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
{{- end }}
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
index c3730cc3..8474b639 100644
--- a/keystone/templates/pod-rally-test.yaml
+++ b/keystone/templates/pod-rally-test.yaml
@@ -52,11 +52,11 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{- end }}
env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
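Review bot: useCA is still passed to keystone_openrc_env_vars here, now keyed on the public secret, while job-domain-manage.yaml in this same patch drops useCA and the TLS mounts altogether. The two templates now disagree on whether a Keystone client inside the cluster needs a CA bundle. If the rally pod talks to the plain-HTTP backend, remove useCA and the mount; if it goes through the HTTPS ingress, add a comment saying so, so that the difference is deliberate and visible.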
@@ -72,7 +72,7 @@ spec:
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
{{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}}
env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@@ -97,8 +97,8 @@ spec:
mountPath: /var/lib/rally
- name: rally-work
mountPath: /home/rally/.rally
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{- end }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
@@ -116,8 +116,8 @@ spec:
emptyDir: {}
- name: rally-work
emptyDir: {}
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{- end }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/neutron/templates/certificates.yaml b/neutron/templates/certificates.yaml
deleted file mode 100644
index f65396d0..00000000
--- a/neutron/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
index edfa0a10..8474ff38 100644
--- a/neutron/templates/daemonset-metadata-agent.yaml
+++ b/neutron/templates/daemonset-metadata-agent.yaml
@@ -192,7 +192,7 @@ spec:
mountPath: /run/netns
mountPropagation: Bidirectional
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -216,7 +216,7 @@ spec:
hostPath:
path: /run/netns
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
index 94c4e1a2..3a8b6e8b 100644
--- a/neutron/templates/deployment-server.yaml
+++ b/neutron/templates/deployment-server.yaml
@@ -13,31 +13,13 @@ limitations under the License.
*/}}
{{- define "serverReadinessProbeTemplate" }}
-{{- if .Values.manifests.certificates }}
-exec:
- command:
- - python
- - -c
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
-initialDelaySeconds: 30
-{{- else }}
tcpSocket:
port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
-{{- end }}
{{- define "serverLivenessProbeTemplate" }}
-{{- if .Values.manifests.certificates }}
-exec:
- command:
- - python
- - -c
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
-initialDelaySeconds: 30
-{{- else }}
tcpSocket:
port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
-{{- end }}
{{- if .Values.manifests.deployment_server }}
{{- $envAll := . }}
@@ -102,48 +84,6 @@ spec:
mountPath: /opt/plugin
{{- end }}
containers:
- {{- if $envAll.Values.manifests.certificates }}
- - name: nginx
-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-{{ dict "envAll" $envAll "application" "neutron_server" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
- ports:
- - name: q-api
- containerPort: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- env:
- - name: PORT
- value: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- - name: POD_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SHORTNAME
- value: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
- readinessProbe:
- tcpSocket:
- port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- command:
- - /tmp/nginx.sh
- - start
- lifecycle:
- preStop:
- exec:
- command:
- - /tmp/nginx.sh
- - stop
- volumeMounts:
- - name: pod-tmp
- mountPath: /tmp
- - name: neutron-bin
- mountPath: /tmp/nginx.sh
- subPath: nginx.sh
- readOnly: true
- - name: neutron-etc
- mountPath: /etc/nginx/nginx.conf
- subPath: nginx.conf
- readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
- {{- end }}
- name: neutron-server
{{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
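Review bot: The removed nginx sidecar was the container that held the server certificate (mounted at /etc/nginx/certs) and exposed the q-api port, so after this hunk neutron-server answers API requests itself with no TLS layer in the pod. Traffic between the ingress and this pod, including Keystone tokens, is therefore cleartext on the cluster network, and that trade-off deserves a line in the chart documentation. Also check that nginx.sh in neutron-bin, nginx.conf in neutron-etc, pod.resources.nginx and the nginx image entry are removed along with the container, so that no unused TLS configuration is left behind.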
@@ -241,16 +181,12 @@ spec:
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- {{- if .Values.manifests.certificates }}
- - name: wsgi-neutron
- emptyDir: {}
- {{- end }}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin
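Review bot: The neutron-server container keeps a TLS mount for secrets.tls.network.server.public under manifests.certificates, although the nginx sidecar that terminated TLS is deleted earlier in this file and the "path" "/etc/neutron/certs" argument is dropped. State what in neutron-server still reads this certificate, or remove the mount together with the matching tls_volume in the next hunk. Mounting a private key into a container that does not use it widens its exposure for no benefit.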
@@ -266,7 +202,7 @@ spec:
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/neutron/templates/ingress-server.yaml b/neutron/templates/ingress-server.yaml
index 6e6eb735..43526fa8 100644
--- a/neutron/templates/ingress-server.yaml
+++ b/neutron/templates/ingress-server.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml
index 3a3faba0..a385fa22 100644
--- a/neutron/templates/job-bootstrap.yaml
+++ b/neutron/templates/job-bootstrap.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5"
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
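Review bot: The guard around tlsSecret is only `{{- if .Values.manifests.certificates -}}`, so with certificates enabled the job is handed secrets.tls.network.server.public whether or not that value is set. Keystone's job-bootstrap.yaml in this patch guards on both: `{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public -}}`. Use the same `and` form here and in the job-ks-endpoints, job-ks-service and job-ks-user templates that follow, so an override that clears the secret name does not yield a job referencing an empty secret.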
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml
index 39b9387f..47c5bcad 100644
--- a/neutron/templates/job-ks-endpoints.yaml
+++ b/neutron/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml
index 84fb56d4..9d05ed13 100644
--- a/neutron/templates/job-ks-service.yaml
+++ b/neutron/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
index 80a19bc9..c4ea8957 100644
--- a/neutron/templates/job-ks-user.yaml
+++ b/neutron/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml
index cd6899c2..e288c870 100644
--- a/neutron/templates/pod-rally-test.yaml
+++ b/neutron/templates/pod-rally-test.yaml
@@ -53,7 +53,7 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -98,7 +98,7 @@ spec:
readOnly: true
- name: pod-tmp
mountPath: /tmp/pod-tmp
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ end }}
containers:
- name: neutron-test
@@ -128,7 +128,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -143,6 +143,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 80834331..29917a59 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -2226,6 +2226,7 @@ secrets:
compute_metadata:
metadata:
internal: metadata-tls-metadata
+ public: neutron-tls-public
network:
server:
public: neutron-tls-public
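Review bot: The new compute_metadata.metadata.public entry reuses the name neutron-tls-public, which is also the value of network.server.public two lines below, while the internal entry for the same service has its own name (metadata-tls-metadata). If sharing one secret between the metadata agent and the Neutron API is intended, add a comment saying so. Otherwise give the metadata endpoint its own secret, so that a pod that only needs the metadata certificate is not also given the Neutron API key pair.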
diff --git a/nova/templates/bin/_nova-api-metadata.sh.tpl b/nova/templates/bin/_nova-api-metadata.sh.tpl
index 18195f26..246a11c6 100644
--- a/nova/templates/bin/_nova-api-metadata.sh.tpl
+++ b/nova/templates/bin/_nova-api-metadata.sh.tpl
@@ -18,51 +18,13 @@ set -ex
COMMAND="${@:-start}"
function start () {
-{{- if .Values.manifests.certificates }}
- for WSGI_SCRIPT in nova-metadata-wsgi; do
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
- done
-
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
-
-{{- if .Values.conf.software.apache2.a2enmod }}
- {{- range .Values.conf.software.apache2.a2enmod }}
- a2enmod {{ . }}
- {{- end }}
-{{- end }}
-
-{{- if .Values.conf.software.apache2.a2dismod }}
- {{- range .Values.conf.software.apache2.a2dismod }}
- a2dismod {{ . }}
- {{- end }}
-{{- end }}
-
- if [ -f /var/run/apache2/apache2.pid ]; then
- # Remove the stale pid for debian/ubuntu images
- rm -f /var/run/apache2/apache2.pid
- fi
- # Starts Apache2
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-{{- else }}
exec nova-api-metadata \
--config-file /etc/nova/nova.conf \
--config-file /tmp/pod-shared/nova-api-metadata.ini
-{{- end }}
}
function stop () {
-{{- if .Values.manifests.certificates }}
- if [ -f /etc/apache2/envvars ]; then
- source /etc/apache2/envvars
- fi
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-{{- else }}
kill -TERM 1
-{{- end }}
}
$COMMAND
diff --git a/nova/templates/bin/_nova-api.sh.tpl b/nova/templates/bin/_nova-api.sh.tpl
index c62de9a6..95fcb130 100644
--- a/nova/templates/bin/_nova-api.sh.tpl
+++ b/nova/templates/bin/_nova-api.sh.tpl
@@ -18,51 +18,12 @@ set -ex
COMMAND="${@:-start}"
function start () {
-{{- if .Values.manifests.certificates }}
- for WSGI_SCRIPT in nova-api-wsgi; do
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
- done
-
- if [ -f /etc/apache2/envvars ]; then
- # Loading Apache2 ENV variables
- source /etc/apache2/envvars
- mkdir -p ${APACHE_RUN_DIR}
- fi
-
-{{- if .Values.conf.software.apache2.a2enmod }}
- {{- range .Values.conf.software.apache2.a2enmod }}
- a2enmod {{ . }}
- {{- end }}
-{{- end }}
-
-{{- if .Values.conf.software.apache2.a2dismod }}
- {{- range .Values.conf.software.apache2.a2dismod }}
- a2dismod {{ . }}
- {{- end }}
-{{- end }}
-
-
- if [ -f /var/run/apache2/apache2.pid ]; then
- # Remove the stale pid for debian/ubuntu images
- rm -f /var/run/apache2/apache2.pid
- fi
- # Starts Apache2
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
-{{- else }}
exec nova-api-os-compute \
--config-file /etc/nova/nova.conf
-{{- end }}
}
function stop () {
-{{- if .Values.manifests.certificates }}
- if [ -f /etc/apache2/envvars ]; then
- source /etc/apache2/envvars
- fi
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
-{{- else }}
kill -TERM 1
-{{- end }}
}
$COMMAND
diff --git a/nova/templates/certificates.yaml b/nova/templates/certificates.yaml
deleted file mode 100644
index 3bf6c8db..00000000
--- a/nova/templates/certificates.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- if .Values.manifests.deployment_novncproxy }}
-{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end }}
-{{- if .Values.manifests.deployment_placement }}
-{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end }}
-{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- if .Values.manifests.deployment_spiceproxy }}
-{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end }}
-{{- end -}}
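Review bot: deleting this file removes the only place in the nova chart that asks helm-toolkit to create certificates, while the templates changed later in the patch still mount `.Values.secrets.tls.compute.osapi.public` and its siblings whenever `manifests.certificates` is true. Nothing visible in this patch creates those public secrets, so please state in the commit message or values.yaml which component is expected to provide them before the chart is applied, and what happens to the pods if the secret is absent.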
diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml
index 9f745ace..e64251d1 100644
--- a/nova/templates/cron-job-service-cleaner.yaml
+++ b/nova/templates/cron-job-service-cleaner.yaml
@@ -72,7 +72,7 @@ spec:
readOnly: true
- name: etcnova
mountPath: /etc/nova
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
volumes:
- name: pod-tmp
emptyDir: {}
@@ -86,5 +86,5 @@ spec:
configMap:
name: nova-bin
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 6b162481..7cb3c2cd 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -278,7 +278,7 @@ spec:
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
- value: "/etc/nova/certs/ca.crt"
+ value: "/etc/ssl/certs/openstack-helm.crt"
{{- end }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
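Review bot: the new `REQUESTS_CA_BUNDLE` value `/etc/ssl/certs/openstack-helm.crt` is hard-coded here but only exists if the tls_volume_mount call in the @@ -435 hunk, which now omits "path", happens to mount the CA at exactly that location. That default is not visible in this patch; please confirm it, and consider deriving both from one value, because a bundle path that does not exist makes HTTPS calls through requests fail instead of falling back to the system trust store.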
@@ -435,7 +435,7 @@ spec:
subPath: tf-plugin.pth
readOnly: true
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.ssh.enabled }}
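Review bot: the unchanged line right below the edit still mounts the oslo_messaging internal TLS secret at `/etc/rabbitmq/certs`, although the commit message says RabbitMQ TLS is being disabled as well. If that secret is no longer created, this mount is either dead or a pod start-up dependency on a secret that does not exist; please either drop it in this patch or say where it is handled.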
@@ -450,7 +450,7 @@ spec:
value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
- value: "/etc/nova/certs/ca.crt"
+ value: "/etc/ssl/certs/openstack-helm.crt"
{{- end }}
ports:
- containerPort: {{ .Values.network.ssh.port }}
@@ -464,7 +464,7 @@ spec:
mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{ end }}
volumes:
@@ -550,7 +550,7 @@ spec:
- name: tf-plugin-bin
emptyDir: {}
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 44d3a492..8b131241 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -169,20 +169,8 @@ spec:
- name: pod-shared
mountPath: /tmp/pod-shared
readOnly: true
- {{- if .Values.manifests.certificates }}
- - name: wsgi-nova
- mountPath: /var/www/cgi-bin/nova
- - name: nova-etc
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
- subPath: wsgi-metadata.conf
- readOnly: true
- - name: nova-etc
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
- subPath: mpm_event.conf
- readOnly: true
- {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
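Review bot: the `wsgi-nova` volumeMount is removed here, but the hunk offsets (-169,20 +169,8 followed by -202 +190) show that nothing between `volumes:` and the next hunk was touched, so if a `wsgi-nova` volume was declared there it is now an orphan. Please check the volumes section and remove the declaration together with the mount; the same applies to deployment-api-osapi.yaml, which has the same offset pattern.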
@@ -202,6 +190,6 @@ spec:
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 29c80ba9..64122cf7 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -117,20 +117,8 @@ spec:
mountPath: /etc/nova/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
- {{- if .Values.manifests.certificates }}
- - name: wsgi-nova
- mountPath: /var/www/cgi-bin/nova
- - name: nova-etc
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
- subPath: wsgi-api.conf
- readOnly: true
- - name: nova-etc
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
- subPath: mpm_event.conf
- readOnly: true
- {{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -151,7 +139,7 @@ spec:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index ba301abe..d92f55f9 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -93,7 +93,7 @@ spec:
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
- value: "/etc/nova/certs/ca.crt"
+ value: "/etc/ssl/certs/openstack-helm.crt"
{{- end }}
command:
- /tmp/nova-conductor.sh
@@ -122,7 +122,7 @@ spec:
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
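Review bot: the old line limited the conductor mount to the CA with `"certs" (tuple "ca.crt")`, and the replacement passes neither "path" nor "certs", so which files of the public secret end up in the pod now depends on the snippet defaults, which this patch does not show. The conductor only needs a trust anchor; please confirm that the default mounts ca.crt alone and not the private key of the public certificate, or keep the explicit "certs" argument.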
@@ -137,7 +137,7 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
index 517005d9..c9aae286 100644
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@@ -143,7 +143,7 @@ spec:
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -162,7 +162,7 @@ spec:
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml
index 8d5e508b..c8237732 100644
--- a/nova/templates/deployment-placement.yaml
+++ b/nova/templates/deployment-placement.yaml
@@ -124,7 +124,7 @@ spec:
readOnly: true
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -140,6 +140,6 @@ spec:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index 52e46958..f94d6a79 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -93,7 +93,7 @@ spec:
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
- value: "/etc/nova/certs/ca.crt"
+ value: "/etc/ssl/certs/openstack-helm.crt"
{{- end }}
command:
- /tmp/nova-scheduler.sh
@@ -123,7 +123,7 @@ spec:
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -138,7 +138,7 @@ spec:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
index e430d257..66aa26dd 100644
--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -141,7 +141,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -158,6 +158,6 @@ spec:
emptyDir: {}
- name: pod-shared
emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/nova/templates/ingress-metadata.yaml b/nova/templates/ingress-metadata.yaml
index 36eb8647..8c88cfdc 100644
--- a/nova/templates/ingress-metadata.yaml
+++ b/nova/templates/ingress-metadata.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
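Review bot: with the certIssuer block deleted, this template no longer passes any issuer to `helm-toolkit.manifests.ingress`, yet the commit message relies on the ingress being the place where TLS terminates. Please document where the certificate for the public host now comes from, or keep the block and key it on the `.public` secret name as the rest of the patch does; the same question applies to the novncproxy, osapi and placement ingress templates.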
diff --git a/nova/templates/ingress-novncproxy.yaml b/nova/templates/ingress-novncproxy.yaml
index cad53cf3..04643569 100644
--- a/nova/templates/ingress-novncproxy.yaml
+++ b/nova/templates/ingress-novncproxy.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/nova/templates/ingress-osapi.yaml b/nova/templates/ingress-osapi.yaml
index b78f80f4..6f9a4f74 100644
--- a/nova/templates/ingress-osapi.yaml
+++ b/nova/templates/ingress-osapi.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/nova/templates/ingress-placement.yaml b/nova/templates/ingress-placement.yaml
index 28b0f0d3..1161676f 100644
--- a/nova/templates/ingress-placement.yaml
+++ b/nova/templates/ingress-placement.yaml
@@ -15,9 +15,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index dac8754d..1229acec 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -99,7 +99,7 @@ spec:
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
emptyDir: {}
@@ -113,7 +113,7 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
index e2bd2889..1f9c5dbc 100644
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -60,7 +60,7 @@ spec:
mountPath: /tmp/cell-setup-init.sh
subPath: cell-setup-init.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
containers:
- name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
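Review bot: the changed line carries over a `dict` call with an odd number of arguments: `(tuple "ca.crt")` follows the secret name without a key, whereas the conductor template's old line wrote `"certs" (tuple "ca.crt")`. Since the line is being touched anyway, either add the missing "certs" key or drop the tuple, so the restriction to ca.crt is actually passed to the snippet rather than silently ignored.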
@@ -106,5 +106,5 @@ spec:
name: nova-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml
index 52ec50e4..247fb76c 100644
--- a/nova/templates/job-ks-endpoints.yaml
+++ b/nova/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml
index b5a10aed..287e30b7 100644
--- a/nova/templates/job-ks-placement-endpoints.yaml
+++ b/nova/templates/job-ks-placement-endpoints.yaml
@@ -15,7 +15,7 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}}
{{- end -}}
{{- if .Values.pod.tolerations.nova.enabled -}}
{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml
index d5846517..88d20b62 100644
--- a/nova/templates/job-ks-placement-service.yaml
+++ b/nova/templates/job-ks-placement-service.yaml
@@ -15,7 +15,7 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}}
{{- end -}}
{{- if .Values.pod.tolerations.nova.enabled -}}
{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml
index f6de6f6b..7524df9a 100644
--- a/nova/templates/job-ks-placement-user.yaml
+++ b/nova/templates/job-ks-placement-user.yaml
@@ -15,7 +15,7 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.public -}}
{{- end -}}
{{- if .Values.pod.tolerations.nova.enabled -}}
{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml
index 9d1eebe5..97963d51 100644
--- a/nova/templates/job-ks-service.yaml
+++ b/nova/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml
index 65e5055a..c4327f89 100644
--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml
index 019596f1..b9599d21 100644
--- a/nova/templates/pod-rally-test.yaml
+++ b/nova/templates/pod-rally-test.yaml
@@ -53,7 +53,7 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -93,7 +93,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@@ -108,6 +108,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}
diff --git a/placement/templates/certificates.yaml b/placement/templates/certificates.yaml
deleted file mode 100644
index ada7fde1..00000000
--- a/placement/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}
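Review bot: with this template deleted, the internal certificate request for placement is gone, yet the other placement templates in this patch still mount `.Values.secrets.tls.placement.api.public` whenever `manifests.certificates` is true. That secret now has to be provisioned outside this template, and if it is missing the pods will not get past the volume mount. Please document where the public secret comes from, or gate the mounts on the secret name being set.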
diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml
index 9dcde008..8418753f 100644
--- a/placement/templates/deployment.yaml
+++ b/placement/templates/deployment.yaml
@@ -115,7 +115,7 @@ spec:
subPath: wsgi-placement.conf
readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
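Review bot: the replacement line for the placement API secret changes more than the secret name. It also drops `"path" "/etc/placement/certs"`, so the mount falls back to the default path of `helm-toolkit.snippets.tls_volume_mount`. Check whether anything still reads certificates from /etc/placement/certs (wsgi-placement.conf, mounted just above, is the first place to look); it would no longer find them when `manifests.certificates` is true. If the path change is intended, say so in the commit message; otherwise keep the `path` argument.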
@@ -131,6 +131,6 @@ spec:
secretName: placement-etc
defaultMode: 0444
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/placement/templates/ingress.yaml b/placement/templates/ingress.yaml
index 68ce111a..779b2fe6 100644
--- a/placement/templates/ingress.yaml
+++ b/placement/templates/ingress.yaml
@@ -17,9 +17,5 @@ limitations under the License.
{{- if and .Values.manifests.ingress .Values.network.api.ingress.public }}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "placement" "backendPort" "p-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.placement.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}
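Review bot: the `certIssuer` block is removed unconditionally, so the placement ingress can no longer be tied to an issuer through values, while the rest of the patch keeps `manifests.certificates` as the switch for mounting TLS secrets. That leaves the flag with a narrower meaning than its name suggests. Consider noting in values.yaml that `manifests.certificates` no longer drives ingress certificate issuance for placement, and check that `endpoints.placement.host_fqdn_override.default.tls.issuerRef` is not left behind as a dead setting.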
diff --git a/placement/templates/job-db-migrate.yaml b/placement/templates/job-db-migrate.yaml
index ef733778..7a17df8d 100644
--- a/placement/templates/job-db-migrate.yaml
+++ b/placement/templates/job-db-migrate.yaml
@@ -86,7 +86,7 @@ spec:
mountPath: /etc/placement/placement.conf
subPath: placement.conf
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
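Review bot: only the placement API secret is switched in this hunk; the line after it still mounts `.Values.endpoints.oslo_db.auth.admin.secret.tls.internal` at /etc/mysql/certs under the same `manifests.certificates` flag. The commit message says MariaDB TLS is disabled as well, so with certificates enabled this job would still expect the database TLS secret to exist. Either drop or separately gate the oslo_db mount, or state that the internal database secret is still provisioned.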
@@ -100,5 +100,5 @@ spec:
secretName: placement-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml
index 111ba33a..5177f5b9 100644
--- a/placement/templates/job-ks-endpoints.yaml
+++ b/placement/templates/job-ks-endpoints.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "1"
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}
diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml
index 10e45bd6..7aac55f0 100644
--- a/placement/templates/job-ks-service.yaml
+++ b/placement/templates/job-ks-service.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-2"
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}
diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml
index 2c1a0023..4b13c106 100644
--- a/placement/templates/job-ks-user.yaml
+++ b/placement/templates/job-ks-user.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-1"
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
{{- if .Values.manifests.certificates -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}
--
2.17.1