f234218dba
This patchset allows enabling vencrypt for VNC, based on a downstream patchset. [1] Primary differences: - script to generate pod-specific certs has been moved under values.conf.vencrypt.cert_init_sh to allow for it to be overridden if necessary - leaves the creation of a (sub)issuer for vencrypt as outside the scope of this (and the nova) chart - issuer to use to sign these certs configurable under: values.conf.vencrypt.issuer.kind values.conf.vencrypt.issuer.name - added manifests.role_cert_manager to control creation of roles needed to create/update certs 1. https://github.com/vexxhost/atmosphere/pull/483 Change-Id: I955015874fed2b24570251c4cad01412bbab6045
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for libvirt.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
# No release group is set by default; the key is present so that an
# override file can supply one.
release_group: null

# Node label key/value pair for the libvirt agent. Presumably used by the
# daemonset template as its node selector, so that libvirt pods land only
# on nodes labelled as compute nodes -- confirm against the template.
labels:
  agent:
    libvirt:
      node_selector_key: openstack-compute-node
      node_selector_value: enabled

# Container images used by the chart.
#
# NOTE(review): libvirt, libvirt_exporter and kubectl use mutable tags
# ("latest-ubuntu_focal", "latest"). A mutable tag can point at different
# content over time, so what actually runs in the (privileged) libvirt pod
# is not fixed by this file. Production overrides should pin every image to
# an immutable tag or, preferably, a digest (image@sha256:<digest>).
images:
  tags:
    libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_focal
    # No registry host is given here, so the container runtime's default
    # registry is used to resolve this reference.
    libvirt_exporter: vexxhost/libvirtd-exporter:latest
    ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508'
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/library/docker:17.07.0
    # This image runs the vencrypt cert_init_sh script (conf.vencrypt), which
    # reads TLS secrets through the API; a mutable tag here deserves the same
    # scrutiny as the libvirt image itself.
    kubectl: docker.io/bitnami/kubectl:latest
  # With IfNotPresent the kubelet reuses an image already cached on the node,
  # so nodes can run different content under the same mutable tag.
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    # Images listed here are presumably not served from the local registry
    # even when it is active -- confirm against the helm-toolkit helper.
    exclude:
      - dep_check
      - image_repo_sync

# Network backend selection. The chosen backend names match the keys under
# dependencies.dynamic.targeted in this file.
network:
  # provide what type of network wiring will be used
  # possible options: openvswitch, linuxbridge, sriov
  backend:
    - openvswitch

# Service endpoints the chart refers to: the in-cluster image registry, an
# optional OCI image registry, and the metrics port of the libvirt exporter.
endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Registry authentication is off by default.
      enabled: false
      libvirt:
        username: libvirt
        # NOTE(review): placeholder credential. If auth is enabled, override
        # this from a values file that is not committed to version control
        # (or from a secret store); do not ship the literal default.
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  libvirt_exporter:
    port:
      metrics:
        default: 9474

# Ingress/egress rules for the libvirt network policy.
#
# NOTE(review): each list holds a single empty rule ({}). In a Kubernetes
# NetworkPolicy an empty rule places no restriction on peers or ports, so
# these defaults allow all traffic in both directions. In addition,
# manifests.network_policy is false in this file, so no policy object is
# created unless that flag is turned on. Deployments that enable the policy
# should replace both lists with explicit peers and ports.
network_policy:
  libvirt:
    ingress:
      - {}
    egress:
      - {}

# Names of the ConfigMap and Secret that carry Ceph client configuration and
# the client key (judging by the key names; confirm against the templates).
# Only the object names live here, not the key material.
ceph_client:
  configmap: ceph-etc
  user_secret_name: pvc-ceph-client-key

# Daemon configuration: Ceph integration, libvirtd and qemu settings, and the
# vencrypt (VNC TLS) certificate bootstrap script.
conf:
  ceph:
    enabled: true
    # Keyrings default to null; key material is expected to be supplied by
    # an override or looked up elsewhere (not visible in this file).
    admin_keyring: null
    cinder:
      user: "cinder"
      keyring: null
      # Fixed default UUID. NOTE(review): presumably the libvirt secret UUID
      # under which the cinder Ceph key is registered -- an identifier, not
      # key material; confirm against the templates.
      secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
      # Cinder Ceph backend that is not configured by the k8s cluster
      external_ceph:
        enabled: false
        user: null
        secret_uuid: null
        user_secret_name: null
  # Key names match libvirtd.conf options; presumably rendered into that file.
  libvirt:
    # NOTE(review): the defaults enable the plain TCP listener
    # (listen_tcp "1"), disable the TLS listener (listen_tls "0") and require
    # no authentication on TCP (auth_tcp "none"). The only thing limiting
    # exposure is listen_addr below. Any override that moves listen_addr off
    # loopback (for example to allow remote connections between hosts) should
    # switch to listen_tls "1" and/or set auth_tcp to a real mechanism in the
    # same change.
    listen_tcp: "1"
    listen_tls: "0"
    auth_tcp: "none"
    # Certificate paths used by the TLS listener when it is enabled.
    ca_file: "/etc/pki/CA/cacert.pem"
    cert_file: "/etc/pki/libvirt/servercert.pem"
    key_file: "/etc/pki/libvirt/private/serverkey.pem"
    # No authentication on the read-write UNIX socket: access control then
    # rests on the socket's file permissions and on who can reach the path.
    auth_unix_rw: "none"
    # Loopback only. This is what keeps the unauthenticated TCP listener
    # above from being reachable from other hosts.
    listen_addr: 127.0.0.1
    log_level: "3"
    log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
  # Key names match qemu.conf options; presumably rendered into that file.
  qemu:
    # VNC TLS and client-certificate verification are both off by default,
    # so console traffic is unencrypted unless these are overridden together
    # with the vencrypt settings below.
    vnc_tls: "0"
    vnc_tls_x509_verify: "0"
    stdio_handler: "file"
    user: "nova"
    group: "kvm"
  kubernetes:
    cgroup: "kubepods.slice"
  vencrypt:
    # Issuer to use for the vencrypt certs.
    issuer:
      kind: ClusterIssuer
      name: ca-clusterissuer
    # Script is included here (vs in bin/) to allow overriding, in the case that
    # communication happens over an IP other than the pod IP for some reason.
    #
    # What the script does: applies a cert-manager Certificate named
    # ${POD_NAME}-${TYPE} owned by the pod, waits up to 300s for it to become
    # Ready, adds a Pod owner reference to the resulting secret, then writes
    # tls.crt, tls.key and ca.crt from that secret to /tmp/${TYPE}.crt,
    # /tmp/${TYPE}.key and /tmp/${TYPE}-ca.crt.
    #
    # NOTE(review), points to check before enabling or when overriding:
    # - The script needs API permissions to create certificates and to get
    #   and patch secrets in the pod namespace; manifests.role_cert_manager
    #   (false by default) controls whether the chart creates those roles.
    #   Keep that role scoped as narrowly as the deployment allows.
    # - There is no "set -e": if "kubectl wait" times out, the later commands
    #   still run and may leave empty files behind.
    # - The private key is written under /tmp with the process's default
    #   umask; confirm the resulting file mode and who else can read /tmp in
    #   that container.
    # - "set -x" traces every command to the container log. The key itself
    #   is not echoed (it only flows through the pipe), but pod name,
    #   namespace and UID are.
    # - Variable expansions are unquoted; values are expected to come from
    #   the pod spec rather than from user input -- confirm in the template.
    # - The certificate is requested with both "client auth" and
    #   "server auth" usages.
    cert_init_sh: |
      #!/bin/bash
      set -x

      # Script to create certs for each libvirt pod based on pod IP (by default).

      cat <<EOF | kubectl apply -f -
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: ${POD_NAME}-${TYPE}
        namespace: ${POD_NAMESPACE}
        ownerReferences:
          - apiVersion: v1
            kind: Pod
            name: ${POD_NAME}
            uid: ${POD_UID}
      spec:
        secretName: ${POD_NAME}-${TYPE}
        commonName: ${POD_IP}
        usages:
        - client auth
        - server auth
        dnsNames:
        - ${HOSTNAME}
        ipAddresses:
        - ${POD_IP}
        issuerRef:
          kind: ${ISSUER_KIND}
          name: ${ISSUER_NAME}
      EOF

      kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
        certificate/${POD_NAME}-${TYPE}

      # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
      #               is deleted, so we should add an owner reference to the secret
      #               to ensure that it is cleaned up when the pod is deleted.
      kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
        --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'

      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
      kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt

# Pod-level settings: probes, security contexts, sidecars, scheduling,
# upgrade strategy and resource requests/limits.
pod:
  probes:
    libvirt:
      libvirt:
        liveness:
          enabled: true
          params:
            initialDelaySeconds: 30
            periodSeconds: 60
            timeoutSeconds: 5
        readiness:
          enabled: true
          params:
            initialDelaySeconds: 15
            periodSeconds: 60
            timeoutSeconds: 5
  # NOTE(review): the pod runs as UID 0 and the libvirt container is
  # privileged with a writable root filesystem. A privileged container has
  # essentially host-level access, so a compromise of libvirtd or of the image
  # is a compromise of the compute node. That makes image provenance (see
  # images.tags) and the libvirtd listener settings (see conf.libvirt) the
  # controls that matter most for this chart.
  security_context:
    libvirt:
      pod:
        runAsUser: 0
      container:
        ceph_admin_keyring_placement:
          readOnlyRootFilesystem: false
        ceph_keyring_placement:
          readOnlyRootFilesystem: false
        libvirt:
          privileged: true
          readOnlyRootFilesystem: false
        # NOTE(review): the metrics exporter is also privileged. Confirm
        # whether it needs more than access to the libvirt socket; if not,
        # drop "privileged" for it in the deployment's overrides.
        libvirt_exporter:
          privileged: true
  sidecars:
    # The exporter sidecar is off by default.
    libvirt_exporter: false

  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    libvirt:
      # Disabled by default; when enabled, the tolerations below let the pod
      # schedule onto nodes tainted as master / control-plane.
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
  # ClusterFirstWithHostNet is the DNS policy meant for pods on the host
  # network. NOTE(review): this suggests the daemonset uses hostNetwork, in
  # which case conf.libvirt.listen_addr binds on the node itself -- confirm
  # in the daemonset template.
  dns_policy: "ClusterFirstWithHostNet"
  mounts:
    libvirt:
      init_container: null
      # Bare key: parses as null (no extra mounts by default).
      libvirt:
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        libvirt:
          enabled: true
          min_ready_seconds: 0
          max_unavailable: 1
  resources:
    # Off by default. NOTE(review): presumably the requests/limits below are
    # only applied when this is true -- confirm against the helper template.
    enabled: false
    libvirt:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    libvirt_exporter:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "500m"

# Dependency declarations, presumably consumed by the dep_check
# (kubernetes-entrypoint) init container -- confirm against the templates.
dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - libvirt-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
    # One entry per network backend (see network.backend). Each names, by
    # label, the networking pod that libvirt depends on; requireSameNode
    # asks for that pod to be on the same node as the libvirt pod.
    targeted:
      ovn:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: ovn
                component: ovn-controller
      openvswitch:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-ovs-agent
      linuxbridge:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-lb-agent
      sriov:
        libvirt:
          pod:
            - requireSameNode: true
              labels:
                application: neutron
                component: neutron-sriov-agent
  static:
    libvirt:
      services: null
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

# Switches for which manifests the chart renders.
manifests:
  configmap_bin: true
  configmap_etc: true
  daemonset_libvirt: true
  job_image_repo_sync: true
  # Off by default: no NetworkPolicy is created for libvirt unless enabled.
  network_policy: false
  # Off by default. Controls creation of the roles needed to create/update
  # the vencrypt certificates (used by conf.vencrypt.cert_init_sh). When
  # enabled, review the rendered role so it grants no more than the
  # certificate and secret verbs that script uses.
  role_cert_manager: false
  secret_registry: true

# Names of Kubernetes Secret objects the chart refers to. Only the names are
# set here; the secret contents are not part of this file.
secrets:
  oci_image_registry:
    libvirt: libvirt-oci-image-registry-key
  tls:
    server: libvirt-tls-server
    client: libvirt-tls-client
...