openstack-helm-infra/libvirt/values.yaml
Mosher, Jaymes (jm616v) f234218dba Allow enabling vencrypt for VNC
This patchset allows enabling vencrypt for VNC, based on a
downstream patchset. [1]

Primary differences:
- script to generate pod-specific certs has been moved under
  values.conf.vencrypt.cert_init_sh to allow for it to be
  overridden if necessary
- leaves the creation of a (sub)issuer for vencrypt as
  outside the scope of this (and the nova) chart
- issuer to use to sign these certs configurable under:
  values.conf.vencrypt.issuer.kind
  values.conf.vencrypt.issuer.name
- added manifests.role_cert_manager to control creation of
  roles needed to create/update certs

1. https://github.com/vexxhost/atmosphere/pull/483

Change-Id: I955015874fed2b24570251c4cad01412bbab6045
2023-08-29 09:18:44 -06:00

329 lines
8.5 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for libvirt.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
release_group: null
labels:
agent:
libvirt:
node_selector_key: openstack-compute-node
node_selector_value: enabled
images:
tags:
libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_focal
libvirt_exporter: vexxhost/libvirtd-exporter:latest
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508'
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:17.07.0
kubectl: docker.io/bitnami/kubectl:latest
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
network:
# provide what type of network wiring will be used
# possible options: openvswitch, linuxbridge, sriov
backend:
- openvswitch
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
libvirt:
username: libvirt
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
libvirt_exporter:
port:
metrics:
default: 9474
network_policy:
libvirt:
ingress:
- {}
egress:
- {}
ceph_client:
configmap: ceph-etc
user_secret_name: pvc-ceph-client-key
conf:
ceph:
enabled: true
admin_keyring: null
cinder:
user: "cinder"
keyring: null
secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
# Cinder Ceph backend that is not configured by the k8s cluter
external_ceph:
enabled: false
user: null
secret_uuid: null
user_secret_name: null
libvirt:
listen_tcp: "1"
listen_tls: "0"
auth_tcp: "none"
ca_file: "/etc/pki/CA/cacert.pem"
cert_file: "/etc/pki/libvirt/servercert.pem"
key_file: "/etc/pki/libvirt/private/serverkey.pem"
auth_unix_rw: "none"
listen_addr: 127.0.0.1
log_level: "3"
log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
qemu:
vnc_tls: "0"
vnc_tls_x509_verify: "0"
stdio_handler: "file"
user: "nova"
group: "kvm"
kubernetes:
cgroup: "kubepods.slice"
vencrypt:
# Issuer to use for the vencrypt certs.
issuer:
kind: ClusterIssuer
name: ca-clusterissuer
# Script is included here (vs in bin/) to allow overriding, in the case that
# communication happens over an IP other than the pod IP for some reason.
cert_init_sh: |
#!/bin/bash
set -x
# Script to create certs for each libvirt pod based on pod IP (by default).
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ${POD_NAME}-${TYPE}
namespace: ${POD_NAMESPACE}
ownerReferences:
- apiVersion: v1
kind: Pod
name: ${POD_NAME}
uid: ${POD_UID}
spec:
secretName: ${POD_NAME}-${TYPE}
commonName: ${POD_IP}
usages:
- client auth
- server auth
dnsNames:
- ${HOSTNAME}
ipAddresses:
- ${POD_IP}
issuerRef:
kind: ${ISSUER_KIND}
name: ${ISSUER_NAME}
EOF
kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
certificate/${POD_NAME}-${TYPE}
# NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
# is deleted, so we should add an owner reference to the secret
# to ensure that it is cleaned up when the pod is deleted.
kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
--type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
pod:
probes:
libvirt:
libvirt:
liveness:
enabled: true
params:
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 5
readiness:
enabled: true
params:
initialDelaySeconds: 15
periodSeconds: 60
timeoutSeconds: 5
security_context:
libvirt:
pod:
runAsUser: 0
container:
ceph_admin_keyring_placement:
readOnlyRootFilesystem: false
ceph_keyring_placement:
readOnlyRootFilesystem: false
libvirt:
privileged: true
readOnlyRootFilesystem: false
libvirt_exporter:
privileged: true
sidecars:
libvirt_exporter: false
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
tolerations:
libvirt:
enabled: false
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
dns_policy: "ClusterFirstWithHostNet"
mounts:
libvirt:
init_container: null
libvirt:
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
libvirt:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
resources:
enabled: false
libvirt:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
libvirt_exporter:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "500m"
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- libvirt-image-repo-sync
services:
- endpoint: node
service: local_image_registry
targeted:
ovn:
libvirt:
pod:
- requireSameNode: true
labels:
application: ovn
component: ovn-controller
openvswitch:
libvirt:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-ovs-agent
linuxbridge:
libvirt:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-lb-agent
sriov:
libvirt:
pod:
- requireSameNode: true
labels:
application: neutron
component: neutron-sriov-agent
static:
libvirt:
services: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
manifests:
configmap_bin: true
configmap_etc: true
daemonset_libvirt: true
job_image_repo_sync: true
network_policy: false
role_cert_manager: false
secret_registry: true
secrets:
oci_image_registry:
libvirt: libvirt-oci-image-registry-key
tls:
server: libvirt-tls-server
client: libvirt-tls-client
...