From 0a965cf4c75345fd6236ef58efbe0719fd6b40f4 Mon Sep 17 00:00:00 2001
From: Manuel Buil <mbuil@suse.com>
Date: Thu, 9 May 2019 12:05:09 +0200
Subject: [PATCH] Allow keystone pods to connect to kube-dns

When deploying keystone, two pods fail with error:

Temporary failure in name resolution

These pods are executing fernet_manage.py and fetch secrets using:
https://github.com/openstack/openstack-helm/blob/master/keystone/templates/bin/_fernet-manage.py.tpl#L60

However, the current network policy blocks the connection to kube-dns.
This patch fixes it.

Change-Id: I4ae6722a5bcb350e64995fbd2e1010153b0c29e6
Signed-off-by: Manuel Buil <mbuil@suse.com>
---
 keystone/values.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/keystone/values.yaml b/keystone/values.yaml
index 4b05ec3b73..a9163d91cd 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -460,7 +460,11 @@ network_policy:
         - podSelector:
             matchLabels:
               application: ceph
-
+      - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
 conf:
   security: |
     #
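Review bot: The rule added at `- ports:` has no peer selector beside it (no `to:` entry), so it allows port 53 over UDP and TCP to any destination, not only to kube-dns as the subject line says. Unrestricted port 53 leaves a DNS path out of an otherwise locked-down pod. Consider pairing the `ports` list with a `to:` namespace/pod selector that matches the cluster DNS pods (for example the `k8s-app: kube-dns` label in `kube-system`, assuming this deployment uses that label). The hunk also removes the blank line that separated the `network_policy` block from `conf:`; keeping it preserves the spacing between top-level sections.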