Create Openstack common components umbrella chart

ADD openstack chart with values_overrides
    * rabbitmq
    * mariadb
    * memcached
    * keystone
    * heat
    * glance

    This adds umbrella chart that references other charts via
    symlink and include global values.

    Because chart valeus_overrides yaml apply to the main chart,
    the umbrella chart has a chart-scoped replacement

  ADD openstack.sh deploy script
    This script deploys all components with a single release.

  ADD corresponding release notes

  CHG wait-for-pods-sh to accept timeout arguement

  CHG get-values-overrides.sh to modify file path for subchart

Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647

glance/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.3.2
+version: 0.3.3
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:

glance/templates/configmap-etc.yaml

@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
@@ -97,7 +103,7 @@ limitations under the License.
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}

glance/templates/pod-rally-test.yaml

@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.Chart.Name "-test" }}
   labels:
 {{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
@@ -79,7 +85,7 @@ spec:
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.Chart.Name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:

glance/values_overrides/netpol.yaml

@@ -27,8 +27,6 @@ network_policy:
             matchLabels:
               application: cinder
         ports:
-        - protocol: TCP
-          port: 9191
         - protocol: TCP
           port: 9292
     egress:

heat/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.2.9
+version: 0.2.10
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:

heat/templates/configmap-etc.yaml

@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
@@ -120,7 +126,7 @@ limitations under the License.
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}

heat/templates/pod-rally-test.yaml

@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.deployment_name "-test" }}
   labels:
 {{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
@@ -40,7 +46,7 @@ spec:
   serviceAccountName: {{ $serviceAccountName }}
   initContainers:
 {{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
-    - name: {{ .Release.Name }}-test-ks-user
+    - name: {{ .deployment_name }}-test-ks-user
 {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
       command:
@@ -65,7 +71,7 @@ spec:
         - name: SERVICE_OS_ROLE
           value: {{ .Values.endpoints.identity.auth.test.role | quote }}
   containers:
-    - name: {{ .Release.Name }}-test
+    - name: {{ .deployment_name }}-test
 {{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
       env:
@@ -76,7 +82,7 @@ spec:
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.deployment_name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:

heat/values_overrides/ocata-ubuntu_xenial.yaml

@@ -1,17 +1,18 @@
 ---
-images:
+heat:
-  tags:
+  images:
-    bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+    tags:
-    db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
-    heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
 ...

keystone/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.20
+version: 0.2.21
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:

keystone/templates/configmap-etc.yaml

@@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
@@ -35,7 +41,7 @@ limitations under the License.
 {{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
 {{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
 {{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
 {{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
 {{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
 {{- end -}}

keystone/templates/pod-rally-test.yaml

@@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
 {{- if .Values.manifests.pod_rally_test }}
 {{- $envAll := . }}
 
 {{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
 {{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
 
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
 {{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ print $envAll.Release.Name "-test" }}
+  name: {{ print $envAll.deployment_name "-test" }}
   labels:
 {{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
   annotations:
@@ -79,7 +85,7 @@ spec:
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
 {{- end }}
         - name: RALLY_ENV_NAME
-          value: {{.Release.Name}}
+          value: {{.deployment_name}}
       command:
         - /tmp/rally-test.sh
       volumeMounts:

keystone/values.yaml

@@ -68,7 +68,6 @@ bootstrap:
           --domain="${OS_DEFAULT_DOMAIN}" \
           "admin"
 
-
 network:
   api:
     ingress:

openstack/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

openstack/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+appVersion: 1.16.0
+dependencies:
+- name: helm-toolkit
+  repository: file://../../openstack-helm-infra/helm-toolkit
+  version: ">0.1.0"
+- name: mariadb
+  repository: file://../../openstack-helm-infra/mariadb
+  version: ">0.1.0"
+- name: rabbitmq
+  repository: file://../../openstack-helm-infra/rabbitmq
+  version: ">0.1.0"
+- name: memcached
+  repository: file://../../openstack-helm-infra/memcached
+  version: ">0.1.0"
+- name: keystone
+  repository: file://../keystone
+  version: ">0.1.0"
+- name: heat
+  repository: file://../heat
+  version: ">0.1.0"
+- name: glance
+  repository: file://../glance
+  version: ">0.1.0"
+
+description: A chart for openstack helm commmon deployment items
+name: openstack
+type: application
+version: 0.1.0
+maintainers:
+  - name: OpenStack-Helm Authors

openstack/charts/glance

@@ -0,0 +1 @@
+../../glance/

openstack/charts/heat

@@ -0,0 +1 @@
+../../heat

openstack/charts/helm-toolkit

@@ -0,0 +1 @@
+../../../openstack-helm-infra/helm-toolkit

openstack/charts/keystone

@@ -0,0 +1 @@
+../../keystone/

openstack/charts/mariadb

@@ -0,0 +1 @@
+../../../openstack-helm-infra/mariadb

openstack/charts/memcached

@@ -0,0 +1 @@
+../../../openstack-helm-infra/memcached/

openstack/charts/rabbitmq

@@ -0,0 +1 @@
+../../../openstack-helm-infra/rabbitmq/

openstack/values.yaml

@@ -0,0 +1,42 @@
+---
+# default values for openstack umbrella chart
+# Global overrides for subcharts
+
+global:
+  subchart_release_name: true
+
+helm-toolkit:
+  enabled: true
+
+rabbitmq:
+  enabled: true
+  volume:
+    enabled: false
+  pod:
+    replicas:
+      server: 1
+
+mariadb:
+  enabled: true
+  pod:
+    replicas:
+      server: 1
+  volume:
+    enabled: false
+    use_local_path_for_single_pod_cluster:
+      enabled: true
+
+memcached:
+  enabled: true
+
+keystone:
+  enabled: true
+
+heat:
+  enabled: true
+
+glance:
+  enabled: true
+  storage: pvc
+  volume:
+    class_name: standard

openstack/values_overrides/glance/apparmor.yaml

@@ -0,0 +1,23 @@
+---
+glance:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      glance-api:
+        glance-api: runtime/default
+        glance-perms: runtime/default
+        init: runtime/default
+        nginx: runtime/default
+      glance-metadefs-load:
+        init: runtime/default
+        glance-metadefs-load: runtime/default
+      glance-storage-init:
+        init: runtime/default
+        glance-storage-init: runtime/default
+      glance-test:
+        init: runtime/default
+        glance-test: runtime/default
+        glance-test-ks-user: runtime/default
+  manifests:
+    certificates: true
+...

openstack/values_overrides/glance/netpol.yaml

@@ -0,0 +1,46 @@
+---
+glance:
+  manifests:
+    network_policy: true
+  network_policy:
+    glance:
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: glance
+          - podSelector:
+              matchLabels:
+                application: nova
+          - podSelector:
+              matchLabels:
+                application: horizon
+          - podSelector:
+              matchLabels:
+                application: ingress
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: ironic
+          - podSelector:
+              matchLabels:
+                application: cinder
+          ports:
+          - protocol: TCP
+            port: 9292
+      egress:
+        - to:
+          ports:
+            - protocol: TCP
+              port: 80
+            - protocol: TCP
+              port: 443
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...

openstack/values_overrides/glance/tls.yaml

@@ -0,0 +1,128 @@
+---
+glance:
+  images:
+    tags:
+      nginx: docker.io/nginx:1.18.0
+  conf:
+    glance:
+      DEFAULT:
+        bind_host: 127.0.0.1
+      keystone_authtoken:
+        cafile: /etc/glance/certs/ca.crt
+      glance_store:
+        https_ca_certificates_file: /etc/glance/certs/ca.crt
+        swift_store_cacert: /etc/glance/certs/ca.crt
+      oslo_messaging_rabbit:
+        ssl: true
+        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+        ssl_key_file: /etc/rabbitmq/certs/tls.key
+    nginx: |
+      worker_processes 1;
+      daemon off;
+      user nginx;
+
+      events {
+        worker_connections 1024;
+      }
+
+      http {
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        sendfile on;
+        keepalive_timeout 65s;
+        tcp_nodelay on;
+
+        log_format main '[nginx] method=$request_method path=$request_uri '
+                        'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
+                        '"$remote_user" "$http_referer" "$http_user_agent"';
+
+        access_log /dev/stdout  main;
+
+        upstream websocket {
+          server 127.0.0.1:$PORT;
+        }
+
+        server {
+          server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
+          listen $POD_IP:$PORT ssl;
+
+          client_max_body_size  0;
+
+          ssl_certificate      /etc/nginx/certs/tls.crt;
+          ssl_certificate_key  /etc/nginx/certs/tls.key;
+          ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+
+          location / {
+            proxy_pass_request_headers on;
+
+            proxy_http_version  1.1;
+            proxy_pass          http://websocket;
+            proxy_read_timeout  90;
+          }
+        }
+      }
+  network:
+    api:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+  endpoints:
+    identity:
+      name: keystone
+      auth:
+        admin:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        glance:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        test:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+      scheme:
+        default: https
+      port:
+        api:
+          default: 443
+    image:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: glance-tls-api
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+        public: https
+      port:
+        api:
+          public: 443
+    dashboard:
+      scheme:
+        default: https
+        public: https
+      port:
+        web:
+          default: 80
+          public: 443
+    oslo_messaging:
+      port:
+        https:
+          default: 15680
+  pod:
+    security_context:
+      glance:
+        pod:
+          runAsUser: 0
+    resources:
+      nginx:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+  manifests:
+    certificates: true
+...

openstack/values_overrides/glance/train-ubuntu_bionic.yaml

@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      glance_db_sync: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_api: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...

openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml

@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      glance_db_sync: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_api: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...

openstack/values_overrides/glance/victoria-ubuntu_focal.yaml

@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      glance_db_sync: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_api: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...

openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml

@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      glance_db_sync: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_api: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...

openstack/values_overrides/heat/apparmor.yaml

@@ -0,0 +1,27 @@
+---
+heat:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      heat-api:
+        heat-api: runtime/default
+        init: runtime/default
+      heat-cfn:
+        heat-cfn: runtime/default
+        init: runtime/default
+      heat-engine:
+        heat-engine: runtime/default
+        init: runtime/default
+      heat-engine-cleaner:
+        heat-engine-cleaner: runtime/default
+        init: runtime/default
+      heat-domain-ks-user:
+        heat-ks-domain-user: runtime/default
+        init: runtime/default
+      heat-trusts:
+        heat-trusts: runtime/default
+        init: runtime/default
+      heat-purge-deleted:
+        heat-purge-deleted: runtime/default
+        init: runtime/default
+...

openstack/values_overrides/heat/netpol.yaml

@@ -0,0 +1,48 @@
+---
+heat:
+  manifests:
+    network_policy: true
+  network_policy:
+    heat:
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: ingress
+          - podSelector:
+              matchLabels:
+                application: horizon
+          ports:
+          - protocol: TCP
+            port: 8000
+          - protocol: TCP
+            port: 8003
+          - protocol: TCP
+            port: 8004
+      egress:
+        - to:
+          - podSelector:
+              matchLabels:
+                application: neutron
+        - to:
+          - podSelector:
+              matchLabels:
+                application: nova
+        - to:
+          - podSelector:
+              matchLabels:
+                application: glance
+        - to:
+          - podSelector:
+              matchLabels:
+                application: cinder
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...

openstack/values_overrides/heat/tls.yaml

@@ -0,0 +1,191 @@
+---
+heat:
+  conf:
+    software:
+      apache2:
+        binary: apache2
+        start_parameters: -DFOREGROUND
+        site_dir: /etc/apache2/sites-enabled
+        conf_dir: /etc/apache2/conf-enabled
+        mods_dir: /etc/apache2/mods-available
+        a2enmod:
+          - ssl
+        a2dismod: null
+    mpm_event: |
+      <IfModule mpm_event_module>
+        ServerLimit         1024
+        StartServers        32
+        MinSpareThreads     32
+        MaxSpareThreads     256
+        ThreadsPerChild     25
+        MaxRequestsPerChild 128
+        ThreadLimit         720
+      </IfModule>
+    wsgi_heat: |
+      {{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      Listen {{ $portInt }}
+      <VirtualHost *:{{ $portInt }}>
+        ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+        WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
+        WSGIProcessGroup heat-api
+        WSGIScriptAlias /  /var/www/cgi-bin/heat/heat-wsgi-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        AllowEncodedSlashes On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        ErrorLog /dev/stdout
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        SSLEngine on
+        SSLCertificateFile      /etc/heat/certs/tls.crt
+        SSLCertificateKeyFile   /etc/heat/certs/tls.key
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder     on
+      </VirtualHost>
+
+    wsgi_cfn: |
+      {{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      Listen {{ $portInt }}
+      <VirtualHost *:{{ $portInt }}>
+        ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+        WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
+        WSGIProcessGroup heat-api-cfn
+        WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        AllowEncodedSlashes On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        ErrorLog /dev/stdout
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        SSLEngine on
+        SSLCertificateFile      /etc/heat/certs/tls.crt
+        SSLCertificateKeyFile   /etc/heat/certs/tls.key
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder     on
+      </VirtualHost>
+
+    heat:
+      clients_neutron:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_cinder:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_glance:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_nova:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_swift:
+        ca_file: /etc/heat/certs/ca.crt
+      ssl:
+        ca_file: /etc/heat/certs/ca.crt
+      keystone_authtoken:
+        cafile: /etc/heat/certs/ca.crt
+      clients:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_keystone:
+        ca_file: /etc/heat/certs/ca.crt
+      oslo_messaging_rabbit:
+        ssl: true
+        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+        ssl_key_file: /etc/rabbitmq/certs/tls.key
+
+  network:
+    api:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+    cfn:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+    cloudwatch:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+  pod:
+    security_context:
+      heat:
+        container:
+          heat_api:
+            readOnlyRootFilesystem: false
+            runAsUser: 0
+          heat_cfn:
+            readOnlyRootFilesystem: false
+            runAsUser: 0
+
+  endpoints:
+    identity:
+      auth:
+        admin:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat_trustee:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat_stack_user:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        test:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+      scheme:
+        default: https
+      port:
+        api:
+          default: 443
+    orchestration:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-api
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+      port:
+        api:
+          public: 443
+    cloudformation:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-cfn
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+      port:
+        api:
+          public: 443
+    # Cloudwatch does not get an entry in the keystone service catalog
+    cloudwatch:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-cloudwatch
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+    ingress:
+      port:
+        ingress:
+          default: 443
+    oslo_messaging:
+      port:
+        https:
+          default: 15680
+  manifests:
+    certificates: true
+...

openstack/values_overrides/heat/train-ubuntu_bionic.yaml

@@ -0,0 +1,18 @@
+---
+heat:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_db_sync: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_api: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_cfn: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_engine: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+...

openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml

@@ -0,0 +1,18 @@
+---
+heat:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_db_sync: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_api: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_cfn: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_engine: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+...

openstack/values_overrides/heat/victoria-ubuntu_focal.yaml

@@ -0,0 +1,18 @@
+---
+heat:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_db_sync: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_api: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_cfn: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_engine: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+...

openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml

@@ -0,0 +1,18 @@
+---
+heat:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_db_sync: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_api: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_cfn: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_engine: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+...

openstack/values_overrides/keystone/apparmor.yaml

@@ -0,0 +1,21 @@
+---
+keystone:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      keystone-api:
+        keystone-api: runtime/default
+      keystone-credential-setup:
+        keystone-credential-setup: runtime/default
+      keystone-fernet-setup:
+        keystone-fernet-setup: runtime/default
+      keystone-credential-cleanup:
+        keystone-credential-cleanup: runtime/default
+      keystone-domain-manage:
+        keystone-domain-manage: runtime/default
+        keystone-domain-manage-init: runtime/default
+      keystone-test:
+        init: runtime/default
+        keystone-test: runtime/default
+        keystone-test-ks-user: runtime/default
+...

openstack/values_overrides/keystone/ldap.yaml

@@ -0,0 +1,59 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+keystone:
+  conf:
+    keystone:
+      identity:
+        driver: sql
+        default_domain_id: default
+        domain_specific_drivers_enabled: True
+        domain_configurations_from_database: True
+        domain_config_dir: /etc/keystone/domains
+    ks_domains:
+      ldapdomain:
+        identity:
+          driver: ldap
+        ldap:
+          url: "ldap://ldap.openstack.svc.cluster.local:389"
+          user: "cn=admin,dc=cluster,dc=local"
+          password: password
+          suffix: "dc=cluster,dc=local"
+          user_attribute_ignore: "enabled,email,tenants,default_project_id"
+          query_scope: sub
+          user_enabled_emulation: True
+          user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
+          user_tree_dn: "ou=People,dc=cluster,dc=local"
+          user_enabled_mask: 2
+          user_enabled_default: 512
+          user_name_attribute: cn
+          user_id_attribute: sn
+          user_mail_attribute: mail
+          user_pass_attribute: userPassword
+          group_tree_dn: "ou=Groups,dc=cluster,dc=local"
+          group_filter: ""
+          group_objectclass: posixGroup
+          group_id_attribute: cn
+          group_name_attribute: cn
+          group_desc_attribute: description
+          group_member_attribute: memberUID
+          use_pool: true
+          pool_size: 27
+          pool_retry_max: 3
+          pool_retry_delay: 0.1
+          pool_connection_timeout: 15
+          pool_connection_lifetime: 600
+          use_auth_pool: true
+          auth_pool_size: 100
+          auth_pool_connection_lifetime: 60
+...

openstack/values_overrides/keystone/netpol.yaml

@@ -0,0 +1,70 @@
+---
+keystone:
+  manifests:
+    network_policy: true
+  network_policy:
+    keystone:
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: ceph
+          - podSelector:
+              matchLabels:
+                application: ingress
+          - podSelector:
+              matchLabels:
+                application: keystone
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: glance
+          - podSelector:
+              matchLabels:
+                application: cinder
+          - podSelector:
+              matchLabels:
+                application: barbican
+          - podSelector:
+              matchLabels:
+                application: ceilometer
+          - podSelector:
+              matchLabels:
+                application: horizon
+          - podSelector:
+              matchLabels:
+                application: ironic
+          - podSelector:
+              matchLabels:
+                application: magnum
+          - podSelector:
+              matchLabels:
+                application: mistral
+          - podSelector:
+              matchLabels:
+                application: nova
+          - podSelector:
+              matchLabels:
+                application: neutron
+          - podSelector:
+              matchLabels:
+                application: senlin
+          - podSelector:
+              matchLabels:
+                application: placement
+          - podSelector:
+              matchLabels:
+                application: prometheus-openstack-exporter
+          ports:
+          - protocol: TCP
+            port: 5000
+      egress:
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...

openstack/values_overrides/keystone/tls.yaml

@@ -0,0 +1,91 @@
+---
+keystone:
+  network:
+    api:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/rewrite-target: null
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+  pod:
+    security_context:
+      keystone:
+        pod:
+          runAsUser: 0
+        container:
+          keystone_api:
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+  conf:
+    software:
+      apache2:
+        a2enmod:
+          - ssl
+    keystone:
+      oslo_messaging_rabbit:
+        ssl: true
+        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+        ssl_key_file: /etc/rabbitmq/certs/tls.key
+    wsgi_keystone: |
+      {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      {{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+
+      Listen 0.0.0.0:{{ $portInt }}
+
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+      LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+
+      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+      CustomLog /dev/stdout combined env=!forwarded
+      CustomLog /dev/stdout proxy env=forwarded
+
+      <VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
+        ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+        WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
+        WSGIProcessGroup keystone-public
+        WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        ErrorLog /dev/stdout
+
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        SSLEngine on
+        SSLCertificateFile      /etc/keystone/certs/tls.crt
+        SSLCertificateKeyFile   /etc/keystone/certs/tls.key
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder     on
+      </VirtualHost>
+  endpoints:
+    identity:
+      auth:
+        admin:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        test:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: keystone-tls-api
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+        public: https
+      port:
+        api:
+          default: 443
+    oslo_messaging:
+      port:
+        https:
+          default: 15680
+  manifests:
+    certificates: true
+...

openstack/values_overrides/keystone/train-ubuntu_bionic.yaml

@@ -0,0 +1,17 @@
+---
+keystone:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      keystone_api: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      keystone_credential_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_credential_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_db_sync: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_domain_manage: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_fernet_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      keystone_fernet_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+...

openstack/values_overrides/keystone/ussuri-ubuntu_bionic.yaml

@@ -0,0 +1,17 @@
+---
+keystone:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      keystone_api: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      keystone_credential_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_credential_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_db_sync: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_domain_manage: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_fernet_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      keystone_fernet_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+...

openstack/values_overrides/keystone/victoria-ubuntu_focal.yaml

@@ -0,0 +1,17 @@
+---
+keystone:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      keystone_api: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      keystone_credential_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_credential_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_db_sync: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_domain_manage: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_fernet_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      keystone_fernet_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+...

openstack/values_overrides/keystone/wallaby-ubuntu_focal.yaml

@@ -0,0 +1,17 @@
+---
+keystone:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      keystone_api: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      keystone_credential_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_credential_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_db_sync: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_domain_manage: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_fernet_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      keystone_fernet_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+...

openstack/values_overrides/mariadb/apparmor.yaml

@@ -0,0 +1,35 @@
+---
+mariadb:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      mariadb-ingress-error-pages:
+        init: runtime/default
+        ingress-error-pages: runtime/default
+      mariadb-ingress:
+        init: runtime/default
+        ingress: runtime/default
+      mariadb-server:
+        init: runtime/default
+        mariadb-perms: runtime/default
+        mariadb: runtime/default
+      mariadb-backup:
+        init: runtime/default
+        mariadb-backup: runtime/default
+      mariadb-test:
+        init: runtime/default
+        mariadb-test: runtime/default
+      prometheus-mysql-exporter:
+        init: runtime/default
+        mysql-exporter: runtime/default
+      create-sql-user:
+        init: runtime/default
+        exporter-create-sql-user: runtime/default
+
+  monitoring:
+    prometheus:
+      enabled: true
+
+  manifests:
+    cron_job_mariadb_backup: true
+...

openstack/values_overrides/mariadb/local-storage.yaml

@@ -0,0 +1,12 @@
+---
+mariadb:
+  pod:
+    replicas:
+      server: 1
+  volume:
+    size: 1Gi
+    class_name: local-storage
+  monitoring:
+    prometheus:
+      enabled: false
+...

openstack/values_overrides/mariadb/netpol.yaml

@@ -0,0 +1,85 @@
+---
+mariadb:
+  manifests:
+    network_policy: true
+  network_policy:
+    mariadb:
+      egress:
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: keystone
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: glance
+          - podSelector:
+              matchLabels:
+                application: cinder
+          - podSelector:
+              matchLabels:
+                application: aodh
+          - podSelector:
+              matchLabels:
+                application: barbican
+          - podSelector:
+              matchLabels:
+                application: ceilometer
+          - podSelector:
+              matchLabels:
+                application: designate
+          - podSelector:
+              matchLabels:
+                application: horizon
+          - podSelector:
+              matchLabels:
+                application: ironic
+          - podSelector:
+              matchLabels:
+                application: magnum
+          - podSelector:
+              matchLabels:
+                application: mistral
+          - podSelector:
+              matchLabels:
+                application: nova
+          - podSelector:
+              matchLabels:
+                application: neutron
+          - podSelector:
+              matchLabels:
+                application: rally
+          - podSelector:
+              matchLabels:
+                application: senlin
+          - podSelector:
+              matchLabels:
+                application: placement
+          - podSelector:
+              matchLabels:
+                application: prometheus-mysql-exporter
+          - podSelector:
+              matchLabels:
+                application: mariadb
+          - podSelector:
+              matchLabels:
+                application: mariadb-backup
+          ports:
+          - protocol: TCP
+            port: 3306
+          - protocol: TCP
+            port: 4567
+          - protocol: TCP
+            port: 80
+          - protocol: TCP
+            port: 8080
+...

openstack/values_overrides/mariadb/tls.yaml

@@ -0,0 +1,24 @@
+---
+mariadb:
+  pod:
+    security_context:
+      server:
+        container:
+          perms:
+            readOnlyRootFilesystem: false
+          mariadb:
+            runAsUser: 0
+            allowPrivilegeEscalation: true
+            readOnlyRootFilesystem: false
+  endpoints:
+    oslo_db:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: mariadb-tls-direct
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+  manifests:
+    certificates: true
+...

openstack/values_overrides/memcached/apparmor.yaml

@@ -0,0 +1,16 @@
+---
+memcached:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      prometheus_memcached_exporter:
+        init: runtime/default
+        memcached-exporter: runtime/default
+      memcached:
+        init: runtime/default
+        memcached: runtime/default
+
+  monitoring:
+    prometheus:
+      enabled: false
+...

openstack/values_overrides/memcached/netpol.yaml

@@ -0,0 +1,81 @@
+---
+memcached:
+  manifests:
+    network_policy: true
+  network_policy:
+    memcached:
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: ingress
+          - podSelector:
+              matchLabels:
+                application: keystone
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: glance
+          - podSelector:
+              matchLabels:
+                application: cinder
+          - podSelector:
+              matchLabels:
+                application: barbican
+          - podSelector:
+              matchLabels:
+                application: ceilometer
+          - podSelector:
+              matchLabels:
+                application: horizon
+          - podSelector:
+              matchLabels:
+                application: ironic
+          - podSelector:
+              matchLabels:
+                application: magnum
+          - podSelector:
+              matchLabels:
+                application: mistral
+          - podSelector:
+              matchLabels:
+                application: nova
+          - podSelector:
+              matchLabels:
+                application: neutron
+          - podSelector:
+              matchLabels:
+                application: senlin
+          - podSelector:
+              matchLabels:
+                application: placement
+          - podSelector:
+              matchLabels:
+                application: prometheus_memcached_exporter
+          - podSelector:
+              matchLabels:
+                application: aodh
+          - podSelector:
+              matchLabels:
+                application: rally
+          - podSelector:
+              matchLabels:
+                application: memcached
+          - podSelector:
+              matchLabels:
+                application: gnocchi
+          ports:
+          - port: 11211
+            protocol: TCP
+          - port: 9150
+            protocol: TCP
+      egress:
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...

openstack/values_overrides/rabbitmq/apparmor.yaml

@@ -0,0 +1,26 @@
+---
+rabbitmq:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      rabbitmq-cluster-wait:
+        init: runtime/default
+        rabbitmq-cookie: runtime/default
+        rabbitmq-rabbitmq-cluster-wait: runtime/default
+      rabbitmq:
+        init: runtime/default
+        rabbitmq-password: runtime/default
+        rabbitmq-cookie: runtime/default
+        rabbitmq-perms: runtime/default
+        rabbitmq: runtime/default
+      prometheus-rabbitmq-exporter:
+        init: runtime/default
+        rabbitmq-exporter: runtime/default
+      rabbitmq-rabbitmq-test:
+        rabbitmq-rabbitmq-test: runtime/default
+        init: runtime/default
+
+  monitoring:
+    prometheus:
+      enabled: true
+...

openstack/values_overrides/rabbitmq/netpol.yaml

@@ -0,0 +1,106 @@
+---
+rabbitmq:
+  network_policy:
+    rabbitmq:
+      ingress:
+        - from:
+          - podSelector:
+              matchLabels:
+                application: keystone
+          - podSelector:
+              matchLabels:
+                application: heat
+          - podSelector:
+              matchLabels:
+                application: glance
+          - podSelector:
+              matchLabels:
+                application: cinder
+          - podSelector:
+              matchLabels:
+                application: aodh
+          - podSelector:
+              matchLabels:
+                application: barbican
+          - podSelector:
+              matchLabels:
+                application: ceilometer
+          - podSelector:
+              matchLabels:
+                application: designate
+          - podSelector:
+              matchLabels:
+                application: ironic
+          - podSelector:
+              matchLabels:
+                application: magnum
+          - podSelector:
+              matchLabels:
+                application: mistral
+          - podSelector:
+              matchLabels:
+                application: nova
+          - podSelector:
+              matchLabels:
+                application: neutron
+          - podSelector:
+              matchLabels:
+                application: senlin
+          - podSelector:
+              matchLabels:
+                application: placement
+          - podSelector:
+              matchLabels:
+                application: rabbitmq
+          - podSelector:
+              matchLabels:
+                application: prometheus_rabbitmq_exporter
+          ports:
+            # AMQP port
+            - protocol: TCP
+              port: 5672
+            # HTTP API ports
+            - protocol: TCP
+              port: 15672
+            - protocol: TCP
+              port: 80
+        - from:
+          - podSelector:
+              matchLabels:
+                application: rabbitmq
+          ports:
+            # Clustering port AMQP + 20000
+            - protocol: TCP
+              port: 25672
+            # Erlang Port Mapper Daemon (epmd)
+            - protocol: TCP
+              port: 4369
+      egress:
+        - to:
+          - podSelector:
+              matchLabels:
+                application: rabbitmq
+          ports:
+            # Erlang port mapper daemon (epmd)
+            - protocol: TCP
+              port: 4369
+            # Rabbit clustering port AMQP + 20000
+            - protocol: TCP
+              port: 25672
+            # NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
+            # permit traffic in this range to pass between clustered nodes.
+            # - protocol: TCP
+            #  port: 35197
+        - to:
+          - ipBlock:
+              cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+
+  manifests:
+    monitoring:
+      prometheus:
+        network_policy_exporter: true
+    network_policy: true
+...

openstack/values_overrides/rabbitmq/tls.yaml

@@ -0,0 +1,31 @@
+---
+rabbitmq:
+  conf:
+    rabbitmq:
+      ssl_options:
+        cacertfile: "/etc/rabbitmq/certs/ca.crt"
+        certfile: "/etc/rabbitmq/certs/tls.crt"
+        keyfile: "/etc/rabbitmq/certs/tls.key"
+        verify: verify_peer
+        fail_if_no_peer_cert: false
+      management:
+        ssl:
+          cacertfile: "/etc/rabbitmq/certs/ca.crt"
+          certfile: "/etc/rabbitmq/certs/tls.crt"
+          keyfile: "/etc/rabbitmq/certs/tls.key"
+  endpoints:
+    oslo_messaging:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: rabbitmq-tls-direct
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      port:
+        https:
+          default: 15680
+          public: 443
+  manifests:
+    certificates: true
+...

releasenotes/notes/glance.yaml

@@ -23,4 +23,5 @@ glance:
   - 0.3.0 Remove glance registry
   - 0.3.1 Enable taint toleration for Openstack services
   - 0.3.2 Decrease terminationGracePeriodSeconds on glance-api
+  - 0.3.3 Update naming for subchart compatibility
 ...

releasenotes/notes/heat.yaml

@@ -16,4 +16,5 @@ heat:
   - 0.2.7 Helm 3 - Fix Job Labels
   - 0.2.8 Update htk requirements repo
   - 0.2.9 Enable taint toleration for Openstack services
+  - 0.2.10 Updated naming for subchart compatibility
 ...

releasenotes/notes/keystone.yaml

@@ -36,4 +36,5 @@ keystone:
   - 0.2.18 Remove default policy
   - 0.2.19 Revert Reduce log chattiness
   - 0.2.20 Enable taint toleration for Openstack services
+  - 0.2.21 Updated naming for subchart compatibility
 ...

releasenotes/notes/openstack.yaml

@@ -0,0 +1,4 @@
+---
+openstack:
+  - 0.1.0 Initial Chart
+...

tools/deployment/common/get-values-overrides.sh

@@ -20,6 +20,7 @@
 
 set -e
 HELM_CHART="$1"
+SUBCHART="$2"
 : "${HELM_CHART_ROOT_PATH:="../openstack-helm"}"
 : "${OPENSTACK_RELEASE:="train"}"
 : "${CONTAINER_DISTRO_NAME:="ubuntu"}"
@@ -61,18 +62,33 @@ function replace_variables() {
 
 function override_file_args () {
     OVERRIDE_ARGS=""
-    echoerr "We will attempt to use values-override files with the following paths:"
+    if [ -z "$SUBCHART" ];then
-    for FILE in $(combination ${1//,/ } | uniq | tac); do
+      echoerr "We will attempt to use values-override files with the following paths:"
-      FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
+      for FILE in $(combination ${1//,/ } | uniq | tac); do
-      if [ -f "${FILE_PATH}" ]; then
+        FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
-        replace_variables ${FILE_PATH}
+        if [ -f "${FILE_PATH}" ]; then
-        OVERRIDE_ARGS+=" --values=${FILE_PATH} "
+          replace_variables ${FILE_PATH}
-      fi
+          OVERRIDE_ARGS+=" --values=${FILE_PATH} "
-        echoerr "${FILE_PATH}"
+        fi
-    done
+          echoerr "${FILE_PATH}"
+      done
+    else
+      echoerr "running as subchart"
+      echoerr "We will attempt to use values-override files with the following paths:"
+      for FILE in $(combination ${1//,/ } | uniq | tac); do
+        FILE_PATH="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}/${FILE}.yaml"
+        if [ -f "${FILE_PATH}" ]; then
+          replace_variables ${FILE_PATH}
+          OVERRIDE_ARGS+=" --values=${FILE_PATH} "
+        fi
+          echoerr "${FILE_PATH}"
+      done
+    fi
+
     echo "${OVERRIDE_ARGS}"
 }
 
+
 echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
 source ../openstack-helm/tools/deployment/common/env-variables.sh
 override_file_args "${OSH_FEATURE_MIX}"

tools/deployment/common/wait-for-pods.sh

@@ -12,11 +12,14 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 set -e
+if [[ "$2" -gt 0 ]];then
+    seconds=$2
+else
+    seconds=900
+fi
 
-# From Kolla-Kubernetes, orginal authors Kevin Fox & Serguei Bezverkhi
-# Default wait timeout is 900 seconds
 end=$(date +%s)
-timeout=${2:-900}
+timeout=${2:-$seconds}
 end=$((end + timeout))
 while true; do
     kubectl get pods --namespace=$1 -o json | jq -r \

tools/deployment/component/common/openstack.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+set -xe
+namespace=openstack
+chart=$namespace
+export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm/openstack"}"}"
+: ${OSH_EXTRA_HELM_ARGS_MARIADB:="$(./tools/deployment/common/get-values-overrides.sh mariadb subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_RABBITMQ:="$(./tools/deployment/common/get-values-overrides.sh rabbitmq subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_MEMCACHED:="$(./tools/deployment/common/get-values-overrides.sh memcached subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_KEYSTONE:="$(./tools/deployment/common/get-values-overrides.sh keystone subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_HEAT:="$(./tools/deployment/common/get-values-overrides.sh heat subchart)"}
+: ${OSH_EXTRA_HELM_ARGS_GLANCE:="$(./tools/deployment/common/get-values-overrides.sh glance subchart)"}
+
+#NOTE: Lint and package chart
+make -C ${HELM_CHART_ROOT_PATH} .
+
+echo "helm installing ..."
+helm upgrade --install $chart $chart/ \
+    ${OSH_EXTRA_HELM_ARGS_MARIADB} \
+    ${OSH_EXTRA_HELM_ARGS_RABBITMQ} \
+    ${OSH_EXTRA_HELM_ARGS_MEMCACHED} \
+    ${OSH_EXTRA_HELM_ARGS_KEYSTONE} \
+    ${OSH_EXTRA_HELM_ARGS_HEAT} \
+    ${OSH_EXTRA_HELM_ARGS_GLANCE} \
+    ${OSH_EXTRA_HELM_ARGS:=} \
+    --namespace=$namespace
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh $namespace 1800