Create Openstack common components umbrella chart
ADD openstack chart with values_overrides * rabbitmq * mariadb * memcached * keystone * heat * glance This adds umbrella chart that references other charts via symlink and includes global values. Because chart values_overrides yaml apply to the main chart, the umbrella chart has a chart-scoped replacement ADD openstack.sh deploy script This script deploys all components with a single release. ADD corresponding release notes CHG wait-for-pods-sh to accept timeout argument CHG get-values-overrides.sh to modify file path for subchart Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
parent
3b780510be
commit
1157d95b71
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Glance
|
||||
name: glance
|
||||
version: 0.3.2
|
||||
version: 0.3.3
|
||||
home: https://docs.openstack.org/glance/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
|
||||
sources:
|
||||
|
@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
@ -97,7 +103,7 @@ limitations under the License.
|
||||
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
|
||||
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
||||
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
|
||||
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
|
||||
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
|
||||
{{- end -}}
|
||||
|
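Review bot: The fluentd tag built on the `$fluent_args` line changes from `<namespace>.<release>` to `<namespace>.<chart>` whenever `global.subchart_release_name` is truthy, so any fluentd match/filter rules or SIEM parsers keyed on the release segment of the tag silently stop matching once glance is deployed through the umbrella chart; that deserves a line in the release note. The new guard also needs a comment, because `deployment_name` is written onto the root context here and only read much further down: `{{/* Under the umbrella chart .Release.Name is the umbrella's release, so key names and log tags on the chart name instead */}}`. The `configmap_etc` block this feeds continues past the end of the hunk.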
@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.pod_rally_test }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
|
||||
{{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
|
||||
|
||||
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
|
||||
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
|
||||
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: {{ print $envAll.Release.Name "-test" }}
|
||||
name: {{ print $envAll.Chart.Name "-test" }}
|
||||
labels:
|
||||
{{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
annotations:
|
||||
@ -79,7 +85,7 @@ spec:
|
||||
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
- name: RALLY_ENV_NAME
|
||||
value: {{.Release.Name}}
|
||||
value: {{.Chart.Name}}
|
||||
command:
|
||||
- /tmp/rally-test.sh
|
||||
volumeMounts:
|
||||
|
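Review bot: The Pod name on the `name: {{ print $envAll.Chart.Name "-test" }}` line and the RALLY_ENV_NAME `value: {{.Chart.Name}}` line use `.Chart.Name` directly, while the ServiceAccount a few lines earlier is built from `$envAll.deployment_name` and the heat and keystone test pods in this same commit use `.deployment_name` for all three. When `global.subchart_release_name` is unset (the chart installed on its own) the pod is now always named `glance-test` while its ServiceAccount is still `<release>-test`, and two releases in one namespace would fight over the same pod name. Change the two lines to `name: {{ print $envAll.deployment_name "-test" }}` and `value: {{.deployment_name}}`.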
@ -27,8 +27,6 @@ network_policy:
|
||||
matchLabels:
|
||||
application: cinder
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9191
|
||||
- protocol: TCP
|
||||
port: 9292
|
||||
egress:
|
||||
|
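Review bot: Dropping the `port: 9191` entry tightens the glance ingress allow-list to TCP/9292 only, which is correct only if nothing rendered by this chart still listens on 9191 (historically the glance-registry port). If a registry deployment can still be enabled from the chart's manifests, its traffic is silently denied as soon as `manifests.network_policy` is turned on, so either confirm the registry manifests are gone or keep the rule behind the same conditional. The enclosing `network_policy` block continues outside the hunk.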
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Heat
|
||||
name: heat
|
||||
version: 0.2.9
|
||||
version: 0.2.10
|
||||
home: https://docs.openstack.org/heat/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
|
||||
sources:
|
||||
|
@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
@ -120,7 +126,7 @@ limitations under the License.
|
||||
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
|
||||
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
||||
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
|
||||
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
|
||||
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
|
||||
{{- end -}}
|
||||
|
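Review bot: The six-line `deployment_name` guard added at the top of this template is repeated verbatim in every template touched by this commit across three charts, which makes it easy for one copy to drift (the glance test pod already uses `.Chart.Name` instead). A single named template in helm-toolkit, e.g. `{{- define "helm-toolkit.utils.deployment_name" -}}` performing the same `set`, included as `{{- include "helm-toolkit.utils.deployment_name" . }}` at the top of each file, would keep the rule in one place; since helm-toolkit lives in openstack-helm-infra that is likely a follow-up change. The `configmap_etc` block continues beyond the hunk.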
@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.pod_rally_test }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
|
||||
{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
|
||||
|
||||
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
|
||||
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
|
||||
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: {{ print $envAll.Release.Name "-test" }}
|
||||
name: {{ print $envAll.deployment_name "-test" }}
|
||||
labels:
|
||||
{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
annotations:
|
||||
@ -40,7 +46,7 @@ spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
|
||||
- name: {{ .Release.Name }}-test-ks-user
|
||||
- name: {{ .deployment_name }}-test-ks-user
|
||||
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
command:
|
||||
@ -65,7 +71,7 @@ spec:
|
||||
- name: SERVICE_OS_ROLE
|
||||
value: {{ .Values.endpoints.identity.auth.test.role | quote }}
|
||||
containers:
|
||||
- name: {{ .Release.Name }}-test
|
||||
- name: {{ .deployment_name }}-test
|
||||
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
||||
env:
|
||||
@ -76,7 +82,7 @@ spec:
|
||||
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
- name: RALLY_ENV_NAME
|
||||
value: {{.Release.Name}}
|
||||
value: {{.deployment_name}}
|
||||
command:
|
||||
- /tmp/rally-test.sh
|
||||
volumeMounts:
|
||||
|
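Review bot: With `global.subchart_release_name` set, the ServiceAccount, the Pod (`name: {{ print $envAll.deployment_name "-test" }}`) and the `{{ .deployment_name }}-test-ks-user` init container all get the fixed names `heat-test` / `heat-test-ks-user`, so they are no longer unique per release and a second umbrella release in the same namespace collides on the Pod, the ServiceAccount and whatever RBAC is bound to it. That constraint (one umbrella release per namespace) should be stated in the umbrella chart's values comments or README, or the names should keep a release-derived suffix. The init container appears to create a Keystone user with the `SERVICE_OS_ROLE` from the test auth block, so a naming collision here is also an identity clean-up concern.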
@ -1,5 +1,6 @@
|
||||
---
|
||||
images:
|
||||
heat:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
|
||||
db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
|
||||
|
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Keystone
|
||||
name: keystone
|
||||
version: 0.2.20
|
||||
version: 0.2.21
|
||||
home: https://docs.openstack.org/keystone/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
|
||||
sources:
|
||||
|
@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.configmap_etc }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
@ -35,7 +41,7 @@ limitations under the License.
|
||||
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
|
||||
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
||||
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
|
||||
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
|
||||
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
|
||||
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
|
||||
{{- end -}}
|
||||
|
@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if (.Values.global).subchart_release_name }}
|
||||
{{- $_ := set . "deployment_name" .Chart.Name }}
|
||||
{{- else }}
|
||||
{{- $_ := set . "deployment_name" .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.pod_rally_test }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
|
||||
{{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
|
||||
|
||||
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
|
||||
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
|
||||
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: {{ print $envAll.Release.Name "-test" }}
|
||||
name: {{ print $envAll.deployment_name "-test" }}
|
||||
labels:
|
||||
{{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
annotations:
|
||||
@ -79,7 +85,7 @@ spec:
|
||||
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
- name: RALLY_ENV_NAME
|
||||
value: {{.Release.Name}}
|
||||
value: {{.deployment_name}}
|
||||
command:
|
||||
- /tmp/rally-test.sh
|
||||
volumeMounts:
|
||||
|
@ -68,7 +68,6 @@ bootstrap:
|
||||
--domain="${OS_DEFAULT_DOMAIN}" \
|
||||
"admin"
|
||||
|
||||
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
|
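--- a/openstack/.helmignore
+++ b/openstack/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj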
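--- a/openstack/Chart.yaml
+++ b/openstack/Chart.yaml
@@ -0,0 +1,31 @@
+apiVersion: v2
+appVersion: 1.16.0
+dependencies:
+  - name: helm-toolkit
+    repository: file://../../openstack-helm-infra/helm-toolkit
+    version: ">0.1.0"
+  - name: mariadb
+    repository: file://../../openstack-helm-infra/mariadb
+    version: ">0.1.0"
+  - name: rabbitmq
+    repository: file://../../openstack-helm-infra/rabbitmq
+    version: ">0.1.0"
+  - name: memcached
+    repository: file://../../openstack-helm-infra/memcached
+    version: ">0.1.0"
+  - name: keystone
+    repository: file://../keystone
+    version: ">0.1.0"
+  - name: heat
+    repository: file://../heat
+    version: ">0.1.0"
+  - name: glance
+    repository: file://../glance
+    version: ">0.1.0"
+
+description: A chart for openstack helm commmon deployment items
+name: openstack
+type: application
+version: 0.1.0
+maintainers:
+  - name: OpenStack-Helm Authors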
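Review bot: Every dependency uses the open-ended constraint `version: ">0.1.0"`, which accepts any future release of the subchart including a breaking major bump, so the constraint pins nothing; because the dependencies resolve through `file://` paths this is not a remote supply-chain exposure, but it still lets an incompatible subchart version through `helm dependency update` without a signal. Prefer a bounded range per subchart that matches the versions bumped in this commit, e.g. `version: "~0.2.0"` for keystone and heat and `version: "~0.3.0"` for glance. Nit: `commmon` in the description.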
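--- a/openstack/charts/glance
+++ b/openstack/charts/glance
@@ -0,0 +1 @@
+../../glance/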
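--- a/openstack/charts/heat
+++ b/openstack/charts/heat
@@ -0,0 +1 @@
+../../heat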
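--- a/openstack/charts/helm-toolkit
+++ b/openstack/charts/helm-toolkit
@@ -0,0 +1 @@
+../../../openstack-helm-infra/helm-toolkit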
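Review bot: The link target `../../../openstack-helm-infra/helm-toolkit` (like the mariadb, memcached and rabbitmq links beside it) leaves both the chart root and this repository, so the subchart that actually gets packaged is whatever commit of a sibling openstack-helm-infra checkout happens to be present, and no version of it is recorded anywhere in this change. Document the expected checkout layout next to the `file://` entries in Chart.yaml and have the deploy script/CI pin the infra commit it checks out; Helm may also warn about symlinks that escape the chart directory, so that should be checked in the gate.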
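--- a/openstack/charts/keystone
+++ b/openstack/charts/keystone
@@ -0,0 +1 @@
+../../keystone/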
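--- a/openstack/charts/mariadb
+++ b/openstack/charts/mariadb
@@ -0,0 +1 @@
+../../../openstack-helm-infra/mariadb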
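--- a/openstack/charts/memcached
+++ b/openstack/charts/memcached
@@ -0,0 +1 @@
+../../../openstack-helm-infra/memcached/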
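--- a/openstack/charts/rabbitmq
+++ b/openstack/charts/rabbitmq
@@ -0,0 +1 @@
+../../../openstack-helm-infra/rabbitmq/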
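--- a/openstack/values.yaml
+++ b/openstack/values.yaml
@@ -0,0 +1,42 @@
+---
+# default values for openstack umbrella chart
+# Global overrides for subcharts
+
+global:
+  subchart_release_name: true
+
+helm-toolkit:
+  enabled: true
+
+rabbitmq:
+  enabled: true
+  volume:
+    enabled: false
+  pod:
+    replicas:
+      server: 1
+
+mariadb:
+  enabled: true
+  pod:
+    replicas:
+      server: 1
+  volume:
+    enabled: false
+    use_local_path_for_single_pod_cluster:
+      enabled: true
+
+memcached:
+  enabled: true
+
+keystone:
+  enabled: true
+
+heat:
+  enabled: true
+
+glance:
+  enabled: true
+  storage: pvc
+  volume:
+    class_name: standard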
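Review bot: The defaults describe an ephemeral single-node profile — `rabbitmq.volume.enabled: false`, `mariadb.volume.enabled: false` with `use_local_path_for_single_pod_cluster`, one `server` replica each — so nothing durable backs the Keystone, Glance and Heat databases or the message queue, yet the file never says so. Add a comment under the `# Global overrides for subcharts` header such as `# NOTE: these defaults disable persistent volumes and run single replicas; they are for development/CI only and must be overridden for any durable deployment`. `global.subchart_release_name: true` also changes how every subchart names its resources and log tags, which is worth a one-line comment next to it.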
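--- a/openstack/values_overrides/glance/apparmor.yaml
+++ b/openstack/values_overrides/glance/apparmor.yaml
@@ -0,0 +1,23 @@
+---
+glance:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      glance-api:
+        glance-api: runtime/default
+        glance-perms: runtime/default
+        init: runtime/default
+        nginx: runtime/default
+      glance-metadefs-load:
+        init: runtime/default
+        glance-metadefs-load: runtime/default
+      glance-storage-init:
+        init: runtime/default
+        glance-storage-init: runtime/default
+      glance-test:
+        init: runtime/default
+        glance-test: runtime/default
+        glance-test-ks-user: runtime/default
+  manifests:
+    certificates: true
+...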
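Review bot: `manifests.certificates: true` at the bottom of this AppArmor override has nothing to do with AppArmor and is absent from the heat apparmor.yaml in the same commit; applying the glance apparmor override on its own would enable the certificate manifests without the matching settings that tls.yaml carries. Unless there is a reason for it, drop the two `manifests:` lines here and leave certificate enabling to tls.yaml; if it is intentional, add a comment above them explaining why.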
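--- a/openstack/values_overrides/glance/netpol.yaml
+++ b/openstack/values_overrides/glance/netpol.yaml
@@ -0,0 +1,46 @@
+---
+glance:
+  manifests:
+    network_policy: true
+  network_policy:
+    glance:
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  application: glance
+            - podSelector:
+                matchLabels:
+                  application: nova
+            - podSelector:
+                matchLabels:
+                  application: horizon
+            - podSelector:
+                matchLabels:
+                  application: ingress
+            - podSelector:
+                matchLabels:
+                  application: heat
+            - podSelector:
+                matchLabels:
+                  application: ironic
+            - podSelector:
+                matchLabels:
+                  application: cinder
+          ports:
+            - protocol: TCP
+              port: 9292
+      egress:
+        - to:
+          ports:
+            - protocol: TCP
+              port: 80
+            - protocol: TCP
+              port: 443
+        - to:
+            - ipBlock:
+                cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...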
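Review bot: The first egress rule is a bare `- to:` with no peer list followed by `ports:` 80 and 443, which parses as `to: null` and therefore permits egress from glance pods to any destination, inside or outside the cluster, on those two ports — not just to keystone or the ingress controller. If in-cluster services are the intent, give the rule explicit peers (a `podSelector` with `application: keystone` and one for the ingress controller) and keep an open rule only if glance genuinely needs arbitrary HTTPS egress, with a comment saying why. The `%%%REPLACE_API_ADDR%%%` placeholders presumably get substituted by the deploy script, so the file is not valid YAML until then; a header comment stating that would save the next reader a lint failure.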
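--- a/openstack/values_overrides/glance/tls.yaml
+++ b/openstack/values_overrides/glance/tls.yaml
@@ -0,0 +1,128 @@
+---
+glance:
+  images:
+    tags:
+      nginx: docker.io/nginx:1.18.0
+  conf:
+    glance:
+      DEFAULT:
+        bind_host: 127.0.0.1
+      keystone_authtoken:
+        cafile: /etc/glance/certs/ca.crt
+      glance_store:
+        https_ca_certificates_file: /etc/glance/certs/ca.crt
+        swift_store_cacert: /etc/glance/certs/ca.crt
+      oslo_messaging_rabbit:
+        ssl: true
+        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+        ssl_key_file: /etc/rabbitmq/certs/tls.key
+    nginx: |
+      worker_processes 1;
+      daemon off;
+      user nginx;
+
+      events {
+        worker_connections 1024;
+      }
+
+      http {
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        sendfile on;
+        keepalive_timeout 65s;
+        tcp_nodelay on;
+
+        log_format main '[nginx] method=$request_method path=$request_uri '
+          'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
+          '"$remote_user" "$http_referer" "$http_user_agent"';
+
+        access_log /dev/stdout main;
+
+        upstream websocket {
+          server 127.0.0.1:$PORT;
+        }
+
+        server {
+          server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
+          listen $POD_IP:$PORT ssl;
+
+          client_max_body_size 0;
+
+          ssl_certificate /etc/nginx/certs/tls.crt;
+          ssl_certificate_key /etc/nginx/certs/tls.key;
+          ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+
+          location / {
+            proxy_pass_request_headers on;
+
+            proxy_http_version 1.1;
+            proxy_pass http://websocket;
+            proxy_read_timeout 90;
+          }
+        }
+      }
+  network:
+    api:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+  endpoints:
+    identity:
+      name: keystone
+      auth:
+        admin:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        glance:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        test:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+      scheme:
+        default: https
+      port:
+        api:
+          default: 443
+    image:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: glance-tls-api
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+        public: https
+      port:
+        api:
+          public: 443
+    dashboard:
+      scheme:
+        default: https
+        public: https
+      port:
+        web:
+          default: 80
+          public: 443
+    oslo_messaging:
+      port:
+        https:
+          default: 15680
+  pod:
+    security_context:
+      glance:
+        pod:
+          runAsUser: 0
+    resources:
+      nginx:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+  manifests:
+    certificates: true
+...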
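Review bot: The nginx `server` block sets `ssl_certificate`, `ssl_certificate_key` and `ssl_ciphers` but no `ssl_protocols`, and with the pinned `docker.io/nginx:1.18.0` image nginx's built-in default still includes TLSv1 and TLSv1.1, so the glance API front end accepts protocols the heat override in this same commit explicitly disables with `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. Add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` next to `ssl_ciphers`; note also that the first two names in that cipher list end in `GCM-SHA512`, which are not standard TLS 1.2 suite names (the GCM suites end in SHA384/SHA256), so OpenSSL skips them silently. Separately, `pod.security_context.glance.pod.runAsUser: 0` runs the whole glance pod as root to make TLS work; if that exists only so the nginx sidecar can read the certificate volume, an `fsGroup` on the pod or a non-root nginx image would avoid the privilege regression, and either way the reason belongs in a comment on that line.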
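--- a/openstack/values_overrides/glance/train-ubuntu_bionic.yaml
+++ b/openstack/values_overrides/glance/train-ubuntu_bionic.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      glance_db_sync: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_api: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...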
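Review bot: Every image here is referenced by a mutable tag only, and `glance_storage_init` uses the floating `docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic` tag — the same line appears in the ussuri, victoria and wallaby files, including the focal-based ones — so what runs in the storage-init job can change between two deployments with no change to this repository. Pin the helper to a release tag that matches the row's OpenStack release and base image, and consider `@sha256:` digests for images an operator is expected to deploy unchanged.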
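--- a/openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml
+++ b/openstack/values_overrides/glance/ussuri-ubuntu_bionic.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
+      glance_db_sync: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_api: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...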
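--- a/openstack/values_overrides/glance/victoria-ubuntu_focal.yaml
+++ b/openstack/values_overrides/glance/victoria-ubuntu_focal.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
+      glance_db_sync: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_api: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...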
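--- a/openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml
+++ b/openstack/values_overrides/glance/wallaby-ubuntu_focal.yaml
@@ -0,0 +1,15 @@
+---
+glance:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
+      glance_db_sync: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_api: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_metadefs_load: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
+      glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
+...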
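--- a/openstack/values_overrides/heat/apparmor.yaml
+++ b/openstack/values_overrides/heat/apparmor.yaml
@@ -0,0 +1,27 @@
+---
+heat:
+  pod:
+    mandatory_access_control:
+      type: apparmor
+      heat-api:
+        heat-api: runtime/default
+        init: runtime/default
+      heat-cfn:
+        heat-cfn: runtime/default
+        init: runtime/default
+      heat-engine:
+        heat-engine: runtime/default
+        init: runtime/default
+      heat-engine-cleaner:
+        heat-engine-cleaner: runtime/default
+        init: runtime/default
+      heat-domain-ks-user:
+        heat-ks-domain-user: runtime/default
+        init: runtime/default
+      heat-trusts:
+        heat-trusts: runtime/default
+        init: runtime/default
+      heat-purge-deleted:
+        heat-purge-deleted: runtime/default
+        init: runtime/default
+...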
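Review bot: Under `heat-domain-ks-user:` the container key is spelled `heat-ks-domain-user`, the reverse of the pod key; AppArmor profiles are attached per container name, so if the container in the heat job template is actually named `heat-domain-ks-user` this entry never matches and that container runs unconfined with no error from the scheduler. Please verify the container name in the job template and align the key. Also, unlike the glance override in this commit, no profiles are listed for the `heat-test` pod (its `heat-test` and `heat-test-ks-user` containers appear in the test pod hunk above), so the test pod runs without AppArmor when this override is applied.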
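--- a/openstack/values_overrides/heat/netpol.yaml
+++ b/openstack/values_overrides/heat/netpol.yaml
@@ -0,0 +1,48 @@
+---
+heat:
+  manifests:
+    network_policy: true
+  network_policy:
+    heat:
+      ingress:
+        - from:
+            - podSelector:
+                matchLabels:
+                  application: heat
+            - podSelector:
+                matchLabels:
+                  application: ingress
+            - podSelector:
+                matchLabels:
+                  application: horizon
+          ports:
+            - protocol: TCP
+              port: 8000
+            - protocol: TCP
+              port: 8003
+            - protocol: TCP
+              port: 8004
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  application: neutron
+        - to:
+            - podSelector:
+                matchLabels:
+                  application: nova
+        - to:
+            - podSelector:
+                matchLabels:
+                  application: glance
+        - to:
+            - podSelector:
+                matchLabels:
+                  application: cinder
+        - to:
+            - ipBlock:
+                cidr: %%%REPLACE_API_ADDR%%%/32
+          ports:
+            - protocol: TCP
+              port: %%%REPLACE_API_PORT%%%
+...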
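Review bot: The egress list names neutron, nova, glance, cinder and the API server but not keystone, mariadb, rabbitmq or memcached, which heat needs for every request; if the helm-toolkit network-policy template emits an `Egress` policyType whenever `egress` is present (I cannot see the template here), heat-api and heat-engine lose database, queue and identity access the moment `manifests.network_policy` is enabled. Either add `podSelector` entries for those applications or, if egress enforcement is intentionally not enabled, say so in a comment above `egress:`. The glance override in this commit has the same gap.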
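--- a/openstack/values_overrides/heat/tls.yaml
+++ b/openstack/values_overrides/heat/tls.yaml
@@ -0,0 +1,191 @@
+---
+heat:
+  conf:
+    software:
+      apache2:
+        binary: apache2
+        start_parameters: -DFOREGROUND
+        site_dir: /etc/apache2/sites-enabled
+        conf_dir: /etc/apache2/conf-enabled
+        mods_dir: /etc/apache2/mods-available
+        a2enmod:
+          - ssl
+        a2dismod: null
+    mpm_event: |
+      <IfModule mpm_event_module>
+        ServerLimit 1024
+        StartServers 32
+        MinSpareThreads 32
+        MaxSpareThreads 256
+        ThreadsPerChild 25
+        MaxRequestsPerChild 128
+        ThreadLimit 720
+      </IfModule>
+    wsgi_heat: |
+      {{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      Listen {{ $portInt }}
+      <VirtualHost *:{{ $portInt }}>
+        ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+        WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
+        WSGIProcessGroup heat-api
+        WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        AllowEncodedSlashes On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        ErrorLog /dev/stdout
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        SSLEngine on
+        SSLCertificateFile /etc/heat/certs/tls.crt
+        SSLCertificateKeyFile /etc/heat/certs/tls.key
+        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder on
+      </VirtualHost>
+
+    wsgi_cfn: |
+      {{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+      Listen {{ $portInt }}
+      <VirtualHost *:{{ $portInt }}>
+        ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
+        WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
+        WSGIProcessGroup heat-api-cfn
+        WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
+        WSGIApplicationGroup %{GLOBAL}
+        WSGIPassAuthorization On
+        AllowEncodedSlashes On
+        <IfVersion >= 2.4>
+          ErrorLogFormat "%{cu}t %M"
+        </IfVersion>
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+        ErrorLog /dev/stdout
+        CustomLog /dev/stdout combined env=!forwarded
+        CustomLog /dev/stdout proxy env=forwarded
+
+        SSLEngine on
+        SSLCertificateFile /etc/heat/certs/tls.crt
+        SSLCertificateKeyFile /etc/heat/certs/tls.key
+        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder on
+      </VirtualHost>
+
+    heat:
+      clients_neutron:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_cinder:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_glance:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_nova:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_swift:
+        ca_file: /etc/heat/certs/ca.crt
+      ssl:
+        ca_file: /etc/heat/certs/ca.crt
+      keystone_authtoken:
+        cafile: /etc/heat/certs/ca.crt
+      clients:
+        ca_file: /etc/heat/certs/ca.crt
+      clients_keystone:
+        ca_file: /etc/heat/certs/ca.crt
+      oslo_messaging_rabbit:
+        ssl: true
+        ssl_ca_file: /etc/rabbitmq/certs/ca.crt
+        ssl_cert_file: /etc/rabbitmq/certs/tls.crt
+        ssl_key_file: /etc/rabbitmq/certs/tls.key
+
+  network:
+    api:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+    cfn:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+    cloudwatch:
+      ingress:
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "https"
+
+  pod:
+    security_context:
+      heat:
+        container:
+          heat_api:
+            readOnlyRootFilesystem: false
+            runAsUser: 0
+          heat_cfn:
+            readOnlyRootFilesystem: false
+            runAsUser: 0
+
+  endpoints:
+    identity:
+      auth:
+        admin:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat_trustee:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        heat_stack_user:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+        test:
+          cacert: /etc/ssl/certs/openstack-helm.crt
+      scheme:
+        default: https
+      port:
+        api:
+          default: 443
+    orchestration:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-api
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+      port:
+        api:
+          public: 443
+    cloudformation:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-cfn
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+      scheme:
+        default: https
+      port:
+        api:
+          public: 443
+    # Cloudwatch does not get an entry in the keystone service catalog
+    cloudwatch:
+      host_fqdn_override:
+        default:
+          tls:
+            secretName: heat-tls-cloudwatch
+            issuerRef:
+              name: ca-issuer
+              kind: ClusterIssuer
+    ingress:
+      port:
+        ingress:
+          default: 443
+    oslo_messaging:
+      port:
+        https:
+          default: 15680
+  manifests:
+    certificates: true
+...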
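Review bot: `pod.security_context.heat.container.heat_api` and `heat_cfn` set `readOnlyRootFilesystem: false` and `runAsUser: 0`, so enabling TLS drops two container hardening controls at once for the two externally reachable API processes; the WSGI blocks above already run the application as `user=heat`, and the listeners come from the internal endpoints (8000/8003/8004 per the heat netpol in this commit), so root is presumably only needed for Apache to read `/etc/heat/certs/tls.key`. An `fsGroup` or `defaultMode` on the certificate volume would keep the non-root, read-only profile; at minimum each of the four lines needs a comment stating why it is required. The TLS settings themselves (`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, ECDHE-only suites, `SSLHonorCipherOrder on`) look fine.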
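--- a/openstack/values_overrides/heat/train-ubuntu_bionic.yaml
+++ b/openstack/values_overrides/heat/train-ubuntu_bionic.yaml
@@ -0,0 +1,18 @@
+---
+heat:
+  images:
+    tags:
+      bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_db_sync: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_api: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_cfn: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_cloudwatch: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_engine: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_engine_cleaner: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+      heat_purge_deleted: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
+...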
18
openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml
Normal file
18
openstack/values_overrides/heat/ussuri-ubuntu_bionic.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
heat:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_db_sync: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_api: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_cfn: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_cloudwatch: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_engine: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_engine_cleaner: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
heat_purge_deleted: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
...
|
18
openstack/values_overrides/heat/victoria-ubuntu_focal.yaml
Normal file
18
openstack/values_overrides/heat/victoria-ubuntu_focal.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
heat:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_db_sync: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_api: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_cfn: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_cloudwatch: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_engine: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_engine_cleaner: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
heat_purge_deleted: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
...
|
18
openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml
Normal file
18
openstack/values_overrides/heat/wallaby-ubuntu_focal.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
heat:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_db_sync: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_api: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_cfn: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_cloudwatch: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_engine: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_engine_cleaner: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
heat_purge_deleted: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
...
|
21
openstack/values_overrides/keystone/apparmor.yaml
Normal file
21
openstack/values_overrides/keystone/apparmor.yaml
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
keystone:
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
keystone-api:
|
||||
keystone-api: runtime/default
|
||||
keystone-credential-setup:
|
||||
keystone-credential-setup: runtime/default
|
||||
keystone-fernet-setup:
|
||||
keystone-fernet-setup: runtime/default
|
||||
keystone-credential-cleanup:
|
||||
keystone-credential-cleanup: runtime/default
|
||||
keystone-domain-manage:
|
||||
keystone-domain-manage: runtime/default
|
||||
keystone-domain-manage-init: runtime/default
|
||||
keystone-test:
|
||||
init: runtime/default
|
||||
keystone-test: runtime/default
|
||||
keystone-test-ks-user: runtime/default
|
||||
...
|
59
openstack/values_overrides/keystone/ldap.yaml
Normal file
59
openstack/values_overrides/keystone/ldap.yaml
Normal file
@ -0,0 +1,59 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
keystone:
|
||||
conf:
|
||||
keystone:
|
||||
identity:
|
||||
driver: sql
|
||||
default_domain_id: default
|
||||
domain_specific_drivers_enabled: True
|
||||
domain_configurations_from_database: True
|
||||
domain_config_dir: /etc/keystone/domains
|
||||
ks_domains:
|
||||
ldapdomain:
|
||||
identity:
|
||||
driver: ldap
|
||||
ldap:
|
||||
url: "ldap://ldap.openstack.svc.cluster.local:389"
|
||||
user: "cn=admin,dc=cluster,dc=local"
|
||||
password: password
|
||||
suffix: "dc=cluster,dc=local"
|
||||
user_attribute_ignore: "enabled,email,tenants,default_project_id"
|
||||
query_scope: sub
|
||||
user_enabled_emulation: True
|
||||
user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
|
||||
user_tree_dn: "ou=People,dc=cluster,dc=local"
|
||||
user_enabled_mask: 2
|
||||
user_enabled_default: 512
|
||||
user_name_attribute: cn
|
||||
user_id_attribute: sn
|
||||
user_mail_attribute: mail
|
||||
user_pass_attribute: userPassword
|
||||
group_tree_dn: "ou=Groups,dc=cluster,dc=local"
|
||||
group_filter: ""
|
||||
group_objectclass: posixGroup
|
||||
group_id_attribute: cn
|
||||
group_name_attribute: cn
|
||||
group_desc_attribute: description
|
||||
group_member_attribute: memberUID
|
||||
use_pool: true
|
||||
pool_size: 27
|
||||
pool_retry_max: 3
|
||||
pool_retry_delay: 0.1
|
||||
pool_connection_timeout: 15
|
||||
pool_connection_lifetime: 600
|
||||
use_auth_pool: true
|
||||
auth_pool_size: 100
|
||||
auth_pool_connection_lifetime: 60
|
||||
...
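Review bot: The LDAP bind is configured over cleartext `url: "ldap://ldap.openstack.svc.cluster.local:389"` with a literal `password: password`, so the bind credential and every identity lookup cross the cluster network unencrypted, and the credential is now committed in a second location. If this is a gate fixture copied from the keystone chart's own override, say so at the top of the file (`# Test-only LDAP fixture; the bind password is a placeholder, not a real credential`); for anything beyond a gate, keystone's LDAP driver supports `use_tls: true` with `tls_cacertfile` (or an `ldaps://` URL), and the bind password belongs in a secret rather than a values file. Note that `domain_specific_drivers_enabled: True` is what makes this bind credential load-bearing for the `ldapdomain` domain.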
|
70
openstack/values_overrides/keystone/netpol.yaml
Normal file
70
openstack/values_overrides/keystone/netpol.yaml
Normal file
@ -0,0 +1,70 @@
|
||||
---
|
||||
keystone:
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
keystone:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ceph
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ingress
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: heat
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: glance
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: cinder
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: barbican
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ceilometer
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: horizon
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ironic
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: magnum
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mistral
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nova
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: neutron
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: senlin
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: placement
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus-openstack-exporter
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 5000
|
||||
egress:
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: %%%REPLACE_API_ADDR%%%/32
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: %%%REPLACE_API_PORT%%%
|
||||
...
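Review bot: The only egress rule (the `ipBlock` with `%%%REPLACE_API_ADDR%%%/32`) lets keystone reach the Kubernetes API and nothing else; if the helm-toolkit network-policy template adds `Egress` to `policyTypes` whenever egress rules are present, keystone-api and its jobs lose reachability to mariadb, memcached, rabbitmq and cluster DNS as soon as this overlay is applied. Please confirm the template's behaviour, or add explicit `- to:` entries for those services (in the same `podSelector` form the ingress list uses) plus a port 53 rule. The `%%%…%%%` tokens are substituted by `replace_variables` in get-values-overrides.sh, so the file as committed is not valid YAML; a leading `# Placeholders are rendered by tools/deployment/common/get-values-overrides.sh` would spare the next reader a search.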
|
91
openstack/values_overrides/keystone/tls.yaml
Normal file
91
openstack/values_overrides/keystone/tls.yaml
Normal file
@ -0,0 +1,91 @@
|
||||
---
|
||||
keystone:
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: null
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||
pod:
|
||||
security_context:
|
||||
keystone:
|
||||
pod:
|
||||
runAsUser: 0
|
||||
container:
|
||||
keystone_api:
|
||||
readOnlyRootFilesystem: false
|
||||
allowPrivilegeEscalation: false
|
||||
conf:
|
||||
software:
|
||||
apache2:
|
||||
a2enmod:
|
||||
- ssl
|
||||
keystone:
|
||||
oslo_messaging_rabbit:
|
||||
ssl: true
|
||||
ssl_ca_file: /etc/rabbitmq/certs/ca.crt
|
||||
ssl_cert_file: /etc/rabbitmq/certs/tls.crt
|
||||
ssl_key_file: /etc/rabbitmq/certs/tls.key
|
||||
wsgi_keystone: |
|
||||
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
|
||||
Listen 0.0.0.0:{{ $portInt }}
|
||||
|
||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
|
||||
|
||||
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||
CustomLog /dev/stdout combined env=!forwarded
|
||||
CustomLog /dev/stdout proxy env=forwarded
|
||||
|
||||
<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
|
||||
ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
|
||||
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
ErrorLog /dev/stdout
|
||||
|
||||
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
||||
CustomLog /dev/stdout combined env=!forwarded
|
||||
CustomLog /dev/stdout proxy env=forwarded
|
||||
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/keystone/certs/tls.crt
|
||||
SSLCertificateKeyFile /etc/keystone/certs/tls.key
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
SSLHonorCipherOrder on
|
||||
</VirtualHost>
|
||||
endpoints:
|
||||
identity:
|
||||
auth:
|
||||
admin:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
test:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: keystone-tls-api
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
scheme:
|
||||
default: https
|
||||
public: https
|
||||
port:
|
||||
api:
|
||||
default: 443
|
||||
oslo_messaging:
|
||||
port:
|
||||
https:
|
||||
default: 15680
|
||||
manifests:
|
||||
certificates: true
|
||||
...
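Review bot: This TLS overlay raises the whole keystone pod to root (`runAsUser: 0` under `pod.security_context.keystone.pod`) and drops the read-only root filesystem for `keystone_api`, which is a broader loosening than serving a certificate requires. If the motivation is reading the mounted key under `/etc/keystone/certs`, an `fsGroup` or the secret's `defaultMode` granting the keystone uid read access keeps the non-root default; if apache needs a writable filesystem for its pid and lock files, an `emptyDir` mount is the narrower fix, and a comment naming whichever constraint forced the change would help either way. Separately, the `SSLCipherSuite` list still admits the CBC suites (`ECDHE-*-AES*-SHA256` / `-SHA384`); with `-TLSv1.1` already excluded, trimming the list to the GCM and CHACHA20 entries costs nothing.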
|
17
openstack/values_overrides/keystone/train-ubuntu_bionic.yaml
Normal file
17
openstack/values_overrides/keystone/train-ubuntu_bionic.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
keystone:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
|
||||
db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
|
||||
db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
|
||||
keystone_api: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
|
||||
keystone_credential_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_credential_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_db_sync: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_domain_manage: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
keystone_fernet_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
|
||||
ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
|
||||
...
|
@ -0,0 +1,17 @@
|
||||
---
|
||||
keystone:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
keystone_api: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
keystone_credential_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_credential_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_db_sync: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_domain_manage: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
keystone_fernet_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
|
||||
ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
|
||||
...
|
@ -0,0 +1,17 @@
|
||||
---
|
||||
keystone:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
keystone_api: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
keystone_credential_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_credential_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_db_sync: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_domain_manage: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
keystone_fernet_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
|
||||
ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
|
||||
...
|
@ -0,0 +1,17 @@
|
||||
---
|
||||
keystone:
|
||||
images:
|
||||
tags:
|
||||
bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
keystone_api: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
keystone_credential_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_credential_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_db_sync: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_domain_manage: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
keystone_fernet_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
|
||||
ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
|
||||
...
|
35
openstack/values_overrides/mariadb/apparmor.yaml
Normal file
35
openstack/values_overrides/mariadb/apparmor.yaml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
mariadb:
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
mariadb-ingress-error-pages:
|
||||
init: runtime/default
|
||||
ingress-error-pages: runtime/default
|
||||
mariadb-ingress:
|
||||
init: runtime/default
|
||||
ingress: runtime/default
|
||||
mariadb-server:
|
||||
init: runtime/default
|
||||
mariadb-perms: runtime/default
|
||||
mariadb: runtime/default
|
||||
mariadb-backup:
|
||||
init: runtime/default
|
||||
mariadb-backup: runtime/default
|
||||
mariadb-test:
|
||||
init: runtime/default
|
||||
mariadb-test: runtime/default
|
||||
prometheus-mysql-exporter:
|
||||
init: runtime/default
|
||||
mysql-exporter: runtime/default
|
||||
create-sql-user:
|
||||
init: runtime/default
|
||||
exporter-create-sql-user: runtime/default
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
enabled: true
|
||||
|
||||
manifests:
|
||||
cron_job_mariadb_backup: true
|
||||
...
|
12
openstack/values_overrides/mariadb/local-storage.yaml
Normal file
12
openstack/values_overrides/mariadb/local-storage.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
mariadb:
|
||||
pod:
|
||||
replicas:
|
||||
server: 1
|
||||
volume:
|
||||
size: 1Gi
|
||||
class_name: local-storage
|
||||
monitoring:
|
||||
prometheus:
|
||||
enabled: false
|
||||
...
|
85
openstack/values_overrides/mariadb/netpol.yaml
Normal file
85
openstack/values_overrides/mariadb/netpol.yaml
Normal file
@ -0,0 +1,85 @@
|
||||
---
|
||||
mariadb:
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
mariadb:
|
||||
egress:
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: %%%REPLACE_API_ADDR%%%/32
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: %%%REPLACE_API_PORT%%%
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: heat
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: glance
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: cinder
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: aodh
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: barbican
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ceilometer
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: designate
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: horizon
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ironic
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: magnum
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mistral
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nova
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: neutron
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: rally
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: senlin
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: placement
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus-mysql-exporter
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mariadb
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mariadb-backup
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 3306
|
||||
- protocol: TCP
|
||||
port: 4567
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
...
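Review bot: The single ingress rule applies the whole application list to every port, including `4567`, the Galera replication port, which only `application: mariadb` peers should reach; as written any keystone, nova or rally pod in the namespace may connect to the cluster-replication listener. Split it the way the rabbitmq overlay in this change does for `25672`/`4369`: keep `3306`/`80`/`8080` on the wide rule and add a second `- from:` entry limited to `application: mariadb` for `4567` (plus `4568`/`4444` if the chart relies on IST/SST). As with the other netpol overlays, the `%%%REPLACE_API_*%%%` placeholders depend on `replace_variables` in get-values-overrides.sh, so the file is not valid YAML until rendered.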
|
24
openstack/values_overrides/mariadb/tls.yaml
Normal file
24
openstack/values_overrides/mariadb/tls.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
---
|
||||
mariadb:
|
||||
pod:
|
||||
security_context:
|
||||
server:
|
||||
container:
|
||||
perms:
|
||||
readOnlyRootFilesystem: false
|
||||
mariadb:
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: true
|
||||
readOnlyRootFilesystem: false
|
||||
endpoints:
|
||||
oslo_db:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: mariadb-tls-direct
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
manifests:
|
||||
certificates: true
|
||||
...
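Review bot: `allowPrivilegeEscalation: true` together with `runAsUser: 0` on the `mariadb` container is more than reading a mounted certificate requires, and this is the only overlay in the change that grants escalation. If the goal is that mysqld can read `tls.key` from the `mariadb-tls-direct` secret, an `fsGroup` or the secret's `defaultMode` is the narrower fix and keeps the chart's non-root default; if something else needs it (the `perms` init container chowning the volume, say), a comment such as `# root + escalation required for <reason>; do not drop without retesting TLS` would keep the next reviewer from removing it blindly.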
|
16
openstack/values_overrides/memcached/apparmor.yaml
Normal file
16
openstack/values_overrides/memcached/apparmor.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
memcached:
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
prometheus_memcached_exporter:
|
||||
init: runtime/default
|
||||
memcached-exporter: runtime/default
|
||||
memcached:
|
||||
init: runtime/default
|
||||
memcached: runtime/default
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
enabled: false
|
||||
...
|
81
openstack/values_overrides/memcached/netpol.yaml
Normal file
81
openstack/values_overrides/memcached/netpol.yaml
Normal file
@ -0,0 +1,81 @@
|
||||
---
|
||||
memcached:
|
||||
manifests:
|
||||
network_policy: true
|
||||
network_policy:
|
||||
memcached:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ingress
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: heat
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: glance
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: cinder
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: barbican
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ceilometer
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: horizon
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ironic
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: magnum
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mistral
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nova
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: neutron
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: senlin
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: placement
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus_memcached_exporter
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: aodh
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: rally
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: memcached
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: gnocchi
|
||||
ports:
|
||||
- port: 11211
|
||||
protocol: TCP
|
||||
- port: 9150
|
||||
protocol: TCP
|
||||
egress:
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: %%%REPLACE_API_ADDR%%%/32
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: %%%REPLACE_API_PORT%%%
|
||||
...
|
26
openstack/values_overrides/rabbitmq/apparmor.yaml
Normal file
26
openstack/values_overrides/rabbitmq/apparmor.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
rabbitmq:
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
rabbitmq-cluster-wait:
|
||||
init: runtime/default
|
||||
rabbitmq-cookie: runtime/default
|
||||
rabbitmq-rabbitmq-cluster-wait: runtime/default
|
||||
rabbitmq:
|
||||
init: runtime/default
|
||||
rabbitmq-password: runtime/default
|
||||
rabbitmq-cookie: runtime/default
|
||||
rabbitmq-perms: runtime/default
|
||||
rabbitmq: runtime/default
|
||||
prometheus-rabbitmq-exporter:
|
||||
init: runtime/default
|
||||
rabbitmq-exporter: runtime/default
|
||||
rabbitmq-rabbitmq-test:
|
||||
rabbitmq-rabbitmq-test: runtime/default
|
||||
init: runtime/default
|
||||
|
||||
monitoring:
|
||||
prometheus:
|
||||
enabled: true
|
||||
...
|
106
openstack/values_overrides/rabbitmq/netpol.yaml
Normal file
106
openstack/values_overrides/rabbitmq/netpol.yaml
Normal file
@ -0,0 +1,106 @@
|
||||
---
|
||||
rabbitmq:
|
||||
network_policy:
|
||||
rabbitmq:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: keystone
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: heat
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: glance
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: cinder
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: aodh
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: barbican
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ceilometer
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: designate
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: ironic
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: magnum
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: mistral
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: nova
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: neutron
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: senlin
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: placement
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: rabbitmq
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: prometheus_rabbitmq_exporter
|
||||
ports:
|
||||
# AMQP port
|
||||
- protocol: TCP
|
||||
port: 5672
|
||||
# HTTP API ports
|
||||
- protocol: TCP
|
||||
port: 15672
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: rabbitmq
|
||||
ports:
|
||||
# Clustering port AMQP + 20000
|
||||
- protocol: TCP
|
||||
port: 25672
|
||||
# Erlang Port Mapper Daemon (epmd)
|
||||
- protocol: TCP
|
||||
port: 4369
|
||||
egress:
|
||||
- to:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
application: rabbitmq
|
||||
ports:
|
||||
# Erlang port mapper daemon (epmd)
|
||||
- protocol: TCP
|
||||
port: 4369
|
||||
# Rabbit clustering port AMQP + 20000
|
||||
- protocol: TCP
|
||||
port: 25672
|
||||
# NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
|
||||
# permit traffic in this range to pass between clustered nodes.
|
||||
# - protocol: TCP
|
||||
# port: 35197
|
||||
- to:
|
||||
- ipBlock:
|
||||
cidr: %%%REPLACE_API_ADDR%%%/32
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: %%%REPLACE_API_PORT%%%
|
||||
|
||||
manifests:
|
||||
monitoring:
|
||||
prometheus:
|
||||
network_policy_exporter: true
|
||||
network_policy: true
|
||||
...
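Review bot: The first ingress rule lets every listed OpenStack application reach the management HTTP API (`15672` and `80`) as well as AMQP `5672`, but the services only speak AMQP, and the management API carries user, vhost and permission administration. Move `15672`/`80` into a rule scoped to `application: prometheus_rabbitmq_exporter` and `application: rabbitmq` (and `application: ingress` if the UI is published), leaving `5672` on the wide rule, the same way the clustering ports `25672`/`4369` are already confined to `application: rabbitmq` below. Like the other netpol overlays here, the `%%%REPLACE_API_*%%%` tokens are substituted at deploy time, so this file is not valid YAML as committed.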
|
31
openstack/values_overrides/rabbitmq/tls.yaml
Normal file
31
openstack/values_overrides/rabbitmq/tls.yaml
Normal file
@ -0,0 +1,31 @@
|
||||
---
|
||||
rabbitmq:
|
||||
conf:
|
||||
rabbitmq:
|
||||
ssl_options:
|
||||
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||
verify: verify_peer
|
||||
fail_if_no_peer_cert: false
|
||||
management:
|
||||
ssl:
|
||||
cacertfile: "/etc/rabbitmq/certs/ca.crt"
|
||||
certfile: "/etc/rabbitmq/certs/tls.crt"
|
||||
keyfile: "/etc/rabbitmq/certs/tls.key"
|
||||
endpoints:
|
||||
oslo_messaging:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: rabbitmq-tls-direct
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
port:
|
||||
https:
|
||||
default: 15680
|
||||
public: 443
|
||||
manifests:
|
||||
certificates: true
|
||||
...
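Review bot: `verify: verify_peer` combined with `fail_if_no_peer_cert: false` asks clients for a certificate but accepts connections that present none, so this is server-only TLS rather than mutual authentication, even though the keystone overlay in this change configures `ssl_cert_file`/`ssl_key_file` for its rabbit client. If every consumer is expected to present a certificate from the same issuer, set `fail_if_no_peer_cert: true`; if not, a comment such as `# client certificates are requested but not required (no mTLS)` stops readers from assuming it is enforced. The `management.ssl` block carries no `verify` setting at all, so the HTTP API presumably falls back to the plugin default; state that explicitly if it is intended.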
|
@ -23,4 +23,5 @@ glance:
|
||||
- 0.3.0 Remove glance registry
|
||||
- 0.3.1 Enable taint toleration for Openstack services
|
||||
- 0.3.2 Decrease terminationGracePeriodSeconds on glance-api
|
||||
- 0.3.3 Update naming for subchart compatibility
|
||||
...
|
||||
|
@ -16,4 +16,5 @@ heat:
|
||||
- 0.2.7 Helm 3 - Fix Job Labels
|
||||
- 0.2.8 Update htk requirements repo
|
||||
- 0.2.9 Enable taint toleration for Openstack services
|
||||
- 0.2.10 Updated naming for subchart compatibility
|
||||
...
|
||||
|
@ -36,4 +36,5 @@ keystone:
|
||||
- 0.2.18 Remove default policy
|
||||
- 0.2.19 Revert Reduce log chattiness
|
||||
- 0.2.20 Enable taint toleration for Openstack services
|
||||
- 0.2.21 Updated naming for subchart compatibility
|
||||
...
|
||||
|
4
releasenotes/notes/openstack.yaml
Normal file
4
releasenotes/notes/openstack.yaml
Normal file
@ -0,0 +1,4 @@
|
||||
---
|
||||
openstack:
|
||||
- 0.1.0 Initial Chart
|
||||
...
|
@ -20,6 +20,7 @@
|
||||
|
||||
set -e
|
||||
HELM_CHART="$1"
|
||||
SUBCHART="$2"
|
||||
: "${HELM_CHART_ROOT_PATH:="../openstack-helm"}"
|
||||
: "${OPENSTACK_RELEASE:="train"}"
|
||||
: "${CONTAINER_DISTRO_NAME:="ubuntu"}"
|
||||
@ -61,6 +62,7 @@ function replace_variables() {
|
||||
|
||||
function override_file_args () {
|
||||
OVERRIDE_ARGS=""
|
||||
if [ -z "$SUBCHART" ];then
|
||||
echoerr "We will attempt to use values-override files with the following paths:"
|
||||
for FILE in $(combination ${1//,/ } | uniq | tac); do
|
||||
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
|
||||
@ -70,9 +72,23 @@ function override_file_args () {
|
||||
fi
|
||||
echoerr "${FILE_PATH}"
|
||||
done
|
||||
else
|
||||
echoerr "running as subchart"
|
||||
echoerr "We will attempt to use values-override files with the following paths:"
|
||||
for FILE in $(combination ${1//,/ } | uniq | tac); do
|
||||
FILE_PATH="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}/${FILE}.yaml"
|
||||
if [ -f "${FILE_PATH}" ]; then
|
||||
replace_variables ${FILE_PATH}
|
||||
OVERRIDE_ARGS+=" --values=${FILE_PATH} "
|
||||
fi
|
||||
echoerr "${FILE_PATH}"
|
||||
done
|
||||
fi
|
||||
|
||||
echo "${OVERRIDE_ARGS}"
|
||||
}
|
||||
|
||||
|
||||
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
|
||||
source ../openstack-helm/tools/deployment/common/env-variables.sh
|
||||
override_file_args "${OSH_FEATURE_MIX}"
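Review bot: `if [ -z "$SUBCHART" ]` makes any non-empty second argument select the subchart directory, whereas openstack.sh passes the literal `subchart`; a stray positional argument silently flips the lookup path, so test for the literal instead. The two branches are otherwise identical apart from `FILE_PATH`, so computing the override directory once and keeping a single loop removes the duplication and the chance of the branches drifting (the `echoerr` of each candidate path is already duplicated). The new branch also keeps `replace_variables ${FILE_PATH}` unquoted, as the old one did; the path is built from `HELM_CHART_ROOT_PATH`, so quoting it costs nothing.
```shell
function override_file_args () {
  OVERRIDE_ARGS=""
  # The literal "subchart" is what tools/deployment/component/common/openstack.sh
  # passes; anything else is treated as a plain chart deployment.
  if [ "${SUBCHART}" = "subchart" ]; then
    echoerr "running as subchart"
    OVERRIDE_DIR="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}"
  else
    OVERRIDE_DIR="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides"
  fi
  echoerr "We will attempt to use values-override files with the following paths:"
  for FILE in $(combination ${1//,/ } | uniq | tac); do
    FILE_PATH="${OVERRIDE_DIR}/${FILE}.yaml"
    if [ -f "${FILE_PATH}" ]; then
      replace_variables "${FILE_PATH}"
      OVERRIDE_ARGS+=" --values=${FILE_PATH} "
    fi
    echoerr "${FILE_PATH}"
  done
  # … unchanged: echo "${OVERRIDE_ARGS}" …
}
```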
|
||||
|
@ -12,11 +12,14 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
set -e
|
||||
if [[ "$2" -gt 0 ]];then
|
||||
seconds=$2
|
||||
else
|
||||
seconds=900
|
||||
fi
|
||||
|
||||
# From Kolla-Kubernetes, orginal authors Kevin Fox & Serguei Bezverkhi
|
||||
# Default wait timeout is 900 seconds
|
||||
end=$(date +%s)
|
||||
timeout=${2:-900}
|
||||
timeout=${2:-$seconds}
|
||||
end=$((end + timeout))
|
||||
while true; do
|
||||
kubectl get pods --namespace=$1 -o json | jq -r \
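Review bot: `timeout=${2:-$seconds}` defeats the validation added just above it: when `$2` is set but is not a positive integer, `seconds` falls back to 900 yet `timeout` still takes the raw `$2`, and `end=$((end + timeout))` then either aborts under `set -e` or adds 0 and the loop exits immediately. It should read `timeout=$seconds` (or drop `timeout` and use `seconds` directly). Inside `[[ ]]`, `"$2" -gt 0` arithmetic-evaluates a non-numeric word as a variable name instead of failing, so `if [[ "$2" =~ ^[0-9]+$ ]] && [ "$2" -gt 0 ]; then` is the check that actually rejects garbage input. The `while` loop continues outside the hunk.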
|
||||
|
40
tools/deployment/component/common/openstack.sh
Executable file
40
tools/deployment/component/common/openstack.sh
Executable file
@ -0,0 +1,40 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
set -xe
|
||||
namespace=openstack
|
||||
chart=$namespace
|
||||
export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm/openstack"}"}"
|
||||
: ${OSH_EXTRA_HELM_ARGS_MARIADB:="$(./tools/deployment/common/get-values-overrides.sh mariadb subchart)"}
|
||||
: ${OSH_EXTRA_HELM_ARGS_RABBITMQ:="$(./tools/deployment/common/get-values-overrides.sh rabbitmq subchart)"}
|
||||
: ${OSH_EXTRA_HELM_ARGS_MEMCACHED:="$(./tools/deployment/common/get-values-overrides.sh memcached subchart)"}
|
||||
: ${OSH_EXTRA_HELM_ARGS_KEYSTONE:="$(./tools/deployment/common/get-values-overrides.sh keystone subchart)"}
|
||||
: ${OSH_EXTRA_HELM_ARGS_HEAT:="$(./tools/deployment/common/get-values-overrides.sh heat subchart)"}
|
||||
: ${OSH_EXTRA_HELM_ARGS_GLANCE:="$(./tools/deployment/common/get-values-overrides.sh glance subchart)"}
|
||||
|
||||
#NOTE: Lint and package chart
|
||||
make -C ${HELM_CHART_ROOT_PATH} .
|
||||
|
||||
echo "helm installing ..."
|
||||
helm upgrade --install $chart $chart/ \
|
||||
${OSH_EXTRA_HELM_ARGS_MARIADB} \
|
||||
${OSH_EXTRA_HELM_ARGS_RABBITMQ} \
|
||||
${OSH_EXTRA_HELM_ARGS_MEMCACHED} \
|
||||
${OSH_EXTRA_HELM_ARGS_KEYSTONE} \
|
||||
${OSH_EXTRA_HELM_ARGS_HEAT} \
|
||||
${OSH_EXTRA_HELM_ARGS_GLANCE} \
|
||||
${OSH_EXTRA_HELM_ARGS:=} \
|
||||
--namespace=$namespace
|
||||
#NOTE: Wait for deploy
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace 1800
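Review bot: The chart is installed from `$chart/`, a path relative to the working directory, while the values overrides and the `make` target are resolved under `HELM_CHART_ROOT_PATH` (default `../openstack-helm/openstack`); overriding that variable, which the script invites, would lint and render overrides from one tree and install another, so `helm upgrade --install "$chart" "${HELM_CHART_ROOT_PATH}/"` keeps them aligned, assuming the variable is meant to point at the umbrella chart directory as its default suggests. The nested default `${OSH_INFRA_PATH:=…}` also assigns `OSH_INFRA_PATH` as a side effect, a name that elsewhere refers to the openstack-helm-infra checkout, which is misleading. Finally, `set -x` prints every expanded helm argument to the job log, so anything passed through `OSH_EXTRA_HELM_ARGS` (for example `--set` credentials) lands in CI output; a comment or a `set +x` around the helm call would be worth it.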
|