Support TLS endpoints in heat
This allows heat to consume TLS OpenStack endpoints. Jobs consume OpenStack endpoints, typically identity endpoints, and heat itself interacts with other OpenStack services via endpoints. Change-Id: I7af6c52377db479b7f7e28ade23582dcc6f8f2f9
parent
d1a7abeb0c
commit
68822ee439
@ -14,7 +14,7 @@ apiVersion: v1
|
|||||||
appVersion: v1.0.0
|
appVersion: v1.0.0
|
||||||
description: OpenStack-Helm Heat
|
description: OpenStack-Helm Heat
|
||||||
name: heat
|
name: heat
|
||||||
version: 0.2.15
|
version: 0.2.16
|
||||||
home: https://docs.openstack.org/heat/latest/
|
home: https://docs.openstack.org/heat/latest/
|
||||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
|
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -67,6 +67,11 @@ spec:
|
|||||||
{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
|
{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||||
{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
env:
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/heat/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/heat-engine-cleaner.sh
|
- /tmp/heat-engine-cleaner.sh
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
@ -88,6 +93,7 @@ spec:
|
|||||||
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||||
{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
|
{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -99,6 +105,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
configMap:
|
configMap:
|
||||||
|
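Review bot: The `tls_volume_mount` line added for `/etc/heat/certs` in the heat-engine-cleaner container mounts the orchestration API's TLS secret into a cron job that, as far as this section shows, only needs the CA file named in `REQUESTS_CA_BUNDLE`. If the helm-toolkit snippet mounts its default set of files (certificate, private key and CA), the API's private key becomes readable in a pod that never serves TLS. Recent helm-toolkit versions accept a `certs` argument that narrows the mount, e.g. adding `"certs" (tuple "ca.crt")` to the dict; confirm it exists in the toolkit version this chart pins. The same applies to the identical mount added to the heat-purge-deleted cron job.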
@ -60,6 +60,11 @@ spec:
|
|||||||
- name: heat-purge-deleted
|
- name: heat-purge-deleted
|
||||||
{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
|
{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
env:
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/heat/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/heat-purge-deleted-active.sh
|
- /tmp/heat-purge-deleted-active.sh
|
||||||
- {{ quote .Values.jobs.purge_deleted.purge_age }}
|
- {{ quote .Values.jobs.purge_deleted.purge_age }}
|
||||||
@ -82,6 +87,7 @@ spec:
|
|||||||
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||||
{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
|
{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -93,6 +99,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||||
- name: heat-bin
|
- name: heat-bin
|
||||||
configMap:
|
configMap:
|
||||||
|
@ -62,6 +62,11 @@ spec:
|
|||||||
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
env:
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/heat/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/heat-api.sh
|
- /tmp/heat-api.sh
|
||||||
- start
|
- start
|
||||||
@ -124,7 +129,7 @@ spec:
|
|||||||
subPath: mpm_event.conf
|
subPath: mpm_event.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -142,7 +147,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -62,6 +62,11 @@ spec:
|
|||||||
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
env:
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/heat/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/heat-cfn.sh
|
- /tmp/heat-cfn.sh
|
||||||
- start
|
- start
|
||||||
@ -124,7 +129,7 @@ spec:
|
|||||||
subPath: mpm_event.conf
|
subPath: mpm_event.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -141,6 +146,6 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -70,6 +70,11 @@ spec:
|
|||||||
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||||
|
env:
|
||||||
|
- name: REQUESTS_CA_BUNDLE
|
||||||
|
value: "/etc/heat/certs/ca.crt"
|
||||||
|
{{- end }}
|
||||||
command:
|
command:
|
||||||
- /tmp/heat-engine.sh
|
- /tmp/heat-engine.sh
|
||||||
- start
|
- start
|
||||||
@ -103,7 +108,7 @@ spec:
|
|||||||
subPath: policy.yaml
|
subPath: policy.yaml
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
@ -120,7 +125,7 @@ spec:
|
|||||||
secretName: heat-etc
|
secretName: heat-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
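Review bot: `REQUESTS_CA_BUNDLE` in the heat-engine container replaces the trust store python-requests uses rather than adding to it, and the path `/etc/heat/certs/ca.crt` is hard-coded. Every HTTPS call the engine makes through requests is then verified against that one file only, so a host signed by any other CA fails verification; whether the engine makes such calls in a given deployment is not visible here. I would put a comment above the `env:` block such as `# CA bundle for all outbound HTTPS via requests; ca.crt must chain every endpoint this container contacts`, and state in values.yaml that the mounted secret must carry a `ca.crt` key. The same block is added to the api, cfn and both cron-job containers.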
@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
|
|||||||
|
|
||||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
||||||
{{- if .Values.manifests.certificates -}}
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||||
{{- if .Values.manifests.certificates -}}
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||||
{{- if .Values.manifests.certificates -}}
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
|
@ -64,9 +64,9 @@ spec:
|
|||||||
mountPath: /tmp/ks-domain-user.sh
|
mountPath: /tmp/ks-domain-user.sh
|
||||||
subPath: ks-domain-user.sh
|
subPath: ks-domain-user.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_SERVICE_NAME
|
- name: SERVICE_OS_SERVICE_NAME
|
||||||
@ -100,5 +100,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -18,7 +18,7 @@ helm.sh/hook: post-install,post-upgrade
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user_trustee }}
|
{{- if .Values.manifests.job_ks_user_trustee }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
||||||
{{- if .Values.manifests.certificates -}}
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
|
|||||||
|
|
||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
||||||
{{- if .Values.manifests.certificates -}}
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if .Values.helm3_hook }}
|
{{- if .Values.helm3_hook }}
|
||||||
|
@ -68,10 +68,10 @@ spec:
|
|||||||
mountPath: /tmp/trusts.sh
|
mountPath: /tmp/trusts.sh
|
||||||
subPath: trusts.sh
|
subPath: trusts.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
||||||
env:
|
env:
|
||||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: SERVICE_OS_ROLES
|
- name: SERVICE_OS_ROLES
|
||||||
@ -87,5 +87,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: heat-bin
|
name: heat-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
||||||
|
@ -1326,6 +1326,11 @@ network_policy:
|
|||||||
# set helm3_hook: false when using the helm2 binary.
|
# set helm3_hook: false when using the helm2 binary.
|
||||||
helm3_hook: true
|
helm3_hook: true
|
||||||
|
|
||||||
|
tls:
|
||||||
|
identity: false
|
||||||
|
oslo_messaging: false
|
||||||
|
oslo_db: false
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
certificates: false
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
|
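Review bot: The new `tls.oslo_messaging` and `tls.oslo_db` keys are not read by any template in this commit; the `/etc/mysql/certs` and `/etc/rabbitmq/certs` mounts are still gated on `manifests.certificates` alone. An operator who sets `tls.oslo_db: true` could reasonably believe database traffic is now protected by TLS while nothing changes. Either drop the two keys until they are wired up or document the block, for example `# tls.identity: mount the CA and verify keystone/OpenStack endpoints over TLS` and `# oslo_messaging, oslo_db: reserved, not yet consumed by the templates`.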
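--- a/heat/values_overrides/tls-offloading.yaml
+++ b/heat/values_overrides/tls-offloading.yaml
@@ -0,0 +1,16 @@
+---
+endpoints:
+identity:
+auth:
+admin:
+cacert: /etc/ssl/certs/openstack-helm.crt
+heat:
+cacert: /etc/ssl/certs/openstack-helm.crt
+heat_trustee:
+cacert: /etc/ssl/certs/openstack-helm.crt
+test:
+cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+identity: true
+...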
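Review bot: This override turns on `tls.identity` without `manifests.certificates`, so every pod that now mounts `secrets.tls.orchestration.api.internal` depends on a secret that must be provisioned out of band, assuming `manifests.certificates` is what normally creates it (this commit does not show that). A missing secret leaves pods stuck before start rather than failing with a TLS error, which is harder to diagnose. The file also points `cacert` at `/etc/ssl/certs/openstack-helm.crt` while the templates set `REQUESTS_CA_BUNDLE` to `/etc/heat/certs/ca.crt`, and nothing here says where either file comes from. A header comment would make the override usable, e.g. `# Requires a pre-created TLS secret containing ca.crt; the cacert path must exist in the image or be mounted separately`.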
@ -22,4 +22,5 @@ heat:
|
|||||||
- 0.2.13 Add Xena and Yoga values overrides
|
- 0.2.13 Add Xena and Yoga values overrides
|
||||||
- 0.2.14 Added OCI registry authentication
|
- 0.2.14 Added OCI registry authentication
|
||||||
- 0.2.15 Distinguish between port number of internal endpoint and binding port number
|
- 0.2.15 Distinguish between port number of internal endpoint and binding port number
|
||||||
|
- 0.2.16 Support TLS endpoints
|
||||||
...
|
...
|
||||||
|