From 8b2ba7b02952c51b33f71c7468c962dc8a3894c2 Mon Sep 17 00:00:00 2001
From: josebb
Date: Thu, 2 Dec 2021 19:33:39 +0200
Subject: [PATCH] Support TLS endpoints in nova

This allows nova to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And nova itself interact with other openstack services via endpoints.

Change-Id: Iff4422360ca51e94fd1b00854693e266cc202390
---
 nova/Chart.yaml | 2 +-
 nova/templates/cron-job-archive-deleted-rows.yaml | 8 ++++++++
 nova/templates/cron-job-cell-setup.yaml | 9 +++++++++
 nova/templates/cron-job-service-cleaner.yaml | 6 +++---
 nova/templates/daemonset-compute.yaml | 10 +++++-----
 nova/templates/deployment-api-osapi.yaml | 9 +++++++--
 nova/templates/deployment-conductor.yaml | 6 +++---
 nova/templates/deployment-scheduler.yaml | 6 +++---
 nova/templates/job-bootstrap.yaml | 6 +++---
 nova/templates/job-cell-setup.yaml | 12 +++++++++---
 nova/templates/job-ks-endpoints.yaml | 2 +-
 nova/templates/job-ks-placement-endpoints.yaml | 2 +-
 nova/templates/job-ks-placement-service.yaml | 2 +-
 nova/templates/job-ks-placement-user.yaml | 2 +-
 nova/templates/job-ks-service.yaml | 2 +-
 nova/templates/job-ks-user.yaml | 2 +-
 nova/values.yaml | 5 +++++
 nova/values_overrides/tls-offloading.yaml | 14 ++++++++++++++
 releasenotes/notes/nova.yaml | 1 +
 19 files changed, 77 insertions(+), 29 deletions(-)
 create mode 100644 nova/values_overrides/tls-offloading.yaml

diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index cd91eadc08..c14f6e2124 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.2.35
+version: 0.2.36
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/templates/cron-job-archive-deleted-rows.yaml b/nova/templates/cron-job-archive-deleted-rows.yaml
index 29a6e70542..a2835ddf2e 100644
--- a/nova/templates/cron-job-archive-deleted-rows.yaml
+++ b/nova/templates/cron-job-archive-deleted-rows.yaml
@@ -59,6 +59,11 @@ spec:
 {{ dict "envAll" $envAll "application" "archive_deleted_rows" "container" "nova_archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 command:
 - /tmp/archive-deleted-rows.sh
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
@@ -74,6 +79,7 @@ spec:
 mountPath: /tmp/archive-deleted-rows.sh
 readOnly: true
 subPath: archive-deleted-rows.sh
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 volumes:
 - name: pod-tmp
@@ -85,4 +91,6 @@ spec:
 - name: archive-deleted-rows-conf
 secret:
 secretName: nova-etc
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/nova/templates/cron-job-cell-setup.yaml b/nova/templates/cron-job-cell-setup.yaml
index f2d2801e4e..127c275952 100644
--- a/nova/templates/cron-job-cell-setup.yaml
+++ b/nova/templates/cron-job-cell-setup.yaml
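Review bot: The new mount `+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}` projects the whole osapi TLS secret into the cron-job container, although the only file the job is pointed at is the CA bundle named by REQUESTS_CA_BUNDLE. The same snippet is invoked in deployment-conductor.yaml with an extra `"certs" (tuple "ca.crt")` argument, which, as its name suggests, limits the mount to that key; adding the same argument here would keep the server private key out of a job that has no use for it. The same applies to the mount added in cron-job-cell-setup.yaml and to both mounts added in job-cell-setup.yaml.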
@@ -59,6 +59,11 @@ spec:
 {{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 command:
 - /tmp/cell-setup.sh
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
@@ -82,7 +87,9 @@ spec:
 mountPath: /etc/nova/policy.yaml
 subPath: policy.yaml
 readOnly: true
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -96,5 +103,7 @@ spec:
 configMap:
 name: nova-bin
 defaultMode: 0555
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+
 {{- end }}
diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml
index 9f745acebe..1a9f461749 100644
--- a/nova/templates/cron-job-service-cleaner.yaml
+++ b/nova/templates/cron-job-service-cleaner.yaml
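Review bot: The two bare `+` lines added after the oslo_db `tls_volume_mount` call and after the oslo_db `tls_volume` call introduce blank lines that none of the sibling templates in this change carry; the one before `volumes:` ends up in the rendered manifest, the one before `{{- end }}` is swallowed by the left-trim. Dropping both keeps this template aligned with cron-job-archive-deleted-rows.yaml, which receives the same additions without them.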
@@ -58,7 +58,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
 {{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
 env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
 {{- end }}
 command:
@@ -72,7 +72,7 @@ spec:
 readOnly: true
 - name: etcnova
 mountPath: /etc/nova
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -86,5 +86,5 @@ spec:
 configMap:
 name: nova-bin
 defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 75289c7938..f6bab517ad 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -276,7 +276,7 @@ spec:
 value: "{{ .Values.pod.probes.rpc_timeout }}"
 - name: RPC_PROBE_RETRIES
 value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
 - name: REQUESTS_CA_BUNDLE
 value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -431,7 +431,7 @@ spec:
 subPath: tf-plugin.pth
 readOnly: true
 {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
 {{- if .Values.network.ssh.enabled }}
@@ -444,7 +444,7 @@ spec:
 value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
 - name: SSH_PORT
 value: {{ .Values.network.ssh.port | quote }}
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
 - name: REQUESTS_CA_BUNDLE
 value: "/etc/nova/certs/ca.crt"
 {{- end }}
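Review bot: `or .Values.manifests.certificates .Values.tls.identity` is now spelled out in five places in this template (the hunks at lines 276, 431, 444, 460 and 546) and repeated in every other template touched by the change. Binding it once near the top of the template, e.g. `{{- $tlsIdentity := or .Values.manifests.certificates .Values.tls.identity }}` next to where `$envAll` is set, and passing `$tlsIdentity` to the `if` and `dict "enabled"` calls would make a later change of the condition a one-line edit. The template header where that binding belongs is outside these hunks.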
@@ -460,7 +460,7 @@ spec:
 mountPath: /tmp/ssh-start.sh
 subPath: ssh-start.sh
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
 {{ end }}
 volumes:
@@ -546,7 +546,7 @@ spec:
 - name: tf-plugin-bin
 emptyDir: {}
 {{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
index 29c80ba937..3348ca9696 100644
--- a/nova/templates/deployment-api-osapi.yaml
+++ b/nova/templates/deployment-api-osapi.yaml
@@ -72,6 +72,11 @@ spec:
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
 command:
 - /tmp/nova-api.sh
 - start
@@ -130,7 +135,7 @@ spec:
 readOnly: true
 {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -151,7 +156,7 @@ spec:
 secretName: nova-etc
 defaultMode: 0444
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
index ba301abede..df07583d3b 100644
--- a/nova/templates/deployment-conductor.yaml
+++ b/nova/templates/deployment-conductor.yaml
@@ -91,7 +91,7 @@ spec:
 value: "{{ .Values.pod.probes.rpc_timeout }}"
 - name: RPC_PROBE_RETRIES
 value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
 - name: REQUESTS_CA_BUNDLE
 value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -122,7 +122,7 @@ spec:
 mountPath: /etc/nova/policy.yaml
 subPath: policy.yaml
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
@@ -137,7 +137,7 @@ spec:
 secret:
 secretName: nova-etc
 defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
index 52e469585b..e8a63a2455 100644
--- a/nova/templates/deployment-scheduler.yaml
+++ b/nova/templates/deployment-scheduler.yaml
@@ -91,7 +91,7 @@ spec:
 value: "{{ .Values.pod.probes.rpc_timeout }}"
 - name: RPC_PROBE_RETRIES
 value: "{{ .Values.pod.probes.rpc_retries }}"
-{{- if .Values.manifests.certificates }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
 - name: REQUESTS_CA_BUNDLE
 value: "/etc/nova/certs/ca.crt"
 {{- end }}
@@ -123,7 +123,7 @@ spec:
 subPath: policy.yaml
 readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -138,7 +138,7 @@ spec:
 secretName: nova-etc
 defaultMode: 0444
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index 80d53d0817..0878a513c2 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -71,7 +71,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
-{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 - name: WAIT_PERCENTAGE
@@ -99,7 +99,7 @@ spec:
 mountPath: {{ $logConfigFile | quote }}
 subPath: {{ base $logConfigFile | quote }}
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -113,7 +113,7 @@ spec:
 secret:
 secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
index 44ef618e49..1ba49cb4b5 100644
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -64,7 +64,7 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
 {{- end }}
 command:
@@ -76,12 +76,17 @@ spec:
 mountPath: /tmp/cell-setup-init.sh
 subPath: cell-setup-init.sh
 readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 containers:
 - name: nova-cell-setup
 {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
 command:
 - /tmp/cell-setup.sh
 volumeMounts:
@@ -108,6 +113,7 @@ spec:
 subPath: policy.yaml
 readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
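Review bot: The rewritten init-container mount `+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}` drops the removed line's `(tuple "ca.crt")` instead of repairing it into the keyed form `"certs" (tuple "ca.crt")` that deployment-conductor.yaml passes, so the CA-only intent of the old line is lost and the whole secret is projected. Both this mount and the one added to the nova-cell-setup container in the second hunk also omit `"path" "/etc/nova/certs"`, while the nova-cell-setup container's new REQUESTS_CA_BUNDLE points at `/etc/nova/certs/ca.crt`; the two presumably line up only through the snippet's default path, and stating it explicitly as the other templates in this change do removes that dependency. Suggested form for both lines: `{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}`.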
@@ -122,7 +128,7 @@ spec:
 name: nova-bin
 defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml
index 52ec50e493..1e41ec46dc 100644
--- a/nova/templates/job-ks-endpoints.yaml
+++ b/nova/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
 
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml
index b5a10aedf8..0293b187b9 100644
--- a/nova/templates/job-ks-placement-endpoints.yaml
+++ b/nova/templates/job-ks-placement-endpoints.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.job_ks_placement_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.nova.enabled -}}
diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml
index d5846517cb..c55381687e 100644
--- a/nova/templates/job-ks-placement-service.yaml
+++ b/nova/templates/job-ks-placement-service.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.job_ks_placement_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.nova.enabled -}}
diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml
index f6de6f6b58..f613f8387e 100644
--- a/nova/templates/job-ks-placement-user.yaml
+++ b/nova/templates/job-ks-placement-user.yaml
@@ -14,7 +14,7 @@ limitations under the License.
 
 {{- if .Values.manifests.job_ks_placement_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
 {{- end -}}
 {{- if .Values.pod.tolerations.nova.enabled -}}
diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml
index 9d1eebe5aa..9e7a551f76 100644
--- a/nova/templates/job-ks-service.yaml
+++ b/nova/templates/job-ks-service.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
 
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml
index 65e5055a97..7d0f01975b 100644
--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
 
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
 {{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
diff --git a/nova/values.yaml b/nova/values.yaml
index 027924990b..e9eef6bd90 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2520,6 +2520,11 @@ health_probe:
 logging:
 level: ERROR
 
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
 manifests:
 certificates: false
 configmap_bin: true
diff --git a/nova/values_overrides/tls-offloading.yaml b/nova/values_overrides/tls-offloading.yaml
new file mode 100644
index 0000000000..ae86d70eb9
--- /dev/null
+++ b/nova/values_overrides/tls-offloading.yaml
@@ -0,0 +1,14 @@
+---
+endpoints:
+ identity:
+ auth:
+ admin:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ nova:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+ test:
+ cacert: /etc/ssl/certs/openstack-helm.crt
+
+tls:
+ identity: true
+...
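Review bot: `tls.oslo_messaging` and `tls.oslo_db` are introduced in the values.yaml hunk but nothing in this change reads them; every rabbitmq and mysql cert mount in the templates is still gated on `.Values.manifests.certificates` alone, so a deployer flipping them to true gets no effect. Either leave them out until they are wired up or say so inline, e.g. `# identity: trust the CA in secrets.tls.compute.osapi.internal for keystone calls even when the chart issues no certificates itself` and `# oslo_messaging / oslo_db: reserved, not consumed by the templates yet`.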
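Review bot: With `tls.identity: true` and `manifests.certificates` left at its default of false, the templates now mount, and hand to the ks-* jobs as `tlsSecret`, the secrets named by `secrets.tls.compute.osapi.internal` and `secrets.tls.placement.placement.internal`, but nothing in this change creates them, so this override only works if the deployer provisions those secrets out of band with a `ca.crt` key matching the CA that signed the identity endpoint. The override also points `endpoints.identity.auth.*.cacert` at `/etc/ssl/certs/openstack-helm.crt` while the containers set REQUESTS_CA_BUNDLE to `/etc/nova/certs/ca.crt`; if these are meant to be the same CA reached through two different consumers, a comment at the top of the file saying so and listing the secrets that must pre-exist would spare the next deployer from guessing.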
diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml
index 83027d29d4..30fc7f9b23 100644
--- a/releasenotes/notes/nova.yaml
+++ b/releasenotes/notes/nova.yaml
@@ -56,4 +56,5 @@ nova:
 - 0.2.33 Cleanup old releases
 - 0.2.34 Remove consoleauth in nova
 - 0.2.35 Enable taint toleration for Openstack services
+ - 0.2.36 Support TLS endpoints
 ...