Merge "feat(tls): add tls support to openstack services"

This commit is contained in:
Zuul 2020-07-10 22:17:08 +00:00 committed by Gerrit Code Review
commit afd68753c7
125 changed files with 2307 additions and 65 deletions

View File

@ -18,12 +18,52 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in cinder-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec cinder-api \
--config-file /etc/cinder/cinder.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -117,6 +117,10 @@ data:
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}

View File

@ -100,6 +100,8 @@ spec:
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: wsgi-cinder
mountPath: /var/www/cgi-bin/cinder
- name: cinder-bin
mountPath: /tmp/cinder-api.sh
subPath: cinder-api.sh
@ -130,14 +132,33 @@ spec:
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
subPath: resource_filters.json
readOnly: true
{{- if .Values.conf.security }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
subPath: security.conf
readOnly: true
{{- end }}
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: cinder-coordination
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{- end }}
{{- if .Values.manifests.certificates }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
subPath: wsgi-cinder.conf
readOnly: true
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: wsgi-cinder
emptyDir: {}
- name: cinder-bin
configMap:
name: cinder-bin
@ -152,5 +173,6 @@ spec:
- name: cinder-coordination
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -111,19 +111,18 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: INTERNAL_PROJECT_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
- name: INTERNAL_USER_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
{{- end }}
containers:
- name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -259,5 +258,6 @@ spec:
- name: usrlocalsbin
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

View File

@ -54,8 +54,9 @@ spec:
mountPath: /tmp/create-internal-tenant.sh
subPath: create-internal-tenant.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -82,4 +83,5 @@ spec:
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

View File

@ -1196,7 +1196,7 @@ secrets:
volume:
api:
public: cinder-tls-public
internal: cinder-tls-api
# We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other
# services.
@ -1449,6 +1449,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_volume_usage_audit: true

View File

@ -0,0 +1,136 @@
---
pod:
security_context:
cinder_api:
container:
cinder_api:
runAsUser: 0
readOnlyRootFilesystem: false
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_cinder: |
{{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess cinder-api processes=1 threads=1 user=cinder display-name=%{GROUP}
WSGIProcessGroup cinder-api
WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/cinder/certs/tls.crt
SSLCertificateKeyFile /etc/cinder/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
cinder:
keystone_authtoken:
cafile: /etc/cinder/certs/ca.crt
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
cinder:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
scheme:
default: https
port:
api:
public: 443
image_registry:
scheme:
default: https
port:
api:
public: 443
volume:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev2:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev3:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,17 @@
#!/bin/bash
set -xe
COMMAND="${@:-start}"
function start () {
envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
cat /tmp/nginx.conf
nginx -t -c /tmp/nginx.conf
exec nginx -c /tmp/nginx.conf
}
function stop () {
nginx -s stop
}
$COMMAND

View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -61,4 +61,8 @@ data:
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbit-init.sh: |
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
{{- if .Values.manifests.certificates }}
nginx.sh: |
{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- end }}

View File

@ -188,4 +188,5 @@ data:
policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
{{- end }}

View File

@ -92,6 +92,45 @@ spec:
readOnly: true
{{ end }}
containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -105,6 +144,21 @@ spec:
command:
- /tmp/glance-api.sh
- stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -114,7 +168,7 @@ spec:
livenessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
{{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@ -164,6 +218,7 @@ spec:
subPath: key
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -197,5 +252,6 @@ spec:
secret:
secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -55,6 +55,45 @@ spec:
initContainers:
{{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image_registry" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-registry
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -68,6 +107,21 @@ spec:
command:
- /tmp/glance-registry.sh
- stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports:
- name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -77,7 +131,7 @@ spec:
livenessProbe:
tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
{{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@ -109,6 +163,7 @@ spec:
mountPath: /etc/glance/policy.json
subPath: policy.json
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -123,5 +178,6 @@ spec:
secret:
secretName: glance-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -25,5 +25,8 @@ volumes:
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -569,7 +569,10 @@ secrets:
image:
api:
public: glance-tls-public
internal: glance-tls-api
image_registry:
api:
internal: glance-tls-reg
# typically overridden by environmental
# values, but should include all endpoints
@ -991,6 +994,7 @@ pod:
cpu: "2000m"
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment_api: true

View File

@ -0,0 +1,138 @@
---
images:
tags:
nginx: docker.io/nginx:1.18.0
conf:
glance:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
glance_store:
https_ca_certificates_file: /etc/glance/certs/ca.crt
glance_registry:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
nginx: |
worker_processes 1;
daemon off;
user nginx;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65s;
tcp_nodelay on;
log_format main '[nginx] method=$request_method path=$request_uri '
'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
'"$remote_user" "$http_referer" "$http_user_agent"';
access_log /dev/stdout main;
upstream websocket {
server 127.0.0.1:$PORT;
}
server {
server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
listen $POD_IP:$PORT ssl;
client_max_body_size 0;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
location / {
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass http://websocket;
proxy_read_timeout 90;
}
}
}
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
registry:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
endpoints:
identity:
name: keystone
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
glance:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
host_fqdn_override:
default:
tls:
secretName: glance-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
image_registry:
host_fqdn_override:
default:
tls:
secretName: glance-tls-reg
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
dashboard:
scheme:
default: https
public: https
port:
web:
default: 80
public: 443
pod:
security_context:
glance:
pod:
runAsUser: 0
resources:
nginx:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
certificates: true
...

View File

@ -18,12 +18,48 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api \
--config-file /etc/heat/heat.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -18,12 +18,49 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api-cfn; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api-cfn \
--config-file /etc/heat/heat.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -136,6 +136,11 @@ data:
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}

View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp
- name: pod-etc-heat
mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin
mountPath: /tmp/heat-api.sh
subPath: heat-api.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
subPath: wsgi-heat.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-etc-heat
emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin
configMap:
name: heat-bin
@ -123,5 +138,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp
- name: pod-etc-heat
mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin
mountPath: /tmp/heat-cfn.sh
subPath: heat-cfn.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
subPath: wsgi-cnf.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-etc-heat
emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin
configMap:
name: heat-bin
@ -123,5 +138,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -99,6 +99,7 @@ spec:
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -113,5 +114,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "orchestration" "backendPort" "h-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -15,5 +15,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

View File

@ -53,8 +53,9 @@ spec:
mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -88,4 +89,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -57,9 +57,10 @@ spec:
mountPath: /tmp/trusts.sh
subPath: trusts.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLES
@ -75,4 +76,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}

View File

@ -49,8 +49,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -65,7 +66,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -94,6 +95,7 @@ spec:
subPath: {{ printf "test_template_%d" $key }}
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -108,5 +110,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

View File

@ -797,10 +797,11 @@ secrets:
orchestration:
api:
public: heat-tls-public
internal: heat-tls-api
cloudformation:
cfn:
public: cloudformation-tls-public
internal: heat-tls-cfn
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@ -1262,6 +1263,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_job_engine_cleaner: true

View File

@ -0,0 +1,182 @@
---
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_heat: |
{{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
wsgi_cfn: |
{{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
heat:
clients_neutron:
ca_file: /etc/heat/certs/ca.crt
clients_cinder:
ca_file: /etc/heat/certs/ca.crt
clients_glance:
ca_file: /etc/heat/certs/ca.crt
clients_nova:
ca_file: /etc/heat/certs/ca.crt
clients_swift:
ca_file: /etc/heat/certs/ca.crt
ssl:
ca_file: /etc/heat/certs/ca.crt
keystone_authtoken:
cafile: /etc/heat/certs/ca.crt
clients:
ca_file: /etc/heat/certs/ca.crt
clients_heat:
ca_file: /etc/heat/certs/ca.crt
clients_keystone:
ca_file: /etc/heat/certs/ca.crt
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cfn:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cloudwatch:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
heat:
container:
heat_api:
readOnlyRootFilesystem: false
runAsUser: 0
heat_cfn:
readOnlyRootFilesystem: false
runAsUser: 0
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
heat:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_trustee:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_stack_user:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
orchestration:
host_fqdn_override:
default:
tls:
secretName: heat-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
cloudformation:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cfn
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
# Cloudwatch does not get an entry in the keystone service catalog
cloudwatch:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cloudwatch
issuerRef:
name: ca-issuer
kind: Issuer
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -78,14 +78,14 @@ spec:
containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
httpGet:
scheme: HTTP
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 15
periodSeconds: 10
livenessProbe:
httpGet:
scheme: HTTP
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 180
@ -129,6 +129,7 @@ spec:
subPath: {{ base $policyFile }}
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -145,5 +146,6 @@ spec:
secret:
secretName: horizon-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -183,6 +183,7 @@ conf:
# values will not work
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
debug: "False"
use_ssl: "False"
keystone_multidomain_support: "True"
keystone_default_domain: Default
disable_password_reveal: "True"
@ -266,6 +267,7 @@ conf:
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
@ -425,8 +427,10 @@ conf:
# Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = True
{{- if .Values.manifests.certificates }}
# The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
{{- end }}
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.
@ -2133,6 +2137,7 @@ secrets:
dashboard:
dashboard:
public: horizon-tls-public
internal: horizon-tls-web
# typically overridden by environmental
# values, but should include all endpoints
@ -2253,6 +2258,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment: true

View File

@ -0,0 +1,109 @@
---
network:
dashboard:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
a2enmod:
- headers
- rewrite
- ssl
horizon:
apache: |
<IfVersion < 2.4>
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
</IfVersion>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:80>
ServerName horizon-int.openstack.svc.cluster.local
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Virtualhost>
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName horizon-int.openstack.svc.cluster.local
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup horizon-http
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
WSGIPassAuthorization On
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
RewriteRule .* - [F]
<Location "/">
Require all granted
</Location>
Alias /static /var/www/html/horizon
<Location "/static">
SetHandler static
</Location>
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
TransferLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
ErrorLog /dev/stdout
SSLEngine on
SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt
SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
local_settings:
config:
use_ssl: "True"
csrf_cookie_secure: "True"
enforce_password_check: "True"
session_cookie_secure: "True"
session_cookie_httponly: "True"
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
dashboard:
host_fqdn_override:
default:
tls:
secretName: horizon-tls-web
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
web:
default: 443
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -51,6 +51,10 @@ function start () {
}
function stop () {
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
}

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -14,7 +14,7 @@ limitations under the License.
{{- define "apiProbeTemplate" }}
httpGet:
scheme: HTTP
scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /v3/
port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
@ -147,6 +147,7 @@ spec:
{{- end }}
- name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -180,5 +181,6 @@ spec:
- name: keystone-credential-keys
secret:
secretName: keystone-credential-keys
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

View File

@ -1070,6 +1070,7 @@ secrets:
identity:
api:
public: keystone-tls-public
internal: keystone-tls-api
# typically overridden by environmental
# values, but should include all endpoints
@ -1235,6 +1236,7 @@ endpoints:
default: 80
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_credential_rotate: true

View File

@ -0,0 +1,80 @@
---
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: null
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
keystone:
pod:
runAsUser: 0
container:
keystone_api:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
conf:
software:
apache2:
a2enmod:
- ssl
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
Listen 0.0.0.0:{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/keystone/certs/tls.crt
SSLCertificateKeyFile /etc/keystone/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
host_fqdn_override:
default:
tls:
secretName: keystone-tls-api
issuerRef:
name: ca-issuer
kind: Issuer
scheme:
default: https
public: https
port:
api:
default: 443
manifests:
certificates: true
...

View File

@ -0,0 +1,30 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
COMMAND="${@:-start}"
function start () {
exec neutron-rpc-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
}
function stop () {
kill -TERM 1
}
$COMMAND

View File

@ -18,6 +18,55 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
add_config=""
{{- if .Values.conf.plugins.taas.taas.enabled }}
add_config+='taas_plugin.ini;'
{{- end }}
{{- if ( has "sriov" .Values.network.backend ) }}
add_config+='sriov_agent.ini;'
{{- end }}
{{- if .Values.conf.plugins.l2gateway }}
add_config+='l2gw_plugin.ini;'
{{- end }}
export OS_NEUTRON_CONFIG_FILES=${add_config}
for WSGI_SCRIPT in neutron-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/neutron/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2ensite }}
{{- range .Values.conf.software.apache2.a2ensite }}
a2ensite {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec neutron-server \
--config-file /etc/neutron/neutron.conf \
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
@ -34,10 +83,18 @@ function start () {
{{- if .Values.conf.plugins.l2gateway }} \
--config-file /etc/neutron/l2gw_plugin.ini
{{- end }}
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -81,6 +81,10 @@ data:
{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-bagpipe-bgp-init.sh: |
{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.manifests.certificates }}
neutron-rpc-server.sh: |
{{ tuple "bin/_neutron-rpc-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
neutron-server.sh: |
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-ironic-agent.sh: |

View File

@ -272,6 +272,10 @@ data:
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_neutron_server "key" "wsgi-server.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- $filePrefix := replace "_" "-" $key }}
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}

View File

@ -189,6 +189,7 @@ spec:
mountPath: /run/netns
mountPropagation: Bidirectional
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -211,6 +212,7 @@ spec:
hostPath:
path: /run/netns
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}

View File

@ -177,10 +177,64 @@ spec:
mountPath: /etc/neutron/policy.json
subPath: policy.json
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
mountPath: /var/www/cgi-bin/neutron
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/wsgi-server.conf
subPath: wsgi-server.conf
readOnly: true
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{ end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.manifests.certificates }}
- name: neutron-rpc-server
{{ tuple $envAll "neutron_rpc_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.rpc_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_rpc_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/neutron-rpc-server.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/neutron-rpc-server.sh
- stop
volumeMounts:
- name: neutron-bin
mountPath: /tmp/neutron-rpc-server.sh
subPath: neutron-rpc-server.sh
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
readOnly: true
{{- end }}
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
emptyDir: {}
{{- end }}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin
@ -195,5 +249,6 @@ spec:
- name: neutron-plugin-shared
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

View File

@ -51,8 +51,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
- name: {{ .Release.Name }}-reset
{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -95,13 +96,14 @@ spec:
readOnly: true
- name: pod-tmp
mountPath: /tmp/pod-tmp
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ end }}
containers:
- name: neutron-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -124,6 +126,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -138,5 +141,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

View File

@ -31,6 +31,7 @@ images:
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
@ -473,6 +474,7 @@ pod:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent_init:
@ -497,6 +499,7 @@ pod:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent_init:
@ -2179,9 +2182,13 @@ secrets:
admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user
tls:
compute_metadata:
metadata:
internal: metadata-tls-metadata
network:
server:
public: neutron-tls-public
internal: neutron-tls-server
# typically overridden by environmental
# values, but should include all endpoints
@ -2468,6 +2475,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
daemonset_dhcp_agent: true

View File

@ -16,5 +16,6 @@ images:
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
...

View File

@ -0,0 +1,145 @@
---
network:
server:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
neutron_server:
pod:
runAsUser: 0
container:
neutron_server:
readOnlyRootFilesystem: false
neutron_rpc_server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
resources:
rpc_server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
conf_dir: /etc/apache2/conf-enabled
site_dir: /etc/apache2/sites-available
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
a2ensite:
- wsgi-server
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_neutron_server: |
<Directory /usr/local/bin>
Require all granted
</Directory>
{{- $portInt := tuple "network" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "neutron-server" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess neutron-server processes=1 threads=1 user=neutron display-name=%{GROUP}
WSGIProcessGroup neutron-server
WSGIScriptAlias / /var/www/cgi-bin/neutron/neutron-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/neutron/certs/tls.crt
SSLCertificateKeyFile /etc/neutron/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
Alias /networking /var/www/cgi-bin/neutron/neutron-api
<Location /networking>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup neutron-server
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
WSGISocketPrefix /var/run/apache2
neutron:
nova:
cafile: /etc/neutron/certs/ca.crt
keystone_authtoken:
cafile: /etc/neutron/certs/ca.crt
metadata_agent:
DEFAULT:
auth_ca_cert: /etc/ssl/certs/openstack-helm.crt
nova_metadata_port: 443
nova_metadata_protocol: https
endpoints:
compute:
scheme:
default: https
port:
api:
public: 443
compute_metadata:
scheme:
default: https
port:
metadata:
public: 443
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
neutron:
cacert: /etc/ssl/certs/openstack-helm.crt
nova:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
network:
host_fqdn_override:
default:
tls:
secretName: neutron-tls-server
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

View File

@ -15,5 +15,6 @@ images:
neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
...

View File

@ -18,13 +18,51 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-metadata-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-metadata \
--config-file /etc/nova/nova.conf \
--config-file /tmp/pod-shared/nova-api-metadata.ini
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -18,12 +18,51 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-api-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-os-compute \
--config-file /etc/nova/nova.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

View File

@ -46,6 +46,9 @@ function start () {
}
function stop () {
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
}

View File

@ -0,0 +1,27 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_spiceproxy }}
{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- end -}}

View File

@ -265,6 +265,11 @@ data:
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- if .Values.conf.security }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
{{- end }}

View File

@ -53,7 +53,7 @@ spec:
{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
{{- end }}
command:

View File

@ -240,6 +240,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
@ -377,6 +381,7 @@ spec:
subPath: tf-plugin.pth
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.sshd.enabled }}
- name: nova-compute-ssh
@ -390,6 +395,10 @@ spec:
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
ports:
- containerPort: {{ .Values.network.ssh.port }}
command:
@ -412,6 +421,7 @@ spec:
mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ end }}
volumes:
- name: pod-tmp
@ -481,6 +491,7 @@ spec:
- name: tf-plugin-bin
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}

View File

@ -166,10 +166,27 @@ spec:
- name: pod-shared
mountPath: /tmp/pod-shared
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
subPath: wsgi-metadata.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: nova-bin
configMap:
name: nova-bin
@ -180,5 +197,6 @@ spec:
defaultMode: 0444
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -114,10 +114,27 @@ spec:
mountPath: /etc/nova/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
subPath: wsgi-api.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: pod-var-nova
emptyDir: {}
- name: nova-bin
@ -128,5 +145,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command:
- /tmp/nova-conductor.sh
volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -139,6 +139,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -155,5 +156,6 @@ spec:
emptyDir: {}
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -120,6 +120,7 @@ spec:
subPath: security.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -134,5 +135,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command:
- /tmp/nova-scheduler.sh
volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -138,6 +138,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -154,5 +155,6 @@ spec:
emptyDir: {}
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

View File

@ -63,7 +63,7 @@ spec:
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: WAIT_PERCENTAGE
@ -91,6 +91,7 @@ spec:
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
emptyDir: {}
@ -104,6 +105,7 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1

View File

@ -42,7 +42,7 @@ spec:
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
command:
@ -54,6 +54,7 @@ spec:
mountPath: /tmp/cell-setup-init.sh
subPath: cell-setup-init.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
containers:
- name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -96,4 +97,5 @@ spec:
configMap:
name: nova-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

Some files were not shown because too many files have changed in this diff Show More