nova: use directory mount for vencrypt certs

Kubernetes subpath mount does not reflect the changes of the volume origin(ConfigMap, Secret or whatever). This patch uses directory mount instead of subPath for renewed certs to be reflected inside the pod automatically Change-Id: I740737d23db1fe3621b4490523730375e6c36313
2024-01-11 01:05:35 +11:00 · 2024-01-11 01:05:35 +11:00 · d5b62a8235
commit d5b62a8235
parent 3620054def
3 changed files with 14 additions and 3 deletions
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.3.34
+version: 0.3.35
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
--- a/nova/templates/deployment-novncproxy.yaml
+++ b/nova/templates/deployment-novncproxy.yaml
@ -144,9 +144,14 @@ spec:
              readOnly: true
            - name: pod-shared
              mountPath: /tmp/pod-shared
+            {{- if $vencrypt_enabled }}
+            - name: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+              mountPath: /etc/pki/nova-novncproxy
+              readOnly: true
+            {{- end }}
+
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
      volumes:
@ -164,9 +169,14 @@ spec:
          emptyDir: {}
        - name: pod-shared
          emptyDir: {}
+        {{- if $vencrypt_enabled }}
+        - name: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+          secret:
+            secretName: {{ .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal }}
+            defaultMode: 0444
+        {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
 {{- end }}
--- a/releasenotes/notes/nova.yaml
+++ b/releasenotes/notes/nova.yaml
@ -103,4 +103,5 @@ nova:
  - 0.3.32 Set the startupProbe for nova-compute
  - 0.3.33 Add job to create 'vms' pool
  - 0.3.34 Add public endpoints for the spiceproxy
+  - 0.3.35 Use directory mount for vencrypt certificates
 ...