From b356cbe21f787af75531bf85a5d7f58abe709cf9 Mon Sep 17 00:00:00 2001
From: josebb
Date: Wed, 11 May 2022 10:40:04 +0300
Subject: [PATCH] Support TLS endpoints in nova metadata-api

This allows nova metadata-api to consume TLS openstack endpoints, typically identity endpoints. Same idea with https://review.opendev.org/c/openstack/openstack-helm/+/820212

Change-Id: I80e580badc96908f382fe8c6ddb2fae7caa957ed
---
 nova/Chart.yaml | 2 +-
 nova/templates/deployment-api-metadata.yaml | 9 +++++++--
 releasenotes/notes/nova.yaml | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/nova/Chart.yaml b/nova/Chart.yaml
index 5652456e1c..58049ae87d 100644
--- a/nova/Chart.yaml
+++ b/nova/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.2.44
+version: 0.2.45
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 44d3a492d7..9170d69b42 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
@@ -91,6 +91,11 @@ spec:
 {{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api_metadata | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "nova" "container" "nova_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/nova/certs/ca.crt"
+{{- end }}
 command:
 - /tmp/nova-api-metadata.sh
 - start
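Review bot: The `REQUESTS_CA_BUNDLE` variable added to the `nova_api` container in the `@@ -91,6 +91,11 @@` hunk has no comment saying what it overrides or what it depends on. For python-requests calls that do not pass their own CA, this file is used instead of the default bundle, so every such HTTPS endpoint must chain to `/etc/nova/certs/ca.crt`. When `tls.identity` is enabled without `manifests.certificates`, the mounted secret must still contain `ca.crt`; presumably it is then operator-provided, but values.yaml is not part of this change, so confirm. I would add a template comment above the `env:` block, for example `{{- /* REQUESTS_CA_BUNDLE replaces the default python-requests trust store; the secret mounted at /etc/nova/certs must provide a ca.crt that signs every HTTPS endpoint this pod calls */}}`, and state the same requirement next to `tls.identity` in values.yaml. The container spec starts before and continues after this hunk.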
@@ -182,7 +187,7 @@ spec:
 readOnly: true
 {{- end }}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -202,6 +207,6 @@ spec:
 - name: pod-shared
 emptyDir: {}
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/releasenotes/notes/nova.yaml b/releasenotes/notes/nova.yaml
index dda928fd9f..027612cb7e 100644
--- a/releasenotes/notes/nova.yaml
+++ b/releasenotes/notes/nova.yaml
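Review bot: In `nova/templates/deployment-api-metadata.yaml`, the changed `tls_volume_mount` line in the `@@ -182,7 +187,7 @@` hunk now mounts the `compute_metadata` internal TLS secret at `/etc/nova/certs` whenever `tls.identity` is set, although the only file this commit reads from that path is `ca.crt`. The helm-toolkit snippet is not visible here; if it mounts every file of the secret, the server certificate and private key are exposed in a pod that, for the identity-only case, needs just a trust anchor. I would restrict the mount to `ca.crt` in that case if the snippet allows it, or at least add `{{- /* with only tls.identity set, this mount is used for ca.crt (REQUESTS_CA_BUNDLE) */}}` above the line so the wider mount is a visible decision. The same `or` condition is applied to the `tls_volume` line in the `@@ -202,6 +207,6 @@` hunk, so the point covers both; the `volumeMounts` and `volumes` lists start outside the hunks.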
@@ -65,4 +65,5 @@ nova:
 - 0.2.42 Add missing configuration ``[vnc]/novncproxy_host``
 - 0.2.43 Added OCI registry authentication
 - 0.2.44 Distinguish between port number of internal endpoint and binding port number
+ - 0.2.45 Support TLS endpoints for metadata-api
 ...