openstack-helm/nova/values_overrides/tls.yaml
Gupta, Sangeet (sg774j) 5028aa8de1 Mount rabbitmq TLS secret
Mount the rabbitmq TLS secret into the openstack services that support internal
TLS. Once internal TLS support is added to the other services, TLS-enabled
rabbitmq support should be added to them as well.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/795188

Change-Id: I9aa272e365f846746f2e06aa7b7010db730e17df
2021-06-10 14:12:57 +00:00


---
# Ingress -> pod hop. The API pods terminate TLS themselves (see the SSLEngine
# directives under conf.wsgi_* further down), so the ingress must speak HTTPS
# to the backend instead of plain HTTP.
#
# NOTE(review): backend-protocol only encrypts the ingress->pod connection; on
# its own it does not make the ingress verify the pod's certificate. If backend
# authentication is wanted, the ingress-nginx proxy-ssl-secret /
# proxy-ssl-verify annotations are the place to look — confirm against the
# ingress controller version actually deployed.
network:
  osapi:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"
  metadata:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"
  placement:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"
  novncproxy:
    ingress:
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
  # Apache event MPM tuning shared by the WSGI front-ends below.
  mpm_event: |
    <IfModule mpm_event_module>
      ServerLimit 1024
      StartServers 32
      MinSpareThreads 32
      MaxSpareThreads 256
      ThreadsPerChild 25
      MaxRequestsPerChild 128
      ThreadLimit 720
    </IfModule>
  # nova-api vhost. Listens on the internal "compute" API port and serves TLS
  # from the certificate/key mounted at /etc/nova/certs.
  #
  # NOTE(review): SSLProtocol leaves TLS 1.2 and later enabled. The cipher
  # list is ordered AEAD-first but its tail still admits the CBC SHA-2 suites
  # (*-AES256-SHA384, *-AES128-SHA256); drop those if an AEAD-only policy is
  # intended. Same applies to wsgi_nova_metadata and wsgi_placement.
  wsgi_nova_api: |
    {{- $portInt := tuple "compute" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    Listen {{ $portInt }}
    <VirtualHost *:{{ $portInt }}>
      ServerName {{ printf "%s.%s.svc.%s" "nova-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
      WSGIDaemonProcess nova-api processes=1 threads=1 user=nova display-name=%{GROUP}
      WSGIProcessGroup nova-api
      WSGIScriptAlias / /var/www/cgi-bin/nova/nova-api-wsgi
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      AllowEncodedSlashes On
      <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
      </IfVersion>
      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      ErrorLog /dev/stdout
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded
      SSLEngine on
      SSLCertificateFile /etc/nova/certs/tls.crt
      SSLCertificateKeyFile /etc/nova/certs/tls.key
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLHonorCipherOrder on
    </VirtualHost>
  # nova-metadata vhost; identical TLS settings to nova-api, different port
  # lookup and WSGI script.
  wsgi_nova_metadata: |
    {{- $portInt := tuple "compute_metadata" "internal" "metadata" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    Listen {{ $portInt }}
    <VirtualHost *:{{ $portInt }}>
      ServerName {{ printf "%s.%s.svc.%s" "nova-metadata" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
      WSGIDaemonProcess nova-metadata processes=1 threads=1 user=nova display-name=%{GROUP}
      WSGIProcessGroup nova-metadata
      WSGIScriptAlias / /var/www/cgi-bin/nova/nova-metadata-wsgi
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      AllowEncodedSlashes On
      <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
      </IfVersion>
      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      ErrorLog /dev/stdout
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded
      SSLEngine on
      SSLCertificateFile /etc/nova/certs/tls.crt
      SSLCertificateKeyFile /etc/nova/certs/tls.key
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLHonorCipherOrder on
    </VirtualHost>
  # mod_ssl must be enabled for the SSLEngine directives above to be accepted.
  software:
    apache2:
      a2enmod:
        - ssl
  # placement-api vhost. Note this one binds explicitly to 0.0.0.0 and, unlike
  # the two nova vhosts, carries no AllowEncodedSlashes directive.
  wsgi_placement: |
    Listen 0.0.0.0:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /dev/stdout combined env=!forwarded
    CustomLog /dev/stdout proxy env=forwarded
    <VirtualHost *:{{ tuple "placement" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
      WSGIDaemonProcess placement-api processes=4 threads=1 user=nova group=nova display-name=%{GROUP}
      WSGIProcessGroup placement-api
      WSGIScriptAlias / /var/www/cgi-bin/nova/nova-placement-api
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
      </IfVersion>
      ErrorLog /dev/stdout
      SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
      CustomLog /dev/stdout combined env=!forwarded
      CustomLog /dev/stdout proxy env=forwarded
      SSLEngine on
      SSLCertificateFile /etc/nova/certs/tls.crt
      SSLCertificateKeyFile /etc/nova/certs/tls.key
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLHonorCipherOrder on
    </VirtualHost>
    Alias /placement /var/www/cgi-bin/nova/nova-placement-api
    <Location /placement>
      SetHandler wsgi-script
      Options +ExecCGI
      WSGIProcessGroup placement-api
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
    </Location>
  # nova.conf overrides: every outbound client section is pointed at the CA
  # bundle mounted alongside the service certificate so that calls to the other
  # internal endpoints are verified rather than accepted blindly.
  nova:
    glance:
      cafile: /etc/nova/certs/ca.crt
    ironic:
      cafile: /etc/nova/certs/ca.crt
    neutron:
      cafile: /etc/nova/certs/ca.crt
    keystone_authtoken:
      cafile: /etc/nova/certs/ca.crt
    cinder:
      cafile: /etc/nova/certs/ca.crt
    placement:
      cafile: /etc/nova/certs/ca.crt
    keystone:
      cafile: /etc/nova/certs/ca.crt
    # rabbitmq over TLS. The CA, client cert and key come from the rabbitmq
    # TLS secret this change mounts at /etc/rabbitmq/certs. Presenting a
    # client certificate here does not by itself force the broker to require
    # one; whether client verification is enforced is a broker-side setting.
    oslo_messaging_rabbit:
      ssl: true
      ssl_ca_file: /etc/rabbitmq/certs/ca.crt
      ssl_cert_file: /etc/rabbitmq/certs/tls.crt
      ssl_key_file: /etc/rabbitmq/certs/tls.key
# Endpoint catalogue overrides: every service scheme flips to https, the
# public ports move to 443, and each nova-owned endpoint gets a cert-manager
# Certificate request (secretName / issuerRef) via host_fqdn_override.
#
# NOTE(review): the cacert paths here (/etc/ssl/certs/openstack-helm.crt) and
# the cafile paths under conf.nova (/etc/nova/certs/ca.crt) are two different
# files; presumably both carry the same issuing CA — confirm against the
# volume mounts in the chart templates.
endpoints:
  identity:
    auth:
      admin:
        cacert: /etc/ssl/certs/openstack-helm.crt
      nova:
        cacert: /etc/ssl/certs/openstack-helm.crt
      neutron:
        cacert: /etc/ssl/certs/openstack-helm.crt
      placement:
        cacert: /etc/ssl/certs/openstack-helm.crt
      test:
        cacert: /etc/ssl/certs/openstack-helm.crt
    scheme:
      default: https
    port:
      api:
        default: 443
  image:
    scheme:
      default: https
    port:
      api:
        public: 443
  # All certificates below are requested from the same ClusterIssuer; the
  # secretName is what the pod volume for /etc/nova/certs is expected to mount.
  compute:
    host_fqdn_override:
      default:
        tls:
          secretName: nova-tls-api
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
    port:
      api:
        public: 443
  compute_metadata:
    host_fqdn_override:
      default:
        tls:
          secretName: metadata-tls-metadata
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
    port:
      metadata:
        public: 443
  compute_novnc_proxy:
    host_fqdn_override:
      default:
        tls:
          secretName: nova-novncproxy-tls-proxy
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
    port:
      novnc_proxy:
        public: 443
  # Unlike the other proxies, no public port override is given here; the
  # chart default applies.
  compute_spice_proxy:
    host_fqdn_override:
      default:
        tls:
          secretName: nova-tls-spiceproxy
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
  placement:
    host_fqdn_override:
      default:
        tls:
          secretName: placement-tls-api
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
    scheme:
      default: https
    port:
      api:
        public: 443
  network:
    scheme:
      default: https
    port:
      api:
        public: 443
  # NOTE(review): this is the rabbitmq https (management) port rather than the
  # AMQP-over-TLS port; verify it matches the port the rabbitmq chart exposes
  # in the dependent openstack-helm-infra change.
  oslo_messaging:
    port:
      https:
        default: 15680
# Container security contexts loosened for the TLS deployment.
#
# NOTE(review): both API containers are switched to uid 0 with a writable
# root filesystem. Presumably this is needed so apache can read the mounted
# key material / write its runtime state; if the real requirement is only
# read access to the secret volume, an fsGroup or a narrower writable mount
# would keep the default non-root, read-only posture — confirm what actually
# fails without this.
pod:
  security_context:
    nova:
      container:
        nova_api:
          runAsUser: 0
          readOnlyRootFilesystem: false
        nova_osapi:
          runAsUser: 0
          readOnlyRootFilesystem: false
# Render the cert-manager Certificate manifests referenced by the
# endpoints.*.host_fqdn_override.default.tls entries above.
manifests:
  certificates: true
...