Activate new Ingress Helm-Chart

After the OSH-I upversion, the Ingress Helm chart was
changed from the one from Openstack community to the
Ingress-nginx. A previous commit [1] added the new
Helm chart to the build environment and another [2]
created the manifest for this new Ingress chart. Now,
this review removes the old Ingress manifest and activates
the new Ingress Helm chart.

A patch was created to rename the Ingress Helm-chart so it
wouldn't have a conflict with the Ingress deployed by the platform.

All manifests and plugins of the old Ingress was deleted, and
all references (kustomization, dependencies, etc...) was changed
to the new Ingress chart name.

The new Ingress was placed as a dependency to the OSH-I debian package.
This dependencie was moved to the stx-openstack-helm-fluxcd debian
control, to facilitate the tarball building proccess. As it was, the
new Ingress needed to be declared in the tarball building call, with
this change this is not necessary anymore.

Finally the name for the ingressClass name in all Helm charts' Ingress
was changed for the new name defined by the Ingress patch.

[1] - https://review.opendev.org/c/starlingx/openstack-armada-app/+/937396
[2] - https://review.opendev.org/c/starlingx/openstack-armada-app/+/937174

Test Plan:
PASS - Build all packages and STX-O tarball
PASS - STX-O upload and apply
PASS - New Ingress Helm chart deployed with new name
PASS - Ingress from all charts with new ingressclassname
PASS - Ingress comunicates with other Helm charts
PASS - Launch a VM

This is the last change in the realtion chain related to the upversion
to the Caracal version and the activation of the new Ingress chart. All
reviews must be merged together, otherwise the build and apply of STX-O
will break.

Story: 2011303
Task: 51611

Change-Id: If10a47a470b6e32ccb1090dbaa604fcbf6d1f82e
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>

ingress-nginx-helm/debian/deb_folder/patches/0001-Change-Ingress-chart-name.patch

@@ -0,0 +1,34 @@
+From 599cd1751cae649ae650333da4866f6565f21f46 Mon Sep 17 00:00:00 2001
+From: Daniel Caires <DanielMarques.Caires@windriver.com>
+Date: Fri, 17 Jan 2025 14:33:55 -0300
+Subject: [PATCH] Change Ingress chart name
+
+When activating the new Ingress chart in STX-openstack
+it was noted that because it had the same name as the
+Ingress used in the platform, the new Ingress in STX-O
+could not be properly configured.
+
+This patch changes the name of the Ingress Helm Chart,
+so it differs from the one used by the platform.
+
+Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
+---
+ charts/ingress-nginx/Chart.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
+index 3ee839a..31ed0a0 100644
+--- a/charts/ingress-nginx/Chart.yaml
++++ b/charts/ingress-nginx/Chart.yaml
+@@ -19,7 +19,7 @@ maintainers:
+ - name: rikatz
+ - name: strongjz
+ - name: tao12345666333
+-name: ingress-nginx
++name: ingress-nginx-openstack
+ sources:
+ - https://github.com/kubernetes/ingress-nginx
+ version: 4.11.1
+-- 
+2.34.1
+

ingress-nginx-helm/debian/deb_folder/patches/series

@@ -0,0 +1 @@
+0001-Change-Ingress-chart-name.patch

openstack-helm-infra/debian/deb_folder/control

@@ -4,8 +4,7 @@ Priority: optional
 Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
 Build-Depends: debhelper-compat (= 13),
  helm,
- procps,
- ingress-nginx-helm
+ procps
 Standards-Version: 4.5.1
 Homepage: https://www.starlingx.io
 

openstack-helm-infra/debian/deb_folder/patches/0019-Fix-upversion-breaking-changes.patch

@@ -0,0 +1,52 @@
+From e94108931a7ed75882b4bd5da463fee3f0f231f5 Mon Sep 17 00:00:00 2001
+From: Daniel Caires <DanielMarques.Caires@windriver.com>
+Date: Mon, 13 Jan 2025 10:40:59 -0300
+Subject: [PATCH] Fix upversion breaking changes
+
+After the OSH and OSH-I to caracal, two changes made into the upstream
+broke the deployment of STX-O.
+
+The first change it was a enconding of the password. This broke the
+apply of STX-O because urlquery is a GO template function and when
+the plugin tries to retrieve the password from the Helm environment
+it is not encoded the same way.
+
+The second change modified the pathtype of the Helm charts' ingress.
+
+This patch reverts this two modification to the upstream.
+
+Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
+---
+ .../templates/endpoints/_authenticated_endpoint_uri_lookup.tpl  | 2 +-
+ helm-toolkit/templates/manifests/_ingress.tpl                   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
+index d7390d8b..12b84dec 100644
+--- a/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
++++ b/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
+@@ -50,7 +50,7 @@ return: |
+ {{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+ {{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+ {{- $endpointUser := index $userMap "username" }}
+-{{- $endpointPass := index $userMap "password" | urlquery }}
++{{- $endpointPass := index $userMap "password" }}
+ {{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ {{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+diff --git a/helm-toolkit/templates/manifests/_ingress.tpl b/helm-toolkit/templates/manifests/_ingress.tpl
+index cacb4b81..4ea88966 100644
+--- a/helm-toolkit/templates/manifests/_ingress.tpl
++++ b/helm-toolkit/templates/manifests/_ingress.tpl
+@@ -625,7 +625,7 @@ examples:
+ {{- $backendServiceType := index . "backendServiceType" -}}
+ {{- $backendPort := index . "backendPort" -}}
+ {{- $endpoint := index . "endpoint" | default "public" -}}
+-{{- $pathType := index . "pathType" | default "Prefix" -}}
++{{- $pathType := index . "pathType" | default "ImplementationSpecific" -}}
+ {{- $certIssuer := index . "certIssuer" | default "" -}}
+ {{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ {{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+-- 
+2.34.1
+

openstack-helm-infra/debian/deb_folder/patches/series

@@ -16,3 +16,4 @@
 0016-Add-pre-apply-cleanup-Job-to-STX-O-Helm-charts.patch
 0017-Add-Kubernetes-name-label-to-helm-toolkit-template.patch
 0018-Add-support-for-multiple-hosts-in-a-daemonset.patch
+0019-Fix-upversion-breaking-changes.patch

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/common/constants.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2019-2024 Wind River Systems, Inc.
+# Copyright (c) 2019-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -27,7 +27,7 @@ HELM_CHART_GNOCCHI = 'gnocchi'
 HELM_CHART_HEAT = 'heat'
 HELM_CHART_HELM_TOOLKIT = 'openstack-helm-toolkit'
 HELM_CHART_HORIZON = 'horizon'
-HELM_CHART_INGRESS = 'ingress'
+HELM_CHART_INGRESS = 'ingress-nginx-openstack'
 HELM_CHART_IRONIC = 'ironic'
 HELM_CHART_KEYSTONE = 'keystone'
 HELM_CHART_KEYSTONE_API_PROXY = 'keystone-api-proxy'
@@ -59,7 +59,7 @@ FLUXCD_HELMRELEASE_GNOCCHI = 'gnocchi'
 FLUXCD_HELMRELEASE_HEAT = 'heat'
 FLUXCD_HELMRELEASE_HELM_TOOLKIT = 'openstack-helm-toolkit'
 FLUXCD_HELMRELEASE_HORIZON = 'horizon'
-FLUXCD_HELMRELEASE_INGRESS = 'ingress'
+FLUXCD_HELMRELEASE_INGRESS = 'ingress-nginx-openstack'
 FLUXCD_HELMRELEASE_IRONIC = 'ironic'
 FLUXCD_HELMRELEASE_KEYSTONE = 'keystone'
 FLUXCD_HELMRELEASE_KEYSTONE_API_PROXY = 'keystone-api-proxy'

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/ingress.py

@@ -1,60 +0,0 @@
-#
-# Copyright (c) 2019-2020 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-from sysinv.common import exception
-from sysinv.helm import common
-
-from k8sapp_openstack.common import constants as app_constants
-from k8sapp_openstack.helm import openstack
-
-
-class IngressHelm(openstack.OpenstackBaseHelm):
-    """Class to encapsulate helm operations for the ingress chart"""
-
-    CHART = app_constants.HELM_CHART_INGRESS
-    HELM_RELEASE = app_constants.FLUXCD_HELMRELEASE_INGRESS
-
-    def get_overrides(self, namespace=None):
-        limit_enabled, limit_cpus, limit_mem_mib = self._get_platform_res_limit()
-
-        overrides = {
-            common.HELM_NS_OPENSTACK: {
-                'conf': {
-                     'ingress': {
-                         'proxy-connect-timeout': "30"
-                     }
-                },
-                'pod': {
-                    'replicas': {
-                        'ingress': self._num_provisioned_controllers(),
-                        'error_page': self._num_provisioned_controllers()
-                    },
-                    'resources': {
-                        'enabled': limit_enabled,
-                        'ingress': {
-                            'limits': {
-                                'cpu': "%d000m" % (limit_cpus),
-                                'memory': "%dMi" % (limit_mem_mib)
-                            }
-                        },
-                        'error_pages': {
-                            'limits': {
-                                'cpu': "%d000m" % (limit_cpus),
-                                'memory': "%dMi" % (limit_mem_mib)
-                            }
-                        }
-                    }
-                }
-            }
-        }
-
-        if namespace in self.SUPPORTED_NAMESPACES:
-            return overrides[namespace]
-        elif namespace:
-            raise exception.InvalidHelmNamespace(chart=self.CHART,
-                                                 namespace=namespace)
-        else:
-            return overrides

python3-k8sapp-openstack/k8sapp_openstack/k8sapp_openstack/helm/ingress_nginx_openstack.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Wind River Systems, Inc.
+# Copyright (c) 2024-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -11,7 +11,7 @@ from k8sapp_openstack.common import constants as app_constants
 from k8sapp_openstack.helm import openstack
 
 
-class IngressHelm(openstack.OpenstackBaseHelm):
+class IngressNginxOpenstackHelm(openstack.OpenstackBaseHelm):
     """Class to encapsulate helm operations for the ingress chart"""
 
     CHART = app_constants.HELM_CHART_INGRESS

python3-k8sapp-openstack/k8sapp_openstack/setup.cfg

@@ -33,7 +33,7 @@ systemconfig.helm_applications =
     openstack = systemconfig.helm_plugins.openstack
 
 systemconfig.helm_plugins.openstack =
-    001_ingress = k8sapp_openstack.helm.ingress:IngressHelm
+    001_ingress-nginx-openstack = k8sapp_openstack.helm.ingress_nginx_openstack:IngressNginxOpenstackHelm
     002_mariadb = k8sapp_openstack.helm.mariadb:MariadbHelm
     003_garbd = k8sapp_openstack.helm.garbd:GarbdHelm
     004_rabbitmq = k8sapp_openstack.helm.rabbitmq:RabbitmqHelm

stx-openstack-helm-fluxcd/debian/deb_folder/control

@@ -8,7 +8,8 @@ Build-Depends: debhelper-compat (= 13),
  openstack-helm-infra,
  openstack-helm,
  procps,
- python3-k8sapp-openstack-wheels
+ python3-k8sapp-openstack-wheels,
+ ingress-nginx-helm
 Standards-Version: 4.5.1
 Homepage: https://www.starlingx.io
 
@@ -18,7 +19,8 @@ Architecture: all
 Depends: ${misc:Depends},
  openstack-helm-infra,
  openstack-helm,
- python3-k8sapp-openstack-wheels
+ python3-k8sapp-openstack-wheels,
+ ingress-nginx-helm
 Description: StarlingX Openstack FluxCD application
  This package contains the components needed for the Openstack FluxCD
  application.

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/aodh/aodh-static-overrides.yaml

@@ -44,6 +44,12 @@ pod:
         - key: openstack-compute-node
           operator: Exists
           effect: NoSchedule
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 endpoints:
   oslo_messaging:
     statefulset:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/barbican/barbican-static-overrides.yaml

@@ -49,6 +49,12 @@ pod:
         - key: openstack-compute-node
           operator: Exists
           effect: NoSchedule
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 endpoints:
   oslo_messaging:
     statefulset:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ceilometer/ceilometer-static-overrides.yaml

@@ -525,6 +525,12 @@ wsgi_ceilometer: |
       ErrorLog /dev/stdout
       CustomLog /dev/stdout combined
   </VirtualHost>
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   affinity:
     anti:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ceph-rgw/ceph-rgw-static-overrides.yaml

@@ -47,6 +47,12 @@ labels:
   registry:
     node_selector_key: openstack-control-plane
     node_selector_value: enabled
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   replicas:
     api: 2

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/cinder/cinder-static-overrides.yaml

@@ -67,6 +67,12 @@ pod:
       - key: openstack-compute-node
         operator: Exists
         effect: NoSchedule
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 endpoints:
   oslo_messaging:
     statefulset:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/fm-rest-api/fm-rest-api-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
+# Copyright (c) 2022-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -32,6 +32,12 @@ pod:
     fm:
       requests:
         ephemeral-storage: "20000Ki"
+network:
+  faultmanagement:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 labels:
   isApplication: false
   api:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/garbd/garbd-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
+# Copyright (c) 2022-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/garbd/helmrelease.yaml

@@ -29,7 +29,7 @@ spec:
   upgrade:
     disableHooks: False
   dependsOn:
-    - name: ingress
+    - name: ingress-nginx-openstack
       namespace: openstack
     - name: nginx-ports-control
       namespace: openstack

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/glance/glance-static-overrides.yaml

@@ -34,6 +34,12 @@ images:
     rabbit_init: docker.io/rabbitmq:3.9.0-management
     pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
     test: null
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   replicas:
     api: 2

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/gnocchi/gnocchi-static-overrides.yaml

@@ -89,6 +89,12 @@ conf:
     app:healthcheck:
       use: egg:oslo.middleware#healthcheck
       oslo_config_project: gnocchi
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   affinity:
     anti:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/heat/heat-static-overrides.yaml

@@ -70,6 +70,23 @@ conf:
       bind_host: "::"
     heat_api_cfn:
       bind_host: "::"
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
+  cfn:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
+  cloudwatch:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   replicas:
     api: 2

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/horizon/horizon-static-overrides.yaml

@@ -22,6 +22,11 @@ manifests:
   pod_helm_test: false
   secret_keystone: false
 network:
+  dashboard:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
   node_port:
     enabled: 'true'
     port: 31000

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress-nginx-openstack/helmrelease.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Wind River Systems, Inc.
+# Copyright (c) 2024-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -8,15 +8,15 @@
 apiVersion: "helm.toolkit.fluxcd.io/v2"
 kind: HelmRelease
 metadata:
-  name: ingress-nginx
+  name: ingress-nginx-openstack
   labels:
-    chart_group: openstack-ingress-nginx
+    chart_group: ingress-nginx-openstack
 spec:
-  releaseName: openstack-ingress-nginx
+  releaseName: ingress-nginx-openstack
   chart:
     spec:
-      chart: ingress-nginx
-      version: 4.11.1
+      chart: ingress-nginx-openstack
+      version: 4.11.1+STX.2
       sourceRef:
         kind: HelmRepository
         name: starlingx

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress-nginx-openstack/ingress-nginx-static-overrides.yaml

@@ -0,0 +1,89 @@
+#
+# Copyright (c) 2024-2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+fullnameOverride: ingress-nginx-openstack
+nameOverride: ingress-nginx-openstack
+
+controller:
+  opentelemetry:
+    image:
+      repository: registry.k8s.io/ingress-nginx/opentelemetry
+      tag: "v20230721-3e2062ee5"
+  config:
+    bind-address: '::'
+    worker-processes: "4"
+    enable-underscores-in-headers: "true"
+    enable-vts-status: "true"
+    proxy-connect-timeout: "30"
+    server-tokens: "false"
+
+  dnsPolicy: ClusterFirst
+  hostNetwork: false
+  ingressClassResource:
+    name: nginx-openstack
+    controllerValue: k8s.io/ingress-nginx-openstack
+  ingressClass: nginx-openstack
+  scope:
+    enabled: true
+    namespace: "openstack"
+    namespaceSelector: "openstack"
+  labels:
+    app: ingress-api
+  tolerations:
+  - key: "node-role.kubernetes.io/master"
+    operator: "Exists"
+    effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/control-plane"
+    operator: "Exists"
+    effect: "NoSchedule"
+  - key: "openstack-compute-node"
+    operator: "Exists"
+    effect: "NoSchedule"
+  affinity:
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: release_group
+            operator: In
+            values:
+            - ingress-nginx-openstack
+          - key: application
+            operator: In
+            values:
+            - ingress-nginx-openstack
+          - key: component
+            operator: In
+            values:
+            - server
+        topologyKey: kubernetes.io/hostname
+  nodeSelector:
+    openstack-control-plane: "enabled"
+  service:
+    type: ClusterIP
+  admissionWebhooks:
+    patch:
+      image:
+        repository: registry.k8s.io/ingress-nginx/kube-webhook-certgen
+        tag: v1.4.1
+    enabled: false
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+      maxSurge: 3
+  resources:
+    requests:
+      cpu: 100m
+      ephemeral-storage: 2000Ki
+      memory: 128Mi
+
+defaultBackend:
+  enabled: false
+
+revisionHistoryLimit: 3
+...

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress-nginx-openstack/kustomization.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2024 Wind River Systems, Inc.
+# Copyright (c) 2024-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress-nginx/ingress-nginx-static-overrides.yaml

@@ -1,140 +0,0 @@
-#
-# Copyright (c) 2024 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
----
-fullnameOverride: ingress-nginx
-
-controller:
-  config:
-    bind-address: '::'
-    worker-processes: "4"
-    enable-underscores-in-headers: "true"
-    enable-vts-status: "true"
-    proxy-connect-timeout: "30"
-    server-tokens: "false"
-    ssl-dh-param: openstack/secret-dhparam
-
-  dnsPolicy: ClusterFirstWithHostNet
-  ingressClassResource:
-    enabled: false
-    controllerValue: k8s.io/ingress-nginx-openstack
-  scope:
-    enabled: true
-    namespace: "openstack"
-    namespaceSelector: "openstack"
-  labels:
-    app: ingress-api
-  tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "node-role.kubernetes.io/control-plane"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "openstack-compute-node"
-      operator: "Exists"
-      effect: "NoSchedule"
-  affinity:
-    podAntiAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-      - labelSelector:
-          matchExpressions:
-            - key: release_group
-              operator: In
-              values:
-              - osh-openstack-ingress
-            - key: application
-              operator: In
-              values:
-              - ingress
-            - key: component
-              operator: In
-              values:
-              - server
-        topologyKey: kubernetes.io/hostname
-  nodeSelector:
-    openstack-control-plane: "enabled"
-  service:
-    type: ClusterIP
-  admissionWebhooks:
-    enabled: false
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-      maxSurge: 3
-  requests:
-    cpu: 100m
-    ephemeral-storage: 2000Ki
-    memory: 128Mi
-
-defaultBackend:
-  enabled: true
-  config:
-    bind-address: '::'
-    worker-processes: "4"
-    enable-underscores-in-headers: "true"
-    enable-vts-status: "true"
-    proxy-connect-timeout: "30"
-    server-tokens: "false"
-    ssl-dh-param: openstack/secret-dhparam
-
-  dnsPolicy: ClusterFirstWithHostNet
-  ingressClassResource:
-    enabled: false
-    controllerValue: k8s.io/ingress-nginx-openstack
-  scope:
-    enabled: true
-    namespace: "openstack"
-    namespaceSelector: "openstack"
-  labels:
-    app: ingress-api
-  tolerations:
-    - key: "node-role.kubernetes.io/master"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "node-role.kubernetes.io/control-plane"
-      operator: "Exists"
-      effect: "NoSchedule"
-    - key: "openstack-compute-node"
-      operator: "Exists"
-      effect: "NoSchedule"
-  affinity:
-    podAntiAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-      - labelSelector:
-          matchExpressions:
-            - key: release_group
-              operator: In
-              values:
-              - osh-openstack-ingress
-            - key: application
-              operator: In
-              values:
-              - ingress
-            - key: component
-              operator: In
-              values:
-              - server
-        topologyKey: kubernetes.io/hostname
-  nodeSelector:
-    openstack-control-plane: "enabled"
-  service:
-    type: ClusterIP
-  admissionWebhooks:
-    enabled: false
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-      maxSurge: 3
-  requests:
-    cpu: 100m
-    ephemeral-storage: 2000Ki
-    memory: 128Mi
-
-revisionHistoryLimit: 3
-...

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress/helmrelease.yaml

@@ -1,39 +0,0 @@
-#
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
----
-apiVersion: "helm.toolkit.fluxcd.io/v2"
-kind: HelmRelease
-metadata:
-  name: ingress
-  labels:
-    chart_group: openstack-ingress
-spec:
-  releaseName: osh-openstack-ingress
-  chart:
-    spec:
-      chart: ingress
-      version: 0.2.15
-      sourceRef:
-        kind: HelmRepository
-        name: starlingx
-      interval: 1m
-  interval: 1m
-  timeout: 30m
-  test:
-    enable: false
-  install:
-    disableHooks: false
-  upgrade:
-    disableHooks: false
-  valuesFrom:
-    - kind: Secret
-      name: ingress-static-overrides
-      valuesKey: ingress-static-overrides.yaml
-    - kind: Secret
-      name: ingress-system-overrides
-      valuesKey: ingress-system-overrides.yaml
-...

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress/ingress-static-overrides.yaml

@@ -1,56 +0,0 @@
-#
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
----
-release_group: osh-openstack-ingress
-labels:
-  isApplication: false
-  server:
-    node_selector_key: openstack-control-plane
-    node_selector_value: enabled
-  error_server:
-    node_selector_key: openstack-control-plane
-    node_selector_value: enabled
-images:
-  tags:
-    ingress: registry.k8s.io/ingress-nginx/controller:v1.7.0
-    error_pages: registry.k8s.io/defaultbackend-amd64:1.5
-    pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
-    image_repo_sync: null
-    ingress_module_init: null
-    ingress_routed_vip: null
-    keepalived: null
-pod:
-  replicas:
-    error_page: 2
-    ingress: 2
-  affinity:
-    anti:
-      type:
-        default: requiredDuringSchedulingIgnoredDuringExecution
-  resources:
-    enabled: true
-    ingress:
-      requests:
-        ephemeral-storage: "2000Ki"
-  tolerations:
-    ingress:
-      enabled: true
-      tolerations:
-      - key: node-role.kubernetes.io/master
-        operator: Exists
-        effect: NoSchedule
-      - key: node-role.kubernetes.io/control-plane
-        operator: Exists
-        effect: NoSchedule
-      - key: openstack-compute-node
-        operator: Exists
-        effect: NoSchedule
-conf:
-  ingress:
-    worker-processes: '4'
-    bind-address: "::"
-...

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ingress/kustomization.yaml

@@ -1,22 +0,0 @@
-#
-# Copyright (c) 2022 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
----
-namespace: openstack
-commonLabels:
-  chart_group: openstack-ingress
-resources:
-  - helmrelease.yaml
-secretGenerator:
-  - name: ingress-static-overrides
-    files:
-      - ingress-static-overrides.yaml
-  - name: ingress-system-overrides
-    files:
-      - ingress-system-overrides.yaml
-generatorOptions:
-  disableNameSuffixHash: true
-...

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/ironic/ironic-static-overrides.yaml

@@ -30,6 +30,12 @@ pod:
         - key: openstack-compute-node
           operator: Exists
           effect: NoSchedule
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 labels:
   isApplication: false
   api:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone-api-proxy/keystone-api-proxy-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
+# Copyright (c) 2022-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -16,6 +16,12 @@ images:
     keystone_api_proxy: docker.io/starlingx/stx-keystone-api-proxy:master-debian-stable-latest
     ks_endpoints: docker.io/starlingx/stx-heat:master-debian-stable-latest
     pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
+network:
+  keystone_api_proxy:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 conf:
   keystone_api_proxy:
     identity:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/keystone/keystone-static-overrides.yaml

@@ -43,6 +43,12 @@ images:
     pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
     rabbit_init: docker.io/rabbitmq:3.9.0-management
     test: null
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   replicas:
     api: 2

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/kustomization.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -10,7 +10,7 @@ kind: Kustomization
 namespace: openstack
 resources:
   - base
-  - ingress
+  - ingress-nginx-openstack
   - nginx-ports-control
   - mariadb
   - garbd

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/mariadb/helmrelease.yaml

@@ -29,7 +29,7 @@ spec:
   upgrade:
     disableHooks: False
   dependsOn:
-    - name: ingress
+    - name: ingress-nginx-openstack
       namespace: openstack
     - name: nginx-ports-control
       namespace: openstack

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/neutron/neutron-static-overrides.yaml

@@ -172,6 +172,11 @@ network:
   backend:
     - openvswitch
     - sriov
+  server:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 dependencies:
   static:
     ovs_agent:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/nova-api-proxy/nova-api-proxy-static-overrides.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2022-2024 Wind River Systems, Inc.
+# Copyright (c) 2022-2025 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -16,6 +16,12 @@ images:
 endpoints:
   identity:
     force_public_endpoint: true
+network:
+  api_proxy:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   affinity:
     anti:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/nova/nova-static-overrides.yaml

@@ -91,7 +91,7 @@ images:
     nova_service_cleaner: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
     nova_spiceproxy: docker.io/starlingx/stx-nova:master-debian-stable-latest
     nova_spiceproxy_assets: docker.io/starlingx/stx-nova:master-debian-stable-latest
-    nova_storage_init: docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20201223
+    nova_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy
     nova_wait_for_computes_init: null
     pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
     rabbit_init: docker.io/rabbitmq:3.9.0-management
@@ -265,6 +265,26 @@ conf:
       UserKnownHostsFile /dev/null
       Port {{ .Values.network.ssh.port }}
 network:
+  osapi:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
+  metadata:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
+  novncproxy:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
+  spiceproxy:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
   ssh:
     enabled: true
 console:

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/placement/placement-static-overrides.yaml

@@ -29,6 +29,12 @@ images:
     placement: docker.io/starlingx/stx-placement:master-debian-stable-latest
     placement_db_sync: docker.io/starlingx/stx-placement:master-debian-stable-latest
     pre_apply_cleanup: docker.io/starlingx/stx-vault-manager:master-debian-stable-latest
+network:
+  api:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   replicas:
     placement: 1

stx-openstack-helm-fluxcd/stx-openstack-helm-fluxcd/manifests/rabbitmq/rabbitmq-static-overrides.yaml

@@ -29,6 +29,12 @@ images:
     rabbitmq_init: docker.io/starlingx/stx-heat:master-debian-stable-latest
     scripted_test: docker.io/rabbitmq:3.9.0-management
     rabbitmq: docker.io/rabbitmq:3.9.0
+network:
+  management:
+    ingress:
+      classes:
+        namespace: "nginx-openstack"
+        cluster: "nginx"
 pod:
   affinity:
     anti: