Support TLS endpoints in heat
This allows heat to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And heat itself interact with other openstack services via endpoints. Change-Id: I7af6c52377db479b7f7e28ade23582dcc6f8f2f9
This commit is contained in:
parent
d1a7abeb0c
commit
68822ee439
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Heat
|
||||
name: heat
|
||||
version: 0.2.15
|
||||
version: 0.2.16
|
||||
home: https://docs.openstack.org/heat/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
|
||||
sources:
|
||||
|
@ -67,6 +67,11 @@ spec:
|
||||
{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/heat/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/heat-engine-cleaner.sh
|
||||
volumeMounts:
|
||||
@ -88,6 +93,7 @@ spec:
|
||||
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||
{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
|
||||
volumes:
|
||||
@ -99,6 +105,7 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
- name: heat-bin
|
||||
configMap:
|
||||
|
@ -60,6 +60,11 @@ spec:
|
||||
- name: heat-purge-deleted
|
||||
{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/heat/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/heat-purge-deleted-active.sh
|
||||
- {{ quote .Values.jobs.purge_deleted.purge_age }}
|
||||
@ -82,6 +87,7 @@ spec:
|
||||
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
|
||||
{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
|
||||
volumes:
|
||||
@ -93,6 +99,7 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
- name: heat-bin
|
||||
configMap:
|
||||
|
@ -62,6 +62,11 @@ spec:
|
||||
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/heat/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/heat-api.sh
|
||||
- start
|
||||
@ -124,7 +129,7 @@ spec:
|
||||
subPath: mpm_event.conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -142,7 +147,7 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -62,6 +62,11 @@ spec:
|
||||
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/heat/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/heat-cfn.sh
|
||||
- start
|
||||
@ -124,7 +129,7 @@ spec:
|
||||
subPath: mpm_event.conf
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -141,6 +146,6 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -70,6 +70,11 @@ spec:
|
||||
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/heat/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/heat-engine.sh
|
||||
- start
|
||||
@ -103,7 +108,7 @@ spec:
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -119,8 +124,8 @@ spec:
|
||||
secret:
|
||||
secretName: heat-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
|
||||
|
||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
|
||||
|
||||
{{- if .Values.manifests.job_ks_endpoints }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
|
||||
|
||||
{{- if .Values.manifests.job_ks_service }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -64,9 +64,9 @@ spec:
|
||||
mountPath: /tmp/ks-domain-user.sh
|
||||
subPath: ks-domain-user.sh
|
||||
readOnly: true
|
||||
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_SERVICE_NAME
|
||||
@ -100,5 +100,5 @@ spec:
|
||||
configMap:
|
||||
name: heat-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -18,7 +18,7 @@ helm.sh/hook: post-install,post-upgrade
|
||||
|
||||
{{- if .Values.manifests.job_ks_user_trustee }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -68,10 +68,10 @@ spec:
|
||||
mountPath: /tmp/trusts.sh
|
||||
subPath: trusts.sh
|
||||
readOnly: true
|
||||
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_ROLES
|
||||
@ -87,5 +87,5 @@ spec:
|
||||
configMap:
|
||||
name: heat-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
||||
|
@ -1326,6 +1326,11 @@ network_policy:
|
||||
# set helm3_hook: false when using the helm2 binary.
|
||||
helm3_hook: true
|
||||
|
||||
tls:
|
||||
identity: false
|
||||
oslo_messaging: false
|
||||
oslo_db: false
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
|
16
heat/values_overrides/tls-offloading.yaml
Normal file
16
heat/values_overrides/tls-offloading.yaml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
endpoints:
|
||||
identity:
|
||||
auth:
|
||||
admin:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
heat:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
heat_trustee:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
test:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
|
||||
tls:
|
||||
identity: true
|
||||
...
|
@ -22,4 +22,5 @@ heat:
|
||||
- 0.2.13 Add Xena and Yoga values overrides
|
||||
- 0.2.14 Added OCI registry authentication
|
||||
- 0.2.15 Distinguish between port number of internal endpoint and binding port number
|
||||
- 0.2.16 Support TLS endpoints
|
||||
...
|
||||
|
Loading…
x
Reference in New Issue
Block a user