Support TLS endpoints in nova
This allows nova to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints, and nova itself interacts with other openstack services via endpoints. Change-Id: Iff4422360ca51e94fd1b00854693e266cc202390
parent
45ea26175b
commit
8b2ba7b029
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Nova
|
||||
name: nova
|
||||
version: 0.2.35
|
||||
version: 0.2.36
|
||||
home: https://docs.openstack.org/nova/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
|
||||
sources:
|
||||
|
@ -59,6 +59,11 @@ spec:
|
||||
{{ dict "envAll" $envAll "application" "archive_deleted_rows" "container" "nova_archive_deleted_rows" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
command:
|
||||
- /tmp/archive-deleted-rows.sh
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
@ -74,6 +79,7 @@ spec:
|
||||
mountPath: /tmp/archive-deleted-rows.sh
|
||||
readOnly: true
|
||||
subPath: archive-deleted-rows.sh
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -85,4 +91,6 @@ spec:
|
||||
- name: archive-deleted-rows-conf
|
||||
secret:
|
||||
secretName: nova-etc
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- end }}
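Review bot: The `tls_volume_mount` call added in the second hunk for `.Values.secrets.tls.compute.osapi.internal` passes `"path" "/etc/nova/certs"` but no `"certs"` list, so this cron job presumably receives every file the snippet mounts by default, which may include the API's private key, although the only consumer added here is `REQUESTS_CA_BUNDLE` pointing at `ca.crt`. The conductor template in this same commit already restricts its mount with `"certs" (tuple "ca.crt")`; the same argument on the mount line here would keep key material out of a pod that only verifies a peer. The helm-toolkit snippet is not shown on this page, so the default file set should be confirmed there. The same applies to the matching mount in the cron-job cell-setup section that follows.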
|
||||
|
@ -59,6 +59,11 @@ spec:
|
||||
{{ dict "envAll" $envAll "application" "cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
command:
|
||||
- /tmp/cell-setup.sh
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
@ -82,7 +87,9 @@ spec:
|
||||
mountPath: /etc/nova/policy.yaml
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -96,5 +103,7 @@ spec:
|
||||
configMap:
|
||||
name: nova-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
|
||||
{{- end }}
|
||||
|
@ -58,7 +58,7 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "service_cleaner" "container" "nova_service_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
|
||||
{{- end }}
|
||||
command:
|
||||
@ -72,7 +72,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: etcnova
|
||||
mountPath: /etc/nova
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -86,5 +86,5 @@ spec:
|
||||
configMap:
|
||||
name: nova-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- end }}
|
||||
|
@ -276,7 +276,7 @@ spec:
|
||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||
- name: RPC_PROBE_RETRIES
|
||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
@ -431,7 +431,7 @@ spec:
|
||||
subPath: tf-plugin.pth
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{- if .Values.network.ssh.enabled }}
|
||||
@ -444,7 +444,7 @@ spec:
|
||||
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.network.ssh.key_types | quote }}
|
||||
- name: SSH_PORT
|
||||
value: {{ .Values.network.ssh.port | quote }}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
@ -460,7 +460,7 @@ spec:
|
||||
mountPath: /tmp/ssh-start.sh
|
||||
subPath: ssh-start.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
||||
{{ end }}
|
||||
volumes:
|
||||
@ -546,7 +546,7 @@ spec:
|
||||
- name: tf-plugin-bin
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -72,6 +72,11 @@ spec:
|
||||
{{ tuple $envAll "nova_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova" "container" "nova_osapi" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/nova-api.sh
|
||||
- start
|
||||
@ -130,7 +135,7 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -151,7 +156,7 @@ spec:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -91,7 +91,7 @@ spec:
|
||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||
- name: RPC_PROBE_RETRIES
|
||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
@ -122,7 +122,7 @@ spec:
|
||||
mountPath: /etc/nova/policy.yaml
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
|
||||
@ -137,7 +137,7 @@ spec:
|
||||
secret:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
|
||||
|
@ -91,7 +91,7 @@ spec:
|
||||
value: "{{ .Values.pod.probes.rpc_timeout }}"
|
||||
- name: RPC_PROBE_RETRIES
|
||||
value: "{{ .Values.pod.probes.rpc_retries }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
@ -123,7 +123,7 @@ spec:
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -138,7 +138,7 @@ spec:
|
||||
secretName: nova-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -71,7 +71,7 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "bootstrap" "container" "bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: WAIT_PERCENTAGE
|
||||
@ -99,7 +99,7 @@ spec:
|
||||
mountPath: {{ $logConfigFile | quote }}
|
||||
subPath: {{ base $logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -113,7 +113,7 @@ spec:
|
||||
secret:
|
||||
secretName: {{ $configMapEtc | quote }}
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
@ -64,7 +64,7 @@ spec:
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
@ -76,12 +76,17 @@ spec:
|
||||
mountPath: /tmp/cell-setup-init.sh
|
||||
subPath: cell-setup-init.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
containers:
|
||||
- name: nova-cell-setup
|
||||
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/nova/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/cell-setup.sh
|
||||
volumeMounts:
|
||||
@ -108,6 +113,7 @@ spec:
|
||||
subPath: policy.yaml
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -122,7 +128,7 @@ spec:
|
||||
name: nova-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
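Review bot: In the `nova-cell-setup` container the new `REQUESTS_CA_BUNDLE` is `/etc/nova/certs/ca.crt`, but the mount added for `.Values.secrets.tls.compute.osapi.internal` in the third hunk passes no `"path"`, unlike the cron-job variant of this job, which passes `"path" "/etc/nova/certs"`. Unless the snippet's default mount location happens to be that directory (the snippet is not shown here, and the override file in this commit uses `/etc/ssl/certs/openstack-helm.crt`), the variable names a file that does not exist and HTTPS calls from the container will fail certificate verification. Adding `"path" "/etc/nova/certs" "certs" (tuple "ca.crt")` to that mount would line the two up and mount only the CA. The init-container mount in the second hunk also lost its `(tuple "ca.crt")` argument rather than gaining the `"certs"` key it was missing.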
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
|
||||
|
||||
{{- if .Values.manifests.job_ks_endpoints }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_ks_placement_endpoints }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.pod.tolerations.nova.enabled -}}
|
||||
|
@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_ks_placement_service }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.pod.tolerations.nova.enabled -}}
|
||||
|
@ -14,7 +14,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.job_ks_placement_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "placement" "serviceUser" "placement" "configMapBin" "nova-bin" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.pod.tolerations.nova.enabled -}}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-3"
|
||||
|
||||
{{- if .Values.manifests.job_ks_service }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -2520,6 +2520,11 @@ health_probe:
|
||||
logging:
|
||||
level: ERROR
|
||||
|
||||
tls:
|
||||
identity: false
|
||||
oslo_messaging: false
|
||||
oslo_db: false
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
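Review bot: Of the three flags added under `tls:`, only `identity` is read by any template visible in this commit; the MySQL and RabbitMQ certificate mounts are still gated on `manifests.certificates` alone, so setting `oslo_db: true` or `oslo_messaging: true` would appear to change nothing. An operator who sets them could reasonably believe those connections are now protected by TLS. Either wire the flags into the corresponding mounts or say so in the file, for example `# oslo_messaging / oslo_db: reserved, not yet consumed by the templates`.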
|
||||
|
14
nova/values_overrides/tls-offloading.yaml
Normal file
14
nova/values_overrides/tls-offloading.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
endpoints:
|
||||
identity:
|
||||
auth:
|
||||
admin:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
nova:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
test:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
|
||||
tls:
|
||||
identity: true
|
||||
...
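Review bot: This override has no header comment, and it relies on two things a reader cannot see from the file: that `/etc/ssl/certs/openstack-helm.crt` is where the CA ends up inside the pods, and that the secret named by `secrets.tls.compute.osapi.internal` already exists, since `manifests.certificates` keeps its default of false here (what creates that secret is not shown on this page). A short comment such as `# TLS is terminated outside nova; clients verify the identity endpoint with a CA from an existing secret` would state that. Elsewhere in this commit `REQUESTS_CA_BUNDLE` is set to `/etc/nova/certs/ca.crt`, so it is worth saying which path each client reads.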
|
@ -56,4 +56,5 @@ nova:
|
||||
- 0.2.33 Cleanup old releases
|
||||
- 0.2.34 Remove consoleauth in nova
|
||||
- 0.2.35 Enable taint toleration for Openstack services
|
||||
- 0.2.36 Support TLS endpoints
|
||||
...
|
||||
|