Support TLS endpoints in cinder
This allows cinder to consume TLS openstack endpoints. Jobs consume openstack endpoints, typically identity endpoints. And cinder itself interact with other openstack services via endpoints. Change-Id: Id5668f9dde1f63fe472fef639571936de831e217
This commit is contained in:
parent
d2be022999
commit
f16ac05866
@ -14,7 +14,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Cinder
|
||||
name: cinder
|
||||
version: 0.2.26
|
||||
version: 0.2.27
|
||||
home: https://docs.openstack.org/cinder/latest/
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
|
||||
sources:
|
||||
|
@ -64,6 +64,11 @@ spec:
|
||||
{{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
|
||||
{{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
env:
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/cinder/certs/ca.crt"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/volume-usage-audit.sh
|
||||
volumeMounts:
|
||||
@ -85,6 +90,7 @@ spec:
|
||||
mountPath: /tmp/volume-usage-audit.sh
|
||||
subPath: volume-usage-audit.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
||||
{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
|
||||
@ -101,6 +107,7 @@ spec:
|
||||
configMap:
|
||||
name: cinder-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
||||
{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
|
||||
|
@ -80,6 +80,11 @@ spec:
|
||||
command:
|
||||
- /tmp/cinder-api.sh
|
||||
- start
|
||||
env:
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/cinder/certs/ca.crt"
|
||||
{{- end }}
|
||||
lifecycle:
|
||||
preStop:
|
||||
exec:
|
||||
@ -156,7 +161,7 @@ spec:
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
@ -179,7 +184,7 @@ spec:
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -131,9 +131,9 @@ spec:
|
||||
readOnly: true
|
||||
- name: pod-shared
|
||||
mountPath: /tmp/pod-shared
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: INTERNAL_PROJECT_NAME
|
||||
@ -150,6 +150,11 @@ spec:
|
||||
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /tmp/cinder-volume.sh
|
||||
env:
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
||||
- name: REQUESTS_CA_BUNDLE
|
||||
value: "/etc/cinder/certs/ca.crt"
|
||||
{{- end }}
|
||||
terminationMessagePath: /var/log/termination-log
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
@ -269,7 +274,7 @@ spec:
|
||||
mountPropagation: HostToContainer
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
|
||||
@ -333,7 +338,7 @@ spec:
|
||||
path: /sys
|
||||
{{- end }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "5"
|
||||
|
||||
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
||||
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.pod.tolerations.cinder.enabled -}}
|
||||
|
@ -68,9 +68,9 @@ spec:
|
||||
mountPath: /tmp/create-internal-tenant.sh
|
||||
subPath: create-internal-tenant.sh
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_SERVICE_NAME
|
||||
@ -97,5 +97,5 @@ spec:
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end -}}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-2"
|
||||
|
||||
{{- if .Values.manifests.job_ks_endpoints }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -25,7 +25,7 @@ helm.sh/hook-weight: "-3"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -19,7 +19,7 @@ helm.sh/hook-weight: "-1"
|
||||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
|
||||
{{- end -}}
|
||||
{{- if .Values.helm3_hook }}
|
||||
|
@ -1481,6 +1481,11 @@ network_policy:
|
||||
# set helm3_hook: false when using the helm2 binary.
|
||||
helm3_hook: true
|
||||
|
||||
tls:
|
||||
identity: false
|
||||
oslo_messaging: false
|
||||
oslo_db: false
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
|
12
cinder/values_overrides/tls-offloading.yaml
Normal file
12
cinder/values_overrides/tls-offloading.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
endpoints:
|
||||
identity:
|
||||
auth:
|
||||
admin:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
test:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
|
||||
tls:
|
||||
identity: true
|
||||
...
|
@ -43,4 +43,5 @@ cinder:
|
||||
- 0.2.24 Fix conditional check for cinder.utils.has_ceph_backend template
|
||||
- 0.2.25 Remove volumes unrelated with ceph backend from conditional volume list in cinder-volume deployment
|
||||
- 0.2.26 Distinguish between port number of internal endpoint and binding port number
|
||||
- 0.2.27 Support TLS endpoints
|
||||
...
|
||||
|
Loading…
x
Reference in New Issue
Block a user