
After the OSH upversion to Caracal, a new pod was being deployed in the controller for Neutron: the rpc-server, which was added as part of the Neutron Helm chart deployment. The problem was that patches 0007 and 0008 from OSH remove some TLS-related information and, because this is a new template, the rpc-server was not included in this cleanup. This review adds the rpc-server to the list of templates that are cleaned by patches 0007 and 0008. Test Plan: PASS - Build OSH and STX-O tarball PASS - Deploy STX-O in a system with https enabled PASS - Neutron rpc-server pod is running PASS - Create Networks and launch a VM Closes-Bug: #2103801 Change-Id: I84140bbd957ca07a0a53cde2bf58e0ededdb914d Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
From bba7b91404e1c00b3576c84c809047f8f640fccf Mon Sep 17 00:00:00 2001
|
|
From: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
|
|
Date: Thu, 10 Feb 2022 16:23:26 -0300
|
|
Subject: [PATCH] Remove TLS from openstack services at backend
|
|
|
|
Openstack-helm provides the option to terminate TLS at the services.
|
|
However, at Starlingx TLS termination is done at the reverse
|
|
proxy (ingress) and therefore is unecessary for the OpenStack to be
|
|
HTTPS. Removing this option creates a cumbersome override file, so
|
|
to diminish this overrides this patches disables https at the backend
|
|
|
|
Signed-off-by: Lucas Cavalcante <lucasmedeiros.cavalcante@windriver.com>
|
|
[ upversioned openstack-helm base commit ]
|
|
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
|
|
[ Replicated changes to `cinder-volume-usage-audit` cron job ]
|
|
Signed-off-by: Luan Nunes Utimura <LuanNunes.Utimura@windriver.com>
|
|
[ Changed Horizon SSL Cert paths ]
|
|
Signed-off-by: Lucas de Ataides <lucas.deataidesbarreto@windriver.com>
|
|
[ Upversioned openstack-helm base commit to Caracal ]
|
|
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
|
|
[ Add changes to rpc-server deployment ]
|
|
Signed-off-by: Daniel Caires <DanielMarques.Caires@windriver.com>
|
|
Change-Id: Ibc0e53d95cfe43e0e04c9cc14bc81469fb919a40
|
|
---
|
|
cinder/templates/bin/_cinder-api.sh.tpl | 40 -----------
|
|
cinder/templates/certificates.yaml | 17 -----
|
|
cinder/templates/configmap-etc.yaml | 4 --
|
|
.../cron-job-cinder-volume-usage-audit.yaml | 4 +-
|
|
cinder/templates/deployment-api.yaml | 28 ++------
|
|
cinder/templates/deployment-scheduler.yaml | 4 +-
|
|
cinder/templates/deployment-volume.yaml | 6 +-
|
|
cinder/templates/ingress-api.yaml | 7 +-
|
|
cinder/templates/job-bootstrap.yaml | 2 +-
|
|
.../templates/job-create-internal-tenant.yaml | 4 +-
|
|
cinder/templates/job-ks-endpoints.yaml | 2 +-
|
|
cinder/templates/job-ks-service.yaml | 2 +-
|
|
cinder/templates/job-ks-user.yaml | 2 +-
|
|
cinder/templates/pod-rally-test.yaml | 6 +-
|
|
glance/templates/certificates.yaml | 17 -----
|
|
glance/templates/deployment-api.yaml | 61 +---------------
|
|
glance/templates/ingress-api.yaml | 7 +-
|
|
glance/templates/job-bootstrap.yaml | 2 +-
|
|
glance/templates/job-ks-endpoints.yaml | 2 +-
|
|
glance/templates/job-ks-service.yaml | 2 +-
|
|
glance/templates/job-ks-user.yaml | 2 +-
|
|
glance/templates/job-storage-init.yaml | 4 +-
|
|
glance/templates/pod-rally-test.yaml | 6 +-
|
|
heat/templates/bin/_heat-api.sh.tpl | 36 ----------
|
|
heat/templates/bin/_heat-cfn.sh.tpl | 37 ----------
|
|
heat/templates/certificates.yaml | 18 -----
|
|
heat/templates/deployment-api.yaml | 14 +---
|
|
heat/templates/deployment-cfn.yaml | 14 +---
|
|
heat/templates/deployment-engine.yaml | 4 +-
|
|
heat/templates/ingress-api.yaml | 4 --
|
|
heat/templates/ingress-cfn.yaml | 4 --
|
|
heat/templates/job-bootstrap.yaml | 2 +-
|
|
heat/templates/job-ks-endpoints.yaml | 2 +-
|
|
heat/templates/job-ks-service.yaml | 2 +-
|
|
heat/templates/job-ks-user-domain.yaml | 4 +-
|
|
heat/templates/job-ks-user-trustee.yaml | 2 +-
|
|
heat/templates/job-ks-user.yaml | 2 +-
|
|
heat/templates/job-trusts.yaml | 4 +-
|
|
heat/templates/pod-rally-test.yaml | 6 +-
|
|
horizon/templates/certificates.yaml | 17 -----
|
|
horizon/templates/deployment.yaml | 6 +-
|
|
horizon/templates/ingress-api.yaml | 4 --
|
|
horizon/templates/pod-helm-tests.yaml | 4 +-
|
|
horizon/values.yaml | 2 +-
|
|
keystone/templates/bin/_keystone-api.sh.tpl | 4 --
|
|
keystone/templates/certificates.yaml | 17 -----
|
|
keystone/templates/deployment-api.yaml | 8 ++-
|
|
keystone/templates/ingress-api.yaml | 7 +-
|
|
keystone/templates/job-bootstrap.yaml | 4 +-
|
|
keystone/templates/job-domain-manage.yaml | 14 +---
|
|
keystone/templates/pod-rally-test.yaml | 16 ++---
|
|
neutron/templates/certificates.yaml | 17 -----
|
|
.../templates/daemonset-metadata-agent.yaml | 4 +-
|
|
neutron/templates/deployment-rpc_server.yaml | 4 +-
|
|
neutron/templates/deployment-server.yaml | 70 +------------------
|
|
neutron/templates/ingress-server.yaml | 4 --
|
|
neutron/templates/job-bootstrap.yaml | 2 +-
|
|
neutron/templates/job-ks-endpoints.yaml | 2 +-
|
|
neutron/templates/job-ks-service.yaml | 2 +-
|
|
neutron/templates/job-ks-user.yaml | 2 +-
|
|
neutron/templates/pod-rally-test.yaml | 8 +--
|
|
neutron/values.yaml | 1 +
|
|
nova/templates/bin/_nova-api-metadata.sh.tpl | 38 ----------
|
|
nova/templates/bin/_nova-api.sh.tpl | 39 -----------
|
|
nova/templates/certificates.yaml | 30 --------
|
|
nova/templates/cron-job-service-cleaner.yaml | 4 +-
|
|
nova/templates/daemonset-compute.yaml | 10 +--
|
|
nova/templates/deployment-api-metadata.yaml | 16 +----
|
|
nova/templates/deployment-api-osapi.yaml | 16 +----
|
|
nova/templates/deployment-conductor.yaml | 6 +-
|
|
nova/templates/deployment-novncproxy.yaml | 4 +-
|
|
nova/templates/deployment-scheduler.yaml | 6 +-
|
|
nova/templates/deployment-spiceproxy.yaml | 4 +-
|
|
nova/templates/ingress-metadata.yaml | 4 --
|
|
nova/templates/ingress-novncproxy.yaml | 4 --
|
|
nova/templates/ingress-osapi.yaml | 4 --
|
|
nova/templates/job-bootstrap.yaml | 4 +-
|
|
nova/templates/job-cell-setup.yaml | 6 +-
|
|
nova/templates/job-ks-endpoints.yaml | 2 +-
|
|
nova/templates/job-ks-service.yaml | 2 +-
|
|
nova/templates/job-ks-user.yaml | 2 +-
|
|
nova/templates/pod-rally-test.yaml | 6 +-
|
|
placement/templates/certificates.yaml | 17 -----
|
|
placement/templates/deployment.yaml | 4 +-
|
|
placement/templates/ingress.yaml | 4 --
|
|
placement/templates/job-ks-endpoints.yaml | 2 +-
|
|
placement/templates/job-ks-service.yaml | 2 +-
|
|
placement/templates/job-ks-user.yaml | 2 +-
|
|
88 files changed, 129 insertions(+), 714 deletions(-)
|
|
delete mode 100644 cinder/templates/certificates.yaml
|
|
delete mode 100644 glance/templates/certificates.yaml
|
|
delete mode 100644 heat/templates/certificates.yaml
|
|
delete mode 100644 horizon/templates/certificates.yaml
|
|
delete mode 100644 keystone/templates/certificates.yaml
|
|
delete mode 100644 neutron/templates/certificates.yaml
|
|
delete mode 100644 nova/templates/certificates.yaml
|
|
delete mode 100644 placement/templates/certificates.yaml
|
|
|
|
diff --git a/cinder/templates/bin/_cinder-api.sh.tpl b/cinder/templates/bin/_cinder-api.sh.tpl
|
|
index 73ae5718..993e47e9 100644
|
|
--- a/cinder/templates/bin/_cinder-api.sh.tpl
|
|
+++ b/cinder/templates/bin/_cinder-api.sh.tpl
|
|
@@ -18,51 +18,11 @@ set -ex
|
|
COMMAND="${@:-start}"
|
|
|
|
function start () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- for WSGI_SCRIPT in cinder-wsgi; do
|
|
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
|
|
- done
|
|
-
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2enmod }}
|
|
- {{- range .Values.conf.software.apache2.a2enmod }}
|
|
- a2enmod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2dismod }}
|
|
- {{- range .Values.conf.software.apache2.a2dismod }}
|
|
- a2dismod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
- if [ -f /var/run/apache2/apache2.pid ]; then
|
|
- # Remove the stale pid for debian/ubuntu images
|
|
- rm -f /var/run/apache2/apache2.pid
|
|
- fi
|
|
- # Starts Apache2
|
|
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
|
-{{- else }}
|
|
exec uwsgi --ini /etc/cinder/cinder-api-uwsgi.ini
|
|
-{{- end }}
|
|
}
|
|
|
|
function stop () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
-{{- else }}
|
|
kill -TERM 1
|
|
-{{- end }}
|
|
}
|
|
|
|
$COMMAND
|
|
diff --git a/cinder/templates/certificates.yaml b/cinder/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index 7ccf6ca1..00000000
|
|
--- a/cinder/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,17 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml
|
|
index 1a20ea84..1a26cc4f 100644
|
|
--- a/cinder/templates/configmap-etc.yaml
|
|
+++ b/cinder/templates/configmap-etc.yaml
|
|
@@ -179,10 +179,6 @@ data:
|
|
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
|
|
cinder-api-uwsgi.ini: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.cinder_api_uwsgi | b64enc }}
|
|
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
|
|
-{{- if .Values.manifests.certificates }}
|
|
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
|
|
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
|
|
-{{- end }}
|
|
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
|
|
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
|
|
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
|
|
diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
|
|
index 897b5b63..0c2c6bac 100644
|
|
--- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
|
|
+++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
|
|
@@ -90,7 +90,7 @@ spec:
|
|
mountPath: /tmp/volume-usage-audit.sh
|
|
subPath: volume-usage-audit.sh
|
|
readOnly: true
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
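Review bot: The mounted secret changes from `.Values.secrets.tls.volume.api.internal` to `.Values.secrets.tls.volume.api.public` while the `enabled` expression stays the same, and this patch also deletes `cinder/templates/certificates.yaml`, so nothing visible in the chart creates the secret that is now referenced. If `manifests.certificates` or `tls.identity` is true and the platform has not provisioned that secret, the pod will presumably stay pending on the missing volume. It is also worth confirming that backend pods only receive the CA from the public secret and not the endpoint's private key. The same swap recurs in the second hunk of this file and in the deployment-*, job-* and pod-rally-test hunks; a single template comment such as `{{/* TLS terminates at the ingress; secrets.tls.volume.api.public must be provisioned outside this chart */}}` would record the dependency.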
|
|
@@ -107,7 +107,7 @@ spec:
|
|
configMap:
|
|
name: cinder-bin
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
|
|
diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml
|
|
index 641ed3b4..ea31f7e7 100644
|
|
--- a/cinder/templates/deployment-api.yaml
|
|
+++ b/cinder/templates/deployment-api.yaml
|
|
@@ -78,6 +78,10 @@ spec:
|
|
{{ tuple $envAll "cinder_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "cinder_api" "container" "cinder_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
+ env:
|
|
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
|
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
|
+{{- end }}
|
|
command:
|
|
- /tmp/cinder-api.sh
|
|
- start
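Review bot: The added `env:` block injects the Keystone admin openrc variables (`ksUserSecret` is `.Values.secrets.identity.admin`) into the long-running `cinder_api` container, which is unrelated to removing backend TLS and is not explained in the commit message. Admin credentials in the environment of a network-facing API process widen what a compromise of that process exposes, so the block should be dropped unless something in the container needs it, and documented if it does. If it stays, its `useCA` should match the CA mount further down in this file: `"useCA" (or .Values.manifests.certificates .Values.tls.identity)`. The container spec continues outside this hunk.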
|
|
@@ -114,8 +118,6 @@ spec:
|
|
volumeMounts:
|
|
- name: pod-tmp
|
|
mountPath: /tmp
|
|
- - name: wsgi-cinder
|
|
- mountPath: /var/www/cgi-bin/cinder
|
|
- name: cinder-bin
|
|
mountPath: /tmp/cinder-api.sh
|
|
subPath: cinder-api.sh
|
|
@@ -150,35 +152,17 @@ spec:
|
|
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
|
|
subPath: resource_filters.json
|
|
readOnly: true
|
|
-{{- if .Values.conf.security }}
|
|
- - name: cinder-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
|
|
- subPath: security.conf
|
|
- readOnly: true
|
|
-{{- end }}
|
|
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
|
|
- name: cinder-coordination
|
|
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
|
|
{{- end }}
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: cinder-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
|
|
- subPath: wsgi-cinder.conf
|
|
- readOnly: true
|
|
- - name: cinder-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
|
- subPath: mpm_event.conf
|
|
- readOnly: true
|
|
- {{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
emptyDir: {}
|
|
- - name: wsgi-cinder
|
|
- emptyDir: {}
|
|
- name: cinder-bin
|
|
configMap:
|
|
name: cinder-bin
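Review bot: The API mount drops `"path" "/etc/cinder/certs"` while the cron-job hunks of this patch keep it, so the two templates no longer mount the certificate material at the same location. If `helm-toolkit.snippets.tls_volume_mount` uses a different default location when no path is passed, any cinder setting that still reads `/etc/cinder/certs` would silently miss the CA. Either keep the argument here, `"name" .Values.secrets.tls.volume.api.public "path" "/etc/cinder/certs"`, or drop it in the cron job too and state the reason in the commit message. The scheduler and volume deployment hunks make the same change.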
|
|
@@ -194,7 +178,7 @@ spec:
|
|
emptyDir: {}
|
|
{{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml
|
|
index 03206a8d..68c6cb6d 100644
|
|
--- a/cinder/templates/deployment-scheduler.yaml
|
|
+++ b/cinder/templates/deployment-scheduler.yaml
|
|
@@ -108,7 +108,7 @@ spec:
|
|
- name: cinder-coordination
|
|
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
|
|
{{- end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_cinder_scheduler.volumeMounts }}{{ toYaml $mounts_cinder_scheduler.volumeMounts | indent 12 }}{{ end }}
|
|
@@ -129,7 +129,7 @@ spec:
|
|
- name: cinder-coordination
|
|
emptyDir: {}
|
|
{{- end }}
|
|
- {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+ {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_cinder_scheduler.volumes }}{{ toYaml $mounts_cinder_scheduler.volumes | indent 8 }}{{ end }}
|
|
diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml
|
|
index 93625536..65f7677f 100644
|
|
--- a/cinder/templates/deployment-volume.yaml
|
|
+++ b/cinder/templates/deployment-volume.yaml
|
|
@@ -132,7 +132,7 @@ spec:
|
|
readOnly: true
|
|
- name: pod-shared
|
|
mountPath: /tmp/pod-shared
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
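Review bot: The mount's guard is narrowed from `(or .Values.manifests.certificates .Values.tls.identity)` to `.Values.manifests.certificates`, but the `useCA` expression three lines below still uses the `or`. With `tls.identity` true and `manifests.certificates` false, the openrc variables would presumably still point clients at a CA file that is no longer mounted. The likely outcomes are a failed Keystone call or a temptation to turn verification off. Keep the two conditions identical, e.g. `dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public`. The other two hunks of this file narrow the guard in the same way.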
|
|
@@ -282,7 +282,7 @@ spec:
|
|
mountPropagation: HostToContainer
|
|
{{- end }}
|
|
{{- end }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
|
|
@@ -352,7 +352,7 @@ spec:
|
|
path: /sys
|
|
{{- end }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/cinder/templates/ingress-api.yaml b/cinder/templates/ingress-api.yaml
|
|
index 4586d3a1..a514adfd 100644
|
|
--- a/cinder/templates/ingress-api.yaml
|
|
+++ b/cinder/templates/ingress-api.yaml
|
|
@@ -13,11 +13,6 @@ limitations under the License.
|
|
*/}}
|
|
|
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
|
-{{- $envAll := . -}}
|
|
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
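Review bot: With the `certIssuer` branch removed, nothing in this template tells a reader that the ingress is deliberately rendered without a chart-managed certificate. A short template comment above `$ingressOpts` would stop someone from re-adding the issuer or assuming the endpoint is meant to be plaintext: `{{/* certIssuer intentionally unset: TLS is terminated by the platform ingress, not by this chart */}}`. The commit message states that intent, but it is not visible in the chart source itself.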
|
|
diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml
|
|
index 271b9483..8880d170 100644
|
|
--- a/cinder/templates/job-bootstrap.yaml
|
|
+++ b/cinder/templates/job-bootstrap.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5"
|
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
|
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.pod.tolerations.cinder.enabled -}}
|
|
{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
|
|
diff --git a/cinder/templates/job-create-internal-tenant.yaml b/cinder/templates/job-create-internal-tenant.yaml
|
|
index 1a0a475b..83c95309 100644
|
|
--- a/cinder/templates/job-create-internal-tenant.yaml
|
|
+++ b/cinder/templates/job-create-internal-tenant.yaml
|
|
@@ -68,7 +68,7 @@ spec:
|
|
mountPath: /tmp/create-internal-tenant.sh
|
|
subPath: create-internal-tenant.sh
|
|
readOnly: true
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
|
@@ -97,5 +97,5 @@ spec:
|
|
configMap:
|
|
name: {{ $configMapBin | quote }}
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- end -}}
|
|
diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml
|
|
index cee225b3..59b93dd2 100644
|
|
--- a/cinder/templates/job-ks-endpoints.yaml
|
|
+++ b/cinder/templates/job-ks-endpoints.yaml
|
|
@@ -27,7 +27,7 @@ helm.sh/hook-weight: "-2"
|
|
{{- if .Values.manifests.job_ks_endpoints }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
|
|
diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml
|
|
index ff83df34..4b1092d1 100644
|
|
--- a/cinder/templates/job-ks-service.yaml
|
|
+++ b/cinder/templates/job-ks-service.yaml
|
|
@@ -33,7 +33,7 @@ helm.sh/hook-weight: "-3"
|
|
{{- end }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( $volTypes ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
|
|
diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml
|
|
index a53a88d8..37316965 100644
|
|
--- a/cinder/templates/job-ks-user.yaml
|
|
+++ b/cinder/templates/job-ks-user.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
|
|
{{- if .Values.manifests.job_ks_user }}
|
|
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
|
|
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
|
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml
|
|
index 3ed52cde..14b83620 100644
|
|
--- a/cinder/templates/pod-rally-test.yaml
|
|
+++ b/cinder/templates/pod-rally-test.yaml
|
|
@@ -53,7 +53,7 @@ spec:
|
|
mountPath: /tmp/ks-user.sh
|
|
subPath: ks-user.sh
|
|
readOnly: true
|
|
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
@@ -93,7 +93,7 @@ spec:
|
|
readOnly: true
|
|
- name: rally-db
|
|
mountPath: /var/lib/rally
|
|
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -108,6 +108,6 @@ spec:
|
|
defaultMode: 0555
|
|
- name: rally-db
|
|
emptyDir: {}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/glance/templates/certificates.yaml b/glance/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index deb2a237..00000000
|
|
--- a/glance/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,17 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
|
|
index b70d44ca..e41e5a2e 100644
|
|
--- a/glance/templates/deployment-api.yaml
|
|
+++ b/glance/templates/deployment-api.yaml
|
|
@@ -13,34 +13,18 @@ limitations under the License.
|
|
*/}}
|
|
|
|
{{- define "readinessProbeTemplate" }}
|
|
-{{- if .Values.manifests.certificates }}
|
|
-exec:
|
|
- command:
|
|
- - python
|
|
- - -c
|
|
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
|
-{{- else }}
|
|
httpGet:
|
|
scheme: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
|
path: /
|
|
port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
{{- end }}
|
|
-{{- end }}
|
|
|
|
{{- define "livenessProbeTemplate" }}
|
|
-{{- if .Values.manifests.certificates }}
|
|
-exec:
|
|
- command:
|
|
- - python
|
|
- - -c
|
|
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
|
-{{- else }}
|
|
httpGet:
|
|
scheme: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
|
path: /
|
|
port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
{{- end }}
|
|
-{{- end }}
|
|
|
|
{{- if .Values.manifests.deployment_api }}
|
|
{{- $envAll := . }}
|
|
@@ -133,47 +117,6 @@ spec:
|
|
readOnly: true
|
|
{{ end }}
|
|
containers:
|
|
- {{- if $envAll.Values.manifests.certificates }}
|
|
- - name: nginx
|
|
-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
-{{ dict "envAll" $envAll "application" "glance" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
- ports:
|
|
- - name: g-api
|
|
- containerPort: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- env:
|
|
- - name: PORT
|
|
- value: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
|
- - name: POD_IP
|
|
- valueFrom:
|
|
- fieldRef:
|
|
- fieldPath: status.podIP
|
|
- - name: SHORTNAME
|
|
- value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
|
|
- readinessProbe:
|
|
- tcpSocket:
|
|
- port: {{ tuple "image" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- initialDelaySeconds: 30
|
|
- command:
|
|
- - /tmp/nginx.sh
|
|
- - start
|
|
- lifecycle:
|
|
- preStop:
|
|
- exec:
|
|
- command:
|
|
- - /tmp/nginx.sh
|
|
- - stop
|
|
- volumeMounts:
|
|
- - name: glance-bin
|
|
- mountPath: /tmp/nginx.sh
|
|
- subPath: nginx.sh
|
|
- readOnly: true
|
|
- - name: glance-etc
|
|
- mountPath: /etc/nginx/nginx.conf
|
|
- subPath: nginx.conf
|
|
- readOnly: true
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
- {{- end }}
|
|
- name: glance-api
|
|
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
@@ -322,7 +265,7 @@ spec:
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
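Review bot: The new glance-api mount drops `"path" "/etc/glance/certs"`, so the location (and possibly the set) of certificate files inside the container now depends on the default of `helm-toolkit.snippets.tls_volume_mount`, which this patch does not show. Any `cafile`, `certfile` or `keyfile` value in the chart values or overrides that still points under `/etc/glance/certs` would name a missing file whenever `manifests.certificates` or `tls.identity` is true. The heat deployment-api, deployment-cfn and deployment-engine hunks drop `/etc/heat/certs` in the same way. Either keep the argument on the new line, `"name" $envAll.Values.secrets.tls.image.api.public "path" "/etc/glance/certs"`, or update those config paths in the same patch. The container spec this line belongs to starts outside the hunk.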
|
|
@@ -382,7 +325,7 @@ spec:
|
|
path: /sys
|
|
{{- end }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/glance/templates/ingress-api.yaml b/glance/templates/ingress-api.yaml
|
|
index 939855e0..497d96ad 100644
|
|
--- a/glance/templates/ingress-api.yaml
|
|
+++ b/glance/templates/ingress-api.yaml
|
|
@@ -13,11 +13,6 @@ limitations under the License.
|
|
*/}}
|
|
|
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
|
-{{- $envAll := . }}
|
|
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
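Review bot: With `certIssuer` no longer set on `$ingressOpts`, this template presumably stops requesting an issuer-signed certificate for the public glance ingress, while the commit message makes the ingress the only TLS termination point. The patch should say where the ingress certificate now comes from, for example with `{{/* ingress TLS secret is provisioned outside this chart; no certIssuer */}}` above the `dict` line, if that is how it is provisioned. The heat ingress-api and ingress-cfn hunks remove the same block. As a style point, this hunk inlines `.` for `envAll` while the heat ingress templates keep `{{- $envAll := . }}`; one form across the charts would read better.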
|
|
diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml
|
|
index c1af58dc..1097b8fd 100644
|
|
--- a/glance/templates/job-bootstrap.yaml
|
|
+++ b/glance/templates/job-bootstrap.yaml
|
|
@@ -31,7 +31,7 @@ volumes:
|
|
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
|
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
|
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
|
|
diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml
|
|
index fe761a38..c828eb80 100644
|
|
--- a/glance/templates/job-ks-endpoints.yaml
|
|
+++ b/glance/templates/job-ks-endpoints.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
|
|
{{- if .Values.manifests.job_ks_endpoints }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
|
|
diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml
|
|
index 8aaef789..9cf540f5 100644
|
|
--- a/glance/templates/job-ks-service.yaml
|
|
+++ b/glance/templates/job-ks-service.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
|
|
{{- if .Values.manifests.job_ks_service }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
|
|
diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml
|
|
index 7f646e39..38912a27 100644
|
|
--- a/glance/templates/job-ks-user.yaml
|
|
+++ b/glance/templates/job-ks-user.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
|
|
{{- if .Values.manifests.job_ks_user }}
|
|
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
|
|
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
|
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
|
|
index f6ac0a10..133e12be 100644
|
|
--- a/glance/templates/job-storage-init.yaml
|
|
+++ b/glance/templates/job-storage-init.yaml
|
|
@@ -168,7 +168,7 @@ spec:
|
|
- name: glance-images
|
|
mountPath: {{ .Values.conf.glance.glance_store.filesystem_store_datadir }}
|
|
{{ end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
emptyDir: {}
|
|
@@ -194,5 +194,5 @@ spec:
|
|
persistentVolumeClaim:
|
|
claimName: glance-images
|
|
{{ end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- end }}
|
|
diff --git a/glance/templates/pod-rally-test.yaml b/glance/templates/pod-rally-test.yaml
|
|
index 0ca17eb2..6732c239 100644
|
|
--- a/glance/templates/pod-rally-test.yaml
|
|
+++ b/glance/templates/pod-rally-test.yaml
|
|
@@ -60,7 +60,7 @@ spec:
|
|
mountPath: /tmp/ks-user.sh
|
|
subPath: ks-user.sh
|
|
readOnly: true
|
|
-{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
@@ -103,7 +103,7 @@ spec:
|
|
mountPath: /var/lib/rally
|
|
- name: rally-work
|
|
mountPath: /home/rally/.rally
|
|
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -120,6 +120,6 @@ spec:
|
|
emptyDir: {}
|
|
- name: rally-work
|
|
emptyDir: {}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/bin/_heat-api.sh.tpl b/heat/templates/bin/_heat-api.sh.tpl
|
|
index 35afabcb..90ac7c18 100644
|
|
--- a/heat/templates/bin/_heat-api.sh.tpl
|
|
+++ b/heat/templates/bin/_heat-api.sh.tpl
|
|
@@ -18,47 +18,11 @@ set -ex
|
|
COMMAND="${@:-start}"
|
|
|
|
function start () {
|
|
-
|
|
-{{- if .Values.manifests.certificates }}
|
|
- for WSGI_SCRIPT in heat-wsgi-api; do
|
|
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
|
|
- done
|
|
-
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2enmod }}
|
|
- {{- range .Values.conf.software.apache2.a2enmod }}
|
|
- a2enmod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2dismod }}
|
|
- {{- range .Values.conf.software.apache2.a2dismod }}
|
|
- a2dismod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
- if [ -f /var/run/apache2/apache2.pid ]; then
|
|
- # Remove the stale pid for debian/ubuntu images
|
|
- rm -f /var/run/apache2/apache2.pid
|
|
- fi
|
|
- # Starts Apache2
|
|
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
|
-{{- else }}
|
|
exec uwsgi --ini /etc/heat/heat-api-uwsgi.ini
|
|
-{{- end }}
|
|
}
|
|
|
|
function stop () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
-{{- else }}
|
|
kill -TERM 1
|
|
-{{- end }}
|
|
}
|
|
|
|
$COMMAND
|
|
diff --git a/heat/templates/bin/_heat-cfn.sh.tpl b/heat/templates/bin/_heat-cfn.sh.tpl
|
|
index ea94ce8a..338bc7f2 100644
|
|
--- a/heat/templates/bin/_heat-cfn.sh.tpl
|
|
+++ b/heat/templates/bin/_heat-cfn.sh.tpl
|
|
@@ -18,48 +18,11 @@ set -ex
|
|
COMMAND="${@:-start}"
|
|
|
|
function start () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- for WSGI_SCRIPT in heat-wsgi-api-cfn; do
|
|
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
|
|
- done
|
|
-
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
-
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2enmod }}
|
|
- {{- range .Values.conf.software.apache2.a2enmod }}
|
|
- a2enmod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2dismod }}
|
|
- {{- range .Values.conf.software.apache2.a2dismod }}
|
|
- a2dismod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-
|
|
- if [ -f /var/run/apache2/apache2.pid ]; then
|
|
- # Remove the stale pid for debian/ubuntu images
|
|
- rm -f /var/run/apache2/apache2.pid
|
|
- fi
|
|
- # Starts Apache2
|
|
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
|
-{{- else }}
|
|
exec uwsgi --ini /etc/heat/heat-api-cfn-uwsgi.ini
|
|
-{{- end }}
|
|
}
|
|
|
|
function stop () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
-{{- else }}
|
|
kill -TERM 1
|
|
-{{- end }}
|
|
}
|
|
|
|
$COMMAND
|
|
diff --git a/heat/templates/certificates.yaml b/heat/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index 353dfd69..00000000
|
|
--- a/heat/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,18 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml
|
|
index 05f8feae..cf1876d0 100644
|
|
--- a/heat/templates/deployment-api.yaml
|
|
+++ b/heat/templates/deployment-api.yaml
|
|
@@ -129,17 +129,7 @@ spec:
|
|
mountPath: /etc/heat/api_audit_map.conf
|
|
subPath: api_audit_map.conf
|
|
readOnly: true
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: heat-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
|
|
- subPath: wsgi-heat.conf
|
|
- readOnly: true
|
|
- - name: heat-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
|
- subPath: mpm_event.conf
|
|
- readOnly: true
|
|
- {{- end }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -157,7 +147,7 @@ spec:
|
|
secret:
|
|
secretName: heat-etc
|
|
defaultMode: 0444
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml
|
|
index 773972ba..00647372 100644
|
|
--- a/heat/templates/deployment-cfn.yaml
|
|
+++ b/heat/templates/deployment-cfn.yaml
|
|
@@ -128,17 +128,7 @@ spec:
|
|
mountPath: /etc/heat/api_audit_map.conf
|
|
subPath: api_audit_map.conf
|
|
readOnly: true
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: heat-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
|
|
- subPath: wsgi-cnf.conf
|
|
- readOnly: true
|
|
- - name: heat-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
|
- subPath: mpm_event.conf
|
|
- readOnly: true
|
|
- {{- end }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -155,6 +145,6 @@ spec:
|
|
secret:
|
|
secretName: heat-etc
|
|
defaultMode: 0444
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml
|
|
index fa463f02..ec705374 100644
|
|
--- a/heat/templates/deployment-engine.yaml
|
|
+++ b/heat/templates/deployment-engine.yaml
|
|
@@ -109,7 +109,7 @@ spec:
|
|
subPath: policy.yaml
|
|
readOnly: true
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -126,7 +126,7 @@ spec:
|
|
secretName: heat-etc
|
|
defaultMode: 0444
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/ingress-api.yaml b/heat/templates/ingress-api.yaml
|
|
index 8d5c9a03..47a3bbaf 100644
|
|
--- a/heat/templates/ingress-api.yaml
|
|
+++ b/heat/templates/ingress-api.yaml
|
|
@@ -15,9 +15,5 @@ limitations under the License.
|
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
|
{{- $envAll := . }}
|
|
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/ingress-cfn.yaml b/heat/templates/ingress-cfn.yaml
|
|
index d9653384..8bcb7884 100644
|
|
--- a/heat/templates/ingress-cfn.yaml
|
|
+++ b/heat/templates/ingress-cfn.yaml
|
|
@@ -15,9 +15,5 @@ limitations under the License.
|
|
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
|
|
{{- $envAll := . }}
|
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml
|
|
index e5157dae..0c69dcfd 100644
|
|
--- a/heat/templates/job-bootstrap.yaml
|
|
+++ b/heat/templates/job-bootstrap.yaml
|
|
@@ -19,7 +19,7 @@ helm.sh/hook: post-install,post-upgrade
|
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
|
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
|
|
diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml
|
|
index 21b0bd1e..4cc29e41 100644
|
|
--- a/heat/templates/job-ks-endpoints.yaml
|
|
+++ b/heat/templates/job-ks-endpoints.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
|
|
{{- if .Values.manifests.job_ks_endpoints }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
|
|
diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml
|
|
index 930707ad..a2e708bb 100644
|
|
--- a/heat/templates/job-ks-service.yaml
|
|
+++ b/heat/templates/job-ks-service.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
|
|
{{- if .Values.manifests.job_ks_service }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
|
|
diff --git a/heat/templates/job-ks-user-domain.yaml b/heat/templates/job-ks-user-domain.yaml
|
|
index 6e76df8f..16ba3d3c 100644
|
|
--- a/heat/templates/job-ks-user-domain.yaml
|
|
+++ b/heat/templates/job-ks-user-domain.yaml
|
|
@@ -64,7 +64,7 @@ spec:
|
|
mountPath: /tmp/ks-domain-user.sh
|
|
subPath: ks-domain-user.sh
|
|
readOnly: true
|
|
-{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
|
@@ -100,5 +100,5 @@ spec:
|
|
configMap:
|
|
name: heat-bin
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- end }}
|
|
diff --git a/heat/templates/job-ks-user-trustee.yaml b/heat/templates/job-ks-user-trustee.yaml
|
|
index 665be817..deac434e 100644
|
|
--- a/heat/templates/job-ks-user-trustee.yaml
|
|
+++ b/heat/templates/job-ks-user-trustee.yaml
|
|
@@ -19,7 +19,7 @@ helm.sh/hook: post-install,post-upgrade
|
|
{{- if .Values.manifests.job_ks_user_trustee }}
|
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
|
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
|
|
diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml
|
|
index c5be1fea..1788213a 100644
|
|
--- a/heat/templates/job-ks-user.yaml
|
|
+++ b/heat/templates/job-ks-user.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
|
|
{{- if .Values.manifests.job_ks_user }}
|
|
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
|
|
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
|
diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml
|
|
index ae5bc644..cf6a8a1a 100644
|
|
--- a/heat/templates/job-trusts.yaml
|
|
+++ b/heat/templates/job-trusts.yaml
|
|
@@ -68,7 +68,7 @@ spec:
|
|
mountPath: /tmp/trusts.sh
|
|
subPath: trusts.sh
|
|
readOnly: true
|
|
-{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
|
|
@@ -87,5 +87,5 @@ spec:
|
|
configMap:
|
|
name: heat-bin
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
|
|
diff --git a/heat/templates/pod-rally-test.yaml b/heat/templates/pod-rally-test.yaml
|
|
index ac6c636e..4dc8154b 100644
|
|
--- a/heat/templates/pod-rally-test.yaml
|
|
+++ b/heat/templates/pod-rally-test.yaml
|
|
@@ -58,7 +58,7 @@ spec:
|
|
mountPath: /tmp/ks-user.sh
|
|
subPath: ks-user.sh
|
|
readOnly: true
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
@@ -104,7 +104,7 @@ spec:
|
|
subPath: {{ printf "test_template_%d" $key }}
|
|
readOnly: true
|
|
{{- end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -119,6 +119,6 @@ spec:
|
|
defaultMode: 0555
|
|
- name: rally-db
|
|
emptyDir: {}
|
|
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/horizon/templates/certificates.yaml b/horizon/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index 8dbb884a..00000000
|
|
--- a/horizon/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,17 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
|
|
index fab84924..32013af7 100644
|
|
--- a/horizon/templates/deployment.yaml
|
|
+++ b/horizon/templates/deployment.yaml
|
|
@@ -76,7 +76,7 @@ spec:
|
|
fieldPath: status.podIP
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
|
- name: REQUESTS_CA_BUNDLE
|
|
- value: "/etc/openstack-dashboard/certs/ca.crt"
|
|
+ value: "/etc/ssl/certs/openstack-helm.crt"
|
|
{{- end }}
|
|
lifecycle:
|
|
preStop:
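Review bot: `REQUESTS_CA_BUNDLE` is exported whenever `manifests.certificates` or `tls.identity` is true, but the file it now points at exists only if the `tls_volume_mount` in the next hunk (-173,7 +173,7) renders. That mount presumably also needs a non-empty `secrets.tls.dashboard.dashboard.public`. If the secret name is unset, the variable would name a missing bundle, and python-requests fails HTTPS calls in that case rather than falling back to the system store. Guarding the variable on the same inputs keeps the two in step: `{{- if and (or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.dashboard.dashboard.public }}`. The container spec starts and ends outside this hunk.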
|
|
@@ -173,7 +173,7 @@ spec:
|
|
mountPath: /tmp/favicon.ico
|
|
subPath: favicon.ico
|
|
{{- end }}
|
|
-{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -197,6 +197,6 @@ spec:
|
|
name: horizon-logo
|
|
{{- end }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or $envAll.Values.manifests.certificates $envAll.Values.tls.identity) "name" $envAll.Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/horizon/templates/ingress-api.yaml b/horizon/templates/ingress-api.yaml
|
|
index 252ac523..22f13814 100644
|
|
--- a/horizon/templates/ingress-api.yaml
|
|
+++ b/horizon/templates/ingress-api.yaml
|
|
@@ -15,9 +15,5 @@ limitations under the License.
|
|
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
|
|
{{- $envAll := . }}
|
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
|
|
diff --git a/horizon/templates/pod-helm-tests.yaml b/horizon/templates/pod-helm-tests.yaml
|
|
index 7d163039..979402a7 100644
|
|
--- a/horizon/templates/pod-helm-tests.yaml
|
|
+++ b/horizon/templates/pod-helm-tests.yaml
|
|
@@ -62,7 +62,7 @@ spec:
|
|
mountPath: /tmp/selenium-test.py
|
|
subPath: selenium-test.py
|
|
readOnly: true
|
|
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -71,6 +71,6 @@ spec:
|
|
configMap:
|
|
name: horizon-bin
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/horizon/values.yaml b/horizon/values.yaml
|
|
index 024e57ce..a4033a5c 100644
|
|
--- a/horizon/values.yaml
|
|
+++ b/horizon/values.yaml
|
|
@@ -478,7 +478,7 @@ conf:
|
|
|
|
{{- if .Values.manifests.certificates }}
|
|
# The CA certificate to use to verify SSL connections
|
|
- OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
|
|
+ OPENSTACK_SSL_CACERT = '/etc/ssl/certs/openstack-helm.crt'
|
|
{{- end }}
|
|
|
|
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
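Review bot: `OPENSTACK_SSL_CACERT` is still emitted only under `.Values.manifests.certificates`, while `deployment.yaml` in this patch mounts the CA and sets `REQUESTS_CA_BUNDLE` under `or .Values.manifests.certificates .Values.tls.identity`. With `tls.identity` enabled alone, the file is mounted at `/etc/ssl/certs/openstack-helm.crt` but Horizon's own CA setting is not rendered. Verification would then depend on which of the two settings each client honours. Using the same condition here would remove the gap: `{{- if or .Values.manifests.certificates .Values.tls.identity }}`. The surrounding settings block continues outside the hunk.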
|
|
diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl
|
|
index f6216df1..85740a05 100644
|
|
--- a/keystone/templates/bin/_keystone-api.sh.tpl
|
|
+++ b/keystone/templates/bin/_keystone-api.sh.tpl
|
|
@@ -49,10 +49,6 @@ function start () {
|
|
}
|
|
|
|
function stop () {
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- fi
|
|
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
}
|
|
|
|
diff --git a/keystone/templates/certificates.yaml b/keystone/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index f8a73c4b..00000000
|
|
--- a/keystone/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,17 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal -}}
|
|
-{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
|
|
index cff233b8..7130ecaf 100644
|
|
--- a/keystone/templates/deployment-api.yaml
|
|
+++ b/keystone/templates/deployment-api.yaml
|
|
@@ -152,7 +152,9 @@ spec:
|
|
- name: keystone-credential-keys
|
|
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
|
{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- end }}
|
|
{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
|
|
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
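Review bot: The identity CA mount used to be enabled by `.Values.tls.identity` and is now enabled only by `manifests.certificates`, so a deployment that sets `tls.identity` without `manifests.certificates` silently loses the mount. Other templates in this patch (`job-bootstrap.yaml`, the heat and neutron mounts) accept either flag, so I would use `or .Values.manifests.certificates .Values.tls.identity` in the outer `if` and in `"enabled"`. As written, the `"enabled"` argument repeats what the `if` already tested, and the `if` mixes `$envAll.Values` with `.Values`. The same applies to the volume hunk (-189,7 +191,9). The `"path" "/etc/keystone/certs"` argument is also dropped, so any keystone or Apache setting that still reads from that directory should be checked; none is visible in this hunk.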
|
|
@@ -189,7 +191,9 @@ spec:
|
|
secret:
|
|
secretName: keystone-credential-keys
|
|
{{- dict "enabled" .Values.tls.oslo_db "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" .Values.tls.identity "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- if and $envAll.Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- end }}
|
|
{{- dict "enabled" $envAll.Values.tls.oslo_messaging "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
|
|
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
|
|
diff --git a/keystone/templates/ingress-api.yaml b/keystone/templates/ingress-api.yaml
|
|
index 525c2121..b7b0e238 100644
|
|
--- a/keystone/templates/ingress-api.yaml
|
|
+++ b/keystone/templates/ingress-api.yaml
|
|
@@ -13,12 +13,7 @@ limitations under the License.
|
|
*/}}
|
|
|
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
|
-{{- $envAll := . }}
|
|
-{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName -}}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end -}}
|
|
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
|
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.admin }}
|
|
diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml
|
|
index b1336b1c..37ce4a48 100644
|
|
--- a/keystone/templates/job-bootstrap.yaml
|
|
+++ b/keystone/templates/job-bootstrap.yaml
|
|
@@ -19,8 +19,8 @@ helm.sh/hook-weight: "5"
|
|
|
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
|
|
-{{- if and ( or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.identity.api.internal -}}
|
|
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
|
|
+{{- if and ( or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.identity.api.public -}}
|
|
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.pod.tolerations.keystone.enabled -}}
|
|
{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
|
|
diff --git a/keystone/templates/job-domain-manage.yaml b/keystone/templates/job-domain-manage.yaml
|
|
index a783423c..50e76b8d 100644
|
|
--- a/keystone/templates/job-domain-manage.yaml
|
|
+++ b/keystone/templates/job-domain-manage.yaml
|
|
@@ -57,7 +57,7 @@ spec:
|
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
env:
|
|
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
|
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
|
{{- end }}
|
|
command:
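Review bot: After this patch the `keystone-domain-manage` container is left with an `env:` key that has no entries. This hunk keeps the openrc block for the init container with `useCA` removed, but the next hunk (-69,18 +69,12) deletes the whole `with`/`include`/`end` block from the main container instead of only dropping `useCA`. If `/tmp/domain-manage.sh` relies on the Keystone admin credentials from `secrets.identity.admin`, which the init container's block suggests, it would run without them. I would keep the block there in the same reduced form: `{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}`, `{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}`, `{{- end }}`. If the removal is intentional, drop the bare `env:` line as well and say so in the patch description.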
|
|
@@ -69,18 +69,12 @@ spec:
|
|
mountPath: /tmp/domain-manage-init.sh
|
|
subPath: domain-manage-init.sh
|
|
readOnly: true
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- end }}
|
|
containers:
|
|
- name: keystone-domain-manage
|
|
{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
env:
|
|
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
|
-{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
|
-{{- end }}
|
|
command:
|
|
- /tmp/domain-manage.sh
|
|
volumeMounts:
|
|
@@ -120,9 +114,6 @@ spec:
|
|
{{- end }}
|
|
- name: keystone-credential-keys
|
|
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- end }}
|
|
{{ if $mounts_keystone_domain_manage.volumeMounts }}{{ toYaml $mounts_keystone_domain_manage.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -147,8 +138,5 @@ spec:
|
|
- name: keystone-credential-keys
|
|
secret:
|
|
secretName: keystone-credential-keys
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- end }}
|
|
{{ if $mounts_keystone_domain_manage.volumes }}{{ toYaml $mounts_keystone_domain_manage.volumes | indent 9 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/keystone/templates/pod-rally-test.yaml b/keystone/templates/pod-rally-test.yaml
|
|
index ad5b23a0..2d5e9528 100644
|
|
--- a/keystone/templates/pod-rally-test.yaml
|
|
+++ b/keystone/templates/pod-rally-test.yaml
|
|
@@ -58,11 +58,11 @@ spec:
|
|
mountPath: /tmp/ks-user.sh
|
|
subPath: ks-user.sh
|
|
readOnly: true
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{- end }}
|
|
env:
|
|
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
|
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
{{- end }}
|
|
- name: SERVICE_OS_SERVICE_NAME
|
|
@@ -78,7 +78,7 @@ spec:
|
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
|
|
{{ dict "envAll" $envAll "application" "test" "container" "keystone_test" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6}}
|
|
env:
|
|
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal) }}
|
|
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (and .Values.manifests.certificates .Values.secrets.tls.identity.api.public) }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
{{- end }}
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
|
|
@@ -103,8 +103,8 @@ spec:
|
|
mountPath: /var/lib/rally
|
|
- name: rally-work
|
|
mountPath: /home/rally/.rally
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{- end }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
@@ -122,8 +122,8 @@ spec:
|
|
emptyDir: {}
|
|
- name: rally-work
|
|
emptyDir: {}
|
|
-{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.internal }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- if and .Values.manifests.certificates .Values.secrets.tls.identity.api.public }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{- end }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/neutron/templates/certificates.yaml b/neutron/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index f65396d0..00000000
|
|
--- a/neutron/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,17 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end -}}
|
|
diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml
|
|
index fc9a75ee..4625765a 100644
|
|
--- a/neutron/templates/daemonset-metadata-agent.yaml
|
|
+++ b/neutron/templates/daemonset-metadata-agent.yaml
|
|
@@ -193,7 +193,7 @@ spec:
|
|
mountPath: /run/netns
|
|
mountPropagation: Bidirectional
|
|
{{- end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -217,7 +217,7 @@ spec:
|
|
hostPath:
|
|
path: /run/netns
|
|
{{- end }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/neutron/templates/deployment-rpc_server.yaml b/neutron/templates/deployment-rpc_server.yaml
|
|
index 1866e21e..a8a111d7 100644
|
|
--- a/neutron/templates/deployment-rpc_server.yaml
|
|
+++ b/neutron/templates/deployment-rpc_server.yaml
|
|
@@ -194,7 +194,7 @@ spec:
|
|
subPath: policy.yaml
|
|
readOnly: true
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_neutron_rpc_server.volumeMounts }}{{ toYaml $mounts_neutron_rpc_server.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
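Review bot: Dropping `"path" "/etc/neutron/certs"` from this mount means that directory is no longer populated. Judging by the Horizon change in this patch, only the CA then lands at `/etc/ssl/certs/openstack-helm.crt`. The Horizon templates were updated to the new location, but no matching neutron configuration change is visible in this part of the patch. Any `cafile`/`certfile` style option still pointing under `/etc/neutron/certs` would reference a missing file, so please confirm it against the neutron values. The same applies to the identical mount in `deployment-server.yaml` (-272,7 +210,7). A short template comment above the line would help the next upversion, for example `{{/* CA only, default helm-toolkit path; TLS is terminated at the ingress */}}`.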
|
|
@@ -221,7 +221,7 @@ spec:
|
|
emptyDir: {}
|
|
{{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_neutron_rpc_server.volumes }}{{ toYaml $mounts_neutron_rpc_server.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml
|
|
index b6b634d2..6b236a33 100644
|
|
--- a/neutron/templates/deployment-server.yaml
|
|
+++ b/neutron/templates/deployment-server.yaml
|
|
@@ -13,35 +13,17 @@ limitations under the License.
|
|
*/}}
|
|
|
|
{{- define "serverReadinessProbeTemplate" }}
|
|
-{{- if .Values.manifests.certificates }}
|
|
-exec:
|
|
- command:
|
|
- - python
|
|
- - -c
|
|
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
|
-initialDelaySeconds: 30
|
|
-{{- else }}
|
|
httpGet:
|
|
scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
|
path: /
|
|
port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
{{- end }}
|
|
-{{- end }}
|
|
{{- define "serverLivenessProbeTemplate" }}
|
|
-{{- if .Values.manifests.certificates }}
|
|
-exec:
|
|
- command:
|
|
- - python
|
|
- - -c
|
|
- - "import requests; requests.get('http://127.0.0.1:{{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
|
|
-initialDelaySeconds: 30
|
|
-{{- else }}
|
|
httpGet:
|
|
scheme: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
|
|
path: /
|
|
port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
{{- end }}
|
|
-{{- end }}
|
|
|
|
{{- if .Values.manifests.deployment_server }}
|
|
{{- $envAll := . }}
|
|
@@ -120,50 +102,6 @@ spec:
|
|
mountPath: /opt/plugin
|
|
{{- end }}
|
|
containers:
|
|
- {{- if $envAll.Values.manifests.certificates }}
|
|
- - name: nginx
|
|
-{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
-{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
-{{ dict "envAll" $envAll "application" "neutron_server" "container" "nginx" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
- ports:
|
|
- - name: q-api
|
|
- containerPort: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- env:
|
|
- - name: PORT
|
|
- value: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
|
- - name: POD_IP
|
|
- valueFrom:
|
|
- fieldRef:
|
|
- fieldPath: status.podIP
|
|
- - name: SHORTNAME
|
|
- value: {{ tuple "network" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
|
|
- readinessProbe:
|
|
- httpGet:
|
|
- scheme: HTTPS
|
|
- path: /
|
|
- port: {{ tuple "network" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- command:
|
|
- - /tmp/nginx.sh
|
|
- - start
|
|
- lifecycle:
|
|
- preStop:
|
|
- exec:
|
|
- command:
|
|
- - /tmp/nginx.sh
|
|
- - stop
|
|
- volumeMounts:
|
|
- - name: pod-tmp
|
|
- mountPath: /tmp
|
|
- - name: neutron-bin
|
|
- mountPath: /tmp/nginx.sh
|
|
- subPath: nginx.sh
|
|
- readOnly: true
|
|
- - name: neutron-etc
|
|
- mountPath: /etc/nginx/nginx.conf
|
|
- subPath: nginx.conf
|
|
- readOnly: true
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
- {{- end }}
|
|
- name: neutron-server
|
|
{{ tuple $envAll "neutron_server" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
@@ -272,7 +210,7 @@ spec:
|
|
subPath: policy.yaml
|
|
readOnly: true
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -280,10 +218,6 @@ spec:
|
|
emptyDir: {}
|
|
- name: pod-shared
|
|
emptyDir: {}
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: wsgi-neutron
|
|
- emptyDir: {}
|
|
- {{- end }}
|
|
- name: pod-var-neutron
|
|
emptyDir: {}
|
|
- name: neutron-bin
|
|
@@ -299,7 +233,7 @@ spec:
|
|
emptyDir: {}
|
|
{{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
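Review bot: The `+` line backs the pod volume with the whole `secrets.tls.network.server.public` secret, which would also contain the private key if it is the same TLS secret the ingress serves from. With the `path` argument dropped from the matching mount, the server appears to need only a CA bundle, so a CA-only secret or ConfigMap would give the pod less to hold. Whether the container can see the key depends on the default behaviour of `helm-toolkit.snippets.tls_volume_mount`, which is not shown here. If CA-only use is the intent, a comment such as `{{- /* public TLS secret is referenced for its CA only */ -}}` would make it checkable. The same pattern recurs in the nova `tls_volume` hunks below.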
|
|
diff --git a/neutron/templates/ingress-server.yaml b/neutron/templates/ingress-server.yaml
|
|
index 6e6eb735..43526fa8 100644
|
|
--- a/neutron/templates/ingress-server.yaml
|
|
+++ b/neutron/templates/ingress-server.yaml
|
|
@@ -15,9 +15,5 @@ limitations under the License.
|
|
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
|
|
{{- $envAll := . }}
|
|
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
|
|
-{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
|
|
-{{- if and .Values.manifests.certificates $secretName }}
|
|
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
|
|
-{{- end }}
|
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
|
{{- end }}
|
|
diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml
|
|
index ff9dbe8f..ef799a4f 100644
|
|
--- a/neutron/templates/job-bootstrap.yaml
|
|
+++ b/neutron/templates/job-bootstrap.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "5"
|
|
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
|
|
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
|
+{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
|
|
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml
|
|
index ec76b71d..60788f67 100644
|
|
--- a/neutron/templates/job-ks-endpoints.yaml
|
|
+++ b/neutron/templates/job-ks-endpoints.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
|
|
{{- if .Values.manifests.job_ks_endpoints }}
|
|
{{- $ksEndpointsJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
|
+{{- $_ := set $ksEndpointsJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksEndpointsJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
|
|
diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml
|
|
index e4225c6e..f26e7ac6 100644
|
|
--- a/neutron/templates/job-ks-service.yaml
|
|
+++ b/neutron/templates/job-ks-service.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
|
|
{{- if .Values.manifests.job_ks_service }}
|
|
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
|
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
|
|
diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml
|
|
index 563ba7ba..aac6eeac 100644
|
|
--- a/neutron/templates/job-ks-user.yaml
|
|
+++ b/neutron/templates/job-ks-user.yaml
|
|
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
|
|
{{- if .Values.manifests.job_ks_user }}
|
|
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity -}}
|
|
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
|
|
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.public -}}
|
|
{{- end -}}
|
|
{{- if .Values.helm3_hook }}
|
|
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
|
|
diff --git a/neutron/templates/pod-rally-test.yaml b/neutron/templates/pod-rally-test.yaml
|
|
index 5ef57fa3..8f289bf7 100644
|
|
--- a/neutron/templates/pod-rally-test.yaml
|
|
+++ b/neutron/templates/pod-rally-test.yaml
|
|
@@ -59,7 +59,7 @@ spec:
|
|
mountPath: /tmp/ks-user.sh
|
|
subPath: ks-user.sh
|
|
readOnly: true
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
env:
|
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
|
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
|
@@ -104,7 +104,7 @@ spec:
|
|
readOnly: true
|
|
- name: pod-tmp
|
|
mountPath: /tmp/pod-tmp
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ end }}
|
|
containers:
|
|
- name: neutron-test
|
|
@@ -134,7 +134,7 @@ spec:
|
|
readOnly: true
|
|
- name: rally-db
|
|
mountPath: /var/lib/rally
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
|
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
@@ -149,6 +149,6 @@ spec:
|
|
defaultMode: 0555
|
|
- name: rally-db
|
|
emptyDir: {}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
|
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/neutron/values.yaml b/neutron/values.yaml
|
|
index 8333a90b..db4a6bf0 100644
|
|
--- a/neutron/values.yaml
|
|
+++ b/neutron/values.yaml
|
|
@@ -2303,6 +2303,7 @@ secrets:
|
|
compute_metadata:
|
|
metadata:
|
|
internal: metadata-tls-metadata
|
|
+ public: neutron-tls-public
|
|
network:
|
|
server:
|
|
public: neutron-tls-public
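Review bot: The added `public: neutron-tls-public` under `compute_metadata.metadata` uses the same secret name as `network.server.public` a few lines below, while the sibling `internal` entry has its own name, `metadata-tls-metadata`. If the reuse is intended because only a shared CA is read from it, say so on the line, e.g. `# same secret as network.server.public; read for the CA bundle only`. Otherwise it reads like a copy-paste, and the metadata path would trust whatever that secret holds. The `secrets.tls` map continues outside the hunk.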
|
|
diff --git a/nova/templates/bin/_nova-api-metadata.sh.tpl b/nova/templates/bin/_nova-api-metadata.sh.tpl
|
|
index e7602e8a..c3ea248b 100644
|
|
--- a/nova/templates/bin/_nova-api-metadata.sh.tpl
|
|
+++ b/nova/templates/bin/_nova-api-metadata.sh.tpl
|
|
@@ -18,49 +18,11 @@ set -ex
|
|
COMMAND="${@:-start}"
|
|
|
|
function start () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- for WSGI_SCRIPT in nova-metadata-wsgi; do
|
|
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
|
|
- done
|
|
-
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2enmod }}
|
|
- {{- range .Values.conf.software.apache2.a2enmod }}
|
|
- a2enmod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2dismod }}
|
|
- {{- range .Values.conf.software.apache2.a2dismod }}
|
|
- a2dismod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
- if [ -f /var/run/apache2/apache2.pid ]; then
|
|
- # Remove the stale pid for debian/ubuntu images
|
|
- rm -f /var/run/apache2/apache2.pid
|
|
- fi
|
|
- # Starts Apache2
|
|
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
|
-{{- else }}
|
|
exec uwsgi --ini /etc/nova/nova-metadata-uwsgi.ini
|
|
-{{- end }}
|
|
}
|
|
|
|
function stop () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- source /etc/apache2/envvars
|
|
- fi
|
|
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
-{{- else }}
|
|
kill -TERM 1
|
|
-{{- end }}
|
|
}
|
|
|
|
$COMMAND
|
|
diff --git a/nova/templates/bin/_nova-api.sh.tpl b/nova/templates/bin/_nova-api.sh.tpl
|
|
index 10843865..03d6654e 100644
|
|
--- a/nova/templates/bin/_nova-api.sh.tpl
|
|
+++ b/nova/templates/bin/_nova-api.sh.tpl
|
|
@@ -18,50 +18,11 @@ set -ex
|
|
COMMAND="${@:-start}"
|
|
|
|
function start () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- for WSGI_SCRIPT in nova-api-wsgi; do
|
|
- cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
|
|
- done
|
|
-
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- # Loading Apache2 ENV variables
|
|
- source /etc/apache2/envvars
|
|
- mkdir -p ${APACHE_RUN_DIR}
|
|
- fi
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2enmod }}
|
|
- {{- range .Values.conf.software.apache2.a2enmod }}
|
|
- a2enmod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-{{- if .Values.conf.software.apache2.a2dismod }}
|
|
- {{- range .Values.conf.software.apache2.a2dismod }}
|
|
- a2dismod {{ . }}
|
|
- {{- end }}
|
|
-{{- end }}
|
|
-
|
|
-
|
|
- if [ -f /var/run/apache2/apache2.pid ]; then
|
|
- # Remove the stale pid for debian/ubuntu images
|
|
- rm -f /var/run/apache2/apache2.pid
|
|
- fi
|
|
- # Starts Apache2
|
|
- exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
|
|
-{{- else }}
|
|
exec uwsgi --ini /etc/nova/nova-api-uwsgi.ini
|
|
-{{- end }}
|
|
}
|
|
|
|
function stop () {
|
|
-{{- if .Values.manifests.certificates }}
|
|
- if [ -f /etc/apache2/envvars ]; then
|
|
- source /etc/apache2/envvars
|
|
- fi
|
|
- {{ .Values.conf.software.apache2.binary }} -k graceful-stop
|
|
-{{- else }}
|
|
kill -TERM 1
|
|
-{{- end }}
|
|
}
|
|
|
|
$COMMAND
|
|
diff --git a/nova/templates/certificates.yaml b/nova/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index a1385e3b..00000000
|
|
--- a/nova/templates/certificates.yaml
|
|
+++ /dev/null
|
|
@@ -1,30 +0,0 @@
|
|
-{{/*
|
|
-Licensed under the Apache License, Version 2.0 (the "License");
|
|
-you may not use this file except in compliance with the License.
|
|
-You may obtain a copy of the License at
|
|
-
|
|
- http://www.apache.org/licenses/LICENSE-2.0
|
|
-
|
|
-Unless required by applicable law or agreed to in writing, software
|
|
-distributed under the License is distributed on an "AS IS" BASIS,
|
|
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
-See the License for the specific language governing permissions and
|
|
-limitations under the License.
|
|
-*/}}
|
|
-
|
|
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
|
|
-{{ dict "envAll" . "service" "compute_novnc_vencrypt" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end }}
|
|
-{{- if .Values.manifests.certificates -}}
|
|
-{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- if .Values.manifests.deployment_novncproxy }}
|
|
-{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end }}
|
|
-{{- if .Values.manifests.deployment_placement }}
|
|
-{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end }}
|
|
-{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- if .Values.manifests.deployment_spiceproxy }}
|
|
-{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
|
-{{- end }}
|
|
-{{- end -}}
|
|
diff --git a/nova/templates/cron-job-service-cleaner.yaml b/nova/templates/cron-job-service-cleaner.yaml
|
|
index dd61db79..0da8c5e1 100644
|
|
--- a/nova/templates/cron-job-service-cleaner.yaml
|
|
+++ b/nova/templates/cron-job-service-cleaner.yaml
|
|
@@ -72,7 +72,7 @@ spec:
|
|
readOnly: true
|
|
- name: etcnova
|
|
mountPath: /etc/nova
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
|
|
volumes:
|
|
- name: pod-tmp
|
|
emptyDir: {}
|
|
@@ -86,5 +86,5 @@ spec:
|
|
configMap:
|
|
name: nova-bin
|
|
defaultMode: 0555
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
|
|
index 3ad00ff2..5b52745f 100644
|
|
--- a/nova/templates/daemonset-compute.yaml
|
|
+++ b/nova/templates/daemonset-compute.yaml
|
|
@@ -294,7 +294,7 @@ spec:
|
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
|
- name: REQUESTS_CA_BUNDLE
|
|
- value: "/etc/nova/certs/ca.crt"
|
|
+ value: "/etc/ssl/certs/openstack-helm.crt"
|
|
{{- end }}
|
|
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
|
|
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
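Review bot: `REQUESTS_CA_BUNDLE` now hard-codes `/etc/ssl/certs/openstack-helm.crt`, a path this template never mounts explicitly. The file only exists if `helm-toolkit.snippets.tls_volume_mount` places the CA there when called without `path`; that call is in the next hunk and the helper is not part of this patch. The variable is set whenever `manifests.certificates` or `tls.identity` is true, so if the helper emits nothing (for example on an empty secret name), HTTPS calls made through Python `requests` in this container would fail on a missing bundle rather than fall back to the system store. A comment above the value, `# must match the default mountPath of helm-toolkit.snippets.tls_volume_mount`, would keep the two in step. The same literal is repeated in the ssh container hunk below and in deployment-conductor.yaml and deployment-scheduler.yaml.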
|
|
@@ -448,7 +448,7 @@ spec:
|
|
subPath: tf-plugin.pth
|
|
readOnly: true
|
|
{{- end }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{- if .Values.network.ssh.enabled }}
|
|
@@ -463,7 +463,7 @@ spec:
|
|
value: {{ .Values.network.ssh.port | quote }}
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
|
- name: REQUESTS_CA_BUNDLE
|
|
- value: "/etc/nova/certs/ca.crt"
|
|
+ value: "/etc/ssl/certs/openstack-helm.crt"
|
|
{{- end }}
|
|
ports:
|
|
- containerPort: {{ .Values.network.ssh.port }}
|
|
@@ -477,7 +477,7 @@ spec:
|
|
mountPath: /tmp/ssh-start.sh
|
|
subPath: ssh-start.sh
|
|
readOnly: true
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
|
|
{{ end }}
|
|
volumes:
|
|
@@ -563,7 +563,7 @@ spec:
|
|
- name: tf-plugin-bin
|
|
emptyDir: {}
|
|
{{- end }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
|
|
index 51e30c9d..ee5e38ea 100644
|
|
--- a/nova/templates/deployment-api-metadata.yaml
|
|
+++ b/nova/templates/deployment-api-metadata.yaml
|
|
@@ -183,20 +183,8 @@ spec:
|
|
- name: pod-shared
|
|
mountPath: /tmp/pod-shared
|
|
readOnly: true
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: wsgi-nova
|
|
- mountPath: /var/www/cgi-bin/nova
|
|
- - name: nova-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
|
|
- subPath: wsgi-metadata.conf
|
|
- readOnly: true
|
|
- - name: nova-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
|
- subPath: mpm_event.conf
|
|
- readOnly: true
|
|
- {{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
- name: pod-tmp
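Review bot: With the Apache mounts removed and the secret on the `+` line mounted without `path`, `manifests.certificates: true` no longer gives nova-api-metadata a server certificate, yet the flag keeps its name and still gates the mount. The metadata API hands instance user-data to guests, so an operator who reads the flag as "backend TLS on" would be wrong about that hop being encrypted inside the cluster. Document the new meaning where the flag is consumed, e.g. `{{- /* certificates/tls.identity now only distribute the CA; the pod serves plain HTTP behind the ingress */ -}}`, and do the same in deployment-api-osapi.yaml. The container spec starts outside the hunk.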
|
|
@@ -216,6 +204,6 @@ spec:
|
|
- name: pod-shared
|
|
emptyDir: {}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute_metadata.metadata.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml
|
|
index b203ba6c..04d70533 100644
|
|
--- a/nova/templates/deployment-api-osapi.yaml
|
|
+++ b/nova/templates/deployment-api-osapi.yaml
|
|
@@ -131,20 +131,8 @@ spec:
|
|
mountPath: /etc/nova/api_audit_map.conf
|
|
subPath: api_audit_map.conf
|
|
readOnly: true
|
|
- {{- if .Values.manifests.certificates }}
|
|
- - name: wsgi-nova
|
|
- mountPath: /var/www/cgi-bin/nova
|
|
- - name: nova-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
|
|
- subPath: wsgi-api.conf
|
|
- readOnly: true
|
|
- - name: nova-etc
|
|
- mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
|
|
- subPath: mpm_event.conf
|
|
- readOnly: true
|
|
- {{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -165,7 +153,7 @@ spec:
|
|
secretName: nova-etc
|
|
defaultMode: 0444
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml
|
|
index b58b3855..44ed2858 100644
|
|
--- a/nova/templates/deployment-conductor.yaml
|
|
+++ b/nova/templates/deployment-conductor.yaml
|
|
@@ -94,7 +94,7 @@ spec:
|
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
|
- name: REQUESTS_CA_BUNDLE
|
|
- value: "/etc/nova/certs/ca.crt"
|
|
+ value: "/etc/ssl/certs/openstack-helm.crt"
|
|
{{- end }}
|
|
command:
|
|
- /tmp/nova-conductor.sh
|
|
@@ -123,7 +123,7 @@ spec:
|
|
mountPath: /etc/nova/policy.yaml
|
|
subPath: policy.yaml
|
|
readOnly: true
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
|
|
@@ -138,7 +138,7 @@ spec:
|
|
secret:
|
|
secretName: nova-etc
|
|
defaultMode: 0444
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
|
|
diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml
|
|
index f4c1d8ba..aa547263 100644
|
|
--- a/nova/templates/deployment-novncproxy.yaml
|
|
+++ b/nova/templates/deployment-novncproxy.yaml
|
|
@@ -152,7 +152,7 @@ spec:
|
|
{{- end }}
|
|
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
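Review bot: The `+` line stops mounting the novncproxy certificate and key under `/etc/nova/certs`, and the same patch deletes nova/templates/certificates.yaml, whose `compute_novnc_vencrypt` certificate was gated on `conf.nova.vnc.auth_schemes` containing `vencrypt` rather than on `manifests.certificates`. VeNCrypt protects the proxy-to-hypervisor VNC leg, which ingress termination does not reach, so a deployment that sets `vencrypt` would lose its certificate source; whether any nova.conf setting still points at `/etc/nova/certs` is not visible here. If vencrypt is unsupported on this platform, state it next to the mount, e.g. `{{- /* vencrypt is not supported here: no per-service certificates are issued */ -}}`; deployment-spiceproxy.yaml gets the same change below. The volumeMounts list starts outside the hunk.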
|
|
@@ -177,7 +177,7 @@ spec:
|
|
defaultMode: 0444
|
|
{{- end }}
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml
|
|
index bba444c9..d3f4095c 100644
|
|
--- a/nova/templates/deployment-scheduler.yaml
|
|
+++ b/nova/templates/deployment-scheduler.yaml
|
|
@@ -94,7 +94,7 @@ spec:
|
|
value: "{{ .Values.pod.probes.rpc_retries }}"
|
|
{{- if or .Values.manifests.certificates .Values.tls.identity }}
|
|
- name: REQUESTS_CA_BUNDLE
|
|
- value: "/etc/nova/certs/ca.crt"
|
|
+ value: "/etc/ssl/certs/openstack-helm.crt"
|
|
{{- end }}
|
|
command:
|
|
- /tmp/nova-scheduler.sh
|
|
@@ -124,7 +124,7 @@ spec:
|
|
subPath: policy.yaml
|
|
readOnly: true
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
|
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
|
|
volumes:
|
|
@@ -139,7 +139,7 @@ spec:
|
|
secretName: nova-etc
|
|
defaultMode: 0444
|
|
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
|
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
|
|
{{- end }}
|
|
diff --git a/nova/templates/deployment-spiceproxy.yaml b/nova/templates/deployment-spiceproxy.yaml
|
|
index eca1628e..a7b45eca 100644
|
|
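--- a/nova/templates/deployment-spiceproxy.yaml
+++ b/nova/templates/deployment-spiceproxy.yaml
@@ -142,7 +142,7 @@ spec:
 readOnly: true
 - name: pod-shared
 mountPath: /tmp/pod-shared
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -159,6 +159,6 @@ spec:
 emptyDir: {}
 - name: pod-shared
 emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
 {{- end }}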
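Review bot: The new volumeMount for the spiceproxy secret drops `"path" "/etc/nova/certs"`, so where the secret lands in the container, and which of its keys are exposed, now depends on the no-path branch of `helm-toolkit.snippets.tls_volume_mount`, which is not visible in this patch. If any nova configuration still points at `/etc/nova/certs`, the failure would only show up at runtime, not at render time. A template comment above the line would make the intent reviewable, for example `{{/* TLS terminates at the ingress; no server cert/key is mounted under /etc/nova/certs */}}`, provided that matches what the snippet actually does. The same `path` removal appears in placement/templates/deployment.yaml for `/etc/placement/certs`.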
diff --git a/nova/templates/ingress-metadata.yaml b/nova/templates/ingress-metadata.yaml
|
|
index 36eb8647..8c88cfdc 100644
|
|
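--- a/nova/templates/ingress-metadata.yaml
+++ b/nova/templates/ingress-metadata.yaml
@@ -15,9 +15,5 @@ limitations under the License.
 {{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
 {{- $envAll := . -}}
 {{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}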
diff --git a/nova/templates/ingress-novncproxy.yaml b/nova/templates/ingress-novncproxy.yaml
|
|
index ec68fb60..189e07e8 100644
|
|
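--- a/nova/templates/ingress-novncproxy.yaml
+++ b/nova/templates/ingress-novncproxy.yaml
@@ -15,9 +15,5 @@ limitations under the License.
 {{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public (eq .Values.console.console_kind "novnc") }}
 {{- $envAll := . }}
 {{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}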
diff --git a/nova/templates/ingress-osapi.yaml b/nova/templates/ingress-osapi.yaml
|
|
index b78f80f4..6f9a4f74 100644
|
|
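--- a/nova/templates/ingress-osapi.yaml
+++ b/nova/templates/ingress-osapi.yaml
@@ -15,9 +15,5 @@ limitations under the License.
 {{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
 {{- $envAll := . -}}
 {{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
-{{- if and .Values.manifests.certificates $secretName }}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end }}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}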
diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
|
|
index de8812dd..2aa62d21 100644
|
|
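--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -102,7 +102,7 @@ spec:
 subPath: {{ base .Values.conf.nova.DEFAULT.log_config_append | quote }}
 readOnly: true
 {{- end }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -116,7 +116,7 @@ spec:
 secret:
 secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1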
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
|
|
index 1ba49cb4..6ad23f63 100644
|
|
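--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
@@ -76,7 +76,7 @@ spec:
 mountPath: /tmp/cell-setup-init.sh
 subPath: cell-setup-init.sh
 readOnly: true
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 containers:
 - name: nova-cell-setup
 {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -113,7 +113,7 @@ spec:
 subPath: policy.yaml
 readOnly: true
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -128,7 +128,7 @@ spec:
 name: nova-bin
 defaultMode: 0555
 {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1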
diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml
|
|
index 1e41ec46..01d434f6 100644
|
|
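--- a/nova/templates/job-ks-endpoints.yaml
+++ b/nova/templates/job-ks-endpoints.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}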
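Review bot: `tlsSecret` is taken from `.Values.secrets.tls.compute.osapi.public` whenever `manifests.certificates` or `tls.identity` is true, with no check that the value is actually set. The ingress templates edited elsewhere in this patch used to guard the equivalent lookup with `if and .Values.manifests.certificates $secretName`; what the keystone job manifest does with an empty `tlsSecret` is not visible here, so an unset `public` entry may surface only at deploy time. A matching guard would be `{{- if and (or .Values.manifests.certificates .Values.tls.identity) .Values.secrets.tls.compute.osapi.public -}}`. The same applies to nova job-ks-service.yaml and job-ks-user.yaml and to the three placement job-ks-*.yaml sections; the job definition continues outside the hunk.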
diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml
|
|
index 9e7a551f..8cab3f78 100644
|
|
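--- a/nova/templates/job-ks-service.yaml
+++ b/nova/templates/job-ks-service.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-3"
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}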
diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml
|
|
index 7d0f0197..b0e7413b 100644
|
|
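--- a/nova/templates/job-ks-user.yaml
+++ b/nova/templates/job-ks-user.yaml
@@ -20,7 +20,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "nova" -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.compute.osapi.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}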
diff --git a/nova/templates/pod-rally-test.yaml b/nova/templates/pod-rally-test.yaml
|
|
index d53f2047..9b66716b 100644
|
|
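--- a/nova/templates/pod-rally-test.yaml
+++ b/nova/templates/pod-rally-test.yaml
@@ -59,7 +59,7 @@ spec:
 mountPath: /tmp/ks-user.sh
 subPath: ks-user.sh
 readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
@@ -99,7 +99,7 @@ spec:
 readOnly: true
 - name: rally-db
 mountPath: /var/lib/rally
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
+{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
 {{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -114,6 +114,6 @@ spec:
 defaultMode: 0555
 - name: rally-db
 emptyDir: {}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.public | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
 {{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
 {{- end }}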
diff --git a/placement/templates/certificates.yaml b/placement/templates/certificates.yaml
|
|
deleted file mode 100644
|
|
index ada7fde1..00000000
|
|
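--- a/placement/templates/certificates.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.certificates -}}
-{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
-{{- end -}}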
diff --git a/placement/templates/deployment.yaml b/placement/templates/deployment.yaml
|
|
index 08450f36..72800a05 100644
|
|
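--- a/placement/templates/deployment.yaml
+++ b/placement/templates/deployment.yaml
@@ -141,7 +141,7 @@ spec:
 mountPath: {{ .Values.conf.placement.DEFAULT.log_dir }}
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal "path" "/etc/placement/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 {{ if $mounts_placement.volumeMounts }}{{ toYaml $mounts_placement.volumeMounts | indent 12 }}{{ end }}
 volumes:
 - name: pod-tmp
@@ -163,6 +163,6 @@ spec:
 type: DirectoryOrCreate
 {{- end }}
 {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.placement.api.public | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{ if $mounts_placement.volumes }}{{ toYaml $mounts_placement.volumes | indent 8 }}{{ end }}
 {{- end }}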
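Review bot: The `tls_volume` line for `.Values.secrets.tls.placement.api.public` is still emitted when `manifests.certificates` or `tls.identity` is true, yet this patch deletes placement/templates/certificates.yaml, so nothing visible in the placement chart creates a certificate any more. Unless that `public` secret is provisioned outside the chart (presumably by the platform's ingress setup, which is not shown here), the pod would reference a Secret that does not exist and stay in ContainerCreating. The dependency deserves a comment next to the volume line, e.g. `{{/* secret is provisioned outside this chart; certificates.yaml was removed */}}`. The database volume on the line above is still gated on `manifests.certificates` and uses the `internal` secret, so it is worth confirming that this flag keeps a well-defined meaning once backend TLS is off.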
diff --git a/placement/templates/ingress.yaml b/placement/templates/ingress.yaml
|
|
index 68ce111a..779b2fe6 100644
|
|
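--- a/placement/templates/ingress.yaml
+++ b/placement/templates/ingress.yaml
@@ -17,9 +17,5 @@ limitations under the License.
 {{- if and .Values.manifests.ingress .Values.network.api.ingress.public }}
 {{- $envAll := . -}}
 {{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "placement" "backendPort" "p-api" -}}
-{{- $secretName := $envAll.Values.secrets.tls.placement.api.internal -}}
-{{- if and .Values.manifests.certificates $secretName -}}
-{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
-{{- end -}}
 {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}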
diff --git a/placement/templates/job-ks-endpoints.yaml b/placement/templates/job-ks-endpoints.yaml
|
|
index bfb0bd28..55b7e906 100644
|
|
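--- a/placement/templates/job-ks-endpoints.yaml
+++ b/placement/templates/job-ks-endpoints.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "1"
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) -}}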
diff --git a/placement/templates/job-ks-service.yaml b/placement/templates/job-ks-service.yaml
|
|
index 3f05eb06..f6c84509 100644
|
|
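--- a/placement/templates/job-ks-service.yaml
+++ b/placement/templates/job-ks-service.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-2"
 {{- if .Values.manifests.job_ks_service }}
 {{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "serviceTypes" ( tuple "placement" ) -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) -}}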
diff --git a/placement/templates/job-ks-user.yaml b/placement/templates/job-ks-user.yaml
|
|
index 056938bd..02602c15 100644
|
|
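--- a/placement/templates/job-ks-user.yaml
+++ b/placement/templates/job-ks-user.yaml
@@ -22,7 +22,7 @@ helm.sh/hook-weight: "-1"
 {{- if .Values.manifests.job_ks_user }}
 {{- $ksUserJob := dict "envAll" . "serviceName" "placement" -}}
 {{- if or .Values.manifests.certificates .Values.tls.identity -}}
-{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.internal -}}
+{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.placement.api.public -}}
 {{- end -}}
 {{- if .Values.helm3_hook }}
 {{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) -}}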
--
|
|
2.34.1
|
|
|