Merge "Enable TLS for Ranger Agent services call to Openstack Services"
commit
fb48e46ff6
@ -55,8 +55,10 @@ def get_token():
|
|||
}
|
||||
|
||||
try:
|
||||
verify = os.environ['CAFILE'] or False
|
||||
resp = requests.post(
|
||||
url, data=json.dumps(data), headers=headers, timeout=120)
|
||||
url, data=json.dumps(data), headers=headers,
|
||||
verify=verify, timeout=120)
|
||||
|
||||
if resp.status_code != 201:
|
||||
sys.stderr.write("Failed to get token for region: %s - %s\n" %
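Review bot: `verify = os.environ['CAFILE'] or False` fails open: when CAFILE is present but empty — which is exactly what the chart's `value: {{ default "" .Values.conf.ranger_agent.keystone_authtoken.https_cacert }}` renders whenever no CA path is configured — `verify` becomes `False` and `requests.post` skips certificate validation on an https URL, while an unset variable raises `KeyError` inside the `try:`. Falling back to the default trust store instead keeps verification on: `verify = os.environ.get('CAFILE') or True`. The same line appears in the second `get_token` hunk at `@ -42,8 +42,10 @@`. The remainder of `get_token`, including the `except` that would see the `KeyError`, is outside the hunk, so how that error surfaces is not visible here.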
|
||||
|
|
|
@ -42,8 +42,10 @@ def get_token():
|
|||
}
|
||||
|
||||
try:
|
||||
verify = os.environ['CAFILE'] or False
|
||||
resp = requests.post(
|
||||
url, data=json.dumps(data), headers=headers, timeout=100)
|
||||
url, data=json.dumps(data), headers=headers,
|
||||
verify=verify, timeout=100)
|
||||
|
||||
if resp.status_code != 201:
|
||||
sys.stderr.write("Failed to get token for region: %s - %s\n" %
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{ dict "envAll" . "service" "ranger_agent" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||
{{- end -}}
|
|
@ -16,7 +16,12 @@ limitations under the License.
|
|||
{{- $envAll := . }}
|
||||
|
||||
{{- if empty .Values.conf.ranger_agent.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "ranger_agent" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ranger_agent.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "ranger_agent" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.ranger_agent.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.ranger_agent.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.ranger_agent.DEFAULT.transport_url -}}
|
||||
{{- $_ := tuple "oslo_messaging" "internal" "ranger-agent" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" | set .Values.conf.ranger_agent.DEFAULT "transport_url" -}}
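Review bot: The `ssl_ca`/`ssl_key`/`ssl_cert`/`ssl_verify_cert` parameters are appended only on the generated branch, so an operator who sets `conf.ranger_agent.database.connection` explicitly gets that string verbatim even with `manifests.certificates: true` and connects without the TLS options unless they add them by hand; this is easy to miss without a comment. Suggest `{{/* TLS options are added only to the generated URI; an explicit database.connection must carry its own ssl_* parameters */}}` above the `{{- if empty .Values.conf.ranger_agent.database.connection -}}` line. The same structure is in the ranger chart's configmap-etc hunk at `@ -16,7 +16,12 @@` later in this commit.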
|
||||
|
@ -24,6 +29,9 @@ limitations under the License.
|
|||
{{- if empty .Values.conf.ranger_agent.DEFAULT.ord_server_url -}}
|
||||
{{- $_ := tuple "ranger_agent" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.ranger_agent.path.default | set .Values.conf.ranger_agent.DEFAULT "ord_server_url" -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.ranger_agent.DEFAULT.glance_api_url -}}
|
||||
{{- $_ := tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.ranger_agent.DEFAULT "glance_api_url" -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.ranger_agent.keystone_authtoken.username -}}
|
||||
{{- $_ := set .Values.conf.ranger_agent.keystone_authtoken "username" .Values.endpoints.identity.auth.ranger_agent.username -}}
|
||||
{{- end -}}
|
||||
|
|
|
@ -116,6 +116,8 @@ spec:
|
|||
mountPath: /etc/ranger-agent/api-paste.ini
|
||||
subPath: api-paste.ini
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_ranger_agent_api.volumeMounts }}{{ toYaml $mounts_ranger_agent_api.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-etc-ranger-agent
|
||||
|
@ -128,5 +130,7 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-agent-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_ranger_agent_api.volumes}}{{ toYaml $mounts_ranger_agent_api.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -141,6 +141,8 @@ spec:
|
|||
mountPath: /etc/ranger-agent/api-paste.ini
|
||||
subPath: api-paste.ini
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_ranger_agent_engine.volumeMounts }}{{ toYaml $mounts_ranger_agent_engine.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-etc-ranger-agent
|
||||
|
@ -153,5 +155,7 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-agent-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_ranger_agent_engine.volumes}}{{ toYaml $mounts_ranger_agent_engine.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -74,6 +74,8 @@ spec:
|
|||
value: {{ tuple "ranger_agent" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.ranger_agent.path.default }}
|
||||
- name: RMS_ENDPOINT
|
||||
value: {{ .Values.conf.region.rms_listener_endpoint }}
|
||||
- name: CAFILE
|
||||
value: {{ default "" .Values.conf.ranger_agent.keystone_authtoken.https_cacert }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.ranger_agent }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
|
@ -85,6 +87,7 @@ spec:
|
|||
mountPath: /tmp/add-region.py
|
||||
subPath: add-region.py
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_ranger_agent_add_region.volumeMounts }}
|
||||
{{ toYaml $mounts_ranger_agent_add_region.volumeMounts | indent 12 }}
|
||||
{{ end }}
|
||||
|
@ -93,6 +96,7 @@ spec:
|
|||
configMap:
|
||||
name: ranger-agent-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_ranger_agent_add_region.volumes }}
|
||||
{{ toYaml $mounts_ranger_agent_add_region.volumes | indent 8 }}
|
||||
{{ end }}
|
||||
|
|
|
@ -13,6 +13,9 @@ limitations under the License.
|
|||
*/}}
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "ranger-agent" -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "ranger-agent" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "ranger-agent" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "ranger-agent" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_ks_endpoints }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "ranger-agent" "serviceTypes" ( tuple "ranger-agent" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,6 +14,9 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_ks_service }}
|
||||
{{- $ksServiceJob := dict "envAll" . "serviceName" "ranger-agent" "serviceTypes" ( tuple "ranger-agent" ) -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
|
||||
{{- end }}
|
||||
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_ks_user_ranger }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger_admin" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_ks_user_ranger }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_ks_user }}
|
||||
{{- $ksUserJob := dict "envAll" . "serviceName" "ranger-agent" "serviceUser" "ranger_agent" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.ranger_agent.api.internal -}}
|
||||
{{- end -}}
|
||||
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -48,6 +48,8 @@ spec:
|
|||
value: {{ tuple "ranger_agent" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||
- name: END_STATUS_KEY
|
||||
value: {{ .Values.conf.test.expected_end_status_key }}
|
||||
- name: CAFILE
|
||||
value: {{ default "" .Values.conf.ranger_agent.keystone_authtoken.https_cacert }}
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.ranger_agent }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -59,11 +61,13 @@ spec:
|
|||
mountPath: /tmp/ranger-agent-test.py
|
||||
subPath: ranger-agent-test.py
|
||||
readOnly: true
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal "path" "/etc/ranger-agent/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
|
||||
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
|
||||
volumes:
|
||||
- name: ranger-agent-bin
|
||||
configMap:
|
||||
name: ranger-agent-bin
|
||||
defaultMode: 0555
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.ranger_agent.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
|
||||
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -16,6 +16,7 @@ limitations under the License.
|
|||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "ranger_agent" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
|
||||
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
@ -23,6 +24,10 @@ metadata:
|
|||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -26,8 +26,8 @@ images:
|
|||
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
||||
ks_user: docker.io/openstackhelm/heat:stein-ubuntu_bionic
|
||||
rabbit_init: docker.io/rabbitmq:3.7-management
|
||||
ranger-agent_db_sync: quay.io/attcomdev/ranger-agent:cbfd19b550b722a605f799523e51c108a8f1311a
|
||||
ranger_agent: quay.io/attcomdev/ranger-agent:cbfd19b550b722a605f799523e51c108a8f1311a
|
||||
ranger-agent_db_sync: quay.io/attcomdev/ranger-agent:7a994622705a949953d5d1552e4186c576fdcff9
|
||||
ranger_agent: quay.io/attcomdev/ranger-agent:7a994622705a949953d5d1552e4186c576fdcff9
|
||||
scripted_test: docker.io/openstackhelm/heat:newton-ubuntu_xenial
|
||||
pull_policy: "IfNotPresent"
|
||||
local_registry:
|
||||
|
@ -346,6 +346,10 @@ secrets:
|
|||
ranger_agent:
|
||||
api:
|
||||
public: ranger-agent
|
||||
internal: ranger-agent-tls-api
|
||||
# ranger_agent_engine:
|
||||
# engine:
|
||||
# internal: ranger-agent-tls-engine
|
||||
|
||||
# typically overridden by environmental
|
||||
# values, but should include all endpoints
|
||||
|
@ -460,6 +464,9 @@ endpoints:
|
|||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
ranger_agent:
|
||||
username: ranger-agent
|
||||
password: password
|
||||
|
@ -534,6 +541,7 @@ endpoints:
|
|||
public: 443
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
deployment_ranger_agent_api: true
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
pod:
|
||||
security_context:
|
||||
ranger_agent:
|
||||
container:
|
||||
ranger_agent_api:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
ranger_agent_engine:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
conf:
|
||||
ranger_agent:
|
||||
keystone_authtoken:
|
||||
https_cacert: /etc/ranger-agent/certs/ca.crt
|
||||
endpoints:
|
||||
identity:
|
||||
auth:
|
||||
admin:
|
||||
cacert: /etc/ssl/certs/openstack-helm.crt
|
||||
scheme:
|
||||
default: https
|
||||
port:
|
||||
api:
|
||||
default: 443
|
||||
orchestration:
|
||||
scheme:
|
||||
default: https
|
||||
port:
|
||||
api:
|
||||
public: 443
|
||||
image:
|
||||
scheme:
|
||||
default: https
|
||||
port:
|
||||
api:
|
||||
public: 443
|
||||
ranger_agent:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: ranger-agent-tls-api
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
# Needed in TLS phase 2 to terminate call from Ranger
|
||||
# scheme:
|
||||
# default: https
|
||||
# port:
|
||||
# api:
|
||||
# public: 443
|
||||
#
|
||||
# TBD - only need below if separate cert for engine pod
|
||||
# ranger_agent_engine:
|
||||
# host_fqdn_override:
|
||||
# default:
|
||||
# tls:
|
||||
# secretName: ranger-agent-tls-engine
|
||||
# issuerRef:
|
||||
# name: ca-issuer
|
||||
manifests:
|
||||
certificates: true
|
||||
...
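Review bot: The override sets `runAsUser: 0` and `readOnlyRootFilesystem: false` for the `ranger_agent_api` and `ranger_agent_engine` containers, which weakens two hardening controls as a side effect of turning on certificates; nothing in the diff shows why a CA file mounted read-only under `/etc/ranger-agent/certs` would need root or a writable root filesystem. If this is a workaround, a comment above `security_context` naming the cause (e.g. `# TODO(<owner>): root + writable rootfs needed because <reason>; drop once fixed`) stops it from being copied into production overrides; otherwise the `pod.security_context` stanza should be removed from this file. Separately, `endpoints.identity.auth.admin.cacert` points at `/etc/ssl/certs/openstack-helm.crt` whereas `keystone_authtoken.https_cacert` points at `/etc/ranger-agent/certs/ca.crt`; I do not see a mount for the former anywhere in this diff, so it is worth confirming the pods that read it actually get one.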
|
|
@ -16,7 +16,12 @@ limitations under the License.
|
|||
{{- $envAll := . }}
|
||||
|
||||
{{- if empty .Values.conf.ranger.database.connection -}}
|
||||
{{- $_ := tuple "oslo_db" "internal" "ranger" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ranger.database "connection" -}}
|
||||
{{- $connection := tuple "oslo_db" "internal" "ranger" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | set .Values.conf.ranger.database "connection" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values.conf.ranger.database "connection" $connection -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if empty .Values.conf.ranger.keystone_authtoken.username -}}
|
||||
{{- $_ := set .Values.conf.ranger.keystone_authtoken "username" .Values.endpoints.identity.auth.ranger.username -}}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_audit.volumeMounts }}{{ toYaml $mounts_audit.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_audit.volumes}}{{ toYaml $mounts_audit.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_cms.volumeMounts }}{{ toYaml $mounts_cms.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_cms.volumes}}{{ toYaml $mounts_cms.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_fms.volumeMounts }}{{ toYaml $mounts_fms.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_fms.volumes}}{{ toYaml $mounts_fms.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_ims.volumeMounts }}{{ toYaml $mounts_ims.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_ims.volumes}}{{ toYaml $mounts_ims.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -162,6 +162,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_rds.volumeMounts }}{{ toYaml $mounts_rds.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -176,5 +177,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_rds.volumes}}{{ toYaml $mounts_rds.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_rms.volumeMounts }}{{ toYaml $mounts_rms.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_rms.volumes}}{{ toYaml $mounts_rms.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -115,6 +115,7 @@ spec:
|
|||
mountPath: /etc/ranger/ranger.conf
|
||||
subPath: ranger.conf
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_uuid.volumeMounts }}{{ toYaml $mounts_uuid.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -129,5 +130,6 @@ spec:
|
|||
secret:
|
||||
secretName: ranger-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_uuid.volumes}}{{ toYaml $mounts_uuid.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -13,6 +13,9 @@ limitations under the License.
|
|||
*/}}
|
||||
|
||||
{{- if .Values.manifests.job_db_drop }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "ranger" -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- $dbDropJob := dict "envAll" . "serviceName" "ranger" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_db_init }}
|
||||
{{- $dbInitJob := dict "envAll" . "serviceName" "ranger" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbInitJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -14,5 +14,8 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.job_db_sync }}
|
||||
{{- $dbSyncJob := dict "envAll" . "serviceName" "ranger" -}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{- $_ := set $dbSyncJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
|
||||
{{- end -}}
|
||||
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
|
||||
{{- end }}
|
||||
|
|
|
@ -16,6 +16,7 @@ limitations under the License.
|
|||
{{- $envAll := . }}
|
||||
{{- range $key1, $userClass := tuple "admin" "ranger" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oslo_db $userClass }}
|
||||
{{- $connection := tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
|
@ -23,6 +24,10 @@ metadata:
|
|||
name: {{ $secretName }}
|
||||
type: Opaque
|
||||
data:
|
||||
DB_CONNECTION: {{ tuple "oslo_db" "internal" $userClass "mysql" $envAll | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | b64enc -}}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
DB_CONNECTION: {{ (printf "%s?charset=utf8&ssl_ca=/etc/mysql/certs/ca.crt&ssl_key=/etc/mysql/certs/tls.key&ssl_cert=/etc/mysql/certs/tls.crt&ssl_verify_cert" $connection ) | b64enc -}}
|
||||
{{- else }}
|
||||
DB_CONNECTION: {{ $connection | b64enc -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -572,6 +572,9 @@ endpoints:
|
|||
admin:
|
||||
username: root
|
||||
password: password
|
||||
secret:
|
||||
tls:
|
||||
internal: mariadb-tls-direct
|
||||
ranger:
|
||||
username: ranger
|
||||
password: password
|
||||
|
@ -717,6 +720,7 @@ network:
|
|||
port: 38090
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
deployment_ranger_services: true
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
manifests:
|
||||
certificates: true
|
||||
...
|
|
@ -21,10 +21,11 @@
|
|||
set -e
|
||||
HELM_CHART="$1"
|
||||
: "${HELM_CHART_ROOT_PATH:="../openstack-helm-addons"}"
|
||||
: "${OPENSTACK_RELEASE:="ocata"}"
|
||||
: "${CONTAINER_DISTRO_NAME:="ubuntu"}"
|
||||
: "${CONTAINER_DISTRO_VERSION:="xenial"}"
|
||||
: "${FEATURE_GATES:=""}"
|
||||
OSH_FEATURE_MIX="${FEATURE_GATES},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"
|
||||
OSH_FEATURE_MIX="${FEATURE_GATES},${OPENSTACK_RELEASE},${CONTAINER_DISTRO_NAME}_${CONTAINER_DISTRO_VERSION},${CONTAINER_DISTRO_NAME}"
|
||||
|
||||
function echoerr () {
|
||||
echo "$@" 1>&2;
|
||||
|
@ -72,6 +73,6 @@ function override_file_args () {
|
|||
echo "${OVERRIDE_ARGS}"
|
||||
}
|
||||
|
||||
echoerr "We are going to deploy the service ${HELM_CHART}, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
|
||||
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
|
||||
source ${HELM_CHART_ROOT_PATH}/tools/deployment/common/env-variables.sh
|
||||
override_file_args "${OSH_FEATURE_MIX}"
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
|
@ -19,19 +21,36 @@ sudo -H -E pip3 install \
|
|||
|
||||
sudo -H mkdir -p /etc/openstack
|
||||
sudo -H chown -R $(id -un): /etc/openstack
|
||||
tee /etc/openstack/clouds.yaml << EOF
|
||||
clouds:
|
||||
openstack_helm:
|
||||
region_name: RegionOne
|
||||
identity_api_version: 3
|
||||
auth:
|
||||
username: 'admin'
|
||||
password: 'password'
|
||||
project_name: 'admin'
|
||||
project_domain_name: 'default'
|
||||
user_domain_name: 'default'
|
||||
auth_url: 'http://keystone.openstack.svc.cluster.local/v3'
|
||||
FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
|
||||
tee /etc/openstack/clouds.yaml << EOF
|
||||
clouds:
|
||||
openstack_helm:
|
||||
region_name: RegionOne
|
||||
identity_api_version: 3
|
||||
cacert: /etc/openstack-helm/certs/ca/ca.pem
|
||||
auth:
|
||||
username: 'admin'
|
||||
password: 'password'
|
||||
project_name: 'admin'
|
||||
project_domain_name: 'default'
|
||||
user_domain_name: 'default'
|
||||
auth_url: 'https://keystone.openstack.svc.cluster.local/v3'
|
||||
EOF
|
||||
else
|
||||
tee /etc/openstack/clouds.yaml << EOF
|
||||
clouds:
|
||||
openstack_helm:
|
||||
region_name: RegionOne
|
||||
identity_api_version: 3
|
||||
auth:
|
||||
username: 'admin'
|
||||
password: 'password'
|
||||
project_name: 'admin'
|
||||
project_domain_name: 'default'
|
||||
user_domain_name: 'default'
|
||||
auth_url: 'http://keystone.openstack.svc.cluster.local/v3'
|
||||
EOF
|
||||
fi
|
||||
|
||||
#NOTE: Build charts
|
||||
make all
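Review bot: The TLS branch duplicates the entire `clouds.yaml` heredoc to change two lines (the `cacert:` entry and the `auth_url` scheme), so the two copies will drift as soon as one is edited. Deriving the scheme and the optional `cacert` line from the feature gate and writing the file once keeps a single source of truth; the rewritten lines are below. Both copies still echo the literal admin password through `tee` into the job output, as the previous version did.
```shell
FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
  KEYSTONE_SCHEME="https"
  CACERT_LINE="    cacert: /etc/openstack-helm/certs/ca/ca.pem"
else
  KEYSTONE_SCHEME="http"
  CACERT_LINE=""
fi
tee /etc/openstack/clouds.yaml << EOF
clouds:
  openstack_helm:
    region_name: RegionOne
    identity_api_version: 3
${CACERT_LINE}
    auth:
# … unchanged: username/password/project/domain lines …
      auth_url: '${KEYSTONE_SCHEME}://keystone.openstack.svc.cluster.local/v3'
EOF
```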
|
||||
|
|
|
@ -34,5 +34,12 @@ helm upgrade --install heat ${HELM_CHART_ROOT_PATH}/heat \
|
|||
#NOTE: Validate Deployment info
|
||||
helm status heat
|
||||
export OS_CLOUD=openstack_helm
|
||||
openstack service list
|
||||
openstack endpoint list
|
||||
sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
|
||||
openstack orchestration service list
|
||||
openstack --os-interface internal orchestration service list
|
||||
|
||||
FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
|
||||
curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://heat.openstack.svc.cluster.local
|
||||
curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://heat-api.openstack.svc.cluster.local:8004
|
||||
fi
|
||||
|
|
|
@ -36,3 +36,8 @@ helm status keystone
|
|||
export OS_CLOUD=openstack_helm
|
||||
sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
|
||||
openstack endpoint list
|
||||
|
||||
FEATURE_GATE="tls"; if [[ ${FEATURE_GATES//,/ } =~ (^|[[:space:]])${FEATURE_GATE}($|[[:space:]]) ]]; then
|
||||
curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://keystone.openstack.svc.cluster.local
|
||||
curl --cacert /etc/openstack-helm/certs/ca/ca.pem -L https://keystone-api.openstack.svc.cluster.local:5000
|
||||
fi
|
||||
|
|
|
@ -0,0 +1,173 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -eux
|
||||
|
||||
: ${CERT_MANAGER_VERSION:="v0.15.0"}
|
||||
|
||||
cert_path="/etc/openstack-helm"
|
||||
ca_cert_root="$cert_path/certs/ca"
|
||||
|
||||
function check_cert {
|
||||
# $1: the certificate file, e.g. ca.pem
|
||||
# $2: the key file, e.g. ca-key.pem
|
||||
local cert="$(openssl x509 -noout -modulus -in $1)"
|
||||
local key="$(openssl rsa -noout -modulus -in $2)"
|
||||
if ! [ "$cert" = "$key" ]; then
|
||||
echo "Failure: tls private key does not match cert"
|
||||
exit 1
|
||||
else
|
||||
echo "Pass: $cert is valid with $key"
|
||||
fi
|
||||
}
|
||||
|
||||
# Download cfssl and cfssljson if they are not available on the system
|
||||
if type cfssl && type cfssljson; then
|
||||
echo "cfssl and cfssljson found - skipping installation"
|
||||
else
|
||||
echo "installing cfssl and cfssljson"
|
||||
temp_bin=$(mktemp --directory)
|
||||
cd $temp_bin
|
||||
CFSSLURL=https://pkg.cfssl.org/R1.2
|
||||
curl -sSL -o cfssl $CFSSLURL/cfssl_linux-amd64
|
||||
curl -sSL -o cfssljson $CFSSLURL/cfssljson_linux-amd64
|
||||
chmod +x {cfssl,cfssljson}
|
||||
export PATH=$PATH:$temp_bin
|
||||
fi
|
||||
|
||||
# Sets up a directory for the certs
|
||||
sudo rm -rf $cert_path
|
||||
sudo mkdir -p $ca_cert_root
|
||||
sudo chmod -R go+w $cert_path
|
||||
|
||||
cd $ca_cert_root
|
||||
|
||||
cat > ca-csr.json <<EOF
|
||||
{
|
||||
"CN": "ACME Company",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 4096
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "SomeState",
|
||||
"ST": "SomeCity",
|
||||
"O": "SomeOrg",
|
||||
"OU": "SomeUnit"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
|
||||
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
|
||||
check_cert ca.pem ca-key.pem
|
||||
|
||||
|
||||
cat > cfssl.json <<EOF
|
||||
{
|
||||
"signing": {
|
||||
"default": {
|
||||
"expiry": "8760h"
|
||||
},
|
||||
"profiles": {
|
||||
"intermediate_ca": {
|
||||
"expiry": "8760h",
|
||||
"usages": [
|
||||
"signing",
|
||||
"digital signature",
|
||||
"cert sign",
|
||||
"crl sign",
|
||||
"key encipherment",
|
||||
"server auth",
|
||||
"client auth"
|
||||
],
|
||||
"ca_constraint": {
|
||||
"is_ca": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
cat > intermediate-ca.json <<EOF
|
||||
{
|
||||
"CN": "OpenStack Helm CA",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 4096
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "GB",
|
||||
"L": "Space",
|
||||
"ST": "Earth",
|
||||
"O": "OSH",
|
||||
"OU": "OSH"
|
||||
}
|
||||
],
|
||||
"ca": {
|
||||
"expiry": "8760h"
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
cfssl gencert -initca intermediate-ca.json | cfssljson -bare intermediate-ca -
|
||||
cfssl sign -ca ca.pem -ca-key ca-key.pem -config cfssl.json -profile intermediate_ca \
|
||||
intermediate-ca.csr | cfssljson -bare intermediate-ca
|
||||
check_cert intermediate-ca.pem intermediate-ca-key.pem
|
||||
|
||||
kubectl create ns cert-manager
|
||||
helm repo add jetstack https://charts.jetstack.io
|
||||
helm repo update
|
||||
|
||||
# helm 2 command
|
||||
helm install --name cert-manager --namespace cert-manager \
|
||||
--version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
|
||||
--set installCRDs=true \
|
||||
--set featureGates=ExperimentalCertificateControllers=true \
|
||||
--set extraArgs[0]="--enable-certificate-owner-ref=true"
|
||||
|
||||
# helm 3 command
|
||||
# helm install cert-manager jetstack/cert-manager --namespace cert-manager \
|
||||
# --version ${CERT_MANAGER_VERSION} \
|
||||
# --set installCRDs=true \
|
||||
#. --set featureGates=ExperimentalCertificateControllers=true \
|
||||
# --set extraArgs[0]="--enable-certificate-owner-ref=true"
|
||||
|
||||
helm repo remove jetstack
|
||||
|
||||
key=$(cat /etc/openstack-helm/certs/ca/ca-key.pem | base64 | tr -d "\n")
|
||||
crt=$(cat /etc/openstack-helm/certs/ca/ca.pem | base64 | tr -d "\n")
|
||||
|
||||
cat > /tmp/ca-issuers.yaml <<EOF
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ca-key-pair
|
||||
namespace: openstack
|
||||
data:
|
||||
tls.crt: $crt
|
||||
tls.key: $key
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: ca-issuer
|
||||
namespace: openstack
|
||||
spec:
|
||||
ca:
|
||||
secretName: ca-key-pair
|
||||
EOF
|
||||
|
||||
|
||||
kubectl wait --for=condition=Ready pods --all -n cert-manager --timeout=180s
|
||||
|
||||
# Per [0], put a sleep here to guard against the error - failed calling webhook "webhook.cert-manager.io"
|
||||
# [0] https://github.com/jetstack/cert-manager/issues/2602
|
||||
sleep 45
|
||||
|
||||
kubectl create ns openstack
|
||||
kubectl apply -f /tmp/ca-issuers.yaml
|
|
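Review bot: With `set -eux` at the top of the script, the assignments `key=$(cat /etc/openstack-helm/certs/ca/ca-key.pem | base64 | tr -d "\n")` and `crt=…` are echoed by xtrace with their expanded values, so the base64 CA private key is written into the job log; the same key is then left in `/tmp/ca-issuers.yaml` with default-umask permissions and never removed. Creating the Secret with `kubectl create secret tls` directly from the PEM files avoids both the shell variable and the temp file, and the Issuer manifest no longer needs to carry key material. Separately, the intermediate CA produced and checked at `cfssl sign -ca ca.pem -ca-key ca-key.pem … -profile intermediate_ca` is never referenced afterwards (the Issuer is fed the root key), so either issue from `intermediate-ca.pem`/`intermediate-ca-key.pem` and keep the root off-cluster, or drop that generation. `sudo chmod -R go+w $cert_path` also leaves the directory holding `ca-key.pem` world-writable; `sudo chown -R "$(id -u):$(id -g)" "$cert_path"` gives the unprivileged caller what it needs without that. The `curl -sSL -o cfssl $CFSSLURL/cfssl_linux-amd64` download is executed without any integrity check; verifying it with `sha256sum -c` against a known digest would close that supply-chain gap.
```shell
# … unchanged: cfssl download, root/intermediate CA generation, cert-manager install …

cat > /tmp/ca-issuers.yaml <<EOF
---
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
metadata:
  name: ca-issuer
  namespace: openstack
spec:
  ca:
    secretName: ca-key-pair
EOF

# … unchanged: kubectl wait and sleep 45 …

kubectl create ns openstack
# kubectl reads the PEM files itself: the key never enters an xtrace'd shell
# variable or a world-readable temp file.
kubectl create secret tls ca-key-pair --namespace openstack \
  --cert="$ca_cert_root/ca.pem" --key="$ca_cert_root/ca-key.pem"
kubectl apply -f /tmp/ca-issuers.yaml
```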
@ -68,11 +68,13 @@
|
|||
openstack_release: stein
|
||||
container_distro_name: ubuntu
|
||||
container_distro_version: bionic
|
||||
feature_gates: tls
|
||||
gate_scripts_relative_path: ../openstack-helm-addons
|
||||
gate_scripts:
|
||||
- ./tools/deployment/common/install-packages.sh
|
||||
- ./tools/deployment/common/deploy-k8s.sh
|
||||
- ./tools/deployment/common/setup-client.sh
|
||||
- ./tools/scripts/tls/cert-manager.sh
|
||||
- ./tools/deployment/component/common/ingress.sh
|
||||
- ./tools/deployment/component/common/mariadb.sh
|
||||
- ./tools/deployment/component/common/rabbitmq.sh
|
||||
|
|