Create Openstack common components umbrella chart

ADD openstack chart with values_overrides
    * rabbitmq
    * mariadb
    * memcached
    * keystone
    * heat
    * glance

    This adds umbrella chart that references other charts via
    symlink and include global values.

    Because chart values_overrides yaml apply to the main chart,
    the umbrella chart has a chart-scoped replacement

  ADD openstack.sh deploy script
    This script deploys all components with a single release.

  ADD corresponding release notes

  CHG wait-for-pods-sh to accept timeout argument

  CHG get-values-overrides.sh to modify file path for subchart

Change-Id: I25cd9d6785c61540d6329657c0358f27299d3647
Graham Steffaniak 2022-03-16 14:55:47 -05:00
parent 3b780510be
commit 1157d95b71
60 changed files with 1568 additions and 47 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Glance
name: glance
version: 0.3.2
version: 0.3.3
home: https://docs.openstack.org/glance/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
sources:


@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@ -97,7 +103,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}
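Review bot: The six-line `deployment_name` preamble (`{{- if (.Values.global).subchart_release_name }} … {{- end }}`) is pasted verbatim into this template and into the heat and keystone configmap-etc templates and the three pod-rally-test templates in this commit; a shared helm-toolkit named template (name to be chosen) included once per file would keep the copies from drifting, and the glance pod-rally-test copy has already drifted from the heat and keystone ones. The block also deserves a one-line comment, e.g. `{{/* Under the umbrella chart every subchart shares one release name, so name per-chart resources by chart instead */}}`, since that reasoning currently lives only in the commit message.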


@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.glance_tests.glance_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.glance_tests.init_container }}
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
name: {{ print $envAll.Release.Name "-test" }}
name: {{ print $envAll.Chart.Name "-test" }}
labels:
{{ tuple $envAll "glance" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@ -79,7 +85,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
value: {{.Release.Name}}
value: {{.Chart.Name}}
command:
- /tmp/rally-test.sh
volumeMounts:
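Review bot: The pod name and `RALLY_ENV_NAME` here use `$envAll.Chart.Name "-test"` and `{{.Chart.Name}}`, whereas the heat and keystone pod-rally-test templates in this commit use `.deployment_name` for the same two lines. With `subchart_release_name` unset (a standalone glance deploy under any release name other than `glance`) the test pod becomes `glance-test` while its ServiceAccount, created a few lines up from `$serviceAccountName`, stays `<release>-test`, and the rally environment name changes for existing users. The fix is `name: {{ print $envAll.deployment_name "-test" }}` and `value: {{.deployment_name}}`, matching the other two charts.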


@ -27,8 +27,6 @@ network_policy:
matchLabels:
application: cinder
ports:
- protocol: TCP
port: 9191
- protocol: TCP
port: 9292
egress:


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Heat
name: heat
version: 0.2.9
version: 0.2.10
home: https://docs.openstack.org/heat/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
sources:


@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@ -120,7 +126,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}


@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
name: {{ print $envAll.Release.Name "-test" }}
name: {{ print $envAll.deployment_name "-test" }}
labels:
{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@ -40,7 +46,7 @@ spec:
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- name: {{ .Release.Name }}-test-ks-user
- name: {{ .deployment_name }}-test-ks-user
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
command:
@ -65,7 +71,7 @@ spec:
- name: SERVICE_OS_ROLE
value: {{ .Values.endpoints.identity.auth.test.role | quote }}
containers:
- name: {{ .Release.Name }}-test
- name: {{ .deployment_name }}-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
@ -76,7 +82,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
value: {{.Release.Name}}
value: {{.deployment_name}}
command:
- /tmp/rally-test.sh
volumeMounts:


@ -1,17 +1,18 @@
---
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
db_init: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
db_drop: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_user: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_service: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
ks_endpoints: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_db_sync: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_api: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_cfn: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_cloudwatch: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_engine: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_engine_cleaner: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
heat_purge_deleted: "docker.io/openstackhelm/heat:ocata-ubuntu_xenial"
...
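Review bot: This hunk rewrites an existing 17-line override (`-1,17 +1,18`) so that everything sits under a `heat:` key; the file path is not visible on this page, but if it is the heat chart's own `values_overrides/ocata.yaml`, a standalone deploy of the heat chart with this file will silently ignore every image tag, because Helm discards top-level keys the chart does not own. The umbrella-scoped copies for train, ussuri, victoria and wallaby are added as new files in this commit rather than by rewriting the chart-local ones, so this file probably wants the same treatment: leave the chart-local override flat and add a nested copy next to the other new heat override files.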


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Keystone
name: keystone
version: 0.2.20
version: 0.2.21
home: https://docs.openstack.org/keystone/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
sources:


@ -12,6 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@ -35,7 +41,7 @@ limitations under the License.
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}


@ -12,19 +12,25 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if (.Values.global).subchart_release_name }}
{{- $_ := set . "deployment_name" .Chart.Name }}
{{- else }}
{{- $_ := set . "deployment_name" .Release.Name }}
{{- end }}
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.keystone_tests.keystone_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.keystone_tests.init_container }}
{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
name: {{ print $envAll.Release.Name "-test" }}
name: {{ print $envAll.deployment_name "-test" }}
labels:
{{ tuple $envAll "keystone" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@ -79,7 +85,7 @@ spec:
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
value: {{.Release.Name}}
value: {{.deployment_name}}
command:
- /tmp/rally-test.sh
volumeMounts:


@ -68,7 +68,6 @@ bootstrap:
--domain="${OS_DEFAULT_DOMAIN}" \
"admin"
network:
api:
ingress:

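--- /dev/null
+++ b/openstack/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj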
openstack/Chart.yaml Normal file

@ -0,0 +1,31 @@
apiVersion: v2
appVersion: 1.16.0
dependencies:
- name: helm-toolkit
repository: file://../../openstack-helm-infra/helm-toolkit
version: ">0.1.0"
- name: mariadb
repository: file://../../openstack-helm-infra/mariadb
version: ">0.1.0"
- name: rabbitmq
repository: file://../../openstack-helm-infra/rabbitmq
version: ">0.1.0"
- name: memcached
repository: file://../../openstack-helm-infra/memcached
version: ">0.1.0"
- name: keystone
repository: file://../keystone
version: ">0.1.0"
- name: heat
repository: file://../heat
version: ">0.1.0"
- name: glance
repository: file://../glance
version: ">0.1.0"
description: A chart for openstack helm commmon deployment items
name: openstack
type: application
version: 0.1.0
maintainers:
- name: OpenStack-Helm Authors
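Review bot: None of the seven dependencies declares a `condition:`, so the per-subchart `enabled: true` keys that the new openstack/values.yaml sets are inert — Helm only honours `<name>.enabled` when the dependency entry carries `condition: <name>.enabled` (e.g. `condition: mariadb.enabled` under the mariadb entry, repeated for each dependency). `appVersion: 1.16.0` looks like the `helm create` scaffold default rather than anything about this deployment, and `commmon` in the description is a typo. The `file://../../openstack-helm-infra/...` repositories and the matching `charts/` symlinks assume a sibling checkout of openstack-helm-infra; that requirement should be stated in the chart description or the release note.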

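--- /dev/null
+++ b/openstack/charts/glance
@@ -0,0 +1 @@
+../../glance/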
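--- /dev/null
+++ b/openstack/charts/heat
@@ -0,0 +1 @@
+../../heat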

@ -0,0 +1 @@
../../../openstack-helm-infra/helm-toolkit

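--- /dev/null
+++ b/openstack/charts/keystone
@@ -0,0 +1 @@
+../../keystone/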
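--- /dev/null
+++ b/openstack/charts/mariadb
@@ -0,0 +1 @@
+../../../openstack-helm-infra/mariadb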
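--- /dev/null
+++ b/openstack/charts/memcached
@@ -0,0 +1 @@
+../../../openstack-helm-infra/memcached/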
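--- /dev/null
+++ b/openstack/charts/rabbitmq
@@ -0,0 +1 @@
+../../../openstack-helm-infra/rabbitmq/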
openstack/values.yaml Normal file

@ -0,0 +1,42 @@
---
# default values for openstack umbrella chart
# Global overrides for subcharts
global:
subchart_release_name: true
helm-toolkit:
enabled: true
rabbitmq:
enabled: true
volume:
enabled: false
pod:
replicas:
server: 1
mariadb:
enabled: true
pod:
replicas:
server: 1
volume:
enabled: false
use_local_path_for_single_pod_cluster:
enabled: true
memcached:
enabled: true
keystone:
enabled: true
heat:
enabled: true
glance:
enabled: true
storage: pvc
volume:
class_name: standard
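Review bot: `volume.enabled: false` for both rabbitmq and mariadb (mariadb additionally with `use_local_path_for_single_pod_cluster`) makes broker and database state ephemeral, which suits a single-node gate run but is now the umbrella chart's default for every consumer; a comment such as `# dev/gate default: no persistent volumes, state is lost on pod restart — override volume.enabled for real deployments` next to those keys would make the trade-off explicit. Only 34 of the 42 added lines are visible on this page and the indentation is lost, so the exact nesting of these keys is inferred.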


@ -0,0 +1,23 @@
---
glance:
pod:
mandatory_access_control:
type: apparmor
glance-api:
glance-api: runtime/default
glance-perms: runtime/default
init: runtime/default
nginx: runtime/default
glance-metadefs-load:
init: runtime/default
glance-metadefs-load: runtime/default
glance-storage-init:
init: runtime/default
glance-storage-init: runtime/default
glance-test:
init: runtime/default
glance-test: runtime/default
glance-test-ks-user: runtime/default
manifests:
certificates: true
...


@ -0,0 +1,46 @@
---
glance:
manifests:
network_policy: true
network_policy:
glance:
ingress:
- from:
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: cinder
ports:
- protocol: TCP
port: 9292
egress:
- to:
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
...


@ -0,0 +1,128 @@
---
glance:
images:
tags:
nginx: docker.io/nginx:1.18.0
conf:
glance:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
glance_store:
https_ca_certificates_file: /etc/glance/certs/ca.crt
swift_store_cacert: /etc/glance/certs/ca.crt
oslo_messaging_rabbit:
ssl: true
ssl_ca_file: /etc/rabbitmq/certs/ca.crt
ssl_cert_file: /etc/rabbitmq/certs/tls.crt
ssl_key_file: /etc/rabbitmq/certs/tls.key
nginx: |
worker_processes 1;
daemon off;
user nginx;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65s;
tcp_nodelay on;
log_format main '[nginx] method=$request_method path=$request_uri '
'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
'"$remote_user" "$http_referer" "$http_user_agent"';
access_log /dev/stdout main;
upstream websocket {
server 127.0.0.1:$PORT;
}
server {
server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
listen $POD_IP:$PORT ssl;
client_max_body_size 0;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
location / {
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass http://websocket;
proxy_read_timeout 90;
}
}
}
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
endpoints:
identity:
name: keystone
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
glance:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
host_fqdn_override:
default:
tls:
secretName: glance-tls-api
issuerRef:
name: ca-issuer
kind: ClusterIssuer
scheme:
default: https
public: https
port:
api:
public: 443
dashboard:
scheme:
default: https
public: https
port:
web:
default: 80
public: 443
oslo_messaging:
port:
https:
default: 15680
pod:
security_context:
glance:
pod:
runAsUser: 0
resources:
nginx:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
certificates: true
...
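Review bot: The nginx `server` block sets `ssl_certificate`, `ssl_certificate_key` and `ssl_ciphers` but no `ssl_protocols`, so nginx 1.18.0's built-in default (which, as far as I recall, still enables TLSv1 and TLSv1.1) applies, while the heat TLS override in this same commit pins apache to `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`; adding `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_certificate_key` gives the two charts the same floor. The `ssl_ciphers` list also ends in the CBC suite `ECDHE-RSA-AES256-SHA384`, which the heat list does not carry, so the two lists are worth aligning. `runAsUser: 0` under `pod.security_context.glance.pod` has no comment saying why the TLS variant needs root — presumably for the nginx sidecar — and that reason should be stated where the value is set.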


@ -0,0 +1,15 @@
---
glance:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
glance_db_sync: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
glance_api: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
glance_metadefs_load: "docker.io/openstackhelm/glance:train-ubuntu_bionic"
glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
...
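Review bot: `glance_storage_init` pins `docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic`, a mutable tag, while every other tag in this file is release-specific; the same floating tag is repeated in the ussuri, victoria and wallaby glance override files that follow. A moving `latest-*` tag makes the deployment non-reproducible and lets an upstream image rebuild change what the storage-init job runs without any chart change, so it should be pinned to a release-specific tag or an image digest where one exists.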


@ -0,0 +1,15 @@
---
glance:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
glance_db_sync: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
glance_api: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
glance_metadefs_load: "docker.io/openstackhelm/glance:ussuri-ubuntu_bionic"
glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
...


@ -0,0 +1,15 @@
---
glance:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
glance_db_sync: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
glance_api: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
glance_metadefs_load: "docker.io/openstackhelm/glance:victoria-ubuntu_focal"
glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
...


@ -0,0 +1,15 @@
---
glance:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
glance_db_sync: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
glance_api: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
glance_metadefs_load: "docker.io/openstackhelm/glance:wallaby-ubuntu_focal"
glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic"
...


@ -0,0 +1,27 @@
---
heat:
pod:
mandatory_access_control:
type: apparmor
heat-api:
heat-api: runtime/default
init: runtime/default
heat-cfn:
heat-cfn: runtime/default
init: runtime/default
heat-engine:
heat-engine: runtime/default
init: runtime/default
heat-engine-cleaner:
heat-engine-cleaner: runtime/default
init: runtime/default
heat-domain-ks-user:
heat-ks-domain-user: runtime/default
init: runtime/default
heat-trusts:
heat-trusts: runtime/default
init: runtime/default
heat-purge-deleted:
heat-purge-deleted: runtime/default
init: runtime/default
...


@ -0,0 +1,48 @@
---
heat:
manifests:
network_policy: true
network_policy:
heat:
ingress:
- from:
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: horizon
ports:
- protocol: TCP
port: 8000
- protocol: TCP
port: 8003
- protocol: TCP
port: 8004
egress:
- to:
- podSelector:
matchLabels:
application: neutron
- to:
- podSelector:
matchLabels:
application: nova
- to:
- podSelector:
matchLabels:
application: glance
- to:
- podSelector:
matchLabels:
application: cinder
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
...


@ -0,0 +1,191 @@
---
heat:
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_heat: |
{{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
wsgi_cfn: |
{{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
heat:
clients_neutron:
ca_file: /etc/heat/certs/ca.crt
clients_cinder:
ca_file: /etc/heat/certs/ca.crt
clients_glance:
ca_file: /etc/heat/certs/ca.crt
clients_nova:
ca_file: /etc/heat/certs/ca.crt
clients_swift:
ca_file: /etc/heat/certs/ca.crt
ssl:
ca_file: /etc/heat/certs/ca.crt
keystone_authtoken:
cafile: /etc/heat/certs/ca.crt
clients:
ca_file: /etc/heat/certs/ca.crt
clients_keystone:
ca_file: /etc/heat/certs/ca.crt
oslo_messaging_rabbit:
ssl: true
ssl_ca_file: /etc/rabbitmq/certs/ca.crt
ssl_cert_file: /etc/rabbitmq/certs/tls.crt
ssl_key_file: /etc/rabbitmq/certs/tls.key
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cfn:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cloudwatch:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
heat:
container:
heat_api:
readOnlyRootFilesystem: false
runAsUser: 0
heat_cfn:
readOnlyRootFilesystem: false
runAsUser: 0
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
heat:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_trustee:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_stack_user:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
orchestration:
host_fqdn_override:
default:
tls:
secretName: heat-tls-api
issuerRef:
name: ca-issuer
kind: ClusterIssuer
scheme:
default: https
port:
api:
public: 443
cloudformation:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cfn
issuerRef:
name: ca-issuer
kind: ClusterIssuer
scheme:
default: https
port:
api:
public: 443
# Cloudwatch does not get an entry in the keystone service catalog
cloudwatch:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cloudwatch
issuerRef:
name: ca-issuer
kind: ClusterIssuer
ingress:
port:
ingress:
default: 443
oslo_messaging:
port:
https:
default: 15680
manifests:
certificates: true
...
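Review bot: `readOnlyRootFilesystem: false` and `runAsUser: 0` for `heat_api` and `heat_cfn` relax the chart's container hardening with no comment saying why the TLS variant needs it; presumably the apache2 front-end configured under `conf.software.apache2` writes its pid/socket files under a root-owned path — confirm that, and put the actual reason in a comment directly above `security_context` so the relaxation is not copied into non-TLS overrides by habit. The apache-side settings themselves (`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, `SSLHonorCipherOrder on`, a CA path for every client section) look complete.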


@ -0,0 +1,18 @@
---
heat:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_service: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
ks_endpoints: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_db_sync: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_api: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_cfn: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_cloudwatch: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_engine: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_engine_cleaner: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
heat_purge_deleted: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
...


@ -0,0 +1,18 @@
---
heat:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_service: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
ks_endpoints: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_db_sync: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_api: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_cfn: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_cloudwatch: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_engine: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_engine_cleaner: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
heat_purge_deleted: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
...


@ -0,0 +1,18 @@
---
heat:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_service: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
ks_endpoints: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_db_sync: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_api: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_cfn: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_cloudwatch: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_engine: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_engine_cleaner: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
heat_purge_deleted: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
...


@ -0,0 +1,18 @@
---
heat:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_service: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
ks_endpoints: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_db_sync: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_api: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_cfn: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_cloudwatch: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_engine: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_engine_cleaner: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
heat_purge_deleted: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
...


@ -0,0 +1,21 @@
---
keystone:
pod:
mandatory_access_control:
type: apparmor
keystone-api:
keystone-api: runtime/default
keystone-credential-setup:
keystone-credential-setup: runtime/default
keystone-fernet-setup:
keystone-fernet-setup: runtime/default
keystone-credential-cleanup:
keystone-credential-cleanup: runtime/default
keystone-domain-manage:
keystone-domain-manage: runtime/default
keystone-domain-manage-init: runtime/default
keystone-test:
init: runtime/default
keystone-test: runtime/default
keystone-test-ks-user: runtime/default
...


@ -0,0 +1,59 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
keystone:
conf:
keystone:
identity:
driver: sql
default_domain_id: default
domain_specific_drivers_enabled: True
domain_configurations_from_database: True
domain_config_dir: /etc/keystone/domains
ks_domains:
ldapdomain:
identity:
driver: ldap
ldap:
url: "ldap://ldap.openstack.svc.cluster.local:389"
user: "cn=admin,dc=cluster,dc=local"
password: password
suffix: "dc=cluster,dc=local"
user_attribute_ignore: "enabled,email,tenants,default_project_id"
query_scope: sub
user_enabled_emulation: True
user_enabled_emulation_dn: "cn=overwatch,ou=Groups,dc=cluster,dc=local"
user_tree_dn: "ou=People,dc=cluster,dc=local"
user_enabled_mask: 2
user_enabled_default: 512
user_name_attribute: cn
user_id_attribute: sn
user_mail_attribute: mail
user_pass_attribute: userPassword
group_tree_dn: "ou=Groups,dc=cluster,dc=local"
group_filter: ""
group_objectclass: posixGroup
group_id_attribute: cn
group_name_attribute: cn
group_desc_attribute: description
group_member_attribute: memberUID
use_pool: true
pool_size: 27
pool_retry_max: 3
pool_retry_delay: 0.1
pool_connection_timeout: 15
pool_connection_lifetime: 600
use_auth_pool: true
auth_pool_size: 100
auth_pool_connection_lifetime: 60
...
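Review bot: The LDAP bind credential is committed in clear text (`password: password` under `ks_domains.ldapdomain.ldap`) and the bind goes to a plain `ldap://…:389` URL, so the same credential also crosses the network unencrypted. This looks like a gate/test override carried over from the keystone chart; if so, a header comment such as `# NOTE: test-only LDAP fixture; supply the bind password via a Secret/--set and use ldaps:// or use_tls: true in real deployments` would stop it being copied as a template. The `%%%REPLACE_…%%%` substitution used by the network-policy overrides would be a reasonable way to keep the value out of the file.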


@ -0,0 +1,70 @@
---
keystone:
manifests:
network_policy: true
network_policy:
keystone:
ingress:
- from:
- podSelector:
matchLabels:
application: ceph
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: prometheus-openstack-exporter
ports:
- protocol: TCP
port: 5000
egress:
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
...


@ -0,0 +1,91 @@
---
keystone:
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: null
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
keystone:
pod:
runAsUser: 0
container:
keystone_api:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
conf:
software:
apache2:
a2enmod:
- ssl
keystone:
oslo_messaging_rabbit:
ssl: true
ssl_ca_file: /etc/rabbitmq/certs/ca.crt
ssl_cert_file: /etc/rabbitmq/certs/tls.crt
ssl_key_file: /etc/rabbitmq/certs/tls.key
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
Listen 0.0.0.0:{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/keystone/certs/tls.crt
SSLCertificateKeyFile /etc/keystone/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
host_fqdn_override:
default:
tls:
secretName: keystone-tls-api
issuerRef:
name: ca-issuer
kind: ClusterIssuer
scheme:
default: https
public: https
port:
api:
default: 443
oslo_messaging:
port:
https:
default: 15680
manifests:
certificates: true
...
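Review bot: The keystone-api pod is switched to `runAsUser: 0` and `readOnlyRootFilesystem: false` in an override whose purpose is enabling TLS, with nothing saying why root is needed. Presumably it is to let Apache read the mounted `/etc/keystone/certs/tls.key`; if so, a comment such as `# NOTE: runs as root so apache can read the TLS key from the secret mount; revisit with fsGroup/defaultMode` next to `runAsUser: 0` records the trade-off, and a secret `defaultMode`/`fsGroup` may remove the need for it altogether. `allowPrivilegeEscalation: false` is kept here, which is good and worth preserving in the sibling mariadb override.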


@ -0,0 +1,17 @@
---
keystone:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
keystone_api: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_bootstrap: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
keystone_credential_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_credential_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_db_sync: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_domain_manage: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
keystone_fernet_setup: "docker.io/openstackhelm/keystone:train-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:train-ubuntu_bionic"
...


@ -0,0 +1,17 @@
---
keystone:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_init: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
db_drop: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
keystone_api: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_bootstrap: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
keystone_credential_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_credential_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_db_sync: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_domain_manage: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
keystone_fernet_setup: "docker.io/openstackhelm/keystone:ussuri-ubuntu_bionic"
ks_user: "docker.io/openstackhelm/heat:ussuri-ubuntu_bionic"
...


@ -0,0 +1,17 @@
---
keystone:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
keystone_api: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_bootstrap: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
keystone_credential_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_credential_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_db_sync: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_domain_manage: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
keystone_fernet_setup: "docker.io/openstackhelm/keystone:victoria-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:victoria-ubuntu_focal"
...


@ -0,0 +1,17 @@
---
keystone:
images:
tags:
bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_init: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
db_drop: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
keystone_api: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_bootstrap: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
keystone_credential_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_credential_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_db_sync: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_domain_manage: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_fernet_rotate: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
keystone_fernet_setup: "docker.io/openstackhelm/keystone:wallaby-ubuntu_focal"
ks_user: "docker.io/openstackhelm/heat:wallaby-ubuntu_focal"
...


@ -0,0 +1,35 @@
---
mariadb:
pod:
mandatory_access_control:
type: apparmor
mariadb-ingress-error-pages:
init: runtime/default
ingress-error-pages: runtime/default
mariadb-ingress:
init: runtime/default
ingress: runtime/default
mariadb-server:
init: runtime/default
mariadb-perms: runtime/default
mariadb: runtime/default
mariadb-backup:
init: runtime/default
mariadb-backup: runtime/default
mariadb-test:
init: runtime/default
mariadb-test: runtime/default
prometheus-mysql-exporter:
init: runtime/default
mysql-exporter: runtime/default
create-sql-user:
init: runtime/default
exporter-create-sql-user: runtime/default
monitoring:
prometheus:
enabled: true
manifests:
cron_job_mariadb_backup: true
...


@ -0,0 +1,12 @@
---
mariadb:
pod:
replicas:
server: 1
volume:
size: 1Gi
class_name: local-storage
monitoring:
prometheus:
enabled: false
...


@ -0,0 +1,85 @@
---
mariadb:
manifests:
network_policy: true
network_policy:
mariadb:
egress:
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: aodh
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: designate
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: rally
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: prometheus-mysql-exporter
- podSelector:
matchLabels:
application: mariadb
- podSelector:
matchLabels:
application: mariadb-backup
ports:
- protocol: TCP
port: 3306
- protocol: TCP
port: 4567
- protocol: TCP
port: 80
- protocol: TCP
port: 8080
...


@ -0,0 +1,24 @@
---
mariadb:
pod:
security_context:
server:
container:
perms:
readOnlyRootFilesystem: false
mariadb:
runAsUser: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
endpoints:
oslo_db:
host_fqdn_override:
default:
tls:
secretName: mariadb-tls-direct
issuerRef:
name: ca-issuer
kind: ClusterIssuer
manifests:
certificates: true
...
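Review bot: The mariadb container's security context is loosened to `runAsUser: 0`, `allowPrivilegeEscalation: true` and `readOnlyRootFilesystem: false` in a TLS override, without a comment explaining which of the three the certificate setup actually needs. The keystone TLS override on this same commit keeps `allowPrivilegeEscalation: false` while still running as root, which suggests escalation is not required just to read a mounted key. A short `# NOTE:` above `mariadb:` stating why each setting is required (or dropping `allowPrivilegeEscalation: true` if the perms init container already handles file ownership) would make the change reviewable.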


@ -0,0 +1,16 @@
---
memcached:
pod:
mandatory_access_control:
type: apparmor
prometheus_memcached_exporter:
init: runtime/default
memcached-exporter: runtime/default
memcached:
init: runtime/default
memcached: runtime/default
monitoring:
prometheus:
enabled: false
...


@ -0,0 +1,81 @@
---
memcached:
manifests:
network_policy: true
network_policy:
memcached:
ingress:
- from:
- podSelector:
matchLabels:
application: ingress
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: horizon
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: prometheus_memcached_exporter
- podSelector:
matchLabels:
application: aodh
- podSelector:
matchLabels:
application: rally
- podSelector:
matchLabels:
application: memcached
- podSelector:
matchLabels:
application: gnocchi
ports:
- port: 11211
protocol: TCP
- port: 9150
protocol: TCP
egress:
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
...


@ -0,0 +1,26 @@
---
rabbitmq:
pod:
mandatory_access_control:
type: apparmor
rabbitmq-cluster-wait:
init: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-rabbitmq-cluster-wait: runtime/default
rabbitmq:
init: runtime/default
rabbitmq-password: runtime/default
rabbitmq-cookie: runtime/default
rabbitmq-perms: runtime/default
rabbitmq: runtime/default
prometheus-rabbitmq-exporter:
init: runtime/default
rabbitmq-exporter: runtime/default
rabbitmq-rabbitmq-test:
rabbitmq-rabbitmq-test: runtime/default
init: runtime/default
monitoring:
prometheus:
enabled: true
...


@ -0,0 +1,106 @@
---
rabbitmq:
network_policy:
rabbitmq:
ingress:
- from:
- podSelector:
matchLabels:
application: keystone
- podSelector:
matchLabels:
application: heat
- podSelector:
matchLabels:
application: glance
- podSelector:
matchLabels:
application: cinder
- podSelector:
matchLabels:
application: aodh
- podSelector:
matchLabels:
application: barbican
- podSelector:
matchLabels:
application: ceilometer
- podSelector:
matchLabels:
application: designate
- podSelector:
matchLabels:
application: ironic
- podSelector:
matchLabels:
application: magnum
- podSelector:
matchLabels:
application: mistral
- podSelector:
matchLabels:
application: nova
- podSelector:
matchLabels:
application: neutron
- podSelector:
matchLabels:
application: senlin
- podSelector:
matchLabels:
application: placement
- podSelector:
matchLabels:
application: rabbitmq
- podSelector:
matchLabels:
application: prometheus_rabbitmq_exporter
ports:
# AMQP port
- protocol: TCP
port: 5672
# HTTP API ports
- protocol: TCP
port: 15672
- protocol: TCP
port: 80
- from:
- podSelector:
matchLabels:
application: rabbitmq
ports:
# Clustering port AMQP + 20000
- protocol: TCP
port: 25672
# Erlang Port Mapper Daemon (epmd)
- protocol: TCP
port: 4369
egress:
- to:
- podSelector:
matchLabels:
application: rabbitmq
ports:
# Erlang port mapper daemon (epmd)
- protocol: TCP
port: 4369
# Rabbit clustering port AMQP + 20000
- protocol: TCP
port: 25672
# NOTE(lamt): Set by inet_dist_listen_{min/max}. Firewalls must
# permit traffic in this range to pass between clustered nodes.
# - protocol: TCP
# port: 35197
- to:
- ipBlock:
cidr: %%%REPLACE_API_ADDR%%%/32
ports:
- protocol: TCP
port: %%%REPLACE_API_PORT%%%
manifests:
monitoring:
prometheus:
network_policy_exporter: true
network_policy: true
...


@ -0,0 +1,31 @@
---
rabbitmq:
conf:
rabbitmq:
ssl_options:
cacertfile: "/etc/rabbitmq/certs/ca.crt"
certfile: "/etc/rabbitmq/certs/tls.crt"
keyfile: "/etc/rabbitmq/certs/tls.key"
verify: verify_peer
fail_if_no_peer_cert: false
management:
ssl:
cacertfile: "/etc/rabbitmq/certs/ca.crt"
certfile: "/etc/rabbitmq/certs/tls.crt"
keyfile: "/etc/rabbitmq/certs/tls.key"
endpoints:
oslo_messaging:
host_fqdn_override:
default:
tls:
secretName: rabbitmq-tls-direct
issuerRef:
name: ca-issuer
kind: ClusterIssuer
port:
https:
default: 15680
public: 443
manifests:
certificates: true
...


@ -23,4 +23,5 @@ glance:
- 0.3.0 Remove glance registry
- 0.3.1 Enable taint toleration for Openstack services
- 0.3.2 Decrease terminationGracePeriodSeconds on glance-api
- 0.3.3 Update naming for subchart compatibility
...


@ -16,4 +16,5 @@ heat:
- 0.2.7 Helm 3 - Fix Job Labels
- 0.2.8 Update htk requirements repo
- 0.2.9 Enable taint toleration for Openstack services
- 0.2.10 Updated naming for subchart compatibility
...


@ -36,4 +36,5 @@ keystone:
- 0.2.18 Remove default policy
- 0.2.19 Revert Reduce log chattiness
- 0.2.20 Enable taint toleration for Openstack services
- 0.2.21 Updated naming for subchart compatibility
...


@ -0,0 +1,4 @@
---
openstack:
- 0.1.0 Initial Chart
...


@ -20,6 +20,7 @@
set -e
HELM_CHART="$1"
SUBCHART="$2"
: "${HELM_CHART_ROOT_PATH:="../openstack-helm"}"
: "${OPENSTACK_RELEASE:="train"}"
: "${CONTAINER_DISTRO_NAME:="ubuntu"}"
@ -61,18 +62,33 @@ function replace_variables() {
function override_file_args () {
OVERRIDE_ARGS=""
echoerr "We will attempt to use values-override files with the following paths:"
for FILE in $(combination ${1//,/ } | uniq | tac); do
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
if [ -f "${FILE_PATH}" ]; then
replace_variables ${FILE_PATH}
OVERRIDE_ARGS+=" --values=${FILE_PATH} "
fi
echoerr "${FILE_PATH}"
done
if [ -z "$SUBCHART" ];then
echoerr "We will attempt to use values-override files with the following paths:"
for FILE in $(combination ${1//,/ } | uniq | tac); do
FILE_PATH="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides/${FILE}.yaml"
if [ -f "${FILE_PATH}" ]; then
replace_variables ${FILE_PATH}
OVERRIDE_ARGS+=" --values=${FILE_PATH} "
fi
echoerr "${FILE_PATH}"
done
else
echoerr "running as subchart"
echoerr "We will attempt to use values-override files with the following paths:"
for FILE in $(combination ${1//,/ } | uniq | tac); do
FILE_PATH="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}/${FILE}.yaml"
if [ -f "${FILE_PATH}" ]; then
replace_variables ${FILE_PATH}
OVERRIDE_ARGS+=" --values=${FILE_PATH} "
fi
echoerr "${FILE_PATH}"
done
fi
echo "${OVERRIDE_ARGS}"
}
echoerr "We are going to deploy the service ${HELM_CHART} for the OpenStack ${OPENSTACK_RELEASE} release, using ${CONTAINER_DISTRO_NAME} (${CONTAINER_DISTRO_VERSION}) distribution containers."
source ../openstack-helm/tools/deployment/common/env-variables.sh
override_file_args "${OSH_FEATURE_MIX}"
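Review bot: The two branches of `if [ -z "$SUBCHART" ]` repeat the whole lookup loop verbatim and differ only in the directory `FILE_PATH` is built from, so the next change to the loop has to be made twice. Note also that the test is on emptiness, so any second argument (not only the literal `subchart` that openstack.sh passes) enables subchart mode; if that is intended, a comment saying so would help, otherwise compare against the literal. The restructured function below computes the directory once and keeps a single loop; the rest of the file is outside this hunk.
```shell
function override_file_args () {
  OVERRIDE_ARGS=""
  if [ -z "$SUBCHART" ]; then
    OVERRIDE_DIR="${HELM_CHART_ROOT_PATH}/${HELM_CHART}/values_overrides"
  else
    echoerr "running as subchart"
    OVERRIDE_DIR="${HELM_CHART_ROOT_PATH}/values_overrides/${HELM_CHART}"
  fi
  echoerr "We will attempt to use values-override files with the following paths:"
  for FILE in $(combination ${1//,/ } | uniq | tac); do
    FILE_PATH="${OVERRIDE_DIR}/${FILE}.yaml"
    # … unchanged: existence check, replace_variables, OVERRIDE_ARGS append, echoerr …
  done
  echo "${OVERRIDE_ARGS}"
}
```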


@ -12,11 +12,14 @@
# License for the specific language governing permissions and limitations
# under the License.
set -e
if [[ "$2" -gt 0 ]];then
seconds=$2
else
seconds=900
fi
# From Kolla-Kubernetes, orginal authors Kevin Fox & Serguei Bezverkhi
# Default wait timeout is 900 seconds
end=$(date +%s)
timeout=${2:-900}
timeout=${2:-$seconds}
end=$((end + timeout))
while true; do
kubectl get pods --namespace=$1 -o json | jq -r \
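Review bot: The new `if [[ "$2" -gt 0 ]]` block has no effect on the timeout actually used: `seconds` is only substituted when `$2` is empty (`timeout=${2:-$seconds}`), and in that case it is always 900, while a non-empty but non-positive or non-numeric `$2` still flows unchanged into `timeout` and then into `$((end + timeout))`. Since both `[[ … -gt ]]` and `$(( ))` evaluate their operand as an arithmetic expression, validate the argument as a positive integer rather than comparing it: `timeout=${2:-900}` followed by `[[ "$timeout" =~ ^[1-9][0-9]*$ ]] || timeout=900`, replacing the five-line block and the `$seconds` default. That also keeps the `# Default wait timeout is 900 seconds` comment accurate.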


@ -0,0 +1,40 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
set -xe
namespace=openstack
chart=$namespace
export HELM_CHART_ROOT_PATH="${HELM_CHART_ROOT_PATH:="${OSH_INFRA_PATH:="../openstack-helm/openstack"}"}"
: ${OSH_EXTRA_HELM_ARGS_MARIADB:="$(./tools/deployment/common/get-values-overrides.sh mariadb subchart)"}
: ${OSH_EXTRA_HELM_ARGS_RABBITMQ:="$(./tools/deployment/common/get-values-overrides.sh rabbitmq subchart)"}
: ${OSH_EXTRA_HELM_ARGS_MEMCACHED:="$(./tools/deployment/common/get-values-overrides.sh memcached subchart)"}
: ${OSH_EXTRA_HELM_ARGS_KEYSTONE:="$(./tools/deployment/common/get-values-overrides.sh keystone subchart)"}
: ${OSH_EXTRA_HELM_ARGS_HEAT:="$(./tools/deployment/common/get-values-overrides.sh heat subchart)"}
: ${OSH_EXTRA_HELM_ARGS_GLANCE:="$(./tools/deployment/common/get-values-overrides.sh glance subchart)"}
#NOTE: Lint and package chart
make -C ${HELM_CHART_ROOT_PATH} .
echo "helm installing ..."
helm upgrade --install $chart $chart/ \
${OSH_EXTRA_HELM_ARGS_MARIADB} \
${OSH_EXTRA_HELM_ARGS_RABBITMQ} \
${OSH_EXTRA_HELM_ARGS_MEMCACHED} \
${OSH_EXTRA_HELM_ARGS_KEYSTONE} \
${OSH_EXTRA_HELM_ARGS_HEAT} \
${OSH_EXTRA_HELM_ARGS_GLANCE} \
${OSH_EXTRA_HELM_ARGS:=} \
--namespace=$namespace
#NOTE: Wait for deploy
./tools/deployment/common/wait-for-pods.sh $namespace 1800
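Review bot: The chart that is linted and packaged is not necessarily the one that is installed: `make -C ${HELM_CHART_ROOT_PATH}` uses the exported path, but `helm upgrade --install $chart $chart/` installs `./openstack/` relative to the current directory, so any override of `HELM_CHART_ROOT_PATH` makes the two diverge; `helm upgrade --install "$chart" "${HELM_CHART_ROOT_PATH}" \` keeps them aligned. The nested default on the export line also adopts an `OSH_INFRA_PATH` already present in the environment as the chart root, which, if that variable points at the infra checkout as its name suggests, sends the make and the subchart override lookups at the wrong tree — dropping that fallback seems safer. Finally, `set -xe` traces the full helm command line, so anything sensitive passed through `OSH_EXTRA_HELM_ARGS` (e.g. `--set` values) ends up in the CI log; a comment noting this, or a `set +x` around the helm call, is worth considering.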