openstack
/
openstack-helm
Code Issues Proposed changes

feat(tls): add tls support to openstack services 

This patch set enables TLS for the following OpenStack services: keystone,
horizon, glance, cinder, heat, nova, placement and neutron for s- (stein)
and t- (train) release. This serves as a consolidation and clean up patch
for the following patches:

[0] https://review.opendev.org/#/c/733291
[1] https://review.opendev.org/#/c/735202
[2] https://review.opendev.org/#/c/733962
[3] https://review.opendev.org/#/c/733404
[4] https://review.opendev.org/#/c/734896

This also addresses comments mentioned in previous patches.

Co-authored-by: Gage Hugo <gagehugo@gmail.com>
Co-authored-by: sgupta <sg774j@att.com>

Depends-on: https://review.opendev.org/#/c/737194/

Change-Id: Id34ace54298660b4b151522916e929a29f5731be
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2020-06-03 12:40:40 -05:00
parent 6027ac0c0c
commit 918a307427
125 changed files with 2307 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
cinder/templates/bin/_cinder-api.sh.tpl
View File

@ -18,12 +18,52 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in cinder-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/cinder/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec cinder-api \
--config-file /etc/cinder/cinder.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

17
cinder/templates/certificates.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "volumev3" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

4
cinder/templates/configmap-etc.yaml
View File

@ -117,6 +117,10 @@ data:
backends.conf: {{ include "helm-toolkit.utils.to_ini" .Values.conf.backends | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.yaml: {{ toYaml .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cinder "key" "wsgi-cinder.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
cinder_sudoers: {{ $envAll.Values.conf.cinder_sudoers | b64enc }}
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}

22
cinder/templates/deployment-api.yaml
View File

@ -100,6 +100,8 @@ spec:
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: wsgi-cinder
mountPath: /var/www/cgi-bin/cinder
- name: cinder-bin
mountPath: /tmp/cinder-api.sh
subPath: cinder-api.sh
@ -130,14 +132,33 @@ spec:
mountPath: {{ .Values.conf.cinder.DEFAULT.resource_query_filters_file }}
subPath: resource_filters.json
readOnly: true
{{- if .Values.conf.security }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/security.conf
subPath: security.conf
readOnly: true
{{- end }}
{{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
- name: cinder-coordination
mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
{{- end }}
{{- if .Values.manifests.certificates }}
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/cinder-api.conf
subPath: wsgi-cinder.conf
readOnly: true
- name: cinder-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: wsgi-cinder
emptyDir: {}
- name: cinder-bin
configMap:
name: cinder-bin
@ -152,5 +173,6 @@ spec:
- name: cinder-coordination
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
{{- end }}

6
cinder/templates/deployment-volume.yaml
View File

@ -111,19 +111,18 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: INTERNAL_PROJECT_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
- name: INTERNAL_USER_NAME
value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
{{- end }}
containers:
- name: cinder-volume
{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -259,5 +258,6 @@ spec:
- name: usrlocalsbin
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
{{- end }}

7
cinder/templates/ingress-api.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "volume" "backendPort" "c-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "volume" "backendPort" "c-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.volume.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.volume.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

3
cinder/templates/job-bootstrap.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

4
cinder/templates/job-create-internal-tenant.yaml
View File

@ -54,8 +54,9 @@ spec:
mountPath: /tmp/create-internal-tenant.sh
subPath: create-internal-tenant.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -82,4 +83,5 @@ spec:
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}

3
cinder/templates/job-ks-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
cinder/templates/job-ks-service.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volume" "volumev2" "volumev3" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

3
cinder/templates/job-ks-user.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volume.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

7
cinder/templates/pod-rally-test.yaml
View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

3
cinder/values.yaml
View File

@ -1196,7 +1196,7 @@ secrets:
volume:
api:
public: cinder-tls-public
internal: cinder-tls-api
# We use a different layout of the endpoints here to account for versioning
# this swaps the service name and type, and should be rolled out to other
# services.
@ -1449,6 +1449,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_volume_usage_audit: true

136
cinder/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,136 @@
---
pod:
security_context:
cinder_api:
container:
cinder_api:
runAsUser: 0
readOnlyRootFilesystem: false
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_cinder: |
{{- $portInt := tuple "volume" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "cinder-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess cinder-api processes=1 threads=1 user=cinder display-name=%{GROUP}
WSGIProcessGroup cinder-api
WSGIScriptAlias / /var/www/cgi-bin/cinder/cinder-wsgi
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/cinder/certs/tls.crt
SSLCertificateKeyFile /etc/cinder/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
cinder:
keystone_authtoken:
cafile: /etc/cinder/certs/ca.crt
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
cinder:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
scheme:
default: https
port:
api:
public: 443
image_registry:
scheme:
default: https
port:
api:
public: 443
volume:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev2:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
volumev3:
host_fqdn_override:
default:
tls:
secretName: cinder-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
internal: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

17
glance/templates/bin/_nginx.sh.tpl Normal file
View File

@ -0,0 +1,17 @@
#!/bin/bash
set -xe
COMMAND="${@:-start}"
function start () {
envsubst < /etc/nginx/nginx.conf > /tmp/nginx.conf
cat /tmp/nginx.conf
nginx -t -c /tmp/nginx.conf
exec nginx -c /tmp/nginx.conf
}
function stop () {
nginx -s stop
}
$COMMAND

18
glance/templates/certificates.yaml Normal file
View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "image" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "image_registry" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

4
glance/templates/configmap-bin.yaml
View File

@ -61,4 +61,8 @@ data:
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
rabbit-init.sh: |
{{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
{{- if .Values.manifests.certificates }}
nginx.sh: |
{{ tuple "bin/_nginx.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- end }}

1
glance/templates/configmap-etc.yaml
View File

@ -188,4 +188,5 @@ data:
policy.json: {{ toJson .Values.conf.policy | b64enc }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf" "format" "Secret" ) | indent 2 }}
{{- end }}

58
glance/templates/deployment-api.yaml
View File

@ -92,6 +92,45 @@ spec:
readOnly: true
{{ end }}
containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-api
{{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -105,6 +144,21 @@ spec:
command:
- /tmp/glance-api.sh
- stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports:
- name: g-api
containerPort: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -114,7 +168,7 @@ spec:
livenessProbe:
tcpSocket:
port: {{ tuple "image" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
{{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@ -164,6 +218,7 @@ spec:
subPath: key
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_api.volumeMounts }}{{ toYaml $mounts_glance_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -197,5 +252,6 @@ spec:
secret:
secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_api.volumes }}{{ toYaml $mounts_glance_api.volumes | indent 8 }}{{ end }}
{{- end }}

58
glance/templates/deployment-registry.yaml
View File

@ -55,6 +55,45 @@ spec:
initContainers:
{{ tuple $envAll "registry" $mounts_glance_registry_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
{{- if $envAll.Values.manifests.certificates }}
- name: nginx
{{ tuple $envAll "nginx" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.nginx | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
ports:
- name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
env:
- name: PORT
value: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SHORTNAME
value: {{ tuple "image_registry" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
readinessProbe:
tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
command:
- /tmp/nginx.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/nginx.sh
- stop
volumeMounts:
- name: glance-bin
mountPath: /tmp/nginx.sh
subPath: nginx.sh
readOnly: true
- name: glance-etc
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/nginx/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
- name: glance-registry
{{ tuple $envAll "glance_registry" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.registry | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@ -68,6 +107,21 @@ spec:
command:
- /tmp/glance-registry.sh
- stop
{{- if $envAll.Values.manifests.certificates }}
readinessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
livenessProbe:
exec:
command:
- python
- -c
- "import requests; requests.get('http://127.0.0.1:{{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}')"
initialDelaySeconds: 30
{{- else }}
ports:
- name: g-reg
containerPort: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -77,7 +131,7 @@ spec:
livenessProbe:
tcpSocket:
port: {{ tuple "image_registry" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
{{- end }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
@ -109,6 +163,7 @@ spec:
mountPath: /etc/glance/policy.json
subPath: policy.json
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal "path" "/etc/glance/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_glance_registry.volumeMounts }}{{ toYaml $mounts_glance_registry.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -123,5 +178,6 @@ spec:
secret:
secretName: glance-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.image_registry.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_glance_registry.volumes }}{{ toYaml $mounts_glance_registry.volumes | indent 8 }}{{ end }}
{{- end }}

7
glance/templates/ingress-api.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "image" "backendPort" "g-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "image" "backendPort" "g-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.image.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

7
glance/templates/ingress-registry.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_registry .Values.network.registry.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "registry" "backendServiceType" "image_registry" "backendPort" "g-reg" -}}
{{- $secretName := $envAll.Values.secrets.tls.image_registry.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.image_registry.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

3
glance/templates/job-bootstrap.yaml
View File

@ -25,5 +25,8 @@ volumes:
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $podVolumes := tuple . | include "glance.templates._job_bootstrap.pod_volumes" | toString | fromYaml }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "glance" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.glance.DEFAULT.log_config_append "podVolMounts" $podVolumes.volumeMounts "podVols" $podVolumes.volumes -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

3
glance/templates/job-ks-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
glance/templates/job-ks-service.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "glance" "serviceTypes" ( tuple "image" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

3
glance/templates/job-ks-user.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "glance" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.image.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

6
glance/values.yaml
View File

@ -569,7 +569,10 @@ secrets:
image:
api:
public: glance-tls-public
internal: glance-tls-api
image_registry:
api:
internal: glance-tls-reg
# typically overridden by environmental
# values, but should include all endpoints
@ -991,6 +994,7 @@ pod:
cpu: "2000m"
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment_api: true

138
glance/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,138 @@
---
images:
tags:
nginx: docker.io/nginx:1.18.0
conf:
glance:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
glance_store:
https_ca_certificates_file: /etc/glance/certs/ca.crt
glance_registry:
DEFAULT:
bind_host: 127.0.0.1
keystone_authtoken:
cafile: /etc/glance/certs/ca.crt
nginx: |
worker_processes 1;
daemon off;
user nginx;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65s;
tcp_nodelay on;
log_format main '[nginx] method=$request_method path=$request_uri '
'status=$status upstream_status=$upstream_status duration=$request_time size=$body_bytes_sent '
'"$remote_user" "$http_referer" "$http_user_agent"';
access_log /dev/stdout main;
upstream websocket {
server 127.0.0.1:$PORT;
}
server {
server_name {{ printf "%s.%s.svc.%s" "${SHORTNAME}" .Release.Namespace .Values.endpoints.cluster_domain_suffix }};
listen $POD_IP:$PORT ssl;
client_max_body_size 0;
ssl_certificate /etc/nginx/certs/tls.crt;
ssl_certificate_key /etc/nginx/certs/tls.key;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
location / {
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass http://websocket;
proxy_read_timeout 90;
}
}
}
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
registry:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
endpoints:
identity:
name: keystone
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
glance:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
image:
host_fqdn_override:
default:
tls:
secretName: glance-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
image_registry:
host_fqdn_override:
default:
tls:
secretName: glance-tls-reg
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
api:
public: 443
dashboard:
scheme:
default: https
public: https
port:
web:
default: 80
public: 443
pod:
security_context:
glance:
pod:
runAsUser: 0
resources:
nginx:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
certificates: true
...

36
heat/templates/bin/_heat-api.sh.tpl
View File

@ -18,12 +18,48 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api \
--config-file /etc/heat/heat.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

37
heat/templates/bin/_heat-cfn.sh.tpl
View File

@ -18,12 +18,49 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in heat-wsgi-api-cfn; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/heat/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec heat-api-cfn \
--config-file /etc/heat/heat.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

18
heat/templates/certificates.yaml Normal file
View File

@ -0,0 +1,18 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "orchestration" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{ dict "envAll" . "service" "cloudformation" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

5
heat/templates/configmap-etc.yaml
View File

@ -136,6 +136,11 @@ data:
logging.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.logging | b64enc }}
api-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | b64enc }}
policy.json: {{ toJson .Values.conf.policy | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_heat "key" "wsgi-heat.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_cfn "key" "wsgi-cnf.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
{{- range $key, $value := $envAll.Values.conf.rally_tests.templates }}
{{ printf "test_template_%d" $key }}: {{ $value.template | b64enc }}

16
heat/templates/deployment-api.yaml
View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp
- name: pod-etc-heat
mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin
mountPath: /tmp/heat-api.sh
subPath: heat-api.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api.conf
subPath: wsgi-heat.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-etc-heat
emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin
configMap:
name: heat-bin
@ -123,5 +138,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
{{- end }}

16
heat/templates/deployment-cfn.yaml
View File

@ -83,6 +83,8 @@ spec:
mountPath: /tmp
- name: pod-etc-heat
mountPath: /etc/heat
- name: wsgi-heat
mountPath: /var/www/cgi-bin/heat
- name: heat-bin
mountPath: /tmp/heat-cfn.sh
subPath: heat-cfn.sh
@ -109,12 +111,25 @@ spec:
mountPath: /etc/heat/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/heat-api-cfn.conf
subPath: wsgi-cnf.conf
readOnly: true
- name: heat-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
- name: pod-etc-heat
emptyDir: {}
- name: wsgi-heat
emptyDir: {}
- name: heat-bin
configMap:
name: heat-bin
@ -123,5 +138,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
{{- end }}

2
heat/templates/deployment-engine.yaml
View File

@ -99,6 +99,7 @@ spec:
mountPath: /etc/heat/policy.json
subPath: policy.json
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -113,5 +114,6 @@ spec:
secret:
secretName: heat-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
{{- end }}

7
heat/templates/ingress-api.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "orchestration" "backendPort" "h-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "orchestration" "backendPort" "h-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.orchestration.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.orchestration.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

7
heat/templates/ingress-cfn.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_cfn .Values.network.cfn.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "cfn" "backendServiceType" "cloudformation" "backendPort" "h-cfn" -}}
{{- $secretName := $envAll.Values.secrets.tls.cloudformation.cfn.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.cloudformation.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

3
heat/templates/job-bootstrap.yaml
View File

@ -15,5 +15,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

3
heat/templates/job-ks-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
heat/templates/job-ks-service.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

4
heat/templates/job-ks-user-domain.yaml
View File

@ -53,8 +53,9 @@ spec:
mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -88,4 +89,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}

3
heat/templates/job-ks-user-trustee.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

3
heat/templates/job-ks-user.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

4
heat/templates/job-trusts.yaml
View File

@ -57,9 +57,10 @@ spec:
mountPath: /tmp/trusts.sh
subPath: trusts.sh
readOnly: true
{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLES
@ -75,4 +76,5 @@ spec:
configMap:
name: heat-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}

7
heat/templates/pod-rally-test.yaml
View File

@ -49,8 +49,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -65,7 +66,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -94,6 +95,7 @@ spec:
subPath: {{ printf "test_template_%d" $key }}
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -108,5 +110,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

4
heat/values.yaml
View File

@ -797,10 +797,11 @@ secrets:
orchestration:
api:
public: heat-tls-public
internal: heat-tls-api
cloudformation:
cfn:
public: cloudformation-tls-public
internal: heat-tls-cfn
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@ -1262,6 +1263,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_job_engine_cleaner: true

182
heat/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,182 @@
---
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
site_dir: /etc/apache2/sites-enabled
conf_dir: /etc/apache2/conf-enabled
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_heat: |
{{- $portInt := tuple "orchestration" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
wsgi_cfn: |
{{- $portInt := tuple "cloudformation" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "heat-api-cfn" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess heat-api-cfn processes=1 threads=1 user=heat display-name=%{GROUP}
WSGIProcessGroup heat-api-cfn
WSGIScriptAlias / /var/www/cgi-bin/heat/heat-wsgi-api-cfn
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/heat/certs/tls.crt
SSLCertificateKeyFile /etc/heat/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
heat:
clients_neutron:
ca_file: /etc/heat/certs/ca.crt
clients_cinder:
ca_file: /etc/heat/certs/ca.crt
clients_glance:
ca_file: /etc/heat/certs/ca.crt
clients_nova:
ca_file: /etc/heat/certs/ca.crt
clients_swift:
ca_file: /etc/heat/certs/ca.crt
ssl:
ca_file: /etc/heat/certs/ca.crt
keystone_authtoken:
cafile: /etc/heat/certs/ca.crt
clients:
ca_file: /etc/heat/certs/ca.crt
clients_heat:
ca_file: /etc/heat/certs/ca.crt
clients_keystone:
ca_file: /etc/heat/certs/ca.crt
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cfn:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
cloudwatch:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
heat:
container:
heat_api:
readOnlyRootFilesystem: false
runAsUser: 0
heat_cfn:
readOnlyRootFilesystem: false
runAsUser: 0
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
heat:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_trustee:
cacert: /etc/ssl/certs/openstack-helm.crt
heat_stack_user:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
orchestration:
host_fqdn_override:
default:
tls:
secretName: heat-tls-api
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
cloudformation:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cfn
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
# Cloudwatch does not get an entry in the keystone service catalog
cloudwatch:
host_fqdn_override:
default:
tls:
secretName: heat-tls-cloudwatch
issuerRef:
name: ca-issuer
kind: Issuer
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

17
horizon/templates/certificates.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "dashboard" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

6
horizon/templates/deployment.yaml
View File

@ -78,14 +78,14 @@ spec:
containerPort: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
httpGet:
scheme: HTTP
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 15
periodSeconds: 10
livenessProbe:
httpGet:
scheme: HTTP
scheme: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /
port: {{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 180
@ -129,6 +129,7 @@ spec:
subPath: {{ base $policyFile }}
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal "path" "/etc/openstack-dashboard/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_horizon.volumeMounts }}{{ toYaml $mounts_horizon.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -145,5 +146,6 @@ spec:
secret:
secretName: horizon-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.dashboard.dashboard.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_horizon.volumes }}{{ toYaml $mounts_horizon.volumes | indent 8 }}{{ end }}
{{- end }}

7
horizon/templates/ingress-api.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.dashboard.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "dashboard" "backendServiceType" "dashboard" "backendPort" "web" -}}
{{- $secretName := $envAll.Values.secrets.tls.dashboard.dashboard.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.dashboard.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

8
horizon/values.yaml
View File

@ -183,6 +183,7 @@ conf:
# values will not work
horizon_secret_key: 9aee62c0-5253-4a86-b189-e0fb71fa503c
debug: "False"
use_ssl: "False"
keystone_multidomain_support: "True"
keystone_default_domain: Default
disable_password_reveal: "True"
@ -266,6 +267,7 @@ conf:
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
USE_SSL = {{ .Values.conf.horizon.local_settings.config.use_ssl }}
CSRF_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.csrf_cookie_secure }}
SESSION_COOKIE_SECURE = {{ .Values.conf.horizon.local_settings.config.session_cookie_secure }}
@ -425,8 +427,10 @@ conf:
# Disable SSL certificate checks (useful for self-signed certificates):
#OPENSTACK_SSL_NO_VERIFY = True
{{- if .Values.manifests.certificates }}
# The CA certificate to use to verify SSL connections
#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
OPENSTACK_SSL_CACERT = '/etc/openstack-dashboard/certs/ca.crt'
{{- end }}
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.
@ -2133,6 +2137,7 @@ secrets:
dashboard:
dashboard:
public: horizon-tls-public
internal: horizon-tls-web
# typically overridden by environmental
# values, but should include all endpoints
@ -2253,6 +2258,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
deployment: true

109
horizon/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,109 @@
---
network:
dashboard:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
conf:
software:
apache2:
a2enmod:
- headers
- rewrite
- ssl
horizon:
apache: |
<IfVersion < 2.4>
Listen 0.0.0.0:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
</IfVersion>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:80>
ServerName horizon-int.openstack.svc.cluster.local
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</Virtualhost>
<VirtualHost *:{{ tuple "dashboard" "internal" "web" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName horizon-int.openstack.svc.cluster.local
WSGIScriptReloading On
WSGIDaemonProcess horizon-http processes=5 threads=1 user=horizon group=horizon display-name=%{GROUP} python-path=/var/lib/kolla/venv/lib/python2.7/site-packages
WSGIProcessGroup horizon-http
WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
WSGIPassAuthorization On
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE|PATCH)
RewriteRule .* - [F]
<Location "/">
Require all granted
</Location>
Alias /static /var/www/html/horizon
<Location "/static">
SetHandler static
</Location>
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
TransferLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
ErrorLog /dev/stdout
SSLEngine on
SSLCertificateFile /etc/openstack-dashboard/certs/tls.crt
SSLCertificateKeyFile /etc/openstack-dashboard/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
local_settings:
config:
use_ssl: "True"
csrf_cookie_secure: "True"
enforce_password_check: "True"
session_cookie_secure: "True"
session_cookie_httponly: "True"
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
dashboard:
host_fqdn_override:
default:
tls:
secretName: horizon-tls-web
issuerRef:
name: ca-issuer
scheme:
default: https
public: https
port:
web:
default: 443
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

4
keystone/templates/bin/_keystone-api.sh.tpl
View File

@ -51,6 +51,10 @@ function start () {
}
function stop () {
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
}

17
keystone/templates/certificates.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "identity" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

4
keystone/templates/deployment-api.yaml
View File

@ -14,7 +14,7 @@ limitations under the License.
{{- define "apiProbeTemplate" }}
httpGet:
scheme: HTTP
scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
path: /v3/
port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
@ -147,6 +147,7 @@ spec:
{{- end }}
- name: keystone-credential-keys
mountPath: {{ .Values.conf.keystone.credential.key_repository }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal "path" "/etc/keystone/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_keystone_api.volumeMounts }}{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -180,5 +181,6 @@ spec:
- name: keystone-credential-keys
secret:
secretName: keystone-credential-keys
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_keystone_api.volumes }}{{ toYaml $mounts_keystone_api.volumes | indent 8 }}{{ end }}
{{- end }}

7
keystone/templates/ingress-api.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendServiceType" "identity" "backendPort" "ks-pub" -}}
{{- $secretName := $envAll.Values.secrets.tls.identity.api.internal -}}
{{- if and .Values.manifests.certificates $secretName -}}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.identity.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

3
keystone/templates/job-bootstrap.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "keystone" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.keystone.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.identity.api.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

7
keystone/templates/pod-rally-test.yaml
View File

@ -50,8 +50,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -89,6 +90,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -103,5 +105,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.identity.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

2
keystone/values.yaml
View File

@ -1070,6 +1070,7 @@ secrets:
identity:
api:
public: keystone-tls-public
internal: keystone-tls-api
# typically overridden by environmental
# values, but should include all endpoints
@ -1235,6 +1236,7 @@ endpoints:
default: 80
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
cron_credential_rotate: true

80
keystone/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,80 @@
---
network:
api:
ingress:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: null
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
keystone:
pod:
runAsUser: 0
container:
keystone_api:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
conf:
software:
apache2:
a2enmod:
- ssl
wsgi_keystone: |
{{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
Listen 0.0.0.0:{{ $portInt }}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
<VirtualHost *:{{ tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}>
ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /dev/stdout
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/keystone/certs/tls.crt
SSLCertificateKeyFile /etc/keystone/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
endpoints:
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
host_fqdn_override:
default:
tls:
secretName: keystone-tls-api
issuerRef:
name: ca-issuer
kind: Issuer
scheme:
default: https
public: https
port:
api:
default: 443
manifests:
certificates: true
...

30
neutron/templates/bin/_neutron-rpc-server.sh.tpl Normal file
View File

@ -0,0 +1,30 @@
#!/bin/bash
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
COMMAND="${@:-start}"
function start () {
exec neutron-rpc-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini
}
function stop () {
kill -TERM 1
}
$COMMAND

57
neutron/templates/bin/_neutron-server.sh.tpl
View File

@ -18,6 +18,55 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
add_config=""
{{- if .Values.conf.plugins.taas.taas.enabled }}
add_config+='taas_plugin.ini;'
{{- end }}
{{- if ( has "sriov" .Values.network.backend ) }}
add_config+='sriov_agent.ini;'
{{- end }}
{{- if .Values.conf.plugins.l2gateway }}
add_config+='l2gw_plugin.ini;'
{{- end }}
export OS_NEUTRON_CONFIG_FILES=${add_config}
for WSGI_SCRIPT in neutron-api; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/neutron/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2ensite }}
{{- range .Values.conf.software.apache2.a2ensite }}
a2ensite {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec neutron-server \
--config-file /etc/neutron/neutron.conf \
{{- if ( has "tungstenfabric" .Values.network.backend ) }}
@ -34,10 +83,18 @@ function start () {
{{- if .Values.conf.plugins.l2gateway }} \
--config-file /etc/neutron/l2gw_plugin.ini
{{- end }}
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

17
neutron/templates/certificates.yaml Normal file
View File

@ -0,0 +1,17 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "network" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

4
neutron/templates/configmap-bin.yaml
View File

@ -81,6 +81,10 @@ data:
{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-bagpipe-bgp-init.sh: |
{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.manifests.certificates }}
neutron-rpc-server.sh: |
{{ tuple "bin/_neutron-rpc-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
neutron-server.sh: |
{{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
neutron-ironic-agent.sh: |

4
neutron/templates/configmap-etc.yaml
View File

@ -272,6 +272,10 @@ data:
rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_neutron_server "key" "wsgi-server.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
{{- $filePrefix := replace "_" "-" $key }}
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}

2
neutron/templates/daemonset-metadata-agent.yaml
View File

@ -189,6 +189,7 @@ spec:
mountPath: /run/netns
mountPropagation: Bidirectional
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_metadata_agent.volumeMounts }}{{ toYaml $mounts_neutron_metadata_agent.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -211,6 +212,7 @@ spec:
hostPath:
path: /run/netns
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_metadata_agent.volumes }}{{ toYaml $mounts_neutron_metadata_agent.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}

55
neutron/templates/deployment-server.yaml
View File

@ -177,10 +177,64 @@ spec:
mountPath: /etc/neutron/policy.json
subPath: policy.json
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
mountPath: /var/www/cgi-bin/neutron
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.site_dir }}/wsgi-server.conf
subPath: wsgi-server.conf
readOnly: true
- name: neutron-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{ end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_neutron_server.volumeMounts }}{{ toYaml $mounts_neutron_server.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.manifests.certificates }}
- name: neutron-rpc-server
{{ tuple $envAll "neutron_rpc_server" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.rpc_server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "neutron_server" "container" "neutron_rpc_server" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "readiness" "probeTemplate" (include "serverReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "server" "container" "server" "type" "liveness" "probeTemplate" (include "serverLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
- /tmp/neutron-rpc-server.sh
- start
lifecycle:
preStop:
exec:
command:
- /tmp/neutron-rpc-server.sh
- stop
volumeMounts:
- name: neutron-bin
mountPath: /tmp/neutron-rpc-server.sh
subPath: neutron-rpc-server.sh
readOnly: true
- name: neutron-etc
mountPath: /etc/neutron/neutron.conf
subPath: neutron.conf
readOnly: true
{{- if .Values.conf.neutron.DEFAULT.log_config_append }}
- name: neutron-etc
mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }}
subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }}
readOnly: true
{{- end }}
- name: neutron-etc
mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
subPath: ml2_conf.ini
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal "path" "/etc/neutron/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-neutron
emptyDir: {}
{{- end }}
- name: pod-var-neutron
emptyDir: {}
- name: neutron-bin
@ -195,5 +249,6 @@ spec:
- name: neutron-plugin-shared
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_neutron_server.volumes }}{{ toYaml $mounts_neutron_server.volumes | indent 8 }}{{ end }}
{{- end }}

7
neutron/templates/ingress-server.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_server .Values.network.server.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "server" "backendServiceType" "network" "backendPort" "q-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.network.server.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.network.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

3
neutron/templates/job-bootstrap.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "neutron" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.neutron.DEFAULT.log_config_append -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}

3
neutron/templates/job-ks-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
neutron/templates/job-ks-service.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "neutron" "serviceTypes" ( tuple "network" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

3
neutron/templates/job-ks-user.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "neutron" -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.network.server.internal -}}
{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}

10
neutron/templates/pod-rally-test.yaml
View File

@ -51,8 +51,9 @@ spec:
mountPath: /tmp/ks-user.sh
subPath: ks-user.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@ -66,7 +67,7 @@ spec:
- name: {{ .Release.Name }}-reset
{{ tuple $envAll "purge_test" | include "helm-toolkit.snippets.image" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -95,13 +96,14 @@ spec:
readOnly: true
- name: pod-tmp
mountPath: /tmp/pod-tmp
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ end }}
containers:
- name: neutron-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
{{- end }}
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.test }}
@ -124,6 +126,7 @@ spec:
readOnly: true
- name: rally-db
mountPath: /var/lib/rally
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 8 }}
{{ if $mounts_tests.volumeMounts }}{{ toYaml $mounts_tests.volumeMounts | indent 8 }}{{ end }}
volumes:
- name: pod-tmp
@ -138,5 +141,6 @@ spec:
defaultMode: 0555
- name: rally-db
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.network.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 4 }}
{{ if $mounts_tests.volumes }}{{ toYaml $mounts_tests.volumes | indent 4 }}{{ end }}
{{- end }}

8
neutron/values.yaml
View File

@ -31,6 +31,7 @@ images:
ks_service: docker.io/openstackhelm/heat:stein-ubuntu_bionic
ks_endpoints: docker.io/openstackhelm/heat:stein-ubuntu_bionic
neutron_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_rpc_server: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_dhcp: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_metadata: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
neutron_l3: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
@ -473,6 +474,7 @@ pod:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_lb_agent_init:
@ -497,6 +499,7 @@ pod:
capabilities:
add:
- SYS_MODULE
- SYS_CHROOT
runAsUser: 0
readOnlyRootFilesystem: true
neutron_ovs_agent_init:
@ -2179,9 +2182,13 @@ secrets:
admin: neutron-rabbitmq-admin
neutron: neutron-rabbitmq-user
tls:
compute_metadata:
metadata:
internal: metadata-tls-metadata
network:
server:
public: neutron-tls-public
internal: neutron-tls-server
# typically overridden by environmental
# values, but should include all endpoints
@ -2468,6 +2475,7 @@ network_policy:
- {}
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
daemonset_dhcp_agent: true

1
neutron/values_overrides/rocky-ubuntu_bionic.yaml
View File

@ -16,5 +16,6 @@ images:
neutron_netns_cleanup_cron: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
...

145
neutron/values_overrides/tls.yaml Normal file
View File

@ -0,0 +1,145 @@
---
network:
server:
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "https"
pod:
security_context:
neutron_server:
pod:
runAsUser: 0
container:
neutron_server:
readOnlyRootFilesystem: false
neutron_rpc_server:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
resources:
rpc_server:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
conf:
software:
apache2:
binary: apache2
start_parameters: -DFOREGROUND
conf_dir: /etc/apache2/conf-enabled
site_dir: /etc/apache2/sites-available
mods_dir: /etc/apache2/mods-available
a2enmod:
- ssl
a2dismod: null
a2ensite:
- wsgi-server
mpm_event: |
<IfModule mpm_event_module>
ServerLimit 1024
StartServers 32
MinSpareThreads 32
MaxSpareThreads 256
ThreadsPerChild 25
MaxRequestsPerChild 128
ThreadLimit 720
</IfModule>
wsgi_neutron_server: |
<Directory /usr/local/bin>
Require all granted
</Directory>
{{- $portInt := tuple "network" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
Listen {{ $portInt }}
<VirtualHost *:{{ $portInt }}>
ServerName {{ printf "%s.%s.svc.%s" "neutron-server" .Release.Namespace .Values.endpoints.cluster_domain_suffix }}
WSGIDaemonProcess neutron-server processes=1 threads=1 user=neutron display-name=%{GROUP}
WSGIProcessGroup neutron-server
WSGIScriptAlias / /var/www/cgi-bin/neutron/neutron-api
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
AllowEncodedSlashes On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
ErrorLog /dev/stdout
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
SSLEngine on
SSLCertificateFile /etc/neutron/certs/tls.crt
SSLCertificateKeyFile /etc/neutron/certs/tls.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
</VirtualHost>
Alias /networking /var/www/cgi-bin/neutron/neutron-api
<Location /networking>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup neutron-server
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
WSGISocketPrefix /var/run/apache2
neutron:
nova:
cafile: /etc/neutron/certs/ca.crt
keystone_authtoken:
cafile: /etc/neutron/certs/ca.crt
metadata_agent:
DEFAULT:
auth_ca_cert: /etc/ssl/certs/openstack-helm.crt
nova_metadata_port: 443
nova_metadata_protocol: https
endpoints:
compute:
scheme:
default: https
port:
api:
public: 443
compute_metadata:
scheme:
default: https
port:
metadata:
public: 443
identity:
auth:
admin:
cacert: /etc/ssl/certs/openstack-helm.crt
neutron:
cacert: /etc/ssl/certs/openstack-helm.crt
nova:
cacert: /etc/ssl/certs/openstack-helm.crt
test:
cacert: /etc/ssl/certs/openstack-helm.crt
scheme:
default: https
port:
api:
default: 443
network:
host_fqdn_override:
default:
tls:
secretName: neutron-tls-server
issuerRef:
name: ca-issuer
scheme:
default: https
port:
api:
public: 443
ingress:
port:
ingress:
default: 443
manifests:
certificates: true
...

1
neutron/values_overrides/train-ubuntu_bionic.yaml
View File

@ -15,5 +15,6 @@ images:
neutron_metadata: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_rpc_server: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:train-ubuntu_bionic"
...

38
nova/templates/bin/_nova-api-metadata.sh.tpl
View File

@ -18,13 +18,51 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-metadata-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-metadata \
--config-file /etc/nova/nova.conf \
--config-file /tmp/pod-shared/nova-api-metadata.ini
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

39
nova/templates/bin/_nova-api.sh.tpl
View File

@ -18,12 +18,51 @@ set -ex
COMMAND="${@:-start}"
function start () {
{{- if .Values.manifests.certificates }}
for WSGI_SCRIPT in nova-api-wsgi; do
cp -a $(type -p ${WSGI_SCRIPT}) /var/www/cgi-bin/nova/
done
if [ -f /etc/apache2/envvars ]; then
# Loading Apache2 ENV variables
source /etc/apache2/envvars
mkdir -p ${APACHE_RUN_DIR}
fi
{{- if .Values.conf.software.apache2.a2enmod }}
{{- range .Values.conf.software.apache2.a2enmod }}
a2enmod {{ . }}
{{- end }}
{{- end }}
{{- if .Values.conf.software.apache2.a2dismod }}
{{- range .Values.conf.software.apache2.a2dismod }}
a2dismod {{ . }}
{{- end }}
{{- end }}
if [ -f /var/run/apache2/apache2.pid ]; then
# Remove the stale pid for debian/ubuntu images
rm -f /var/run/apache2/apache2.pid
fi
# Starts Apache2
exec {{ .Values.conf.software.apache2.binary }} {{ .Values.conf.software.apache2.start_parameters }}
{{- else }}
exec nova-api-os-compute \
--config-file /etc/nova/nova.conf
{{- end }}
}
function stop () {
{{- if .Values.manifests.certificates }}
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
{{- else }}
kill -TERM 1
{{- end }}
}
$COMMAND

3
nova/templates/bin/_nova-placement-api.sh.tpl
View File

@ -46,6 +46,9 @@ function start () {
}
function stop () {
if [ -f /etc/apache2/envvars ]; then
source /etc/apache2/envvars
fi
{{ .Values.conf.software.apache2.binary }} -k graceful-stop
}

27
nova/templates/certificates.yaml Normal file
View File

@ -0,0 +1,27 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "compute" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{ dict "envAll" . "service" "compute_metadata" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- if .Values.manifests.deployment_spiceproxy }}
{{ dict "envAll" . "service" "compute_spice_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- end -}}

5
nova/templates/configmap-etc.yaml
View File

@ -265,6 +265,11 @@ data:
nova-ironic.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.nova_ironic | b64enc }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_placement "key" "wsgi-nova-placement.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ssh "key" "ssh-config" "format" "Secret" ) | indent 2 }}
{{- if .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.mpm_event "key" "mpm_event.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_api "key" "wsgi-api.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_nova_metadata "key" "wsgi-metadata.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- if .Values.conf.security }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
{{- end }}

2
nova/templates/cron-job-service-cleaner.yaml
View File

@ -53,7 +53,7 @@ spec:
{{ tuple $envAll "nova_service_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.service_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.nova "useCA" .Values.manifests.certificates}}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 14 }}
{{- end }}
command:

11
nova/templates/daemonset-compute.yaml
View File

@ -240,6 +240,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "liveness" "probeTemplate" (include "novaComputeLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" $envAll "component" "compute" "container" "default" "type" "readiness" "probeTemplate" (include "novaComputeReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
command:
@ -377,6 +381,7 @@ spec:
subPath: tf-plugin.pth
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_compute.volumeMounts }}{{ toYaml $mounts_nova_compute.volumeMounts | indent 12 }}{{ end }}
{{- if .Values.network.sshd.enabled }}
- name: nova-compute-ssh
@ -390,6 +395,10 @@ spec:
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.ssh.key_types | quote }}
- name: SSH_PORT
value: {{ .Values.network.ssh.port | quote }}
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
ports:
- containerPort: {{ .Values.network.ssh.port }}
command:
@ -412,6 +421,7 @@ spec:
mountPath: /tmp/ssh-start.sh
subPath: ssh-start.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ end }}
volumes:
- name: pod-tmp
@ -481,6 +491,7 @@ spec:
- name: tf-plugin-bin
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_compute.volumes }}{{ toYaml $mounts_nova_compute.volumes | indent 8 }}{{ end }}
{{- end }}
{{- end }}

18
nova/templates/deployment-api-metadata.yaml
View File

@ -166,10 +166,27 @@ spec:
- name: pod-shared
mountPath: /tmp/pod-shared
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-metadata.conf
subPath: wsgi-metadata.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_metadata.volumeMounts }}{{ toYaml $mounts_nova_api_metadata.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: nova-bin
configMap:
name: nova-bin
@ -180,5 +197,6 @@ spec:
defaultMode: 0444
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_metadata.volumes }}{{ toYaml $mounts_nova_api_metadata.volumes | indent 8 }}{{ end }}
{{- end }}

18
nova/templates/deployment-api-osapi.yaml
View File

@ -114,10 +114,27 @@ spec:
mountPath: /etc/nova/api_audit_map.conf
subPath: api_audit_map.conf
readOnly: true
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
mountPath: /var/www/cgi-bin/nova
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.conf_dir }}/wsgi-api.conf
subPath: wsgi-api.conf
readOnly: true
- name: nova-etc
mountPath: {{ .Values.conf.software.apache2.mods_dir }}/mpm_event.conf
subPath: mpm_event.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_api_osapi.volumeMounts }}{{ toYaml $mounts_nova_api_osapi.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
emptyDir: {}
{{- if .Values.manifests.certificates }}
- name: wsgi-nova
emptyDir: {}
{{- end }}
- name: pod-var-nova
emptyDir: {}
- name: nova-bin
@ -128,5 +145,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_api_osapi.volumes}}{{ toYaml $mounts_nova_api_osapi.volumes | indent 8 }}{{ end }}
{{- end }}

6
nova/templates/deployment-conductor.yaml
View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command:
- /tmp/nova-conductor.sh
volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" "certs" (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_conductor.volumeMounts }}{{ toYaml $mounts_nova_conductor.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_conductor.volumes }}{{ toYaml $mounts_nova_conductor.volumes | indent 8 }}{{ end }}
{{- end }}

2
nova/templates/deployment-novncproxy.yaml
View File

@ -139,6 +139,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -155,5 +156,6 @@ spec:
emptyDir: {}
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }}

2
nova/templates/deployment-placement.yaml
View File

@ -120,6 +120,7 @@ spec:
subPath: security.conf
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_placement.volumeMounts }}{{ toYaml $mounts_nova_placement.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -134,5 +135,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.placement.placement.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_placement.volumes }}{{ toYaml $mounts_nova_placement.volumes | indent 8 }}{{ end }}
{{- end }}

6
nova/templates/deployment-scheduler.yaml
View File

@ -88,6 +88,10 @@ spec:
value: "{{ .Values.pod.probes.rpc_timeout }}"
- name: RPC_PROBE_RETRIES
value: "{{ .Values.pod.probes.rpc_retries }}"
{{- if .Values.manifests.certificates }}
- name: REQUESTS_CA_BUNDLE
value: "/etc/nova/certs/ca.crt"
{{- end }}
command:
- /tmp/nova-scheduler.sh
volumeMounts:
@ -115,6 +119,7 @@ spec:
mountPath: /etc/nova/policy.yaml
subPath: policy.yaml
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_scheduler.volumeMounts }}{{ toYaml $mounts_nova_scheduler.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -127,5 +132,6 @@ spec:
secret:
secretName: nova-etc
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_scheduler.volumes }}{{ toYaml $mounts_nova_scheduler.volumes | indent 8 }}{{ end }}
{{- end }}

2
nova/templates/deployment-spiceproxy.yaml
View File

@ -138,6 +138,7 @@ spec:
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_spiceproxy.volumeMounts }}{{ toYaml $mounts_nova_spiceproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@ -154,5 +155,6 @@ spec:
emptyDir: {}
- name: pod-shared
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_spice_proxy.spiceproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_spiceproxy.volumes }}{{ toYaml $mounts_nova_spiceproxy.volumes | indent 8 }}{{ end }}
{{- end }}

7
nova/templates/ingress-metadata.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_metadata .Values.network.metadata.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "metadata" "backendServiceType" "compute_metadata" "backendPort" "n-meta" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_metadata.metadata.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_metadata.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end -}}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

7
nova/templates/ingress-novncproxy.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_novncproxy .Values.network.novncproxy.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
{{- $envAll := . }}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" "backendPort" "n-novnc" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute_novnc_proxy.novncproxy.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute_novnc_proxy.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

7
nova/templates/ingress-osapi.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_osapi .Values.network.osapi.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "osapi" "backendServiceType" "compute" "backendPort" "n-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.compute.osapi.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.compute.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

7
nova/templates/ingress-placement.yaml
View File

@ -13,6 +13,11 @@ limitations under the License.
*/}}
{{- if and .Values.manifests.ingress_placement .Values.network.placement.ingress.public }}
{{- $ingressOpts := dict "envAll" . "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
{{- $envAll := . -}}
{{- $ingressOpts := dict "envAll" $envAll "backendService" "placement" "backendServiceType" "placement" "backendPort" "p-api" -}}
{{- $secretName := $envAll.Values.secrets.tls.placement.placement.internal -}}
{{- if and .Values.manifests.certificates $secretName }}
{{- $_ := set $ingressOpts "certIssuer" .Values.endpoints.placement.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }}

4
nova/templates/job-bootstrap.yaml
View File

@ -63,7 +63,7 @@ spec:
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) }}
{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: WAIT_PERCENTAGE
@ -91,6 +91,7 @@ spec:
mountPath: {{ $logConfigFile | quote }}
subPath: {{ base $logConfigFile | quote }}
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes:
- name: pod-tmp
emptyDir: {}
@ -104,6 +105,7 @@ spec:
secret:
secretName: {{ $configMapEtc | quote }}
defaultMode: 0444
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1

4
nova/templates/job-cell-setup.yaml
View File

@ -42,7 +42,7 @@ spec:
{{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
command:
@ -54,6 +54,7 @@ spec:
mountPath: /tmp/cell-setup-init.sh
subPath: cell-setup-init.sh
readOnly: true
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal (tuple "ca.crt") | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
containers:
- name: nova-cell-setup
{{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -96,4 +97,5 @@ spec:
configMap:
name: nova-bin
defaultMode: 0555
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute.osapi.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}

3
nova/templates/job-ks-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "nova" "serviceTypes" ( tuple "compute" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.compute.osapi.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
nova/templates/job-ks-placement-endpoints.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}

3
nova/templates/job-ks-placement-service.yaml
View File

@ -14,5 +14,8 @@ limitations under the License.
{{- if .Values.manifests.job_ks_placement_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "placement" "configMapBin" "nova-bin" "serviceTypes" ( tuple "placement" ) -}}
{{- if .Values.manifests.certificates -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.placement.placement.internal -}}
{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}

Some files were not shown because too many files have changed in this diff Show More