chore: initial ovn commit
diff --git a/.github/workflows/ceph.yml b/.github/workflows/ceph.yml
index ef452e5..4384a93 100644
--- a/.github/workflows/ceph.yml
+++ b/.github/workflows/ceph.yml
@@ -69,6 +69,12 @@
test:
runs-on: ubuntu-20.04-16-cores
if: github.event_name != 'workflow_dispatch' || !inputs.debug_enabled
+ strategy:
+ fail-fast: false
+ matrix:
+ ovn:
+ - true
+ - false
steps:
- name: Checkout project
uses: actions/checkout@v3
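Review bot: The two legs the new `strategy.matrix.ovn` adds to `test` will show up in the checks list only as `test (true)` and `test (false)`, which does not say what the boolean toggles; a job `name` such as `name: test (ovn=${{ matrix.ovn }})` makes the legs readable in PR status and in log search. `fail-fast: false` is the right choice here since the two configurations are independent and one failing should not hide the other's result. The `test` job continues past the end of this hunk, and the unchanged `uses: actions/checkout@v3` line still references a mutable tag; pinning third-party actions to a commit SHA is the usual supply-chain hardening for this workflow.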
@@ -94,3 +100,5 @@
- name: Run Molecule
run: poetry run molecule test -s ceph
+ env:
+ OVN_ENABLED: ${{ matrix.ovn }}
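Review bot: `OVN_ENABLED: ${{ matrix.ovn }}` hands the matrix boolean to the shell as the string `true`/`false`, so whatever reads `OVN_ENABLED` in the ceph molecule scenario has to compare strings rather than expect a YAML boolean; a comment on the line, e.g. `# expression renders as the string "true"/"false"; compare as a string downstream`, records that. The consumer of the variable is not in this diff, so I cannot confirm how it is parsed, nor whether it tolerates the variable being unset when the scenario is run outside this matrix.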
diff --git a/charts/ovn/.helmignore b/charts/ovn/.helmignore
new file mode 100644
index 0000000..b54c347
--- /dev/null
+++ b/charts/ovn/.helmignore
@@ -0,0 +1 @@
+values_overrides
diff --git a/charts/ovn/Chart.yaml b/charts/ovn/Chart.yaml
new file mode 100644
index 0000000..5652815
--- /dev/null
+++ b/charts/ovn/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v23.3.0
+description: OpenStack-Helm OVN
+home: https://www.ovn.org
+icon: https://www.ovn.org/images/ovn-logo.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: ovn
+sources:
+- https://github.com/ovn-org/ovn
+- https://opendev.org/openstack/openstack-helm
+version: 0.1.2
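Review bot: The chart pulls in helm-toolkit as a copied subchart under `charts/ovn/charts/helm-toolkit` (version 0.2.53) rather than as a declared dependency, and no dependency declaration for the ovn chart itself is visible in this part of the diff, which makes the pinned toolkit version and its upstream origin hard to trace on later upgrades. With `apiVersion: v1` the declaration would go in a `requirements.yaml` next to this file; failing that, a comment here naming the upstream source and the vendored toolkit version, e.g. `# helm-toolkit vendored from openstack-helm-infra at chart version 0.2.53`, gives the next maintainer the same information. The rest of the ovn chart (templates, values) may be further down the diff, so this is hedged on what is visible here.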
diff --git a/charts/ovn/charts/helm-toolkit/Chart.yaml b/charts/ovn/charts/helm-toolkit/Chart.yaml
new file mode 100644
index 0000000..7d3703e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+maintainers:
+- name: OpenStack-Helm Authors
+name: helm-toolkit
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+version: 0.2.53
diff --git a/charts/ovn/charts/helm-toolkit/requirements.lock b/charts/ovn/charts/helm-toolkit/requirements.lock
new file mode 100644
index 0000000..8faebd5
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/requirements.lock
@@ -0,0 +1,3 @@
+dependencies: []
+digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726
+generated: "2023-07-22T05:50:19.670011799Z"
diff --git a/charts/ovn/charts/helm-toolkit/requirements.yaml b/charts/ovn/charts/helm-toolkit/requirements.yaml
new file mode 100644
index 0000000..27fb08a
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..12b84de
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_endpoint_uri_lookup.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves database, or basic auth, style endpoints
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ auth:
+ admin:
+ username: root
+ password: password
+ service_username:
+ username: username
+ password: password
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..b7cf287
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_authenticated_transport_endpoint_uri_lookup.tpl
@@ -0,0 +1,121 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves endpoint string suitible for use with oslo.messaging transport url
+ See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset: null
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: null
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_messaging:
+ auth:
+ cinder:
+ username: cinder
+ password: password
+ statefulset:
+ replicas: 2
+ name: rabbitmq-rabbitmq
+ hosts:
+ default: rabbitmq
+ host_fqdn_override:
+ default: rabbitmq.openstackhelm.org
+ path: /cinder
+ scheme: rabbit
+ port:
+ amqp:
+ default: 5672
+ usage: |
+ {{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
+ return: |
+ rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
+*/}}
+
+{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $userclass := index . 2 -}}
+{{- $port := index . 3 -}}
+{{- $context := index . 4 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
+{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
+{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
+{{- $endpointUser := index $userMap "username" }}
+{{- $endpointPass := index $userMap "password" }}
+{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $local := dict "endpointCredsAndHosts" list -}}
+{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
+{{- $endpointHostPrefix := $ssMap.name }}
+{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
+{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- else }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
+{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
+{{- end }}
+{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
new file mode 100644
index 0000000..fb8bbe7
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_host_lookup.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves either the fully qualified hostname, of if defined in the host field
+ IPv4 for an endpoint.
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default:
+ host: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+ return: |
+ 127.0.0.1
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
new file mode 100644
index 0000000..447efe7
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_port_lookup.tpl
@@ -0,0 +1,41 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the port for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+return: |
+ 3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- $endpointPortMAP := index $endpointMap.port $port }}
+{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
+{{- printf "%1.f" $endpointPort -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
new file mode 100644
index 0000000..3a268c0
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_endpoint_token_lookup.tpl
@@ -0,0 +1,36 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Gets the token for an endpoint
+values: |
+ endpoints:
+ keystone:
+ auth:
+ admin:
+ token: zh78JzXgw6YUKy2e
+usage: |
+ {{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
+return: |
+ zh78JzXgw6YUKy2e
+*/}}
+
+{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $userName := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
+{{- printf "%s" $serviceToken -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..6877b7b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_host_and_port_endpoint_uri_lookup.tpl
@@ -0,0 +1,59 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves 'hostname:port' for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local:3306
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: 127.0.0.1
+ host_fqdn_override:
+ default: null
+ port:
+ mysql:
+ default: 3306
+ usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ return: |
+ 127.0.0.1:3306
+*/}}
+
+{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- printf "%s:%s" $endpointHostname $endpointPort -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
new file mode 100644
index 0000000..26374e3
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_fqdn_endpoint_lookup.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the fully qualified hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.default.svc.cluster.local
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default:
+ host: mariadb.openstackhelm.openstack.org
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+ return: |
+ mariadb.openstackhelm.openstack.org
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
+{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
+{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
+{{- end }}
+{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- else }}
+{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
+{{- printf "%s" $endpointHostname -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
new file mode 100644
index 0000000..9d60393
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_lookup.tpl
@@ -0,0 +1,40 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+return: |
+ mariadb.default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
+{{- printf "%s" $endpointClusterHostname -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
new file mode 100644
index 0000000..cc4d4de
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_namespaced_endpoint_namespace_lookup.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the namespace scoped hostname for an endpoint
+values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
+return: |
+ default
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
+{{- printf "%s" $namespace -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
new file mode 100644
index 0000000..f23c624
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_hostname_short_endpoint_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the short hostname for an endpoint
+examples:
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+ - values: |
+ endpoints:
+ oslo_db:
+ hosts:
+ default:
+ host: mariadb
+ host_fqdn_override:
+ default: null
+ usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ return: |
+ mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointScheme := $endpointMap.scheme }}
+{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
+{{- if kindIs "map" $context.Values.__endpointHost }}
+{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
+{{- end }}
+{{- $endpointHost := $context.Values.__endpointHost }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
+{{- printf "%s" $type -}}
+{{- else }}
+{{- $endpointHostname := printf "%s" $endpointHost }}
+{{- printf "%s" $endpointHostname -}}
+{{- end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
new file mode 100644
index 0000000..e31c0eb
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_name_lookup.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves the service name for an service type
+values: |
+ endpoints:
+ identity:
+ name: keystone
+usage: |
+ {{ tuple identity . | include "keystone_endpoint_name_lookup" }}
+return: |
+ "keystone"
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- $endpointName := index $endpointMap "name" }}
+{{- $endpointName | quote -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
new file mode 100644
index 0000000..b2ec648
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_path_lookup.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the path for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ path:
+ default: /dbname
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+return: |
+ /dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.path }}
+{{- printf "%s" $endpointMap.path | default "/" -}}
+{{- else -}}
+{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
+{{- printf "%s" $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
new file mode 100644
index 0000000..b35cb0b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_scheme_lookup.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# FIXME(portdirect): it appears the port input here serves no purpose,
+# and should be removed. In addition this function is bugged, do we use it?
+
+{{/*
+abstract: |
+ Resolves the scheme for an endpoint
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ scheme:
+ default:
+ mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+return: |
+ mysql+pymysql
+*/}}
+
+# This function returns the scheme for a service, it takes an tuple
+# input in the form: service-type, endpoint-class, port-name. eg:
+# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
+# will return the scheme setting for this particular endpoint. In other words, for most endpoints
+# it will return either 'http' or 'https'
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
+{{- if kindIs "string" $endpointMap.scheme }}
+{{- printf "%s" $endpointMap.scheme | default "http" -}}
+{{- else -}}
+{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
+{{- printf "%s" $endpointScheme -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
new file mode 100644
index 0000000..8d0819c
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_keystone_endpoint_uri_lookup.tpl
@@ -0,0 +1,52 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function helps resolve uri style endpoints. It will omit the port for
+ http when 80 is used, and 443 in the case of https.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+ path: /dbname
+ scheme: mysql+pymysql
+ port:
+ mysql:
+ default: 3306
+usage: |
+ {{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+return: |
+ mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
+*/}}
+
+{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $port := index . 2 -}}
+{{- $context := index . 3 -}}
+{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
+{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
+{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
+{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
+{{- else -}}
+{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl b/charts/ovn/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
new file mode 100644
index 0000000..cf2ef38
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl
@@ -0,0 +1,61 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ This function returns endpoint "<namespace>:<name>" pair from an endpoint
+ definition. This is used in kubernetes-entrypoint to support dependencies
+ between different services in different namespaces.
+ returns: the endpoint namespace and the service name, delimited by a colon
+
+ Normally, the service name is constructed dynamically from the hostname
+ however when an ip address is used as the hostname, we default to
+ namespace:endpointCategoryName in order to construct a valid service name
+ however this can be overridden to a custom service name by defining
+ .service.name within the endpoint definition
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: null
+usage: |
+ {{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
+return: |
+ foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
+{{- if .service.name }}
+{{- printf "%s:%s" $endpointNamespace .service.name -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
+{{- end -}}
+{{- else -}}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
new file mode 100644
index 0000000..18453ee
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_ceph-storageclass.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for kubernete ceph storageclass
+examples:
+ - values: |
+ manifests:
+ storageclass: true
+ storageclass:
+ rbd:
+ provision_storage_class: true
+ provisioner: "ceph.com/rbd"
+ metadata:
+ default_storage_class: true
+ name: general
+ parameters:
+ #We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
+ pool: rbd
+ admin_id: admin
+ ceph_configmap_name: "ceph-etc"
+ admin_secret_name: "pvc-ceph-conf-combined-storageclass"
+ admin_secret_namespace: ceph
+ user_id: admin
+ user_secret_name: "pvc-ceph-client-key"
+ image_format: "2"
+ image_features: layering
+ cephfs:
+ provision_storage_class: true
+ provisioner: "ceph.com/cephfs"
+ metadata:
+ name: cephfs
+ parameters:
+ admin_id: admin
+ admin_secret_name: "pvc-ceph-cephfs-client-key"
+ admin_secret_namespace: ceph
+ usage: |
+ {{- range $storageclass, $val := .Values.storageclass }}
+ {{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
+ {{- end }}
+ return: |
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ name: general
+ provisioner: ceph.com/rbd
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-conf-combined-storageclass
+ adminSecretNamespace: ceph
+ pool: rbd
+ userId: admin
+ userSecretName: pvc-ceph-client-key
+ image_format: "2"
+ image_features: layering
+ ---
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: cephfs
+ provisioner: ceph.com/cephfs
+ parameters:
+ monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
+ adminId: admin
+ adminSecretName: pvc-ceph-cephfs-client-key
+ adminSecretNamespace: ceph
+*/}}
+
+{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
+{{- if empty $monHost -}}
+{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
+{{- end -}}
+{{- $storageclassData := index . "storageclass_data" -}}
+---
+{{- if $storageclassData.provision_storage_class }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+{{- if $storageclassData.metadata.default_storage_class }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+{{- end }}
+ name: {{ $storageclassData.metadata.name }}
+provisioner: {{ $storageclassData.provisioner }}
+parameters:
+ monitors: {{ $monHost }}
+{{- range $attr, $value := $storageclassData.parameters }}
+ {{ $attr }}: {{ $value | quote }}
+{{- end }}
+allowVolumeExpansion: true
+
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_certificates.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_certificates.tpl
new file mode 100644
index 0000000..8be771e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a certificate using jetstack
+examples:
+ - values: |
+ endpoints:
+ dashboard:
+ host_fqdn_override:
+ default:
+ host: null
+ tls:
+ secretName: keystone-tls-api
+ issuerRef:
+ name: ca-issuer
+ duration: 2160h
+ organization:
+ - ACME
+ commonName: keystone-api.openstack.svc.cluster.local
+ privateKey:
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - cluster.local
+ issuerRef:
+ name: ca-issuer
+ usage: |
+ {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+ {{ $opts | include "helm-toolkit.manifests.certificates" }}
+ return: |
+ ---
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: keystone-tls-api
+ namespace: NAMESPACE
+ spec:
+ commonName: keystone-api.openstack.svc.cluster.local
+ dnsNames:
+ - cluster.local
+ duration: 2160h
+ issuerRef:
+ name: ca-issuer
+ privateKey:
+ size: 2048
+ organization:
+ - ACME
+ secretName: keystone-tls-api
+ usages:
+ - server auth
+ - client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+ This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_ingress.tpl
new file mode 100644
index 0000000..4c476b2
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -0,0 +1,727 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services ingress rules.
+examples:
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public: barbican
+ host_fqdn_override:
+ default: null
+ public:
+ host: barbican.openstackhelm.example
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican.openstackhelm.example
+ rules:
+ - host: barbican.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: barbican-tls-public
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - values: |
+ cert_issuer_type: issuer
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: ca-issuer
+ certmanager.k8s.io/issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+
+ - values: |
+ network:
+ api:
+ ingress:
+ public: true
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "https"
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ internal: barbican-tls-api
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ key_manager:
+ name: barbican
+ hosts:
+ default: barbican-api
+ public:
+ host: barbican
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ host_fqdn_override:
+ default: null
+ path:
+ default: /
+ scheme:
+ default: http
+ public: https
+ port:
+ api:
+ default: 9311
+ public: 80
+ certs:
+ barbican_tls_api:
+ secretName: barbican-tls-api
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+ usage: |
+ {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: barbican
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: ca-issuer
+ certmanager.k8s.io/cluster-issuer: ca-issuer
+ nginx.ingress.kubernetes.io/backend-protocol: https
+ nginx.ingress.kubernetes.io/secure-backends: "true"
+ spec:
+ tls:
+ - secretName: barbican-tls-public-certmanager
+ hosts:
+ - barbican
+ - barbican.default
+ - barbican.default.svc.cluster.local
+ rules:
+ - host: barbican
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ - host: barbican.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: barbican-api
+ port:
+ name: b-api
+ # Sample usage for multiple DNS names associated with the same public
+ # endpoint and certificate
+ - values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ grafana:
+ name: grafana
+ hosts:
+ default: grafana-dashboard
+ public: grafana
+ host_fqdn_override:
+ public:
+ host: grafana.openstackhelm.example
+ tls:
+ dnsNames:
+ - grafana-alt.openstackhelm.example
+ crt: "BASE64 ENCODED CERT"
+ key: "BASE64 ENCODED KEY"
+ network:
+ grafana:
+ ingress:
+ classes:
+ namespace: "nginx"
+ cluster: "nginx-cluster"
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ secrets:
+ tls:
+ grafana:
+ grafana:
+ public: grafana-tls-public
+ usage: |
+ {{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
+ {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+ return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ rules:
+ - host: grafana
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana.default.svc.cluster.local
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-namespace-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ metadata:
+ name: grafana-cluster-fqdn
+ annotations:
+ kubernetes.io/ingress.class: "nginx-cluster"
+ nginx.ingress.kubernetes.io/rewrite-target: /
+
+ spec:
+ tls:
+ - secretName: grafana-tls-public
+ hosts:
+ - grafana.openstackhelm.example
+ - grafana-alt.openstackhelm.example
+ rules:
+ - host: grafana.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+ - host: grafana-alt.openstackhelm.example
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: grafana-dashboard
+ port:
+ name: dashboard
+
+*/}}
+
+{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
+{{- $vHost := index . "vHost" -}}
+{{- $backendName := index . "backendName" -}}
+{{- $backendPort := index . "backendPort" -}}
+- host: {{ $vHost }}
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: {{ $backendName }}
+ port:
+{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
+ number: {{ $backendPort | int }}
+{{- else }}
+ name: {{ $backendPort | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "helm-toolkit.manifests.ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendService := index . "backendService" | default "api" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+{{- $backendPort := index . "backendPort" -}}
+{{- $endpoint := index . "endpoint" | default "public" -}}
+{{- $certIssuer := index . "certIssuer" | default "" -}}
+{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $ingressName }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
+{{- if $certIssuer }}
+ cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
+ certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
+{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
+{{- if (hasKey $slice "duration") }}
+ cert-manager.io/duration: {{ index $slice "duration" }}
+{{- end }}
+{{- end }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
+{{- if $certIssuer }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ printf "%s-ing" $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- else }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
+{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
+{{- $vHosts := list $hostNameFull }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
+ annotations:
+ kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
+{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
+spec:
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
+{{- $vHosts = append $vHosts $v }}
+{{- end }}
+{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
+ tls:
+ - secretName: {{ $secretName }}
+ hosts:
+{{- range $vHost := $vHosts }}
+ - {{ $vHost }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+ rules:
+{{- range $vHost := $vHosts }}
+{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
+{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
new file mode 100644
index 0000000..5d98c8b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: bootstrap
+ image: {{ $envAll.Values.images.tags.bootstrap }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+ env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $configFile | quote }}
+ - name: bootstrap-conf
+ mountPath: {{ $configFile | quote }}
+ subPath: {{ base $configFile | quote }}
+ readOnly: true
+ - name: bootstrap-conf
+ mountPath: {{ $logConfigFile | quote }}
+ subPath: {{ base $logConfigFile | quote }}
+ readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: bootstrap-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
new file mode 100644
index 0000000..62ed119
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-drop-mysql.tpl
@@ -0,0 +1,170 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
+# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
+{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_drop }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToDropType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToDrop.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToDrop.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToDrop.configDbKey | quote }}
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+{{- if eq $dbToDropType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToDrop.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+ command:
+ - /tmp/db-drop.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-drop-sh
+ mountPath: /tmp/db-drop.py
+ subPath: db-drop.py
+ readOnly: true
+
+{{- if eq $dbToDropType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToDrop.configFile | quote }}
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.configFile | quote }}
+ subPath: {{ base $dbToDrop.configFile | quote }}
+ readOnly: true
+ - name: db-drop-conf
+ mountPath: {{ $dbToDrop.logConfigFile | quote }}
+ subPath: {{ base $dbToDrop.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-drop-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToDrop := $dbsToDrop }}
+{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
+{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-drop-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
new file mode 100644
index 0000000..745e8da
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-init-mysql.tpl
@@ -0,0 +1,169 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+#
+# If the service does not use oslo then the db can be managed with:
+# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
+# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
+# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
+
+{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
+{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
+{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
+ - name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
+ image: {{ $envAll.Values.images.tags.db_init }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ROOT_DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.adminSecret | quote }}
+ key: DB_CONNECTION
+{{- if eq $dbToInitType "oslo" }}
+ - name: OPENSTACK_CONFIG_FILE
+ value: {{ $dbToInit.configFile | quote }}
+ - name: OPENSTACK_CONFIG_DB_SECTION
+ value: {{ $dbToInit.configDbSection | quote }}
+ - name: OPENSTACK_CONFIG_DB_KEY
+ value: {{ $dbToInit.configDbKey | quote }}
+{{- end }}
+{{- if eq $dbToInitType "secret" }}
+ - name: DB_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $dbToInit.userSecret | quote }}
+ key: DB_CONNECTION
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+ - name: MARIADB_X509
+ value: "REQUIRE X509"
+{{- end }}
+ command:
+ - /tmp/db-init.py
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-init-sh
+ mountPath: /tmp/db-init.py
+ subPath: db-init.py
+ readOnly: true
+{{- if eq $dbToInitType "oslo" }}
+ - name: etc-service
+ mountPath: {{ dir $dbToInit.configFile | quote }}
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.configFile | quote }}
+ subPath: {{ base $dbToInit.configFile | quote }}
+ readOnly: true
+ - name: db-init-conf
+ mountPath: {{ $dbToInit.logConfigFile | quote }}
+ subPath: {{ base $dbToInit.logConfigFile | quote }}
+ readOnly: true
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- $local := dict "configMapBinFirst" true -}}
+{{- range $key1, $dbToInit := $dbsToInit }}
+{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
+{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
+{{- $_ := set $local "configMapBinFirst" false }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-init-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
new file mode 100644
index 0000000..24d2496
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-db-sync.tpl
@@ -0,0 +1,137 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db migration and management.
+# It can be used in charts dict created similar to the following:
+# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
+# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
+
+{{- define "helm-toolkit.manifests.job_db_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $podEnvVars := index . "podEnvVars" | default false -}}
+{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
+{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
+ image: {{ $dbToSync.image | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if $podEnvVars }}
+ env:
+{{ $podEnvVars | toYaml | indent 12 }}
+{{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/db-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: db-sync-sh
+ mountPath: /tmp/db-sync.sh
+ subPath: db-sync.sh
+ readOnly: true
+ - name: etc-service
+ mountPath: {{ dir $dbToSync.configFile | quote }}
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.configFile | quote }}
+ subPath: {{ base $dbToSync.configFile | quote }}
+ readOnly: true
+ - name: db-sync-conf
+ mountPath: {{ $dbToSync.logConfigFile | quote }}
+ subPath: {{ base $dbToSync.logConfigFile | quote }}
+ readOnly: true
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: db-sync-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etc-service
+ emptyDir: {}
+ - name: db-sync-conf
+ secret:
+ secretName: {{ $configMapEtc | quote }}
+ defaultMode: 0444
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
new file mode 100644
index 0000000..3a7df7f
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-endpoints.tpl
@@ -0,0 +1,130 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
+
+{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
+{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
+ - name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
+ image: {{ $envAll.Values.images.tags.ks_endpoints }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-endpoints.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-endpoints-sh
+ mountPath: /tmp/ks-endpoints.sh
+ subPath: ks-endpoints.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SVC_ENDPOINT
+ value: {{ $osServiceEndPoint | quote }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+ - name: OS_SERVICE_ENDPOINT
+ value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- end }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-endpoints-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
new file mode 100644
index 0000000..a109e3c
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+ - name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+ image: {{ $envAll.Values.images.tags.ks_service }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-service.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-service-sh
+ mountPath: /tmp/ks-service.sh
+ subPath: ks-service.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: OS_SERVICE_NAME
+ value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+ - name: OS_SERVICE_TYPE
+ value: {{ $osServiceType | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-service-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
new file mode 100644
index 0000000..905eb71
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -0,0 +1,154 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone user management.
+# It can be used in charts dict created similar to the following:
+# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
+# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
+
+{{/*
+ # To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # pod:
+ # runAsUser: 65534
+ # To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
+ # example:
+ # values: |
+ # pod:
+ # security_context:
+ # ks_user:
+ # container:
+ # ks-user:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+*/}}
+
+{{- define "helm-toolkit.manifests.job_ks_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_user" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
+{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ restartPolicy: {{ $restartPolicy }}
+ {{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ks-user
+ image: {{ $envAll.Values.images.tags.ks_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/ks-user.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: ks-user-sh
+ mountPath: /tmp/ks-user.sh
+ subPath: ks-user.sh
+ readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_SERVICE_NAME
+ value: {{ $serviceName | quote }}
+{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
+{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
+{{- end }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: ks-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
new file mode 100644
index 0000000..6982064
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-rabbit-init.yaml.tpl
@@ -0,0 +1,129 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
+{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: rabbit-init
+ image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/rabbit-init.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: rabbit-init-sh
+ mountPath: /tmp/rabbit-init.sh
+ subPath: rabbit-init.sh
+ readOnly: true
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
+ env:
+ - name: RABBITMQ_ADMIN_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
+ key: RABBITMQ_CONNECTION
+ - name: RABBITMQ_USER_CONNECTION
+ valueFrom:
+ secretKeyRef:
+ name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
+ key: RABBITMQ_CONNECTION
+{{- if $envAll.Values.conf.rabbitmq }}
+ - name: RABBITMQ_AUXILIARY_CONFIGURATION
+ value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
+{{- end }}
+{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
+ - name: RABBITMQ_X509
+ value: "REQUIRE X509"
+ - name: USER_CERT_PATH
+ value: {{ $tlsPath | quote }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: rabbit-init-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- if $envAll.Values.manifests.certificates }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
new file mode 100644
index 0000000..29cb993
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl
@@ -0,0 +1,147 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for linking an s3 bucket to an s3 user.
+# It can be used in charts dict created similar to the following:
+# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
+
+{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
+{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
+{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
+{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: s3-bucket
+ image: {{ $envAll.Values.images.tags.s3_bucket }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-bucket.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: s3-bucket-sh
+ mountPath: /tmp/create-s3-bucket.sh
+ subPath: create-s3-bucket.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ mountPath: {{ $tlsCertificatePath }}
+ subPath: ca.crt
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: s3-bucket-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
+ - name: {{ $tlsCertificateSecret }}
+ secret:
+ secretName: {{ $tlsCertificateSecret }}
+ defaultMode: 292
+{{- end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
new file mode 100644
index 0000000..50d9af5
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job-s3-user.yaml.tpl
@@ -0,0 +1,159 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for s3 user management.
+# It can be used in charts dict created similar to the following:
+# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
+# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
+
+{{- define "helm-toolkit.manifests.job_s3_user" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
+{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName | quote }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: ceph-keyring-placement
+ image: {{ $envAll.Values.images.tags.ceph_key_placement }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+ command:
+ - /tmp/ceph-admin-keyring.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-keyring-sh
+ mountPath: /tmp/ceph-admin-keyring.sh
+ subPath: ceph-admin-keyring.sh
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ containers:
+ - name: s3-user
+ image: {{ $envAll.Values.images.tags.s3_user }}
+ imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/create-s3-user.sh
+ env:
+{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
+{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
+{{- end }}
+{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
+ - name: RGW_HOST
+ value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: create-s3-user-sh
+ mountPath: /tmp/create-s3-user.sh
+ subPath: create-s3-user.sh
+ readOnly: true
+ - name: etcceph
+ mountPath: /etc/ceph
+ - name: ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ mountPath: /tmp/client-keyring
+ subPath: key
+ readOnly: true
+ {{ end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: create-s3-user-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: ceph-keyring-sh
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+ - name: etcceph
+ emptyDir: {}
+ - name: ceph-etc
+ configMap:
+ name: {{ $configMapCeph | quote }}
+ defaultMode: 0444
+ {{- if empty $envAll.Values.conf.ceph.admin_keyring }}
+ - name: ceph-keyring
+ secret:
+ secretName: pvc-ceph-client-key
+ {{ end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
new file mode 100644
index 0000000..0906df4
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_job_image_repo_sync.tpl
@@ -0,0 +1,119 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for the image repo sync jobs.
+# It can be used in charts dict created similar to the following:
+# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
+# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
+
+{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
+{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook-delete-policy": before-hook-creation
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+ backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+ activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: OnFailure
+ {{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+ nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+ initContainers:
+{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: LOCAL_REPO
+ value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+ - name: IMAGE_SYNC_LIST
+ value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
+ command:
+ - /bin/bash
+ - -c
+ - /tmp/image-repo-sync.sh
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: bootstrap-sh
+ mountPath: /tmp/image-repo-sync.sh
+ subPath: image-repo-sync.sh
+ readOnly: true
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+ volumes:
+ - name: pod-tmp
+ emptyDir: {}
+ - name: bootstrap-sh
+{{- if $secretBin }}
+ secret:
+ secretName: {{ $secretBin | quote }}
+ defaultMode: 0555
+{{- else }}
+ configMap:
+ name: {{ $configMapBin | quote }}
+ defaultMode: 0555
+{{- end }}
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}
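Review bot: The `docker-socket` volume at L3659-3661 is a hostPath to `/var/run/docker.sock`, which gives the image-repo-sync container control of the node's container runtime, and neither the template nor its header comment says so. A comment at the volume would make the cost visible to whoever enables this job, e.g. `# hostPath to the node's Docker socket: equivalent to root on the node; Pod Security "baseline" rejects hostPath volumes, so this job needs a privileged namespace`. The usage comment at L3563-3564 is also missing a brace level (`{-` and `{ $imageRepoSyncJob`), so it cannot be copied as written; the same typo is at L4145-4146. These files are a vendored helm-toolkit copy, so any fix belongs upstream as well as here.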
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_network_policy.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_network_policy.tpl
new file mode 100644
index 0000000..405197a
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a network policy manifest for services.
+values: |
+ endpoints:
+ kube_dns:
+ namespace: kube-system
+ name: kubernetes-dns
+ hosts:
+ default: kube-dns
+ host_fqdn_override:
+ default: null
+ path:
+ default: null
+ scheme: http
+ port:
+ dns_tcp:
+ default: 53
+ dns:
+ default: 53
+ protocol: UDP
+ network_policy:
+ myLabel:
+ podSelector:
+ matchLabels:
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+usage: |
+ {{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+ {{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myLabel
+ component: api
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+ ---
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ policyTypes:
+ - Ingress
+ - Egress
+ podSelector:
+ matchLabels:
+ application: myApp
+ component: myComp
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ application: keystone
+ ports:
+ - protocol: TCP
+ port: 80
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ name: default
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ ports:
+ - protocol: TCP
+ port: 53
+ - protocol: UDP
+ port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ $label | replace "_" "-" }}-netpol
+ namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+ - Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+ - Ingress
+{{ end -}}
+{{- end }}
+ podSelector:
+ matchLabels:
+{{- if empty $labels }}
+ {{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+ {{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+ egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+ - to:
+{{- if index $value "namespace" }}
+ - namespaceSelector:
+ matchLabels:
+ name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+ - podSelector:
+ matchLabels:
+ application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+ - port: {{ $pv }}
+ protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
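Review bot: The egress rules at L3869-3880 derive the target `application:` label from the first `-`-separated token of the endpoint host name (`split "-" $defaultValue`), so an endpoint whose host does not start with its application label yields a selector that matches no pods (or a different application) with nothing in the rendered policy to show it. A comment stating the assumption at L3871 would help, e.g. `# assumes endpoint hosts are named <application>-...; a host that breaks this convention produces a selector matching nothing`. Separately, the `usage:` example at L3735 lacks the `| include "helm-toolkit.manifests.kubernetes_network_policy"` pipe that L3734 has, and the `return:` examples at L3761 and L3796 show a `podSelector` where the values block at L3722 used a `namespaceSelector`.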
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
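Review bot: The example values at L3943-3945 and L3967-3969 document the credential as `auth.<service>.name` / `password`, but L3998 reads `$imageCredentials.username`; with values written as in the docstring the rendered `auth` token would most likely carry an empty or `<no value>` user rather than fail the render. Either change the examples to `username:` or make L3998 `$imageCredentials.username | default $imageCredentials.name`. The `return:` examples at L3956 and L3980 also show a `dockerconfigjson:` key while L4007 correctly emits `.dockerconfigjson`, which is the key the `kubernetes.io/dockerconfigjson` type requires. Since the Secret holds the registry password only base64-encoded, a one-line comment above L4000 noting that access to it is governed by Secret RBAC and encryption at rest would be appropriate.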
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
new file mode 100644
index 0000000..24a7045
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_secret-tls.yaml.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a services public tls secret
+examples:
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ key: |
+ FOO-KEY
+ ca: |
+ FOO-CA_CRT
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
+
+ - values: |
+ secrets:
+ tls:
+ key_manager:
+ api:
+ public: barbican-tls-public
+ endpoints:
+ key_manager:
+ host_fqdn_override:
+ public:
+ tls:
+ crt: |
+ FOO-CRT
+ FOO-INTERMEDIATE_CRT
+ FOO-CA_CRT
+ key: |
+ FOO-KEY
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: barbican-tls-public
+ type: kubernetes.io/tls
+ data:
+ tls.key: Rk9PLUtFWQo=
+ tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
+{{- $envAll := index . "envAll" }}
+{{- $endpoint := index . "endpoint" | default "public" }}
+{{- $backendServiceType := index . "backendServiceType" }}
+{{- $backendService := index . "backendService" | default "api" }}
+{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
+{{- if hasKey $host $endpoint }}
+{{- $endpointHost := index $host $endpoint }}
+{{- if kindIs "map" $endpointHost }}
+{{- if hasKey $endpointHost "tls" }}
+{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
+type: kubernetes.io/tls
+data:
+ tls.key: {{ $endpointHost.tls.key | b64enc }}
+{{- if $endpointHost.tls.ca }}
+ tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
+{{- else }}
+ tls.crt: {{ $endpointHost.tls.crt | b64enc }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
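Review bot: The private key at L4112 is read straight from `endpoints.<service>.host_fqdn_override.<endpoint>.tls.key` in values, so whatever holds the chart's values (a committed values file, a CI variable, the Helm release record) holds the key in plaintext, and the docstring says nothing about this. A comment above L4094 such as `# tls.key is sourced from values: supply it through an out-of-band override, never from a committed values file` would make the contract explicit. The `abstract:` at L4031 reads "a services public tls secret" and should be "a service's public TLS secret".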
diff --git a/charts/ovn/charts/helm-toolkit/templates/manifests/_service-ingress.tpl b/charts/ovn/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
new file mode 100644
index 0000000..d2e7c0e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/manifests/_service-ingress.tpl
@@ -0,0 +1,43 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for a services ingress rules.
+# It can be used in charts dict created similar to the following:
+# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
+# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
+
+{{- define "helm-toolkit.manifests.service_ingress" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $backendServiceType := index . "backendServiceType" -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: http
+ port: 80
+ - name: https
+ port: 443
+ selector:
+ app: ingress-api
+{{- if index $envAll.Values.endpoints $backendServiceType }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
+{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
+ clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
new file mode 100644
index 0000000..bf1465b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-bucket.sh.tpl
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_bucket" }}
+#!/bin/bash
+set -e
+CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
+if [ "$RGW_PROTO" = "http" ]; then
+ CONNECTION_ARGS+=" --no-ssl"
+else
+ CONNECTION_ARGS+=" --no-check-certificate"
+fi
+ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
+USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
+function check_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
+}
+function create_rgw_s3_bucket () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
+}
+function modify_bucket_acl () {
+ s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
+}
+check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
+{{- end }}
\ No newline at end of file
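Review bot: L4198 unconditionally passes `--no-check-certificate` to s3cmd whenever `RGW_PROTO` is not `http`, so every HTTPS run skips server-certificate validation and will accept any endpoint answering as `RGW_HOST`. The safer default is to verify and let the operator opt out explicitly, e.g. `CONNECTION_ARGS+=" --ca-certs=${RGW_CA_CERT}"` when a CA path is provided and the `--no-check-certificate` branch only behind an explicit `RGW_SKIP_VERIFY` (both variable names constructed for illustration). The access and secret keys are also passed on the command line at L4200-4201 and L4203-4209, which exposes them in the pod's process list for the duration of each call; s3cmd can read them from a config file (`-c`) instead.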
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
new file mode 100644
index 0000000..08796d2
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_create-s3-user.sh.tpl
@@ -0,0 +1,65 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "helm-toolkit.scripts.create_s3_user" }}
+#!/bin/bash
+set -e
+function create_s3_user () {
+ echo "Creating s3 user and key pair"
+ radosgw-admin user create \
+ --uid=${S3_USERNAME} \
+ --display-name=${S3_USERNAME} \
+ --key-type=s3 \
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+}
+function update_s3_user () {
+ # Retrieve old access keys, if they exist
+ old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ if [[ ! -z ${old_access_keys} ]]; then
+ for access_key in $old_access_keys; do
+ # If current access key is the same as the key supplied, do nothing.
+ if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
+ echo "Current user and key pair exists."
+ continue
+ else
+ # If keys differ, remove previous key
+ radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
+ fi
+ done
+ fi
+
+ # Perform one more additional check to account for scenarios where multiple
+ # key pairs existed previously, but one existing key was the supplied key
+ current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
+ | jq -r '.keys[].access_key' || true)
+
+ # If the supplied key does not exist, modify the user
+ if [[ -z ${current_access_key} ]]; then
+ # Modify user with new access and secret keys
+ echo "Updating existing user's key pair"
+ radosgw-admin user modify \
+ --uid=${S3_USERNAME}\
+ --access-key ${S3_ACCESS_KEY} \
+ --secret-key ${S3_SECRET_KEY}
+ fi
+}
+user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
+if [[ -z ${user_exists} ]]; then
+ create_s3_user
+else
+ update_s3_user
+fi
+{{- end }}
\ No newline at end of file
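Review bot: `update_s3_user` only compares access keys (L4253), so when the supplied access key already exists with a different secret key the function prints "Current user and key pair exists." and leaves the old secret in place, meaning a rotation of `S3_SECRET_KEY` alone never reaches RGW. If `radosgw-admin key create --uid=${S3_USERNAME} --key-type=s3 --access-key=${S3_ACCESS_KEY} --secret-key=${S3_SECRET_KEY}` replaces the secret for an existing access key as I expect, running it unconditionally after the removal loop at L4251-4260 would close that gap; confirm against the Ceph release in use. The message at L4254 should in any case say "access key" rather than "key pair", since only the access key was checked.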
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
new file mode 100644
index 0000000..03884fa
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Delete DB
+try:
+ root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+ logger.info("Deleted database {0}".format(database))
+except:
+ logger.critical("Could not drop database {0}".format(database))
+ raise
+
+# Delete DB User
+try:
+ root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+ logger.info("Deleted user {0}".format(user))
+except:
+ logger.critical("Could not delete user {0}".format(user))
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
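Review bot: `database` and `user` are interpolated unquoted into `DROP DATABASE IF EXISTS {0}` and `DROP USER IF EXISTS {0}` at L4418 and L4426; they come from the operator-supplied `DB_CONNECTION`, so this is a robustness rather than an injection concern, but a name containing a space, dash or backtick breaks the statement. Quoting through the dialect, `root_engine.dialect.identifier_preparer.quote(database)` (and likewise for `user`), keeps the script dialect-agnostic. The root URL rebuilt by string join at L4394 also drops the query string and renders `port` as the literal `None` when the URL has no port; on SQLAlchemy 1.4+ `root_engine_full.url.set(database=None)` is the safer way to strip the database. `Engine.execute` as used at L4418 and L4426 was removed in SQLAlchemy 2.0, so a comment near L4326 recording that the image must pin a 1.x release would save a future debugging session.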
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_db-init.py.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
new file mode 100644
index 0000000..6027b95
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,156 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+ import ConfigParser
+ PARSER_OPTS = {}
+except ImportError:
+ import configparser as ConfigParser
+ PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+ db_connection = os.environ['ROOT_DB_CONNECTION']
+ logger.info('Got DB root connection')
+else:
+ logger.critical('environment variable ROOT_DB_CONNECTION not set')
+ sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+ 'key': '/etc/mysql/certs/tls.key',
+ 'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+ os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+ if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+ os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+ sys.exit(1)
+ if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+ os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+ else:
+ logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+ sys.exit(1)
+ try:
+ config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+ logger.info("Using {0} as db config source".format(os_conf))
+ config.read(os_conf)
+ logger.info("Trying to load db config from {0}:{1}".format(
+ os_conf_section, os_conf_key))
+ user_db_conn = config.get(os_conf_section, os_conf_key)
+ logger.info("Got config from {0}".format(os_conf))
+ except:
+ logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+ raise
+elif "DB_CONNECTION" in os.environ:
+ user_db_conn = os.environ['DB_CONNECTION']
+ logger.info('Got config from DB_CONNECTION env var')
+else:
+ logger.critical('Could not get db config, either from config file or env var')
+ sys.exit(1)
+
+# Root DB engine
+try:
+ root_engine_full = create_engine(db_connection)
+ root_user = root_engine_full.url.username
+ root_password = root_engine_full.url.password
+ drivername = root_engine_full.url.drivername
+ host = root_engine_full.url.host
+ port = root_engine_full.url.port
+ root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+ root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+ connection = root_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+ host, port, root_user))
+except:
+ logger.critical('Could not connect to database as root user')
+ raise
+
+# User DB engine
+try:
+ user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+ # Get our user data out of the user_engine
+ database = user_engine.url.database
+ user = user_engine.url.username
+ password = user_engine.url.password
+ logger.info('Got user db config')
+except:
+ logger.critical('Could not get user database config')
+ raise
+
+# Create DB
+try:
+ root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+ logger.info("Created database {0}".format(database))
+except:
+ logger.critical("Could not create database {0}".format(database))
+ raise
+
+# Create DB User
+try:
+ root_engine.execute(
+ "CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(
+ user, password, mysql_x509))
+ root_engine.execute(
+ "GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user))
+ logger.info("Created user {0} for {1}".format(user, database))
+except:
+ logger.critical("Could not create user {0} for {1}".format(user, database))
+ raise
+
+# Test connection
+try:
+ connection = user_engine.connect()
+ connection.close()
+ logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+ host, port, database, user))
+except:
+ logger.critical('Could not connect to database as user')
+ raise
+
+logger.info('Finished DB Management')
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
new file mode 100644
index 0000000..4d7dfaa
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -0,0 +1,69 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "helm-toolkit.scripts.pg_db_init" }}
+#!/bin/bash
+set -ex
+
+if [[ ! -v DB_HOST ]]; then
+ echo "environment variable DB_HOST not set"
+ exit 1
+elif [[ ! -v DB_ADMIN_USER ]]; then
+ echo "environment variable DB_ADMIN_USER not set"
+ exit 1
+elif [[ ! -v PGPASSWORD ]]; then
+ echo "environment variable PGPASSWORD not set"
+ exit 1
+elif [[ ! -v DB_PORT ]]; then
+ echo "environment variable DB_PORT not set"
+ exit 1
+elif [[ ! -v USER_DB_USER ]]; then
+ echo "environment variable USER_DB_USER not set"
+ exit 1
+elif [[ ! -v USER_DB_PASS ]]; then
+ echo "environment variable USER_DB_PASS not set"
+ exit 1
+elif [[ ! -v USER_DB_NAME ]]; then
+ echo "environment variable USER_DB_NAME not set"
+ exit 1
+else
+ echo "Got DB connection info"
+fi
+
+pgsql_superuser_cmd () {
+ DB_COMMAND="$1"
+ if [[ ! -z $2 ]]; then
+ EXPORT PGDATABASE=$2
+ fi
+ /usr/bin/psql \
+ -h ${DB_HOST} \
+ -p ${DB_PORT} \
+ -U ${DB_ADMIN_USER} \
+ --command="${DB_COMMAND}"
+}
+
+#create db
+pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
+
+#create db user
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
+ pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
+
+#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
+pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
+
+#give permissions to user
+pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
new file mode 100644
index 0000000..e41abe3
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl
@@ -0,0 +1,24 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+ docker pull ${IMAGE}
+ docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+ docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
new file mode 100644
index 0000000..8755cd5
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -0,0 +1,72 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_domain_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Manage domain
+SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ "${SERVICE_OS_DOMAIN_NAME}")
+
+# Display domain
+openstack domain show "${SERVICE_OS_DOMAIN_ID}"
+
+# Manage user
+SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
+ --password="${SERVICE_OS_PASSWORD}" \
+ "${SERVICE_OS_USERNAME}")
+
+# Manage user password (we do this to ensure the password is updated if required)
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
+
+# Display user
+openstack user show "${SERVICE_OS_USERID}"
+
+# Manage role
+SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
+ "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
+ "${SERVICE_OS_ROLE}" )
+
+# Manage user role assignment
+openstack role add \
+ --domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ "${SERVICE_OS_ROLE_ID}"
+
+# Display user role assignment
+openstack role assignment list \
+ --role="${SERVICE_OS_ROLE_ID}" \
+ --user-domain="${SERVICE_OS_DOMAIN_ID}" \
+ --user="${SERVICE_OS_USERID}"
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
new file mode 100644
index 0000000..e400bcd
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+ grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+ awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+ echo "More than one endpoint found, cleaning up"
+ for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+ openstack endpoint delete ${ENDPOINT_ID}
+ done
+ unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+ OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+ if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+ echo "Endpoints Match: no action required"
+ OS_ENDPOINT_UPDATE="False"
+ else
+ echo "Endpoints Dont Match: removing existing entries"
+ openstack endpoint delete ${OS_ENDPOINT_ID}
+ OS_ENDPOINT_UPDATE="True"
+ fi
+else
+ OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+ OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+ --region="${OS_REGION_NAME}" \
+ "${OS_SERVICE_ID}" \
+ ${OS_SVC_ENDPOINT} \
+ "${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
new file mode 100644
index 0000000..8356b36
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-service.sh.tpl
@@ -0,0 +1,76 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_service" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Service boilerplate description
+OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
+
+# Get Service ID if it exists
+unset OS_SERVICE_ID
+
+# FIXME - There seems to be an issue once in a while where the
+# openstack service list fails and encounters an error message such as:
+# Unable to establish connection to
+# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
+# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
+# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
+# and it would attempt to create a new service when it was not needed.
+# This duplciate service would sometimes be used by other services such as
+# Horizon and would give an 'Invalid Service Catalog' error.
+# This loop allows for a 'retry' of the openstack service list in an
+# attempt to get the service list as expected if it does ecounter an error.
+# This loop and recheck can be reverted once the underlying issue is addressed.
+
+# If OS_SERVICE_ID is blank then wait a few seconds to give it
+# additional time and try again
+for i in $(seq 3)
+do
+ OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+ grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+ sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+ # If the service was found, go ahead and exit successfully.
+ if [[ -n "${OS_SERVICE_ID}" ]]; then
+ exit 0
+ fi
+
+ sleep 2
+done
+
+# If we've reached this point and a Service ID was not found,
+# then create the service
+OS_SERVICE_ID=$(openstack service create -f value -c id \
+ --name="${OS_SERVICE_NAME}" \
+ --description "${OS_SERVICE_DESC}" \
+ --enable \
+ "${OS_SERVICE_TYPE}")
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
new file mode 100644
index 0000000..b45f798
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+ PROJECT_DOMAIN_ID="default"
+else
+ # Manage project domain
+ PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+ "${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+ USER_DOMAIN_ID="default"
+else
+ # Manage user domain
+ USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+ --description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+ --domain="${PROJECT_DOMAIN_ID}" \
+ --description="${USER_PROJECT_DESC}" \
+ "${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+ --domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ --description="${USER_DESC}" \
+ "${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+ if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+ then
+ USER_ROLE_ID="$SERVICE_OS_ROLE"
+ else
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+ fi
+
+ # Manage user role assignment
+ openstack role add \
+ --user="${USER_ID}" \
+ --user-domain="${USER_DOMAIN_ID}" \
+ --project-domain="${PROJECT_DOMAIN_ID}" \
+ --project="${USER_PROJECT_ID}" \
+ "${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
new file mode 100644
index 0000000..3739f95
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $1}' | \
+ awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+ awk -F'[@]' '{print $2}' | \
+ awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+ if [ -n "$RABBITMQ_X509" ]
+ then
+ rabbitmqadmin \
+ --ssl \
+ --ssl-disable-hostname-verification \
+ --ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+ --ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+ --ssl-key-file="${USER_CERT_PATH}/tls.key" \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ else
+ rabbitmqadmin \
+ --host="${RABBIT_HOSTNAME}" \
+ --port="${RABBIT_PORT}" \
+ --username="${RABBITMQ_ADMIN_USERNAME}" \
+ --password="${RABBITMQ_ADMIN_PASSWORD}" \
+ ${@}
+ fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+ declare user \
+ name="${RABBITMQ_USERNAME}" \
+ password="${RABBITMQ_PASSWORD}" \
+ tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+ echo "Managing: vHost: ${RABBITMQ_VHOST}"
+ rabbitmqadmin_cli \
+ declare vhost \
+ name="${RABBITMQ_VHOST}"
+else
+ echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+ declare permission \
+ vhost="${RABBITMQ_VHOST}" \
+ user="${RABBITMQ_USERNAME}" \
+ configure=".*" \
+ write=".*" \
+ read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+ echo "Applying additional configuration"
+ echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+ rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
new file mode 100644
index 0000000..c08d320
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/_rally_test.sh.tpl
@@ -0,0 +1,88 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rally_test" -}}
+#!/bin/bash
+set -ex
+{{- $rallyTests := index . 0 }}
+
+: "${RALLY_ENV_NAME:="openstack-helm"}"
+: "${OS_INTERFACE:="public"}"
+: "${RALLY_CLEANUP:="true"}"
+
+if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
+ function rally_cleanup {
+ openstack user delete \
+ --domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
+ "${SERVICE_OS_USERNAME}"
+{{ $rallyTests.clean_up | default "" | indent 4 }}
+ }
+ trap rally_cleanup EXIT
+fi
+
+function create_or_update_db () {
+ revisionResults=$(rally db revision)
+ if [ $revisionResults = "None" ]
+ then
+ rally db create
+ else
+ rally db upgrade
+ fi
+}
+
+create_or_update_db
+
+cat > /tmp/rally-config.json << EOF
+{
+ "openstack": {
+ "auth_url": "${OS_AUTH_URL}",
+ "region_name": "${OS_REGION_NAME}",
+ "endpoint_type": "${OS_INTERFACE}",
+ "admin": {
+ "username": "${OS_USERNAME}",
+ "password": "${OS_PASSWORD}",
+ "user_domain_name": "${OS_USER_DOMAIN_NAME}",
+ "project_name": "${OS_PROJECT_NAME}",
+ "project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
+ },
+ "users": [
+ {
+ "username": "${SERVICE_OS_USERNAME}",
+ "password": "${SERVICE_OS_PASSWORD}",
+ "project_name": "${SERVICE_OS_PROJECT_NAME}",
+ "user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
+ "project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+ }
+ ],
+ "https_insecure": false,
+ "https_cacert": "${OS_CACERT}"
+ }
+}
+EOF
+rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
+rm -f /tmp/rally-config.json
+rally deployment use "${RALLY_ENV_NAME}"
+rally deployment check
+{{- if $rallyTests.run_tempest }}
+rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
+SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
+rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
+rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
+{{- end }}
+rally task validate /etc/rally/rally_tests.yaml
+rally task start /etc/rally/rally_tests.yaml
+rally task sla-check
+rally env cleanup
+rally deployment destroy --deployment "${RALLY_ENV_NAME}"
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
new file mode 100644
index 0000000..3963bd4
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,567 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
+log() {
+ #Log message to a file or stdout
+ #TODO: This can be convert into mail alert of alert send to a monitoring system
+ #Params: $1 log level
+ #Params: $2 service
+ #Params: $3 message
+ #Params: $4 Destination
+ LEVEL=$1
+ SERVICE=$2
+ MSG=$3
+ DEST=$4
+ DATE=$(date +"%m-%d-%y %H:%M:%S")
+ if [[ -z "$DEST" ]]; then
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+ else
+ echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+ fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+ diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+ echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ ARCHIVE_DATE=$( date --date="$1" +%s )
+ if [[ $? -ne 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ CURRENT_DATE=$( date +%s )
+ SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+ if [[ "$SECOND_DELTA" -lt 0 ]]; then
+ SECOND_DELTA=0
+ fi
+ echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+ FILEPATH=$1
+ FILE=$2
+
+ # Grab the list of containers on the remote site
+ RESULT=$(openstack container list 2>&1)
+
+ if [[ $? -eq 0 ]]; then
+ echo $RESULT | grep $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ # Find the swift URL from the keystone endpoint list
+ SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+ return 2
+ fi
+
+ # Get a token from keystone
+ TOKEN=$(openstack token issue -f value -c id)
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+ return 2
+ fi
+
+ # Create the container
+ RES_FILE=$(mktemp -p /tmp)
+ curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+ -H "X-Auth-Token: ${TOKEN}" \
+ -H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+ if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+ cat $RES_FILE
+ rm -f $RES_FILE
+ return 2
+ fi
+ rm -f $RES_FILE
+
+ swift stat $CONTAINER_NAME
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+ return 2
+ fi
+ fi
+ else
+ echo $RESULT | grep -E "HTTP 401|HTTP 403"
+ if [[ $? -eq 0 ]]; then
+ log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+ return 1
+ else
+ echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+ if [[ $? -eq 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+
+ # load balance delay
+ DELAY=$((1 + ${RANDOM} % 30))
+ echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+ sleep ${DELAY}
+
+ # Create an object to store the file
+ openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+ return 2
+ fi
+
+ openstack object show $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+ return 2
+ fi
+
+ # Remote backup verification
+ MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
+ MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
+ if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
+ return 2
+ fi
+ rm -rf ${REMOTE_FILE}
+
+ log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+ return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+ FILEPATH=$1
+ FILE=$2
+
+ count=1
+ while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+ # Store the new archive to the remote backup storage facility.
+ send_to_remote_server $FILEPATH $FILE
+ SEND_RESULT="$?"
+
+ # Check if successful
+ if [[ $SEND_RESULT -eq 0 ]]; then
+ log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+ return 0
+ elif [[ $SEND_RESULT -eq 2 ]]; then
+ if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+ "${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+ break
+ fi
+ # Temporary failure occurred. We need to retry
+ log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+ sleep_time=$(random_number)
+ log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+ sleep ${sleep_time}
+ log INFO "${DB_NAME}_backup" "Retrying..."
+ else
+ log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+ break
+ fi
+
+ # Increment the counter
+ count=$((count+1))
+ done
+
+ return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+ for ARCHIVE_FILE in ${fileList}; do
+ # Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+ # to take in account a possibility, that we can have more than one scheduled
+ # backup per day.
+ ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+ log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+ INDEX=$(seconds_difference ${ARCHIVE_DATE})
+ if [[ -z fileTable[${INDEX}] ]]; then
+ fileTable[${INDEX}]=${ARCHIVE_FILE}
+ else
+ fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+ fi
+ echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+ done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ ALL_FILES=($@)
+ PREFIXES=()
+ for fname in ${ALL_FILES[@]}; do
+ prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+ for ((i=0; i<${#PREFIXES[@]}; i++)) do
+ if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+ prefix=""
+ break
+ fi
+ done
+ if [[ ! -z ${prefix} ]]; then
+ PREFIXES+=(${prefix})
+ fi
+ done
+}
+
+remove_old_local_archives() {
+ SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ if [[ -d $ARCHIVE_DIR ]]; then
+ count=0
+ # We iterate over the hash table, checking the delta in seconds (hash keys),
+ # and minimum number of backups we must have in place. List of keys has to be sorted.
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+ rm -f ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ # Log error but don't exit so we can finish the script
+ # because at this point we haven't sent backup to RGW yet
+ log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+ fi
+ fi
+ done
+ else
+ log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+ fi
+}
+
+prepare_list_of_remote_backups() {
+ BACKUP_FILES=$(mktemp -p /tmp)
+ DB_BACKUP_FILES=$(mktemp -p /tmp)
+ openstack object list $CONTAINER_NAME > $BACKUP_FILES
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+ fi
+ # Filter out other types of backup files
+ cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+ count=0
+ SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+ log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
+ if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+ ((count++))
+ log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+ else
+ log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+ openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+ "Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+ fi
+ done
+
+ # Cleanup now that we're done.
+ for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+ SCOPE=${1:-"all"}
+
+ # Create necessary directories if they do not exist.
+ mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+ export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+ # Create temporary log file
+ export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+ # It is expected that this function will dump the database files to the $TMP_DIR
+ dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+ fi
+
+ log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+ NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+ if [[ -z "${BACK_UP_MODE}" ]]; then
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+ else
+ TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+ fi
+
+ cd $TMP_DIR || log_backup_error_exit \
+ "Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+ #Archive the current database files
+ tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+ if [[ $? -ne 0 ]]; then
+ log_backup_error_exit \
+ "Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+ fi
+
+ # Get the size of the file
+ ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+ log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+ cd $ARCHIVE_DIR
+
+ #Only delete the old archive after a successful archive
+ export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+ if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+ get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+ remove_old_local_archives
+ done
+ fi
+
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
+ REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+ if $REMOTE_BACKUP; then
+ # Remove Quotes from the constants which were added due to reading
+ # from secret.
+ export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+ export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+ export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+ export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+ store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+ if [[ $? -ne 0 ]]; then
+ # This error should print first, then print the summary as the last
+ # thing that the user sees in the output.
+ log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+ echo "=================================================================="
+ echo "Local backup successful, but could not send to remote RGW."
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ # Because the local backup was successful, exit with 0 so the pod will not
+ # continue to restart and fill the disk with more backups. The ERRORs are
+ # logged and alerting system should catch those errors and flag the operator.
+ exit 0
+ fi
+
+ #Only delete the old archive after a successful archive
+ if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+ prepare_list_of_remote_backups
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
+ fi
+
+ echo "=================================================================="
+ echo "Local backup and backup to remote RGW successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ else
+ # Remote backup is not enabled. This is ok; at least we have a local backup.
+ log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+ echo "=================================================================="
+ echo "Local backup successful!"
+ echo "Backup archive name: $TARBALL_FILE"
+ echo "Backup archive size: $ARCHIVE_SIZE"
+ echo "=================================================================="
+ fi
+}
+{{- end }}
\ No newline at end of file
diff --git a/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
new file mode 100644
index 0000000..093dd2c
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -0,0 +1,616 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
+#!/bin/bash
+
+# This file contains a database restore framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/restore_main.sh
+#
+# Then the script should call the main CLI function (cli_main):
+# cli_main <arg_list>
+# where:
+# <arg_list> is the list of arguments given by the user
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export ARCHIVE_DIR Location where the backup tarballs should
+# be stored. (full directory path which
+# should already exist)
+# export CONTAINER_NAME Name of the container on the RGW where
+# the backups are stored.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# The database-specific functions that need to be implemented are:
+# get_databases
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <db_file> is the full path of the file to write the database
+# names into, one database per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the database names from the
+# uncompressed database files found in the given "tmp_dir", which is
+# the staging directory for database restore. The database names
+# should be written to the given "db_file", one database name per
+# line.
+#
+# get_tables
+# <db_name> is the name of the database to get the tables from
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <table_file> is the full path of the file to write the table
+# names into, one table per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the table names from the given
+# database, found in the uncompressed database files located in the
+# given "tmp_dir", which is the staging directory for database restore.
+# The table names should be written to the given "table_file", one
+# table name per line.
+#
+# get_rows
+# <table_name> is the name of the table to get the rows from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <rows_file> is the full path of the file to write the table
+# row data into, one row (INSERT statement) per line
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the rows from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table rows should be written to the given
+# "rows_file", one row (INSERT statement) per line.
+#
+# get_schema
+# <table_name> is the name of the table to get the schema from
+# <db_name> is the name of the database the table resides in
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# <schema_file> is the full path of the file to write the table
+# schema data into
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to extract the schema from the given table
+# in the given database, found in the uncompressed database files
+# located in the given "tmp_dir", which is the staging directory for
+# database restore. The table schema and related alterations and
+# grant information should be written to the given "schema_file".
+#
+# restore_single_db
+# where:
+# <db_name> is the name of the database to be restored
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore the database given as "db_name"
+# using the database files located in the "tmp_dir". The framework
+# will delete the "tmp_dir" and the files in it after the restore is
+# complete.
+#
+# restore_all_dbs
+# where:
+# <tmp_dir> is the full directory path where the decompressed
+# database files reside
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to restore all of the databases which
+# are backed up in the database files located in the "tmp_dir". The
+# framework will delete the "tmp_dir" and the files in it after the
+# restore is complete.
+#
+# The functions in this file will take care of:
+# 1) The CLI parameter parsing for the arguments passed in by the user.
+# 2) The listing of either local or remote archive files at the request
+# of the user.
+# 3) The retrieval/download of an archive file located either in the local
+# file system or remotely stored on an RGW.
+# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
+# chooses to restore a database or all databases.
+# 5) The framework will call "get_databases" when it needs a list of
+# databases when the user requests a database list or when the user
+# requests to restore a single database (to ensure it exists in the
+# archive). Similarly, the framework will call "get_tables", "get_rows",
+# or "get_schema" when it needs that data requested by the user.
+#
+
+usage() {
+ ret_val=$1
+ echo "Usage:"
+ echo "Restore command options"
+ echo "============================="
+ echo "help"
+ echo "list_archives [remote]"
+ echo "list_databases <archive_filename> [remote]"
+ echo "list_tables <archive_filename> <dbname> [remote]"
+ echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
+ echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
+ echo "restore <archive_filename> <db_specifier> [remote]"
+ echo " where <db_specifier> = <dbname> | ALL"
+ echo "delete_archive <archive_filename> [remote]"
+ clean_and_exit $ret_val ""
+}
+
+#Exit cleanly with some message and return code
+clean_and_exit() {
+ RETCODE=$1
+ MSG=$2
+
+ # Clean/remove temporary directories/files
+ rm -rf $TMP_DIR
+ rm -f $RESULT_FILE
+
+ if [[ "x${MSG}" != "x" ]]; then
+ echo $MSG
+ fi
+ exit $RETCODE
+}
+
+determine_resulting_error_code() {
+ RESULT="$1"
+
+ echo ${RESULT} | grep "HTTP 404"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not find the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 401"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not access the archive: ${RESULT}"
+ return 1
+ else
+ echo ${RESULT} | grep "HTTP 503"
+ if [[ $? -eq 0 ]]; then
+ echo "RGW service is unavailable. ${RESULT}"
+ # In this case, the RGW may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo ${RESULT} | grep "ConnectionError"
+ if [[ $? -eq 0 ]]; then
+ echo "Could not reach the RGW: ${RESULT}"
+ # In this case, keystone or the site/node may be temporarily down.
+ # Return slightly different error code so the calling code can retry
+ return 2
+ else
+ echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
+ return 1
+ fi
+ fi
+ fi
+ fi
+ return 0
+}
+
+# Retrieve a list of archives from the RGW.
+retrieve_remote_listing() {
+ RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
+ if [[ $? -eq 0 ]]; then
+ # Get the list, ensureing that we only pick up the right kind of backups from the
+ # requested namespace
+ openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
+ if [[ $? -ne 0 ]]; then
+ echo "Container object listing could not be obtained."
+ return 1
+ else
+ echo "Archive listing successfully retrieved."
+ fi
+ else
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ fi
+ return 0
+}
+
+# Retrieve a single archive from the RGW.
+retrieve_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive $ARCHIVE successfully retrieved."
+ fi
+ return 0
+}
+
+# Delete an archive from the RGW.
+delete_remote_archive() {
+ ARCHIVE=$1
+
+ RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
+ if [[ $? -ne 0 ]]; then
+ determine_resulting_error_code "${RESULT}"
+ return $?
+ else
+ echo "Archive ${ARCHIVE} successfully deleted."
+ fi
+ return 0
+}
+
+# Display all archives
+list_archives() {
+ REMOTE=$1
+
+ if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
+ retrieve_remote_listing
+ if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
+ echo
+ echo "All Archives from RGW Data Store"
+ echo "=============================================="
+ cat $TMP_DIR/archive_list | sort
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
+ fi
+ elif [[ "x${REMOTE}" == "x" ]]; then
+ if [[ -d $ARCHIVE_DIR ]]; then
+ archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
+ echo
+ echo "All Local Archives"
+ echo "=============================================="
+ for archive in $archives
+ do
+ echo $archive | cut -d '/' -f8-
+ done
+ clean_and_exit 0 ""
+ else
+ clean_and_exit 1 "ERROR: Local archive directory is not available."
+ fi
+ else
+ usage 1
+ fi
+}
+
+# Retrieve the archive from the desired location and decompress it into
+# the restore directory
+get_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+
+ if [[ "x$REMOTE" == "xremote" ]]; then
+ echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
+ retrieve_remote_archive $ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
+ fi
+ elif [[ "x$REMOTE" == "x" ]]; then
+ if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
+ cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ else
+ usage 1
+ fi
+
+ echo "Decompressing archive $ARCHIVE_FILE..."
+ cd $TMP_DIR
+ tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Archive decompression failed."
+ fi
+}
+
+# Display all databases from an archive
+list_databases() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Databases in the $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all tables of a database from an archive
+list_tables() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ REMOTE=$3
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_tables $DATABASE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display all rows of the given database table from an archive
+list_rows() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the database listing will be put into
+ # the given file one table per line
+ get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Display the schema information of the given database table from an archive
+list_schema() {
+ ARCHIVE_FILE=$1
+ DATABASE=$2
+ TABLE=$3
+ REMOTE=$4
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ # Get the archive from the source location (local/remote)
+ get_archive $ARCHIVE_FILE $REMOTE
+
+ # Expectation is that the schema information will be placed into
+ # the given schema file.
+ get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+
+ if [[ -f "$RESULT_FILE" ]]; then
+ echo " "
+ echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
+ echo "================================================================================"
+ cat $RESULT_FILE
+ else
+ clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
+ fi
+}
+
+# Delete an archive
+delete_archive() {
+ ARCHIVE_FILE=$1
+ REMOTE=$2
+ WHERE="local"
+
+ if [[ -n ${REMOTE} ]]; then
+ WHERE="remote"
+ fi
+
+ if [[ "${WHERE}" == "remote" ]]; then
+ delete_remote_archive ${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
+ fi
+ else # Local
+ if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
+ rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
+ if [[ $? -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not delete local archive."
+ fi
+ else
+ clean_and_exit 1 "ERROR: Local archive file could not be found."
+ fi
+ fi
+
+ echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
+}
+
+
+# Return 1 if the given database exists in the database file. 0 otherwise.
+database_exists() {
+ DB=$1
+
+ grep "${DB}" ${RESULT_FILE}
+ if [[ $? -eq 0 ]]; then
+ return 1
+ fi
+ return 0
+}
+
+# This is the main CLI interpreter function
+cli_main() {
+ ARGS=("$@")
+
+ # Create the ARCHIVE DIR if it's not already there.
+ mkdir -p $ARCHIVE_DIR
+
+ # Create temp directory for a staging area to decompress files into
+ export TMP_DIR=$(mktemp -d)
+
+ # Create a temp file for storing list of databases (if needed)
+ export RESULT_FILE=$(mktemp -p /tmp)
+
+ case "${ARGS[0]}" in
+ "help")
+ usage 0
+ ;;
+
+ "list_archives")
+ if [[ ${#ARGS[@]} -gt 2 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 1 ]]; then
+ list_archives
+ else
+ list_archives ${ARGS[1]}
+ fi
+ clean_and_exit 0
+ ;;
+
+ "list_databases")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ list_databases ${ARGS[1]}
+ else
+ list_databases ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+
+ "list_tables")
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 3 ]]; then
+ list_tables ${ARGS[1]} ${ARGS[2]}
+ else
+ list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ fi
+ ;;
+
+ "list_rows")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "list_schema")
+ if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
+ else
+ list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
+ fi
+ ;;
+
+ "restore")
+ REMOTE=""
+ if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 4 ]]; then
+ REMOTE=${ARGS[3]}
+ fi
+
+ ARCHIVE=${ARGS[1]}
+ DB_SPEC=${ARGS[2]}
+
+ #Get all the databases in that archive
+ get_archive $ARCHIVE $REMOTE
+
+ if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
+ # Expectation is that the database listing will be put into
+ # the given file one database per line
+ get_databases $TMP_DIR $RESULT_FILE
+ if [[ "$?" -ne 0 ]]; then
+ clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
+ fi
+
+ if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
+ #check if the requested database is available in the archive
+ database_exists $DB_SPEC
+ if [[ $? -ne 1 ]]; then
+ clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
+ fi
+ fi
+
+ echo "Restoring Database $DB_SPEC And Grants"
+ restore_single_db $DB_SPEC $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "Single database restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Single database restore failed."
+ fi
+ clean_and_exit 0 ""
+ else
+ echo "Restoring All The Databases. This could take a few minutes..."
+ restore_all_dbs $TMP_DIR
+ if [[ "$?" -eq 0 ]]; then
+ echo "All databases restored successfully."
+ else
+ clean_and_exit 1 "ERROR: Database restore failed."
+ fi
+ clean_and_exit 0 ""
+ fi
+ ;;
+ "delete_archive")
+ if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
+ usage 1
+ elif [[ ${#ARGS[@]} -eq 2 ]]; then
+ delete_archive ${ARGS[1]}
+ else
+ delete_archive ${ARGS[1]} ${ARGS[2]}
+ fi
+ ;;
+ *)
+ usage 1
+ ;;
+ esac
+
+ clean_and_exit 0 ""
+}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_image.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_image.tpl
new file mode 100644
index 0000000..029c93d
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Resolves an image reference to a string, and its pull policy
+values: |
+ images:
+ tags:
+ test_image: docker.io/port/test:version-foo
+ image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - image_foo
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+usage: |
+ {{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+ image: "localhost:5000/docker.io/port/test:version-foo"
+ imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
new file mode 100644
index 0000000..2f209fe
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_openrc_env_vars.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, equivlant to an openrc for
+ use with keystone based command line clients.
+values: |
+ secrets:
+ identity:
+ admin: example-keystone-admin
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
+return: |
+ - name: OS_IDENTITY_API_VERSION
+ value: "3"
+ - name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_AUTH_URL
+ - name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_REGION_NAME
+ - name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_INTERFACE
+ - name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PROJECT_NAME
+ - name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USER_DOMAIN_NAME
+ - name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_USERNAME
+ - name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_PASSWORD
+ - name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-admin
+ key: OS_CACERT
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
+{{- $useCA := .useCA -}}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: OS_IDENTITY_API_VERSION
+ value: "3"
+- name: OS_AUTH_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_AUTH_URL
+- name: OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: OS_INTERFACE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_ENDPOINT_TYPE
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_INTERFACE
+- name: OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+- name: OS_DEFAULT_DOMAIN
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_DEFAULT_DOMAIN
+{{- if $useCA }}
+- name: OS_CACERT
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_CACERT
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
new file mode 100644
index 0000000..f627657
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_secret_openrc.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
+{{- $userClass := index . 0 -}}
+{{- $identityEndpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
+OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
+OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
+OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
+OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
+OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
+OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
+OS_USERNAME: {{ $userContext.username | b64enc }}
+OS_PASSWORD: {{ $userContext.password | b64enc }}
+OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
+{{- if $userContext.cacert }}
+OS_CACERT: {{ $userContext.cacert | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
new file mode 100644
index 0000000..648711b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_keystone_user_create_env_vars.tpl
@@ -0,0 +1,90 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a set of container enviorment variables, for use with the keystone
+ user management jobs.
+values: |
+ secrets:
+ identity:
+ service_user: example-keystone-user
+usage: |
+ {{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
+return: |
+ - name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_REGION_NAME
+ - name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_DOMAIN_NAME
+ - name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PROJECT_NAME
+ - name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USER_DOMAIN_NAME
+ - name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_USERNAME
+ - name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: example-keystone-user
+ key: OS_PASSWORD
+*/}}
+
+{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
+{{- $ksUserSecret := .ksUserSecret }}
+- name: SERVICE_OS_REGION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_REGION_NAME
+- name: SERVICE_OS_PROJECT_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_DOMAIN_NAME
+- name: SERVICE_OS_PROJECT_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PROJECT_NAME
+- name: SERVICE_OS_USER_DOMAIN_NAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USER_DOMAIN_NAME
+- name: SERVICE_OS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_USERNAME
+- name: SERVICE_OS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ $ksUserSecret }}
+ key: OS_PASSWORD
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
new file mode 100644
index 0000000..8ca1028
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_configmap.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a configmap used for loading custom AppArmor profiles.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor_profiles: |-
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+usage: |
+ {{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
+return: |
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: releaseName-myComponent-apparmor
+ namespace: myNamespace
+data:
+ my_apparmor-v1.profile: |-
+ #include <tunables/global>
+ profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
+ <profile_data>
+ }
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if $envAll.Values.conf.apparmor_profiles }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ $mapName }}
+ namespace: {{ $envAll.Release.Namespace }}
+data:
+{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
new file mode 100644
index 0000000..f231fe6
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_loader_init_container.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the init container used for apparmor loading.
+values: |
+ images:
+ tags:
+ apparmor_loader: my-repo.io/apparmor-loader:1.0.0
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+ apparmor-loader: unconfined
+usage: |
+ {{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
+return: |
+ - name: apparmor-loader
+ image: my-repo.io/apparmor-loader:1.0.0
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
+{{- $envAll := index . "envAll" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+- name: apparmor-loader
+ image: {{ $envAll.Values.images.tags.apparmor_loader }}
+ args:
+ - /profiles
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: sys
+ mountPath: /sys
+ readOnly: true
+ - name: includes
+ mountPath: /etc/apparmor.d
+ readOnly: true
+ - name: profiles
+ mountPath: /profiles
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
new file mode 100644
index 0000000..baebaa3
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_apparmor_volumes.tpl
@@ -0,0 +1,68 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders the volumes used by the apparmor loader.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ configmap_apparmor: true
+inputs: |
+ envAll: "Environment or Context."
+ component: "Name of the component used for the name of configMap."
+ requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
+usage: |
+ {{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
+return: |
+- name: sys
+ hostPath:
+ path: /sys
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: RELEASENAME-keystone-apparmor
+ defaultMode: 0555
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $requireSys := index . "requireSys" | default false -}}
+{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
+{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
+{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
+{{- if $requireSys }}
+- name: sys
+ hostPath:
+ path: /sys
+{{- end }}
+- name: includes
+ hostPath:
+ path: /etc/apparmor.d
+- name: profiles
+ configMap:
+ name: {{ $configName | quote }}
+ defaultMode: 0555
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
new file mode 100644
index 0000000..4741497
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_container_security_context.tpl
@@ -0,0 +1,48 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes container.
+ For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
+examples:
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ container:
+ foo:
+ runAsUser: 34356
+ readOnlyRootFilesystem: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
+ return: |
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $container := index . "container" -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
+securityContext:
+{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
new file mode 100644
index 0000000..bed712e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -0,0 +1,209 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a container definition for use with the kubernetes-entrypoint image
+ from stackanetes.
+values: |
+ images:
+ tags:
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: true
+ exclude:
+ - dep_check
+ dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - calico-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ calico_node:
+ services:
+ - endpoint: internal
+ service: etcd
+ custom_resources:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ name: wf-example
+ fields:
+ - key: "status.phase"
+ value: "Succeeded"
+ endpoints:
+ local_image_registry:
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ node: localhost
+ etcd:
+ hosts:
+ default: etcd
+ # NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
+ # specififed then the following will be used as defaults:
+ # pod:
+ # security_context:
+ # kubernetes_entrypoint:
+ # container:
+ # kubernetes_entrypoint:
+ # runAsUser: 65534
+ # readOnlyRootFilesystem: true
+ # allowPrivilegeEscalation: false
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+usage: |
+ {{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
+return: |
+ - name: init
+ image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "default:etcd,docker-registry:localhost"
+ - name: DEPENDENCY_JOBS
+ value: "calico-image-repo-sync"
+ - name: DEPENDENCY_DAEMONSET
+ value: ""
+ - name: DEPENDENCY_CONTAINER
+ value: ""
+ - name: DEPENDENCY_POD_JSON
+ value: ""
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+ []
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
+Values:
+ pod:
+ security_context:
+ kubernetes_entrypoint:
+ container:
+ kubernetes_entrypoint:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $mounts := index . 2 -}}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+
+{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
+{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+{{- range $deps.custom_resources }}
+{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
+{{- end -}}
+{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
+{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
+- name: init
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
+{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INTERFACE_NAME
+ value: eth0
+ - name: PATH
+ value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
+ - name: DEPENDENCY_SERVICE
+ value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
+{{- if $deps.jobs -}}
+ {{- if kindIs "string" (index $deps.jobs 0) }}
+ - name: DEPENDENCY_JOBS
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
+ {{- else }}
+ - name: DEPENDENCY_JOBS_JSON
+ value: {{- toJson $deps.jobs | quote -}}
+ {{- end -}}
+{{- end }}
+ - name: DEPENDENCY_DAEMONSET
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
+ - name: DEPENDENCY_CONTAINER
+ value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
+ - name: DEPENDENCY_POD_JSON
+ value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
+ - name: DEPENDENCY_CUSTOM_RESOURCE
+ value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
+ command:
+ - kubernetes-entrypoint
+ volumeMounts:
+{{ toYaml $mounts | indent 4 }}
+{{- end -}}
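Review bot: The `DEPENDENCY_JOBS_JSON` branch at `value: {{- toJson $deps.jobs | quote -}}` appears to render with no space after the colon, because the leading `{{-` trims the preceding space; the resulting `value:"[...]"` is then a bare plain scalar inside the env mapping and, as far as I can tell, fails YAML parsing whenever `dependencies.static.<component>.jobs` is a list of objects rather than names. The string branch two lines above uses a plain `{{ ... }}` and renders correctly; the same form works here: `value: {{ toJson $deps.jobs | quote }}`. This directory looks like a copy of the helm-toolkit subchart, so the fix should be carried upstream or re-synced from there rather than patched only in this copy.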
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
new file mode 100644
index 0000000..34a7da3
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_kubectl_params.tpl
@@ -0,0 +1,20 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{ print "-l application=" $application " -l component=" $component }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
new file mode 100644
index 0000000..92d3ea5
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_mandatory_access_control_annotation.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders mandatory access control annotations for a list of containers
+ driven by values.yaml. As of now, it can only generate an apparmor
+ annotation, but in the future could generate others.
+values: |
+ pod:
+ mandatory_access_control:
+ type: apparmor
+ myPodName:
+ myContainerName: localhost/myAppArmor
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
+return: |
+ container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
+ container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
+{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
+{{- if $macType -}}
+{{- if eq $macType "apparmor" -}}
+{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
+{{- range $name := $containerNames -}}
+{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
+{{- if $apparmorProfile }}
+container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
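Review bot: The emitted `container.apparmor.security.beta.kubernetes.io/<name>` key is the legacy beta annotation; Kubernetes 1.30 moved AppArmor to the `securityContext.appArmorProfile` field and marked the annotation deprecated, so on clusters that eventually drop it these profiles would silently stop being applied. The template's `note:` block is the place to record this, e.g. `This emits the legacy beta annotation; newer clusters expect securityContext.appArmorProfile, which this snippet does not set.` It is also worth stating there that a container with no entry under `<podName>` gets no annotation at all, so whichever profile the runtime applies by default is what it runs under rather than an explicitly chosen one.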
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
new file mode 100644
index 0000000..48b53fa
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_metadata_labels.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders a set of standardised labels
+values: |
+ release_group: null
+ pod:
+ labels:
+ default:
+ label1.example.com: value
+ bar:
+ label2.example.com: bar
+usage: |
+ {{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
+return: |
+ release_group: RELEASE-NAME
+ application: foo
+ component: bar
+ label1.example.com: value
+ label2.example.com: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
+application: {{ $application }}
+component: {{ $component }}
+{{- if ($envAll.Values.pod).labels }}
+{{- if hasKey $envAll.Values.pod.labels $component }}
+{{ index $envAll.Values.pod "labels" $component | toYaml }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.labels "default" }}
+{{ $envAll.Values.pod.labels.default | toYaml }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
new file mode 100644
index 0000000..fabbcf8
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_anti_affinity.tpl
@@ -0,0 +1,89 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes anti affinity rules, this function supports both hard
+ 'requiredDuringSchedulingIgnoredDuringExecution' and soft
+ 'preferredDuringSchedulingIgnoredDuringExecution' types.
+values: |
+ pod:
+ affinity:
+ anti:
+ topologyKey:
+ default: kubernetes.io/hostname
+ type:
+ default: requiredDuringSchedulingIgnoredDuringExecution
+ weight:
+ default: 10
+usage: |
+ {{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
+return: |
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: release_group
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: application
+ operator: In
+ values:
+ - appliction_x
+ - key: component
+ operator: In
+ values:
+ - component_y
+ topologyKey: kubernetes.io/hostname
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+{{- $component := index . "component" -}}
+{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
+{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
+{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
+{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
+{{- end -}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- $component := index . 2 -}}
+{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
+{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
+podAntiAffinity:
+{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
+{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 10 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- if $envAll.Values.pod.affinity.anti.weight }}
+ weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
+{{- else }}
+ weight: 10
+{{- end -}}
+{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
+ {{ $antiAffinityType }}:
+ - labelSelector:
+ matchExpressions:
+{{ $matchExpressions | indent 8 }}
+ topologyKey: {{ $antiAffinityKey }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
new file mode 100644
index 0000000..74173dc
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_image_pull_secret.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders image pull secrets for a pod
+values: |
+ pod:
+ image_pull_secrets:
+ default:
+ - name: some-pull-secret
+ bar:
+ - name: another-pull-secret
+usage: |
+ {{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
+return: |
+ imagePullSecrets:
+ - name: some-pull-secret
+ - name: another-pull-secret
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
+{{- $envAll := index . 0 -}}
+{{- $application := index . 1 -}}
+{{- if ($envAll.Values.pod).image_pull_secrets }}
+imagePullSecrets:
+{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
+{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
+{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 0000000..90a7a65
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,69 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{ if eq $v "secrets" }}
+ - secrets
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
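Review bot: The `secrets` rule at the bottom of the Role grants `get` and `list` on every Secret in `$saNamespace` to the dependency-check service account, with no `resourceNames` restriction, so declaring a single `secret` dependency lets that pod read all secrets in the namespace. This template only receives resource kinds, so it cannot narrow the rule itself; at minimum the blast radius should be stated next to the rule, e.g. `{{/* NOTE: grants read of every Secret in the namespace; declare only the dependencies that are actually needed */}}`, and a follow-up could pass the dependency names through so that `get` can be scoped with `resourceNames` (`list` cannot be). The same breadth applies to the `services`/`endpoints` and `pods` rules, though those are less sensitive.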
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 0000000..bc2045e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+
+{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
+{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- else -}}
+{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
+{{- end -}}
+{{- else -}}
+{{- if eq $component "pod_dependency" -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
+{{- else -}}
+{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
+{{- end -}}
+{{- end -}}
+{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if and (eq $k "jobs") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "daemonset") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "pod") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if and (eq $k "secret") $v }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
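Review bot: `$endpointMap := index $envAll.Values.endpoints $serv.service` yields nil when a service dependency has no matching `endpoints` entry, and the following `$endpointMap.namespace` then aborts rendering with a nil-pointer evaluation error rather than a message that names the missing key. A `required` call makes the failure actionable: `{{- $endpointMap := required (printf "endpoints.%s is not defined" $serv.service) (index $envAll.Values.endpoints $serv.service) }}`. Separately, the snippet writes its merged dependency map into `Values.__kubernetes_entrypoint_init_container`, the same key the init-container snippet populates, so the two are order-dependent within one render; a short comment above the `set` lines saying so would help the next reader.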
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
new file mode 100644
index 0000000..3a4fbaa
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_pod_security_context.tpl
@@ -0,0 +1,67 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders securityContext for a Kubernetes pod.
+ For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
+examples:
+ - values: |
+ pod:
+ # NOTE: The 'user' key is deprecated, and will be removed shortly.
+ user:
+ myApp:
+ uid: 34356
+ security_context:
+ myApp:
+ pod:
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsUser: 34356
+ runAsNonRoot: true
+ - values: |
+ pod:
+ security_context:
+ myApp:
+ pod:
+ runAsUser: 34356
+ runAsNonRoot: true
+ usage: |
+ {{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
+ return: |
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 34356
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $application := index . "application" -}}
+securityContext:
+{{- if hasKey $envAll.Values.pod "user" }}
+{{- if hasKey $envAll.Values.pod.user $application }}
+{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
+ runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if hasKey $envAll.Values.pod "security_context" }}
+{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
+{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
new file mode 100644
index 0000000..7470760
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
@@ -0,0 +1,55 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes liveness and readiness probes for containers
+values: |
+ pod:
+ probes:
+ api:
+ default:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+usage: |
+ {{- define "probeTemplate" }}
+ httpGet:
+ path: /status
+ port: 9090
+ {{- end }}
+ {{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
+return: |
+ readinessProbe:
+ httpGet:
+ path: /status
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $component := index . "component" -}}
+{{- $container := index . "container" -}}
+{{- $type := index . "type" -}}
+{{- $probeTemplate := index . "probeTemplate" -}}
+{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
+{{- if $probeOpts.enabled -}}
+{{- $probeOverides := index $probeOpts "params" | default dict -}}
+{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
+{{- end -}}
+{{- end -}}
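Review bot: `mergeOverwrite $probeTemplate $probeOverides` writes the per-container params into the caller's `$probeTemplate` dict in place, so a caller that builds one template dict and passes it to this snippet for both `liveness` and `readiness` will see the first call's overrides leak into the second. The documented usage re-renders the template on every call and is therefore not affected, but the snippet should not depend on that: `{{ dict ( printf "%sProbe" $type ) (mergeOverwrite (deepCopy $probeTemplate) $probeOverides ) | toYaml }}`.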
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
new file mode 100644
index 0000000..24d30cf
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_resources.tpl
@@ -0,0 +1,53 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Note: This function is deprecated and will be removed in the future.
+
+abstract: |
+ Renders kubernetes resource limits for pods
+values: |
+ pod:
+ resources:
+ enabled: true
+ api:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ hugepages-1Gi: "1Gi"
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
+return: |
+ resources:
+ limits:
+ cpu: "2000m"
+ memory: "1024Mi"
+ hugepages-1Gi: "1Gi"
+ requests:
+ cpu: "100m"
+ memory: "128Mi
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- if $envAll.Values.pod.resources.enabled -}}
+resources:
+{{ toYaml $component | trim | indent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
new file mode 100644
index 0000000..555ffb0
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_seccomp_annotation.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders seccomp annotations for a list of containers driven by values.yaml.
+values: |
+ pod:
+ seccomp:
+ myPodName:
+ myContainerName: localhost/mySeccomp
+ mySecondContainerName: localhost/secondProfile # optional
+ myThirdContainerName: localhost/thirdProfile # optional
+usage: |
+ {{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
+return: |
+ container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
+ container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
+ container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
+note: |
+ The number of container underneath is a variable arguments. It loops through
+ all the container names specified.
+*/}}
+{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $podName := index . "podName" -}}
+{{- $containerNames := index . "containerNames" -}}
+{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
+{{- range $name := $containerNames -}}
+{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
+{{- if $seccompProfile }}
+container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
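Review bot: The snippet emits `container.seccomp.security.alpha.kubernetes.io/<name>` annotations, which Kubernetes deprecated in favour of `securityContext.seccompProfile` when seccomp went GA (v1.19) and which recent kubelets no longer honour, so a container that looks seccomp-confined in values.yaml can run with no seccomp profile at all on a current cluster. The exact release at which the annotation stopped being applied should be confirmed against the target cluster, but the field form has been available for every supported version, so I would render the field and keep this define only as a compatibility shim. The values already carry `localhost/<profile>` strings, so a per-container helper included under `securityContext:` is a small addition.
```yaml
{{- define "helm-toolkit.snippets.kubernetes_seccomp_profile" -}}
{{- $envAll := index . "envAll" -}}
{{- $podName := index . "podName" -}}
{{- $containerName := index . "containerName" -}}
{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
{{- $profile := index $envAll.Values.pod.seccomp $podName $containerName -}}
{{- if $profile }}
seccompProfile:
{{- if eq $profile "runtime/default" }}
  type: RuntimeDefault
{{- else if eq $profile "unconfined" }}
  type: Unconfined
{{- else if hasPrefix "localhost/" $profile }}
  type: Localhost
  localhostProfile: {{ trimPrefix "localhost/" $profile }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
```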
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
new file mode 100644
index 0000000..e4af6a6
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_tolerations.tpl
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders kubernetes tolerations for pods
+values: |
+ pod:
+ tolerations:
+ api:
+ enabled: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+
+usage: |
+ {{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
+return: |
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node-role.kubernetes.io/node
+ operator: Exists
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $pod := index $envAll.Values.pod.tolerations $component }}
+tolerations:
+{{ toYaml $pod.tolerations }}
+{{- end -}}
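Review bot: The template ignores the `enabled` flag that its own values example documents, so `tolerations:` is rendered whenever the component key exists, and the usage example passes the map `.Values.pod.tolerations.api` while `index $envAll.Values.pod.tolerations $component` expects the component name string — following the documented usage fails at render time. Because the example tolerations include `node-role.kubernetes.io/master`, applying them unconditionally lets the pod schedule onto control-plane nodes, so the flag should actually gate the output: wrap `tolerations:` / `{{ toYaml $pod.tolerations }}` in `{{- if $pod.enabled }}` … `{{- end }}`, and change the usage line to `( tuple . "api" )`. The `toYaml` output is also emitted at column 0, so the header should say callers must `indent` it.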
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
new file mode 100644
index 0000000..69cee47
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_daemonset.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
+{{- $envAll := index . 0 -}}
+{{- $component := index . 1 -}}
+{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
+{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
+{{- with $upgradeMap -}}
+{{- if .enabled }}
+minReadySeconds: {{ .min_ready_seconds }}
+updateStrategy:
+ type: {{ $pod_replacement_strategy }}
+ {{- if $pod_replacement_strategy }}
+ {{- if eq $pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .max_unavailable }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+{{- end -}}
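Review bot: This define has no abstract/values/usage header like the neighbouring snippets, so the values shape it reads — `pod.lifecycle.upgrades.daemonsets.<component>.{enabled,min_ready_seconds,max_unavailable}` plus the sibling `pod_replacement_strategy` — is undocumented; I would add a header in the same format as the statefulset snippet. Note also that `type: {{ $pod_replacement_strategy }}` is written before the `{{- if $pod_replacement_strategy }}` check, so an unset strategy renders `type:` with an empty (null) value that the API server silently defaults; moving the `type:` line inside the guard would make the intent explicit.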
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
new file mode 100644
index 0000000..be28cdb
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_deployment.tpl
@@ -0,0 +1,27 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
+revisionHistoryLimit: {{ .revision_history }}
+strategy:
+ type: {{ .pod_replacement_strategy }}
+ {{- if eq .pod_replacement_strategy "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .rolling_update.max_unavailable }}
+ maxSurge: {{ .rolling_update.max_surge }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
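Review bot: `.rolling_update.max_unavailable` and `.rolling_update.max_surge` are read without checking that `rolling_update` exists, so an override that sets `pod_replacement_strategy: RollingUpdate` but omits the `rolling_update` map fails the render with a nil-pointer template error rather than a clear message. A guard such as `{{- if and (eq .pod_replacement_strategy "RollingUpdate") .rolling_update }}`, or `required` on the two fields, would turn that into an explicit error. Like the daemonset snippet, this define also lacks the abstract/values/usage header the rest of the toolkit uses.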
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
new file mode 100644
index 0000000..f897023
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_kubernetes_upgrades_statefulset.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders upgradeStrategy configuration for Kubernetes statefulsets.
+ See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ Types:
+ - RollingUpdate (default)
+ - OnDelete
+ Partitions:
+ - Stage updates to a statefulset by keeping pods at current version while
+ allowing mutations to statefulset's .spec.template
+values: |
+ pod:
+ lifecycle:
+ upgrades:
+ statefulsets:
+ pod_replacement_strategy: RollingUpdate
+ partition: 2
+usage: |
+ {{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
+return: |
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 2
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
+{{- $envAll := index . 0 -}}
+{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
+updateStrategy:
+ type: {{ .pod_replacement_strategy }}
+ {{ if .partition -}}
+ rollingUpdate:
+ partition: {{ .partition }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
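Review bot: `rollingUpdate.partition` is emitted whenever `partition` is set, regardless of `pod_replacement_strategy`, so combining `OnDelete` with a partition renders a `rollingUpdate` block that I believe StatefulSet validation rejects (it is only permitted with `RollingUpdate`). Guard on the strategy as well: `{{ if and .partition (eq .pod_replacement_strategy "RollingUpdate") -}}`. Because `0` is falsy in Go templates, `partition: 0` can never be emitted explicitly; that coincides with the API default so it is harmless, but it deserves a sentence in the abstract.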
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
new file mode 100644
index 0000000..fc74c6f
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_mon_host_from_k8s_ep.sh.tpl
@@ -0,0 +1,68 @@
+{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
+{{/*
+
+Inserts a bash function definition mon_host_from_k8s_ep() which can be used
+to construct a mon_hosts value from the given namespaced endpoint.
+
+Usage (e.g. in _script.sh.tpl):
+ #!/bin/bash
+
+ : "${NS:=ceph}"
+ : "${EP:=ceph-mon-discovery}"
+
+ {{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
+
+ MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
+
+ if [ -z "$MON_HOST" ]; then
+ # deal with failure
+ else
+ sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
+ fi
+*/}}
+{{`
+# Construct a mon_hosts value from the given namespaced endpoint
+# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
+# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
+# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
+# The entries for all IPs will be joined with commas
+mon_host_from_k8s_ep() {
+ local ns=$1
+ local ep=$2
+
+ if [ -z "$ns" ] || [ -z "$ep" ]; then
+ return 1
+ fi
+
+ # We don't want shell expansion for the go-template expression
+ # shellcheck disable=SC2016
+ kubectl get endpoints -n "$ns" "$ep" -o go-template='
+ {{- $sep := "" }}
+ {{- range $_,$s := .subsets }}
+ {{- $v2port := 0 }}
+ {{- $v1port := 0 }}
+ {{- range $_,$port := index $s "ports" }}
+ {{- if (eq $port.name "mon-msgr2") }}
+ {{- $v2port = $port.port }}
+ {{- else if (eq $port.name "mon") }}
+ {{- $v1port = $port.port }}
+ {{- end }}
+ {{- end }}
+ {{- range $_,$address := index $s "addresses" }}
+ {{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
+ {{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
+ {{- if (and $v2port $v1port) }}
+ {{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v2port }}
+ {{- printf "%s[%s]" $sep $v2endpoint }}
+ {{- $sep = "," }}
+ {{- else if $v1port }}
+ {{- printf "%s[%s]" $sep $v1endpoint }}
+ {{- $sep = "," }}
+ {{- end }}
+ {{- end }}
+ {{- end }}'
+}
+`}}
+{{- end -}}
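Review bot: The usage example in the header is broken as written: the function emits entries like `v2:1.2.3.4:3300/0`, and `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/"` uses `/` as the delimiter, so the `/0` suffix terminates the expression early and sed errors out (or applies a truncated substitution). Use a delimiter that cannot occur in the value, e.g. `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|" /etc/ceph/ceph.conf`. The format comments above the function also disagree with the code: `printf "v2:%s:%d/0"` produces `v2:x.x.x.x:p/0`, not `v2:x.x.x.x/p/0`, and the same for the v1 line.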
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
new file mode 100644
index 0000000..fec41f8
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_pod_annotations.tpl
@@ -0,0 +1,33 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape jobs via pod
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+# pod's declared ports (default is a port-free target if none are declared).
+
+{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
new file mode 100644
index 0000000..a827c4b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_prometheus_service_annotations.tpl
@@ -0,0 +1,35 @@
+{{/*
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# Appends annotations for configuring prometheus scrape endpoints via
+# annotations. The required annotations are:
+# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+# to set this to `https` & most likely set the `tls_config` of the scrape config.
+# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+# * `prometheus.io/port`: If the metrics are exposed on a different port to the
+# service then set this appropriately.
+
+{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
+{{- $config := index . 0 -}}
+{{- if $config.scrape }}
+prometheus.io/scrape: {{ $config.scrape | quote }}
+{{- end }}
+{{- if $config.scheme }}
+prometheus.io/scheme: {{ $config.scheme | quote }}
+{{- end }}
+{{- if $config.path }}
+prometheus.io/path: {{ $config.path | quote }}
+{{- end }}
+{{- if $config.port }}
+prometheus.io/port: {{ $config.port | quote }}
+{{- end }}
+{{- end -}}
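Review bot: The license header of this file is truncated — it begins at `you may not use this file except…` and is missing the `Licensed under the Apache License, Version 2.0 (the "License");` line that every sibling file carries; restore it so the notice is the complete Apache-2.0 text. The explanatory comment also calls all four annotations "required" while the template renders each one only when it is set; "recognised" would match the code.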
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_release_uuid.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
new file mode 100644
index 0000000..253920b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_release_uuid.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Reneders an attonation key and value for a release
+values: |
+ release_uuid: null
+usage: |
+ {{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
+return: |
+ "openstackhelm.openstack.org/release_uuid": ""
+*/}}
+
+{{- define "helm-toolkit.snippets.release_uuid" -}}
+{{- $envAll := index . 0 -}}
+"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
+{{- end -}}
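Review bot: The abstract contains two typos, `Reneders an attonation`, and should read `Renders an annotation key and value for a release`. The behaviour the return example shows — the key is always emitted, with `""` when `release_uuid` is unset — is correct and worth keeping in the wording.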
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
new file mode 100644
index 0000000..a3169ce
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_admin_env_vars.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
+{{- $s3AdminSecret := .s3AdminSecret }}
+- name: S3_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_USERNAME
+- name: S3_ADMIN_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_ACCESS_KEY
+- name: S3_ADMIN_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3AdminSecret }}
+ key: S3_ADMIN_SECRET_KEY
+{{- end }}
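Review bot: This define has no header documenting that it expects a dict with `s3AdminSecret` (the Secret name) and that the Secret must carry exactly the keys `S3_ADMIN_USERNAME`, `S3_ADMIN_ACCESS_KEY` and `S3_ADMIN_SECRET_KEY`; a missing key is only discovered when the pod fails to start. I would add an abstract/usage block in the style of the other snippets. As a hardening caveat for the header rather than a change here: these are RGW admin credentials exposed as environment variables, which every child process inherits and which are readable via `/proc/<pid>/environ` and often captured in crash reports; where the consumer can read files, a Secret volume with a restrictive mode is the safer pattern.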
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
new file mode 100644
index 0000000..a611a5e
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_secret_creds.tpl
@@ -0,0 +1,29 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
+{{- range $client, $config := .Values.storage.s3.clients -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+type: Opaque
+data:
+{{- range $key, $value := $config.auth }}
+ {{ $key | upper }}: {{ $value | toString | b64enc}}
+{{- end }}
+
+{{ end }}
+{{- end }}
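Review bot: The Secret data keys are derived by `{{ $key | upper }}` from whatever appears under `storage.s3.clients.<client>.auth`, so the contract with the consumer snippet (which reads `USERNAME`, `ACCESS_KEY` and `SECRET_KEY`) is implicit; the define should document that `auth` must contain exactly `username`, `access_key` and `secret_key`, and a `required` on each would turn a typo into a render-time error instead of an empty credential. Because these values arrive through Helm, they are also persisted in the release Secret for every revision; a sentence in the header telling operators to supply them from a values file kept out of version control and to prune old releases would be appropriate.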
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
new file mode 100644
index 0000000..a3dd431
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_rgw_s3_user_env_vars.tpl
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
+{{- range $client, $user := .Values.storage.s3.clients }}
+{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
+- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: USERNAME
+- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: ACCESS_KEY
+- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $s3secret }}
+ key: SECRET_KEY
+{{- end }}
+{{- end }}
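Review bot: Secret names are normalised with `replace "_" "-" | lower` and env var names with `replace "-" "_" | upper`, so two clients that differ only by `-`/`_` or case collapse onto the same Secret and the same env var names, and whichever renders last silently wins. Either document that client keys must be unique after normalisation or `fail` when two collide. A header naming the three generated variables `<CLIENT>_S3_USERNAME`, `<CLIENT>_S3_ACCESS_KEY` and `<CLIENT>_S3_SECRET_KEY` would also help consumers.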
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
new file mode 100644
index 0000000..41fe3d9
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a secret volume for tls.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name of the volume (required)
+ secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+ - name: glance-tls-api
+ secret:
+ secretName: glance-tls-api
+ defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+ secret:
+ secretName: {{ $secretName }}
+ defaultMode: 292
+{{- end }}
+{{- end }}
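Review bot: `enabled` is tested with plain truthiness and the usage example passes the string `"true"`, so a caller that follows the example and later passes `"false"` still gets the volume rendered — any non-empty string is truthy in Go templates. The example should pass a real boolean (`"enabled" .Values.manifests.certificates`, as the volume-mount snippet does) and the parameter description should say the value must be a boolean. `defaultMode: 292` (0444) also makes `tls.key` readable by every UID in the pod; that is acceptable for single-user containers but worth stating in the header so charts with mixed-UID sidecars know to override it.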
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
new file mode 100644
index 0000000..9cfa819
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_tls_volume_mount.tpl
@@ -0,0 +1,82 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+ Renders a volume mount for TLS key, cert and CA.
+
+ Dictionary Parameters:
+ enabled: boolean check if you want to conditional disable this snippet (optional)
+ name: name that of the volume and should match the volume name (required)
+ path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
+ certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
+ the default is the full set. (optional)
+
+values: |
+ manifests:
+ certificates: true
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.crt
+ subPath: tls.crt
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/tls.key
+ subPath: tls.key
+ readOnly: true
+ - name: glance-tls-api
+ mountPath: /etc/glance/certs/ca.crt
+ subPath: ca.crt
+ readOnly: true
+
+abstract: |
+ This mounts a specific issuing CA only for service validation
+
+usage: |
+ {{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
+ {{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
+
+return: |
+ - name: glance-tls-api
+ mountPath: /etc/ssl/certs/openstack-helm.crt
+ subPath: ca.crt
+ readOnly: true
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume_mount" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $path := index . "path" | default "" -}}
+{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
+{{- if $enabled }}
+{{- if and (eq $path "") (ne $name "") }}
+- name: {{ $name }}
+ mountPath: "/etc/ssl/certs/openstack-helm.crt"
+ subPath: ca.crt
+ readOnly: true
+{{- else }}
+{{- if ne $name "" }}
+{{- range $key, $value := $certs }}
+- name: {{ $name }}
+ mountPath: {{ printf "%s/%s" $path $value }}
+ subPath: {{ $value }}
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
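Review bot: The second usage block documents a `"ca" true` parameter, but the template never reads a `ca` key; the CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected solely by `path` being empty or absent. Either the docs should say "omit `path` to mount only the issuing CA", or the code should honour the parameter with `{{- $caOnly := index . "ca" | default false -}}` and `{{- if and (or $caOnly (eq $path "")) (ne $name "") }}`. The abstract's "nonempty subset of {tls.crt, tls.key, ca.crt}" constraint on `certs` is likewise not enforced; since the values come from chart code rather than user values that is tolerable, but the doc should not imply validation that does not exist.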
diff --git a/charts/ovn/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/charts/ovn/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
new file mode 100644
index 0000000..6e9d5a1
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Renders out configuration sections into a format suitable for incorporation
+ into a config-map. Allowing various forms of input to be rendered out as
+ appropriate.
+values: |
+ conf:
+ inputs:
+ - foo
+ - bar
+ some:
+ config_to_render: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
+ config_to_complete:
+ #here we can fill out params, but things need to be valid yaml as input
+ '{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
+ static_config:
+ #this is just passed though as yaml to the configmap
+ foo: bar
+usage: |
+ {{- $envAll := . }}
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
+ {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
+return: |
+ ---
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: application-etc
+ data:
+ config_to_render.conf: |
+ #We can use all of gotpl here: eg macros, ranges etc.
+ foo,bar
+
+ config_to_complete.yaml: |
+ 'RELEASE-NAME': 'default-namespace'
+
+ static_config.yaml: |
+ foo: bar
+*/}}
+
+{{- define "helm-toolkit.snippets.values_template_renderer" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $template := index . "template" -}}
+{{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
+{{- with $envAll -}}
+{{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
+{{- else }}
+{{ $key }}: |
+{{ $templateRendered | indent 2 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
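Review bot: `tpl ( $template | toYaml ) .` evaluates values content as a Go template with the full chart context, so whoever supplies `.Values.conf.*` can call any function available to the chart, including `lookup` (which reads live cluster objects the installer can access) and `.Files`. That is by design in OpenStack-Helm, but the abstract should state the trust boundary explicitly: values rendered through this snippet are executable, and tenant- or user-supplied configuration must not be passed in. For `format: Secret` the text is base64-encoded but still stored in the release history; a one-line note on that is worthwhile too.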
diff --git a/charts/ovn/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl b/charts/ovn/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
new file mode 100644
index 0000000..6d617a1
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/tls/_tls_generate_certs.tpl
@@ -0,0 +1,94 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Produces a certificate from a certificate authority. If the "encode" parameter
+ is true, base64 encode the values for inclusion in a Kubernetes secret.
+values: |
+ test:
+ hosts:
+ names:
+ - barbican.openstackhelm.example
+ - barbican.openstack.svc.cluster.local
+ ips:
+ - 127.0.0.1
+ - 192.168.0.1
+ life: 3
+ # Use ca.crt and ca.key to build a customized ca, if they are provided.
+ # Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
+ ca:
+ crt: |
+ <CA CRT>
+ key: |
+ <CA PRIVATE KEY>
+usage: |
+ {{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
+return: |
+ ca: |
+ <CA CRT>
+ crt: |
+ <CRT>
+ exp: 2018-09-01T10:56:07.895392915-00:00
+ key: |
+ <CRT PRIVATE KEY>
+*/}}
+
+{{- define "helm-toolkit.utils.tls_generate_certs" -}}
+{{- $params := index . "params" -}}
+{{- $encode := index . "encode" | default false -}}
+{{- $local := dict -}}
+
+{{- $_hosts := $params.hosts.names | default list }}
+{{- if kindIs "string" $params.hosts.names }}
+{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
+{{- else }}
+{{- $_ := set $local "certHosts" $_hosts }}
+{{- end }}
+
+{{- $_ips := $params.hosts.ips | default list }}
+{{- if kindIs "string" $params.hosts.ips }}
+{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
+{{- else }}
+{{- $_ := set $local "certIps" $_ips }}
+{{- end }}
+
+{{- if hasKey $params "ca" }}
+{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
+{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+{{- else }}
+{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
+{{- $_ := set $local "ca" $ca }}
+{{- end }}
+
+{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
+{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
+{{- $certificate := dict -}}
+{{- if $encode -}}
+{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
+{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
+{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
+{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
+{{- $_ := b64enc $expDate | set $certificate "exp" -}}
+{{- else -}}
+{{- $_ := set $certificate "crt" $rawCert.Cert -}}
+{{- $_ := set $certificate "key" $rawCert.Key -}}
+{{- $_ := set $certificate "ca" $local.ca.Cert -}}
+{{- $_ := set $certificate "caKey" $local.ca.Key -}}
+{{- $_ := set $certificate "exp" $expDate -}}
+{{- end -}}
+{{- $certificate | toYaml }}
+{{- end -}}
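Review bot: `hasKey $params "ca"` selects the custom-CA branch as soon as a `ca` key exists, so a `ca:` map that is present but lacks `crt` or `key` leaves `$local.ca` unset and `genSignedCert` fails on a nil CA instead of falling back to generation. The simplest fix is to drop the `else` and generate afterwards when nothing was set: `{{- if not (hasKey $local "ca") }}` / `{{- $_ := set $local "ca" (genCA (first $local.certHosts) (int $params.life)) }}` / `{{- end }}`. Two caveats belong in the abstract: the output includes `caKey`, so whatever the caller stores (typically a Secret) carries the CA private key; and `genCA`/`genSignedCert` produce fresh key material on every render, so each `helm upgrade` re-issues the CA and certificate unless the caller reuses the existing Secret via `lookup`.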
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
new file mode 100644
index 0000000..e26501f
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_comma_joined_service_list.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a comma separated list of namespace:service pairs.
+values: |
+ dependencies:
+ static:
+ api:
+ services:
+ - endpoint: internal
+ service: oslo_cache
+ - endpoint: internal
+ service: oslo_db
+ endpoints:
+ oslo_db:
+ namespace: foo
+ hosts:
+ default: mariadb
+ oslo_cache:
+ namespace: bar
+ hosts:
+ default: memcache
+usage: |
+ {{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
+return: |
+ bar:memcache,foo:mariadb
+*/}}
+
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
+{{- $deps := index . 0 -}}
+{{- $envAll := index . 1 -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_configmap_templater.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
new file mode 100644
index 0000000..7095c19
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_configmap_templater.tpl
@@ -0,0 +1,30 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.configmap_templater" }}
+{{- $keyRoot := index . 0 -}}
+{{- $configTemplate := index . 1 -}}
+{{- $context := index . 2 -}}
+{{ if $keyRoot.override -}}
+{{ $keyRoot.override | indent 4 }}
+{{- else -}}
+{{- if $keyRoot.prefix -}}
+{{ $keyRoot.prefix | indent 4 }}
+{{- end }}
+{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+{{- if $keyRoot.append -}}
+{{ $keyRoot.append | indent 4 }}
+{{- end }}
+{{- end -}}
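Review bot: The `helm-toolkit.utils.configmap_templater` define carries no `abstract:`/`values:`/`usage:` header, unlike the sibling utils in this commit, so the roles of `override`, `prefix` and `append` on `$keyRoot` and the fixed `indent 4` have to be reverse-engineered from the body. The header should say that `override` replaces the rendered template entirely, that `prefix` and `append` are emitted verbatim around it, and that only `$configTemplate` goes through `helm-toolkit.utils.template`, so none of the three `$keyRoot` strings is itself templated. It should also state that the output is indented by four spaces for embedding under a ConfigMap `data:` key, since callers cannot change that here.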
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
new file mode 100644
index 0000000..40359f0
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_daemonset_overrides.tpl
@@ -0,0 +1,269 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.daemonset_overrides" }}
+ {{- $daemonset := index . 0 }}
+ {{- $daemonset_yaml := index . 1 }}
+ {{- $configmap_include := index . 2 }}
+ {{- $configmap_name := index . 3 }}
+ {{- $context := index . 4 }}
+ {{- $_ := unset $context ".Files" }}
+ {{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
+ {{- $_ := set $context.Values "__daemonset_list" list }}
+ {{- $_ := set $context.Values "__default" dict }}
+ {{- if hasKey $context.Values.conf "overrides" }}
+ {{- range $key, $val := $context.Values.conf.overrides }}
+
+ {{- if eq $key $daemonset_root_name }}
+ {{- range $type, $type_data := . }}
+
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset */}}
+ {{- $current_dict := dict }}
+
+ {{/* set daemonset name */}}
+ {{/* Note: long hostnames can cause the 63 char name limit to be
+ exceeded. Truncate the hostname if hostname > 20 char */}}
+ {{- if gt (len $host_data.name) 20 }}
+ {{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
+ {{- else }}
+ {{- $_ := set $current_dict "name" $host_data.name }}
+ {{- end }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $host_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to this host explicitly. */}}
+ {{- $nodeSelector_dict := dict }}
+
+ {{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $nodeSelector_dict "operator" "In" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $nodeSelector_dict "values" $values_list }}
+
+ {{- $list_aggregate := list $nodeSelector_dict }}
+ {{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- end }}
+ {{- end }}
+
+ {{- if eq $type "labels" }}
+ {{- $_ := set $context.Values "__label_list" . }}
+ {{- range $label_data := . }}
+ {{/* dictionary that will contain all info needed to generate this
+ iteration of the daemonset. */}}
+ {{- $_ := set $context.Values "__current_label" dict }}
+
+ {{/* set daemonset name */}}
+ {{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
+
+ {{/* apply overrides */}}
+ {{- $override_conf_copy := $label_data.conf }}
+ {{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
+ {{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
+ {{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
+ {{- $root_conf_copy2 := dict "conf" $merged_dict }}
+ {{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
+
+ {{/* Schedule to the provided label value(s) */}}
+ {{- $label_dict := omit $label_data.label "NULL" }}
+ {{- $_ := set $label_dict "operator" "In" }}
+ {{- $list_aggregate := list $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+
+ {{/* Do not schedule to other specified labels, with higher
+ precedence as the list position increases. Last defined label
+ is highest priority. */}}
+ {{- $other_labels := without $context.Values.__label_list $label_data }}
+ {{- range $label_data2 := $other_labels }}
+ {{- $label_dict := omit $label_data2.label "NULL" }}
+
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- $_ := set $context.Values "__label_list" $other_labels }}
+
+ {{/* Do not schedule to any other specified hosts */}}
+ {{- range $type, $type_data := $val }}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $label_dict := dict }}
+
+ {{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $label_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $label_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
+ {{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* store completed daemonset entry/info into global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+ {{- $_ := unset $context.Values "__current_label" }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* scheduler exceptions for the default daemonset */}}
+ {{- $_ := set $context.Values.__default "matchExpressions" list }}
+
+ {{- range $type, $type_data := . }}
+ {{/* Do not schedule to other specified labels */}}
+ {{- if eq $type "labels" }}
+ {{- range $label_data := . }}
+ {{- $default_dict := omit $label_data.label "NULL" }}
+
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{/* Do not schedule to other specified hosts */}}
+ {{- if eq $type "hosts" }}
+ {{- range $host_data := . }}
+ {{- $default_dict := dict }}
+
+ {{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
+ {{- $_ := set $default_dict "operator" "NotIn" }}
+
+ {{- $values_list := list $host_data.name }}
+ {{- $_ := set $default_dict "values" $values_list }}
+
+ {{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
+ {{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+ {{/* generate the default daemonset */}}
+
+ {{/* set name */}}
+ {{- $_ := set $context.Values.__default "name" "default" }}
+
+ {{/* no overrides apply, so copy as-is */}}
+ {{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
+ {{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
+ {{- $context_values := omit $context.Values "conf" }}
+ {{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
+ {{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
+ {{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
+
+ {{/* add to global list */}}
+ {{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
+ {{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
+
+ {{- range $current_dict := $context.Values.__daemonset_list }}
+
+ {{- $context_novalues := omit $context "Values" }}
+ {{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
+ {{- $_ := set $current_dict "nodeData" $merged_dict }}
+ {{/* Deep copy original daemonset_yaml */}}
+ {{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
+
+ {{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
+ {{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
+ {{/* labels may contain underscores which would be invalid here, so we replace them with dashes
+ there may be other valid label names which would make for an invalid DNS-1123 name
+ but these will be easier to handle in future with sprig regex* functions
+ (not availabile in helm 2.5.1) */}}
+ {{- $name_format2 := $name_format1 | replace "_" "-" }}
+ {{/* To account for the case where the same label is defined multiple times in overrides
+ (but with different label values), we add a sha of the scheduling data to ensure
+ name uniqueness */}}
+ {{- $_ := set $current_dict "dns_1123_name" dict }}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
+ {{- else }}
+ {{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
+ {{- end }}
+
+ {{/* set daemonset metadata name */}}
+ {{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
+
+ {{/* cross-reference configmap name to container volume definitions */}}
+ {{- $_ := set $context.Values "__volume_list" list }}
+ {{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
+ {{- $_ := set $context.Values "__volume" $current_volume }}
+ {{- if hasKey $context.Values.__volume "secret" }}
+ {{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
+ {{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
+ {{- end }}
+ {{- end }}
+ {{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
+ {{- $_ := set $context.Values "__volume_list" $updated_list }}
+ {{- end }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
+
+
+ {{/* populate scheduling restrictions */}}
+ {{- if hasKey $current_dict "matchExpressions" }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
+ {{- $match_exprs := dict }}
+ {{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
+ {{- $appended_match_expr := list $match_exprs }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
+ {{- end }}
+
+ {{/* input value hash for current set of values overrides */}}
+ {{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
+ {{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
+ {{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
+ {{- $values_hash := $cmap | quote | sha256sum }}
+ {{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
+
+ {{/* generate configmap */}}
+---
+{{ $cmap }}
+ {{/* generate daemonset yaml */}}
+---
+{{ $context.Values.__daemonset_yaml | toYaml }}
+ {{- end }}
+{{- end }}
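Review bot: `{{- $_ := unset $context ".Files" }}` near the top of `helm-toolkit.utils.daemonset_overrides` removes a key literally named ".Files"; the Helm context key is `Files`, so if the intent was to drop the chart file tree before the repeated `toYaml | fromYaml` copies of `$context`, this line appears to be a no-op and should read `{{- $_ := unset $context "Files" }}`. The pre-assignments `set $current_dict "dns_1123_name" dict` and `set $context.Values.__daemonset_yaml.metadata "name" dict` are dead, since both keys are overwritten with a string on the following lines. In the volume cross-reference loop only `secret.secretName` is rewritten to the per-override name; a `configMap.name` volume pointing at `$configmap_name` would still reference the shared name, which may be intended but deserves a comment. The generated `dns_1123_name` is lower-cased and de-underscored but its length is not bounded to 63 characters here, so the 20-character hostname truncation above is the only guard.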
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
new file mode 100644
index 0000000..b99c00d
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_dependency_resolver.tpl
@@ -0,0 +1,38 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.dependency_resolver" }}
+{{- $envAll := index . "envAll" -}}
+{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
+{{- $dependencyKey := index . "dependencyKey" -}}
+{{- if $dependencyMixinParam -}}
+{{- $_ := set $envAll.Values "pod_dependency" dict -}}
+{{- if kindIs "string" $dependencyMixinParam }}
+{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
+{{- else }}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- end }}
+{{- else if kindIs "slice" $dependencyMixinParam }}
+{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
+{{- range $k, $v := $dependencyMixinParam -}}
+{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
+{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
+{{- end }}
+{{- end }}
+{{- else -}}
+{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
+{{- end -}}
+{{ $envAll.Values.pod_dependency | toYaml }}
+{{- end }}
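Review bot: The `__deps` scratch key written into `$envAll.Values` in the slice branch of `helm-toolkit.utils.dependency_resolver` is never removed, so it stays visible to every template rendered after this include, while `pod_dependency` is the only documented output; add `{{- $_ := unset $envAll.Values "__deps" -}}` after the `range` closes. Both the string and slice branches index `$envAll.Values.dependencies.dynamic.targeted` without a `hasKey` guard, so a chart that defines `dependencies.static` but no `dynamic.targeted` block would likely fail at render time with a nil-pointer evaluation error rather than fall back to the static dependencies. A short header comment describing the `envAll`/`dependencyMixinParam`/`dependencyKey` arguments and the string-versus-list semantics of the mixin parameter would also help, since the sibling utils in this commit document their inputs.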
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_hash.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_hash.tpl
new file mode 100644
index 0000000..d871b62
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}
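Review bot: The local `$wtf` in `helm-toolkit.utils.hash` (and the identical line in `_template.tpl` later in this commit) names the derived sibling-template path; `{{- $template_path := $context.Template.Name | replace $last $name -}}` says what it holds. Note that sprig's `replace` substitutes every occurrence of `$last` in the path, which is only correct as long as the calling file's base name never also appears as a directory component. A header comment stating that the output is the quoted sha256 of the rendered template named `$name` located next to the calling template would make the contract explicit for chart authors using it as an annotation value.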
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_host_list.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_host_list.tpl
new file mode 100644
index 0000000..0c32136
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+ endpoints:
+ cluster_domain_suffix: cluster.local
+ oslo_db:
+ hosts:
+ default: mariadb
+ host_fqdn_override:
+ default: mariadb
+usage: |
+ {{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+ hosts:
+ - mariadb
+ - mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_image_sync_list.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
new file mode 100644
index 0000000..51923b6
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_image_sync_list.tpl
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}
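Review bot: In `helm-toolkit.utils.image_sync_list` the separator is emitted before the exclusion check, so an excluded image that is not the first key produces a doubled comma (`a,,c`) and an excluded last key leaves a trailing comma. Move the separator inside the inclusion branch: `{{- if (not (has $k $imageExcludeList )) -}}`, then `{{- if not $local.first -}},{{- end -}}`, then `{{- index $imageDict $k -}}`, keeping the `set $local "first" false` where it is. An `abstract:`/`usage:` header describing the `.Values.images.tags` and `.Values.images.local_registry.exclude` inputs would match the other utils in this commit.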
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
new file mode 100644
index 0000000..5eb5785
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithComma.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
+return: |
+ foo,bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithComma" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
new file mode 100644
index 0000000..3bc6819
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithCommaAndSingleQuotes.tpl
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a comma seperated string with single quotes
+ around each value.
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
+return: |
+ 'foo','bar'
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
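Review bot: `helm-toolkit.utils.joinListWithCommaAndSingleQuotes` wraps each value in `'...'` without escaping a single quote inside the value, so a value containing `'` breaks the quoting of the produced string. Whether that matters depends on the consumer, so at minimum the header should state the constraint, e.g. `Values must not contain single quotes; no escaping is performed.` The header also misspells "separated" as "seperated".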
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
new file mode 100644
index 0000000..40ebb15
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithPrefix.tpl
@@ -0,0 +1,32 @@
+{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of prefixed values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
+return: |
+ prefixfoo prefixbar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
+{{- $prefix := index . 0 -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
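Review bot: The first line of `_joinListWithPrefix.tpl` opens with `{/*` instead of `{{/*`, so the license block is not a template comment and the text through `*/}}` is parsed as literal output rather than being stripped. Helm discards the top-level output of underscore-prefixed files, which is why this does not break rendering, but the header should be fixed to `{{/*` to match every other file in this commit.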
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
new file mode 100644
index 0000000..5912280
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_joinListWithSpace.tpl
@@ -0,0 +1,31 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Joins a list of values into a space separated string
+values: |
+ test:
+ - foo
+ - bar
+usage: |
+ {{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
+return: |
+ foo bar
+*/}}
+
+{{- define "helm-toolkit.utils.joinListWithSpace" -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_merge.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_merge.tpl
new file mode 100644
index 0000000..ea80546
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "merge_same_named" false -}}
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $local "values" $.values -}}
+ {{- if hasKey $ "merge_same_named" -}}
+ {{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "values" $ -}}
+ {{- end -}}
+
+ {{- $target := first $local.values -}}
+ {{- range $item := rest $local.values -}}
+ {{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+
+ {{- if kindIs "map" $ -}}
+ {{- $_ := set $ "result" $local.result -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+ {{- $local := dict -}}
+
+ {{- $_ := set $ "result" $.source -}}
+
+ {{/*
+ TODO: Should we `fail` when trying to merge a collection (map or slice) with
+ either a different kind of collection or a scalar?
+ */}}
+
+ {{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+ {{- range $key, $sourceValue := $.source -}}
+ {{- if not (hasKey $.target $key) -}}
+ {{- $_ := set $local "newTargetValue" $sourceValue -}}
+ {{- if kindIs "map" $sourceValue -}}
+ {{- $copy := dict -}}
+ {{- $call := dict "target" $copy "source" $sourceValue -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+ {{- $_ := set $local "newTargetValue" $copy -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $targetValue := index $.target $key -}}
+ {{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- $_ := set $local "newTargetValue" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $.target $key $local.newTargetValue -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $.target -}}
+ {{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+ {{- $call := dict "target" $.target "source" $.source -}}
+ {{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+ {{- if $.merge_same_named -}}
+ {{- $_ := set $local "result" list -}}
+ {{- $_ := set $local "named_items" dict -}}
+ {{- range $item := $call.result -}}
+ {{- $_ := set $local "has_name_key" false -}}
+ {{- if kindIs "map" $item -}}
+ {{- if hasKey $item "name" -}}
+ {{- $_ := set $local "has_name_key" true -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if $local.has_name_key -}}
+ {{- if hasKey $local.named_items $item.name -}}
+ {{- $named_item := index $local.named_items $item.name -}}
+ {{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+ {{- $_ := include "helm-toolkit.utils._merge" $call -}}
+ {{- else -}}
+ {{- $copy := dict -}}
+ {{- $copy_call := dict "target" $copy "source" $item -}}
+ {{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+ {{- $_ := set $local.named_items $item.name $copy -}}
+ {{- $_ := set $local "result" (append $local.result $copy) -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" (append $local.result $item) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- else -}}
+ {{- $_ := set $local "result" $call.result -}}
+ {{- end -}}
+ {{- $_ := set $ "result" (uniq $local.result) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+ {{- range $key, $value := $.source -}}
+ {{- $_ := set $.target $key $value -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+ {{- $local := dict -}}
+ {{- $_ := set $local "result" $.target -}}
+ {{- range $value := $.source -}}
+ {{- $_ := set $local "result" (append $local.result $value) -}}
+ {{- end -}}
+ {{- $_ := set $ "result" $local.result -}}
+{{- end -}}
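Review bot: In `helm-toolkit.utils.merge`, `$local.result` is only assigned inside the `range` over `rest $local.values`, so when the caller passes a single value the range body never runs and the map form ends with `set $ "result" $local.result` storing nil instead of the lone target. Initialise it right after the target is picked: `{{- $_ := set $local "result" $target -}}`. With that in place the single-element case returns the target unchanged, which is what the header comment describes for a merge with no sources.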
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_template.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_template.tpl
new file mode 100644
index 0000000..da56aa0
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_to_ini.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_to_ini.tpl
new file mode 100644
index 0000000..a159364
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns INI formatted output from yaml input
+values: |
+ conf:
+ paste:
+ filter:debug:
+ use: egg:oslo.middleware#debug
+ filter:request_id:
+ use: egg:oslo.middleware#request_id
+ filter:build_auth_context:
+ use: egg:keystone#build_auth_context
+usage: |
+ {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+ [filter:build_auth_context]
+ use = egg:keystone#build_auth_context
+ [filter:debug]
+ use = egg:oslo.middleware#debug
+ [filter:request_id]
+ use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
new file mode 100644
index 0000000..885a86c
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@@ -0,0 +1,46 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns yaml formatted to be used in k8s templates as container
+ env vars injected via secrets. This requires a secret-<chartname> template to
+ be defined in the chart that can be used to house the desired secret
+ variables. For reference, see the fluentd chart.
+values: |
+ test:
+ secrets:
+ foo: bar
+
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ valueFrom:
+ secretKeyRef:
+ name: "my-release-name-env-secret"
+ key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+ key: {{ $key }}
+{{ end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
new file mode 100644
index 0000000..829dca6
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_to_k8s_env_vars.tpl
@@ -0,0 +1,39 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair formatted to be used in k8s templates as container
+ env vars.
+values: |
+ test:
+ foo: bar
+usage: |
+ {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+ - name: foo
+ value: "bar"
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
+{{range $key, $value := . -}}
+{{- if kindIs "slice" $value -}}
+- name: {{ $key }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{else -}}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_to_kv_list.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
new file mode 100644
index 0000000..91bdeb6
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_to_kv_list.tpl
@@ -0,0 +1,42 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns key value pair in INI format (key = value)
+values: |
+ conf:
+ libvirt:
+ log_level: 3
+usage: |
+ {{ include "helm-toolkit.utils.to_kv_list" .Values.conf.libvirt }}
+return: |
+ log_level = 3
+*/}}
+
+{{- define "helm-toolkit.utils.to_kv_list" -}}
+{{- range $key, $value := . -}}
+{{- if kindIs "slice" $value }}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
+{{- else if kindIs "string" $value }}
+{{- if regexMatch "^[0-9]+$" $value }}
+{{ $key }} = {{ $value }}
+{{- else }}
+{{ $key }} = {{ $value | quote }}
+{{- end }}
+{{- else }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl b/charts/ovn/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
new file mode 100644
index 0000000..622a862
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/templates/utils/_to_oslo_conf.tpl
@@ -0,0 +1,75 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Returns OSLO.conf formatted output from yaml input
+values: |
+ conf:
+ keystone:
+ DEFAULT: # Keys at this level are used for section headings
+ max_token_size: 255
+ oslo_messaging_notifications:
+ driver: # An example of a multistring option's syntax
+ type: multistring
+ values:
+ - messagingv2
+ - log
+ oslo_messaging_notifications_stein:
+ driver: # An example of a csv option's syntax
+ type: csv
+ values:
+ - messagingv2
+ - log
+ security_compliance:
+ password_expires_ignore_user_ids:
+ # Values in a list will be converted to a comma separated key
+ - "123"
+ - "456"
+usage: |
+ {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.keystone }}
+return: |
+ [DEFAULT]
+ max_token_size = 255
+ [oslo_messaging_notifications]
+ driver = messagingv2
+ driver = log
+ [oslo_messaging_notifications_stein]
+ driver = messagingv2,log
+ [security_compliance]
+ password_expires_ignore_user_ids = 123,456
+*/}}
+
+{{- define "helm-toolkit.utils.to_oslo_conf" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{ range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{ else if kindIs "map" $value -}}
+{{- if eq $value.type "multistring" }}
+{{- range $k, $multistringValue := $value.values -}}
+{{ $key }} = {{ $multistringValue }}
+{{ end -}}
+{{ else if eq $value.type "csv" -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value.values }}
+{{ end -}}
+{{- else -}}
+{{ $key }} = {{ $value }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/ovn/charts/helm-toolkit/values.yaml b/charts/ovn/charts/helm-toolkit/values.yaml
new file mode 100644
index 0000000..681a92b
--- /dev/null
+++ b/charts/ovn/charts/helm-toolkit/values.yaml
@@ -0,0 +1,16 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for utils.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
diff --git a/charts/ovn/requirements.lock b/charts/ovn/requirements.lock
new file mode 100644
index 0000000..96fe7bc
--- /dev/null
+++ b/charts/ovn/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: 0.2.53
+digest: sha256:ffe3f3b02607e6a035f38f83855988fd8d5c388dbd0bd46e75c22b493a50ede9
+generated: "2023-07-22T05:50:22.213685069Z"
diff --git a/charts/ovn/requirements.yaml b/charts/ovn/requirements.yaml
new file mode 100644
index 0000000..84f0aff
--- /dev/null
+++ b/charts/ovn/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: file://../helm-toolkit
+ version: ">= 0.1.0"
+...
diff --git a/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
new file mode 100644
index 0000000..aa3ff6d
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovn-controller-init.sh.tpl
@@ -0,0 +1,89 @@
+#!/bin/bash -xe
+
+# Copyright 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function get_ip_address_from_interface {
+ local interface=$1
+ local ip=$(ip -4 -o addr s "${interface}" | awk '{ print $4; exit }' | awk -F '/' '{print $1}')
+ if [ -z "${ip}" ] ; then
+ exit 1
+ fi
+ echo ${ip}
+}
+
+# Detect tunnel interface
+tunnel_interface="{{- .Values.network.interface.tunnel -}}"
+if [ -z "${tunnel_interface}" ] ; then
+ # search for interface with tunnel network routing
+ tunnel_network_cidr="{{- .Values.network.interface.tunnel_network_cidr -}}"
+ if [ -z "${tunnel_network_cidr}" ] ; then
+ tunnel_network_cidr="0/0"
+ fi
+ # If there is not tunnel network gateway, exit
+ tunnel_interface=$(ip -4 route list ${tunnel_network_cidr} | awk -F 'dev' '{ print $2; exit }' \
+ | awk '{ print $1 }') || exit 1
+fi
+ovs-vsctl set open . external_ids:ovn-encap-ip="$(get_ip_address_from_interface ${tunnel_interface})"
+
+# Configure system ID
+set +e
+ovs-vsctl get open . external-ids:system-id
+if [ $? -eq 1 ]; then
+ ovs-vsctl set open . external-ids:system-id="$(uuidgen)"
+fi
+set -e
+
+# Configure OVN remote
+{{- if empty .Values.conf.ovn_remote -}}
+{{- $sb_svc_name := "ovn-ovsdb-sb" -}}
+{{- $sb_svc := (tuple $sb_svc_name "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") -}}
+{{- $sb_port := (tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+{{- $sb_service_list := list -}}
+{{- range $i := until (.Values.pod.replicas.ovn_ovsdb_sb | int) -}}
+ {{- $sb_service_list = printf "tcp:%s-%d.%s:%s" $sb_svc_name $i $sb_svc $sb_port | append $sb_service_list -}}
+{{- end }}
+
+ovs-vsctl set open . external-ids:ovn-remote="{{ include "helm-toolkit.utils.joinListWithComma" $sb_service_list }}"
+{{- else -}}
+ovs-vsctl set open . external-ids:ovn-remote="{{ .Values.conf.ovn_remote }}"
+{{- end }}
+
+# Configure OVN values
+ovs-vsctl set open . external-ids:rundir="/var/run/openvswitch"
+ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type }}"
+ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}"
+ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}"
+ovs-vsctl set open . external-ids:ovn-cms-options="{{ .Values.conf.ovn_cms_options }}"
+
+# Configure hostname
+{{- if .Values.conf.use_fqdn.compute }}
+ ovs-vsctl set open . external-ids:hostname="$(hostname -f)"
+{{- else }}
+ ovs-vsctl set open . external-ids:hostname="$(hostname)"
+{{- end }}
+
+# Create bridges and create ports
+# handle any bridge mappings
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+ bridge=${bmap%:*}
+ iface=${bmap#*:}
+ ovs-vsctl --may-exist add-br $bridge -- set bridge $bridge protocols=OpenFlow13
+ if [ -n "$iface" ] && [ "$iface" != "null" ]
+ then
+ ovs-vsctl --may-exist add-port $bridge $iface
+ fi
+done
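Review bot: The `exit 1` inside `get_ip_address_from_interface` only terminates the `$(...)` subshell, and because that substitution is an argument to `ovs-vsctl` in the `ovn-encap-ip` line its exit status is discarded, so an interface with no IPv4 address writes `external_ids:ovn-encap-ip=""` and the script carries on under `-e` as if it had succeeded. Capturing the value in an assignment first makes the failure fatal: `encap_ip="$(get_ip_address_from_interface "${tunnel_interface}")"` followed by `ovs-vsctl set open . external_ids:ovn-encap-ip="${encap_ip}"`. The `|| exit 1` on the tunnel-interface detection has the same gap, since the pipeline's status is awk's and awk succeeds when no route matched; a `[ -n "${tunnel_interface}" ] || exit 1` after it would catch the empty case. The bridge-mapping loop at the end is duplicated verbatim in `_ovn-setup-bridges-init.sh.tpl`.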
diff --git a/charts/ovn/templates/bin/_ovn-controller.sh.tpl b/charts/ovn/templates/bin/_ovn-controller.sh.tpl
new file mode 100644
index 0000000..ecb659d
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovn-controller.sh.tpl
@@ -0,0 +1,39 @@
+#!/bin/bash -xe
+
+# Copyright 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+COMMAND="${@:-start}"
+
+function start () {
+ /usr/share/ovn/scripts/ovn-ctl start_controller \
+ --ovn-manage-ovsdb=no
+
+ tail --follow=name /var/log/ovn/ovn-controller.log
+}
+
+function stop () {
+ /usr/share/ovn/scripts/ovn-ctl stop_controller
+ pkill tail
+}
+
+function liveness () {
+ ovs-appctl -t /var/run/ovn/ovn-controller.$(cat /var/run/ovn/ovn-controller.pid).ctl status
+}
+
+function readiness () {
+ ovs-appctl -t /var/run/ovn/ovn-controller.$(cat /var/run/ovn/ovn-controller.pid).ctl status
+}
+
+$COMMAND
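Review bot: The trailing `$COMMAND` runs whatever string was passed as arguments, unquoted and unchecked, rather than dispatching to one of the four functions defined above, so a typo in the pod spec executes an unrelated program or fails with a confusing error instead of a usage message. A `case` over the known names keeps the same default of `start` and rejects anything else. `liveness` and `readiness` have identical bodies; if that is intentional a one-line comment saying so would help the next reader. The same dispatch pattern is used in `_ovn-northd.sh.tpl`.
```shell
# … unchanged: start/stop/liveness/readiness functions …

case "${1:-start}" in
  start|stop|liveness|readiness) "${1:-start}" ;;
  *) echo "unknown command: $1" >&2; exit 1 ;;
esac
```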
diff --git a/charts/ovn/templates/bin/_ovn-northd.sh.tpl b/charts/ovn/templates/bin/_ovn-northd.sh.tpl
new file mode 100644
index 0000000..fefd793
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovn-northd.sh.tpl
@@ -0,0 +1,57 @@
+#!/bin/bash -xe
+
+# Copyright 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+COMMAND="${@:-start}"
+
+{{- $nb_svc_name := "ovn-ovsdb-nb" -}}
+{{- $nb_svc := (tuple $nb_svc_name "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") -}}
+{{- $nb_port := (tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+{{- $nb_service_list := list -}}
+{{- range $i := until (.Values.pod.replicas.ovn_ovsdb_nb | int) -}}
+ {{- $nb_service_list = printf "tcp:%s-%d.%s:%s" $nb_svc_name $i $nb_svc $nb_port | append $nb_service_list -}}
+{{- end -}}
+
+{{- $sb_svc_name := "ovn-ovsdb-sb" -}}
+{{- $sb_svc := (tuple $sb_svc_name "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") -}}
+{{- $sb_port := (tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+{{- $sb_service_list := list -}}
+{{- range $i := until (.Values.pod.replicas.ovn_ovsdb_sb | int) -}}
+ {{- $sb_service_list = printf "tcp:%s-%d.%s:%s" $sb_svc_name $i $sb_svc $sb_port | append $sb_service_list -}}
+{{- end }}
+
+function start () {
+ /usr/share/ovn/scripts/ovn-ctl start_northd \
+ --ovn-manage-ovsdb=no \
+ --ovn-northd-nb-db={{ include "helm-toolkit.utils.joinListWithComma" $nb_service_list }} \
+ --ovn-northd-sb-db={{ include "helm-toolkit.utils.joinListWithComma" $sb_service_list }}
+
+ tail --follow=name /var/log/ovn/ovn-northd.log
+}
+
+function stop () {
+ /usr/share/ovn/scripts/ovn-ctl stop_northd
+ pkill tail
+}
+
+function liveness () {
+ ovs-appctl -t /var/run/ovn/ovn-northd.$(cat /var/run/ovn/ovn-northd.pid).ctl status
+}
+
+function readiness () {
+ ovs-appctl -t /var/run/ovn/ovn-northd.$(cat /var/run/ovn/ovn-northd.pid).ctl status
+}
+
+$COMMAND
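Review bot: The NB and SB connection strings built with `printf "tcp:%s-%d.%s:%s"` hard-code a cleartext, unauthenticated transport to the ovsdb servers, so northd's database access rests entirely on network isolation of the ovsdb service ports. A values-driven scheme (a setting that selects `tcp` or `ssl`, paired with the corresponding ovn-ctl SSL options) would let operators enable TLS without editing the template; the same `tcp:` literal is used for `ovn-remote` in `_ovn-controller-init.sh.tpl`. If cleartext is the intended default for this release, a comment above the service-list construction such as `# NOTE: ovsdb connections are plain TCP; rely on network policy to restrict access` would make that explicit.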
diff --git a/charts/ovn/templates/bin/_ovn-setup-bridges-init.sh.tpl b/charts/ovn/templates/bin/_ovn-setup-bridges-init.sh.tpl
new file mode 100644
index 0000000..c474f1c
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovn-setup-bridges-init.sh.tpl
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+
+# handle any bridge mappings
+# /tmp/auto_bridge_add is one line json file: {"br-ex1":"eth1","br-ex2":"eth2"}
+for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`
+do
+ bridge=${bmap%:*}
+ iface=${bmap#*:}
+ ovs-vsctl --may-exist add-br $bridge -- set bridge $bridge protocols=OpenFlow13
+ if [ -n "$iface" ] && [ "$iface" != "null" ]
+ then
+ ovs-vsctl --may-exist add-port $bridge $iface
+ fi
+done
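Review bot: The loop over `/tmp/auto_bridge_add` is a verbatim copy of the one at the end of `_ovn-controller-init.sh.tpl`, so any fix to the parsing has to be made twice; a shared snippet would remove the drift risk. The `sed`-based strip of JSON punctuation also splits incorrectly on any value containing `,` or `:`, and if the file is missing the failing command substitution in the `for` word list does not abort under `set -e`, so the script ends with no bridges created. A guard such as `[ -f /tmp/auto_bridge_add ] || { echo "missing /tmp/auto_bridge_add" >&2; exit 1; }` before the loop would make that case explicit.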
diff --git a/charts/ovn/templates/bin/_ovn.sh.tpl b/charts/ovn/templates/bin/_ovn.sh.tpl
new file mode 100644
index 0000000..afb84d4
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovn.sh.tpl
@@ -0,0 +1,1393 @@
+#!/bin/bash
+# set -x
+
+bracketify() { case "$1" in *:*) echo "[$1]" ;; *) echo "$1" ;; esac }
+
+OVN_NORTH="tcp:${OVN_NB_DB_SERVICE_HOST}:${OVN_NB_DB_SERVICE_PORT_OVN_NB_DB}"
+OVN_SOUTH="tcp:${OVN_SB_DB_SERVICE_HOST}:${OVN_SB_DB_SERVICE_PORT_OVN_SB_DB}"
+
+# This script is the entrypoint to the image.
+# Supports version 3 daemonsets
+# $1 is the daemon to start.
+# In version 3 each process has a separate container. Some daemons start
+# more than 1 process. Also, where possible, output is to stdout and
+# The script waits for prerquisite deamons to come up first.
+# Commands ($1 values)
+# ovs-server Runs the ovs daemons - ovsdb-server and ovs-switchd (v3)
+# run-ovn-northd Runs ovn-northd as a process does not run nb_ovsdb or sb_ovsdb (v3)
+# nb-ovsdb Runs nb_ovsdb as a process (no detach or monitor) (v3)
+# sb-ovsdb Runs sb_ovsdb as a process (no detach or monitor) (v3)
+# ovn-master Runs ovnkube in master mode (v3)
+# ovn-controller Runs ovn controller (v3)
+# ovn-node Runs ovnkube in node mode (v3)
+# cleanup-ovn-node Runs ovnkube to cleanup the node (v3)
+# cleanup-ovs-server Cleanup ovs-server (v3)
+# display Displays log files
+# display_env Displays environment variables
+# ovn_debug Displays ovn/ovs configuration and flows
+
+# ====================
+# Environment variables are used to customize operation
+# K8S_APISERVER - hostname:port (URL)of the real apiserver, not the service address - v3
+# OVN_NET_CIDR - the network cidr - v3
+# OVN_SVC_CIDR - the cluster-service-cidr - v3
+# OVN_KUBERNETES_NAMESPACE - k8s namespace - v3
+# K8S_NODE - hostname of the node - v3
+#
+# OVN_DAEMONSET_VERSION - version match daemonset and image - v3
+# K8S_TOKEN - the apiserver token. Automatically detected when running in a pod - v3
+# K8S_CACERT - the apiserver CA. Automatically detected when running in a pod - v3
+# OVN_CONTROLLER_OPTS - the options for ovn-ctl
+# OVN_NORTHD_OPTS - the options for the ovn northbound db
+# OVN_GATEWAY_MODE - the gateway mode (shared or local) - v3
+# OVN_GATEWAY_OPTS - the options for the ovn gateway
+# OVN_GATEWAY_ROUTER_SUBNET - the gateway router subnet (shared mode, DPU only) - v3
+# OVNKUBE_LOGLEVEL - log level for ovnkube (0..5, default 4) - v3
+# OVN_LOGLEVEL_NORTHD - log level (ovn-ctl default: -vconsole:emer -vsyslog:err -vfile:info) - v3
+# OVN_LOGLEVEL_NB - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3
+# OVN_LOGLEVEL_SB - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3
+# OVN_LOGLEVEL_CONTROLLER - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3
+# OVN_LOGLEVEL_NBCTLD - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3
+# OVNKUBE_LOGFILE_MAXSIZE - log file max size in MB(default 100 MB)
+# OVNKUBE_LOGFILE_MAXBACKUPS - log file max backups (default 5)
+# OVNKUBE_LOGFILE_MAXAGE - log file max age in days (default 5 days)
+# OVN_ACL_LOGGING_RATE_LIMIT - specify default ACL logging rate limit in messages per second (default: 20)
+# OVN_NB_PORT - ovn north db port (default 6640)
+# OVN_SB_PORT - ovn south db port (default 6640)
+# OVN_NB_RAFT_PORT - ovn north db raft port (default 6643)
+# OVN_SB_RAFT_PORT - ovn south db raft port (default 6644)
+# OVN_NB_RAFT_ELECTION_TIMER - ovn north db election timer in ms (default 1000)
+# OVN_SB_RAFT_ELECTION_TIMER - ovn south db election timer in ms (default 1000)
+# OVN_SSL_ENABLE - use SSL transport to NB/SB db and northd (default: no)
+# OVN_REMOTE_PROBE_INTERVAL - ovn remote probe interval in ms (default 100000)
+# OVN_MONITOR_ALL - ovn-controller monitor all data in SB DB
+# OVN_OFCTRL_WAIT_BEFORE_CLEAR - ovn-controller wait time in ms before clearing OpenFlow rules during start up
+# OVN_ENABLE_LFLOW_CACHE - enable ovn-controller lflow-cache
+# OVN_LFLOW_CACHE_LIMIT - maximum number of logical flow cache entries of ovn-controller
+# OVN_LFLOW_CACHE_LIMIT_KB - maximum size of the logical flow cache of ovn-controller
+# OVN_EGRESSIP_ENABLE - enable egress IP for ovn-kubernetes
+# OVN_EGRESSIP_HEALTHCHECK_PORT - egress IP node check to use grpc on this port (0 ==> dial to port 9 instead)
+# OVN_EGRESSFIREWALL_ENABLE - enable egressFirewall for ovn-kubernetes
+# OVN_EGRESSQOS_ENABLE - enable egress QoS for ovn-kubernetes
+# OVN_UNPRIVILEGED_MODE - execute CNI ovs/netns commands from host (default no)
+# OVNKUBE_NODE_MODE - ovnkube node mode of operation, one of: full, dpu, dpu-host (default: full)
+# OVNKUBE_NODE_MGMT_PORT_NETDEV - ovnkube node management port netdev.
+# OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node. mandatory in case ovnkube-node-mode=="dpu"
+# OVN_HOST_NETWORK_NAMESPACE - namespace to classify host network traffic for applying network policies
+
+# The argument to the command is the operation to be performed
+# ovn-master ovn-controller ovn-node display display_env ovn_debug
+# a cmd must be provided, there is no default
+cmd=${1:-""}
+
+# ovn daemon log levels
+ovn_loglevel_northd=${OVN_LOGLEVEL_NORTHD:-"-vconsole:info"}
+ovn_loglevel_nb=${OVN_LOGLEVEL_NB:-"-vconsole:info"}
+ovn_loglevel_sb=${OVN_LOGLEVEL_SB:-"-vconsole:info"}
+ovn_loglevel_controller=${OVN_LOGLEVEL_CONTROLLER:-"-vconsole:info"}
+
+ovnkubelogdir=/var/log/ovn-kubernetes
+
+# logfile rotation parameters
+ovnkube_logfile_maxsize=${OVNKUBE_LOGFILE_MAXSIZE:-"100"}
+ovnkube_logfile_maxbackups=${OVNKUBE_LOGFILE_MAXBACKUPS:-"5"}
+ovnkube_logfile_maxage=${OVNKUBE_LOGFILE_MAXAGE:-"5"}
+
+# ovnkube.sh version (update when API between daemonset and script changes - v.x.y)
+ovnkube_version="3"
+
+# The daemonset version must be compatible with this script.
+# The default when OVN_DAEMONSET_VERSION is not set is version 3
+ovn_daemonset_version=${OVN_DAEMONSET_VERSION:-"3"}
+
+# hostname is the host's hostname when using host networking,
+# This is useful on the master
+# otherwise it is the container ID (useful for debugging).
+ovn_pod_host=${K8S_NODE:-$(hostname)}
+
+# The ovs user id, by default it is going to be root:root
+ovs_user_id=${OVS_USER_ID:-""}
+
+# ovs options
+ovs_options=${OVS_OPTIONS:-""}
+
+if [[ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]]; then
+ k8s_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+else
+ k8s_token=${K8S_TOKEN}
+fi
+
+# certs and private keys for k8s and OVN
+K8S_CACERT=${K8S_CACERT:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt}
+
+ovn_ca_cert=/ovn-cert/ca-cert.pem
+ovn_nb_pk=/ovn-cert/ovnnb-privkey.pem
+ovn_nb_cert=/ovn-cert/ovnnb-cert.pem
+ovn_sb_pk=/ovn-cert/ovnsb-privkey.pem
+ovn_sb_cert=/ovn-cert/ovnsb-cert.pem
+ovn_northd_pk=/ovn-cert/ovnnorthd-privkey.pem
+ovn_northd_cert=/ovn-cert/ovnnorthd-cert.pem
+ovn_controller_pk=/ovn-cert/ovncontroller-privkey.pem
+ovn_controller_cert=/ovn-cert/ovncontroller-cert.pem
+ovn_controller_cname="ovncontroller"
+
+transport="tcp"
+ovndb_ctl_ssl_opts=""
+if [[ "yes" == ${OVN_SSL_ENABLE} ]]; then
+ transport="ssl"
+ ovndb_ctl_ssl_opts="-p ${ovn_controller_pk} -c ${ovn_controller_cert} -C ${ovn_ca_cert}"
+fi
+
+# ovn-northd - /etc/sysconfig/ovn-northd
+ovn_northd_opts=${OVN_NORTHD_OPTS:-""}
+
+# ovn-controller
+ovn_controller_opts=${OVN_CONTROLLER_OPTS:-""}
+
+# set the log level for ovnkube
+ovnkube_loglevel=${OVNKUBE_LOGLEVEL:-4}
+
+# by default it is going to be a shared gateway mode, however this can be overridden to any of the other
+# two gateway modes that we support using `images/daemonset.sh` tool
+ovn_gateway_mode=${OVN_GATEWAY_MODE:-"shared"}
+ovn_gateway_opts=${OVN_GATEWAY_OPTS:-""}
+ovn_gateway_router_subnet=${OVN_GATEWAY_ROUTER_SUBNET:-""}
+
+net_cidr=${OVN_NET_CIDR:-10.128.0.0/14/23}
+svc_cidr=${OVN_SVC_CIDR:-172.30.0.0/16}
+mtu=${OVN_MTU:-1400}
+routable_mtu=${OVN_ROUTABLE_MTU:-}
+
+# set metrics endpoint bind to K8S_NODE_IP.
+metrics_endpoint_ip=${K8S_NODE_IP:-0.0.0.0}
+metrics_endpoint_ip=$(bracketify $metrics_endpoint_ip)
+ovn_kubernetes_namespace=${OVN_KUBERNETES_NAMESPACE:-ovn-kubernetes}
+# namespace used for classifying host network traffic
+ovn_host_network_namespace=${OVN_HOST_NETWORK_NAMESPACE:-ovn-host-network}
+
+# host on which ovnkube-db POD is running and this POD contains both
+# OVN NB and SB DB running in their own container.
+ovn_db_host=$(hostname -i)
+
+# OVN_NB_PORT - ovn north db port (default 6640)
+ovn_nb_port=${OVN_NB_PORT:-6640}
+# OVN_SB_PORT - ovn south db port (default 6640)
+ovn_sb_port=${OVN_SB_PORT:-6640}
+# OVN_NB_RAFT_PORT - ovn north db port used for raft communication (default 6643)
+ovn_nb_raft_port=${OVN_NB_RAFT_PORT:-6643}
+# OVN_SB_RAFT_PORT - ovn south db port used for raft communication (default 6644)
+ovn_sb_raft_port=${OVN_SB_RAFT_PORT:-6644}
+# OVN_ENCAP_PORT - GENEVE UDP port (default 6081)
+ovn_encap_port=${OVN_ENCAP_PORT:-6081}
+# OVN_NB_RAFT_ELECTION_TIMER - ovn north db election timer in ms (default 1000)
+ovn_nb_raft_election_timer=${OVN_NB_RAFT_ELECTION_TIMER:-1000}
+# OVN_SB_RAFT_ELECTION_TIMER - ovn south db election timer in ms (default 1000)
+ovn_sb_raft_election_timer=${OVN_SB_RAFT_ELECTION_TIMER:-1000}
+
+ovn_hybrid_overlay_enable=${OVN_HYBRID_OVERLAY_ENABLE:-}
+ovn_hybrid_overlay_net_cidr=${OVN_HYBRID_OVERLAY_NET_CIDR:-}
+ovn_disable_snat_multiple_gws=${OVN_DISABLE_SNAT_MULTIPLE_GWS:-}
+ovn_disable_pkt_mtu_check=${OVN_DISABLE_PKT_MTU_CHECK:-}
+ovn_empty_lb_events=${OVN_EMPTY_LB_EVENTS:-}
+# OVN_V4_JOIN_SUBNET - v4 join subnet
+ovn_v4_join_subnet=${OVN_V4_JOIN_SUBNET:-}
+# OVN_V6_JOIN_SUBNET - v6 join subnet
+ovn_v6_join_subnet=${OVN_V6_JOIN_SUBNET:-}
+#OVN_REMOTE_PROBE_INTERVAL - ovn remote probe interval in ms (default 100000)
+ovn_remote_probe_interval=${OVN_REMOTE_PROBE_INTERVAL:-100000}
+#OVN_MONITOR_ALL - ovn-controller monitor all data in SB DB
+ovn_monitor_all=${OVN_MONITOR_ALL:-}
+#OVN_OFCTRL_WAIT_BEFORE_CLEAR - ovn-controller wait time in ms before clearing OpenFlow rules during start up
+ovn_ofctrl_wait_before_clear=${OVN_OFCTRL_WAIT_BEFORE_CLEAR:-}
+ovn_enable_lflow_cache=${OVN_ENABLE_LFLOW_CACHE:-}
+ovn_lflow_cache_limit=${OVN_LFLOW_CACHE_LIMIT:-}
+ovn_lflow_cache_limit_kb=${OVN_LFLOW_CACHE_LIMIT_KB:-}
+ovn_multicast_enable=${OVN_MULTICAST_ENABLE:-}
+#OVN_EGRESSIP_ENABLE - enable egress IP for ovn-kubernetes
+ovn_egressip_enable=${OVN_EGRESSIP_ENABLE:-false}
+#OVN_EGRESSIP_HEALTHCHECK_PORT - egress IP node check to use grpc on this port
+ovn_egress_ip_healthcheck_port=${OVN_EGRESSIP_HEALTHCHECK_PORT:-9107}
+#OVN_EGRESSFIREWALL_ENABLE - enable egressFirewall for ovn-kubernetes
+ovn_egressfirewall_enable=${OVN_EGRESSFIREWALL_ENABLE:-false}
+#OVN_EGRESSQOS_ENABLE - enable egress QoS for ovn-kubernetes
+ovn_egressqos_enable=${OVN_EGRESSQOS_ENABLE:-false}
+#OVN_DISABLE_OVN_IFACE_ID_VER - disable usage of the OVN iface-id-ver option
+ovn_disable_ovn_iface_id_ver=${OVN_DISABLE_OVN_IFACE_ID_VER:-false}
+ovn_acl_logging_rate_limit=${OVN_ACL_LOGGING_RATE_LIMIT:-"20"}
+ovn_netflow_targets=${OVN_NETFLOW_TARGETS:-}
+ovn_sflow_targets=${OVN_SFLOW_TARGETS:-}
+ovn_ipfix_targets=${OVN_IPFIX_TARGETS:-}
+ovn_ipfix_sampling=${OVN_IPFIX_SAMPLING:-} \
+ovn_ipfix_cache_max_flows=${OVN_IPFIX_CACHE_MAX_FLOWS:-} \
+ovn_ipfix_cache_active_timeout=${OVN_IPFIX_CACHE_ACTIVE_TIMEOUT:-} \
+
+# OVNKUBE_NODE_MODE - is the mode which ovnkube node operates
+ovnkube_node_mode=${OVNKUBE_NODE_MODE:-"full"}
+# OVNKUBE_NODE_MGMT_PORT_NETDEV - is the net device to be used for management port
+ovnkube_node_mgmt_port_netdev=${OVNKUBE_NODE_MGMT_PORT_NETDEV:-}
+ovnkube_config_duration_enable=${OVNKUBE_CONFIG_DURATION_ENABLE:-false}
+# OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node
+ovn_encap_ip=${OVN_ENCAP_IP:-}
+
+ovn_ex_gw_network_interface=${OVN_EX_GW_NETWORK_INTERFACE:-}
+
+# Determine the ovn rundir.
+if [[ -f /usr/bin/ovn-appctl ]]; then
+ # ovn-appctl is present. Use new ovn run dir path.
+ OVN_RUNDIR=/var/run/ovn
+ OVNCTL_PATH=/usr/share/ovn/scripts/ovn-ctl
+ OVN_LOGDIR=/var/log/ovn
+ OVN_ETCDIR=/etc/ovn
+else
+ # ovn-appctl is not present. Use openvswitch run dir path.
+ OVN_RUNDIR=/var/run/openvswitch
+ OVNCTL_PATH=/usr/share/openvswitch/scripts/ovn-ctl
+ OVN_LOGDIR=/var/log/openvswitch
+ OVN_ETCDIR=/etc/openvswitch
+fi
+
+OVS_RUNDIR=/var/run/openvswitch
+OVS_LOGDIR=/var/log/openvswitch
+
+# =========================================
+
+setup_ovs_permissions() {
+ if [ ${ovs_user_id:-XX} != "XX" ]; then
+ chown -R ${ovs_user_id} /etc/openvswitch
+ chown -R ${ovs_user_id} ${OVS_RUNDIR}
+ chown -R ${ovs_user_id} ${OVS_LOGDIR}
+ chown -R ${ovs_user_id} ${OVN_ETCDIR}
+ chown -R ${ovs_user_id} ${OVN_RUNDIR}
+ chown -R ${ovs_user_id} ${OVN_LOGDIR}
+ fi
+}
+
+run_as_ovs_user_if_needed() {
+ setup_ovs_permissions
+
+ if [ ${ovs_user_id:-XX} != "XX" ]; then
+ local uid=$(id -u "${ovs_user_id%:*}")
+ local gid=$(id -g "${ovs_user_id%:*}")
+ local groups=$(id -G "${ovs_user_id%:*}" | tr ' ' ',')
+
+ setpriv --reuid $uid --regid $gid --groups $groups "$@"
+ echo "run as: setpriv --reuid $uid --regid $gid --groups $groups $@"
+ else
+ "$@"
+ echo "run as: $@"
+ fi
+}
+
+# wait_for_event [attempts=<num>] function_to_call [arguments_to_function]
+#
+# Processes running inside the container should immediately start, so we
+# shouldn't be making 80 attempts (default value). The "attempts=<num>"
+# argument will help us in configuring that value.
+wait_for_event() {
+ retries=0
+ sleeper=1
+ attempts=80
+ if [[ $1 =~ ^attempts= ]]; then
+ eval $1
+ shift
+ fi
+ while true; do
+ $@
+ if [[ $? != 0 ]]; then
+ ((retries += 1))
+ if [[ "${retries}" -gt ${attempts} ]]; then
+ echo "error: $@ did not come up, exiting"
+ exit 1
+ fi
+ echo "info: Waiting for $@ to come up, waiting ${sleeper}s ..."
+ sleep ${sleeper}
+ sleeper=5
+ else
+ if [[ "${retries}" != 0 ]]; then
+ echo "$@ came up in ${retries} ${sleeper} sec tries"
+ fi
+ break
+ fi
+ done
+}
+
+# check that daemonset version is among expected versions
+check_ovn_daemonset_version() {
+ ok=$1
+ for v in ${ok}; do
+ if [[ $v == ${ovn_daemonset_version} ]]; then
+ return 0
+ fi
+ done
+ echo "VERSION MISMATCH expect ${ok}, daemonset is version ${ovn_daemonset_version}"
+ exit 1
+}
+
+
+ovsdb_cleanup() {
+ local db=${1}
+ ovs-appctl -t ${OVN_RUNDIR}/ovn${db}_db.ctl exit >/dev/null 2>&1
+ kill $(jobs -p) >/dev/null 2>&1
+ exit 0
+}
+
+get_ovn_db_vars() {
+ ovn_nbdb_str=""
+ ovn_sbdb_str=""
+ for i in "${ovn_db_hosts[@]}"; do
+ if [ -n "$ovn_nbdb_str" ]; then
+ ovn_nbdb_str=${ovn_nbdb_str}","
+ ovn_sbdb_str=${ovn_sbdb_str}","
+ fi
+ ip=$(bracketify $i)
+ ovn_nbdb_str=${ovn_nbdb_str}${transport}://${ip}:${ovn_nb_port}
+ ovn_sbdb_str=${ovn_sbdb_str}${transport}://${ip}:${ovn_sb_port}
+ done
+ # OVN_NORTH and OVN_SOUTH override derived host
+ ovn_nbdb=${OVN_NORTH:-$ovn_nbdb_str}
+ ovn_sbdb=${OVN_SOUTH:-$ovn_sbdb_str}
+
+ # ovsdb server connection method <transport>:<host_address>:<port>
+ ovn_nbdb_conn=$(echo ${ovn_nbdb} | sed 's;//;;g')
+ ovn_sbdb_conn=$(echo ${ovn_sbdb} | sed 's;//;;g')
+}
+
+# OVS must be up before OVN comes up.
+# This checks if OVS is up and running
+ovs_ready() {
+ for daemon in $(echo ovsdb-server ovs-vswitchd); do
+ pidfile=${OVS_RUNDIR}/${daemon}.pid
+ if [[ -f ${pidfile} ]]; then
+ check_health $daemon $(cat $pidfile)
+ if [[ $? == 0 ]]; then
+ continue
+ fi
+ fi
+ return 1
+ done
+ return 0
+}
+
+# Verify that the process is running either by checking for the PID in `ps` output
+# or by using `ovs-appctl` utility for the processes that support it.
+# $1 is the name of the process
+process_ready() {
+ case ${1} in
+ "ovsdb-server" | "ovs-vswitchd")
+ pidfile=${OVS_RUNDIR}/${1}.pid
+ ;;
+ *)
+ pidfile=${OVN_RUNDIR}/${1}.pid
+ ;;
+ esac
+
+ if [[ -f ${pidfile} ]]; then
+ check_health $1 $(cat $pidfile)
+ if [[ $? == 0 ]]; then
+ return 0
+ fi
+ fi
+ return 1
+}
+
+# continuously checks if process is healthy. Exits if process terminates.
+# $1 is the name of the process
+# $2 is the pid of an another process to kill before exiting
+process_healthy() {
+ case ${1} in
+ "ovsdb-server" | "ovs-vswitchd")
+ pid=$(cat ${OVS_RUNDIR}/${1}.pid)
+ ;;
+ *)
+ pid=$(cat ${OVN_RUNDIR}/${1}.pid)
+ ;;
+ esac
+
+ while true; do
+ check_health $1 ${pid}
+ if [[ $? != 0 ]]; then
+ echo "=============== pid ${pid} terminated ========== "
+ # kill the tail -f
+ if [[ $2 != "" ]]; then
+ kill $2
+ fi
+ exit 6
+ fi
+ sleep 15
+ done
+}
+
+# checks for the health of the process either using `ps` or `ovs-appctl`
+# $1 is the name of the process
+# $2 is the process pid
+check_health() {
+ ctl_file=""
+ case ${1} in
+ "ovnkube" | "ovnkube-master" | "ovn-dbchecker")
+ # just check for presence of pid
+ ;;
+ "ovnnb_db" | "ovnsb_db")
+ ctl_file=${OVN_RUNDIR}/${1}.ctl
+ ;;
+ "ovn-northd" | "ovn-controller")
+ ctl_file=${OVN_RUNDIR}/${1}.${2}.ctl
+ ;;
+ "ovsdb-server" | "ovs-vswitchd")
+ ctl_file=${OVS_RUNDIR}/${1}.${2}.ctl
+ ;;
+ *)
+ echo "Unknown service ${1} specified. Exiting.. "
+ exit 1
+ ;;
+ esac
+
+ if [[ ${ctl_file} == "" ]]; then
+ # no control file, so just do the PID check
+ pid=${2}
+ pidTest=$(ps ax | awk '{ print $1 }' | grep "^${pid:-XX}$")
+ if [[ ${pid:-XX} == ${pidTest} ]]; then
+ return 0
+ fi
+ else
+ # use ovs-appctl to do the check
+ ovs-appctl -t ${ctl_file} version >/dev/null
+ if [[ $? == 0 ]]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+display_file() {
+ if [[ -f $3 ]]; then
+ echo "====================== $1 pid "
+ cat $2
+ echo "====================== $1 log "
+ cat $3
+ echo " "
+ fi
+}
+
+# pid and log file for each container
+display() {
+ echo "==================== display for ${ovn_pod_host} =================== "
+ date
+ display_file "nb-ovsdb" ${OVN_RUNDIR}/ovnnb_db.pid ${OVN_LOGDIR}/ovsdb-server-nb.log
+ display_file "sb-ovsdb" ${OVN_RUNDIR}/ovnsb_db.pid ${OVN_LOGDIR}/ovsdb-server-sb.log
+ display_file "run-ovn-northd" ${OVN_RUNDIR}/ovn-northd.pid ${OVN_LOGDIR}/ovn-northd.log
+ display_file "ovn-master" ${OVN_RUNDIR}/ovnkube-master.pid ${ovnkubelogdir}/ovnkube-master.log
+ display_file "ovs-vswitchd" ${OVS_RUNDIR}/ovs-vswitchd.pid ${OVS_LOGDIR}/ovs-vswitchd.log
+ display_file "ovsdb-server" ${OVS_RUNDIR}/ovsdb-server.pid ${OVS_LOGDIR}/ovsdb-server.log
+ display_file "ovn-controller" ${OVN_RUNDIR}/ovn-controller.pid ${OVN_LOGDIR}/ovn-controller.log
+ display_file "ovnkube" ${OVN_RUNDIR}/ovnkube.pid ${ovnkubelogdir}/ovnkube.log
+ display_file "ovn-dbchecker" ${OVN_RUNDIR}/ovn-dbchecker.pid ${OVN_LOGDIR}/ovn-dbchecker.log
+}
+
+setup_cni() {
+ cp -f /usr/libexec/cni/ovn-k8s-cni-overlay /opt/cni/bin/ovn-k8s-cni-overlay
+}
+
+display_version() {
+ echo " =================== hostname: ${ovn_pod_host}"
+ echo " =================== daemonset version ${ovn_daemonset_version}"
+ if [[ -f /root/git_info ]]; then
+ disp_ver=$(cat /root/git_info)
+ echo " =================== Image built from ovn-kubernetes ${disp_ver}"
+ return
+ fi
+}
+
+display_env() {
+ echo OVS_USER_ID ${ovs_user_id}
+ echo OVS_OPTIONS ${ovs_options}
+ echo OVN_NORTH ${ovn_nbdb}
+ echo OVN_NORTHD_OPTS ${ovn_northd_opts}
+ echo OVN_SOUTH ${ovn_sbdb}
+ echo OVN_CONTROLLER_OPTS ${ovn_controller_opts}
+ echo OVN_LOGLEVEL_CONTROLLER ${ovn_loglevel_controller}
+ echo OVN_GATEWAY_MODE ${ovn_gateway_mode}
+ echo OVN_GATEWAY_OPTS ${ovn_gateway_opts}
+ echo OVN_GATEWAY_ROUTER_SUBNET ${ovn_gateway_router_subnet}
+ echo OVN_NET_CIDR ${net_cidr}
+ echo OVN_SVC_CIDR ${svc_cidr}
+ echo OVN_NB_PORT ${ovn_nb_port}
+ echo OVN_SB_PORT ${ovn_sb_port}
+ echo K8S_APISERVER ${K8S_APISERVER}
+ echo OVNKUBE_LOGLEVEL ${ovnkube_loglevel}
+ echo OVN_DAEMONSET_VERSION ${ovn_daemonset_version}
+ echo OVNKUBE_NODE_MODE ${ovnkube_node_mode}
+ echo OVN_ENCAP_IP ${ovn_encap_ip}
+ echo ovnkube.sh version ${ovnkube_version}
+ echo OVN_HOST_NETWORK_NAMESPACE ${ovn_host_network_namespace}
+}
+
+ovn_debug() {
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}"
+ echo "ovn_nbdb_conn ${ovn_nbdb_conn}"
+ echo "ovn_sbdb_conn ${ovn_sbdb_conn}"
+
+ # get ovs/ovn info from the node for debug purposes
+ echo "=========== ovn_debug hostname: ${ovn_pod_host} ============="
+ echo "=========== ovn-nbctl --db=${ovn_nbdb_conn} show ============="
+ ovn-nbctl --db=${ovn_nbdb_conn} show
+ echo " "
+ echo "=========== ovn-nbctl list ACL ============="
+ ovn-nbctl --db=${ovn_nbdb_conn} list ACL
+ echo " "
+ echo "=========== ovn-nbctl list address_set ============="
+ ovn-nbctl --db=${ovn_nbdb_conn} list address_set
+ echo " "
+ echo "=========== ovs-vsctl show ============="
+ ovs-vsctl show
+ echo " "
+ echo "=========== ovs-ofctl -O OpenFlow13 dump-ports br-int ============="
+ ovs-ofctl -O OpenFlow13 dump-ports br-int
+ echo " "
+ echo "=========== ovs-ofctl -O OpenFlow13 dump-ports-desc br-int ============="
+ ovs-ofctl -O OpenFlow13 dump-ports-desc br-int
+ echo " "
+ echo "=========== ovs-ofctl dump-flows br-int ============="
+ ovs-ofctl dump-flows br-int
+ echo " "
+ echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} show ============="
+ ovn-sbctl --db=${ovn_sbdb_conn} show
+ echo " "
+ echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} lflow-list ============="
+ ovn-sbctl --db=${ovn_sbdb_conn} lflow-list
+ echo " "
+ echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} list datapath ============="
+ ovn-sbctl --db=${ovn_sbdb_conn} list datapath
+ echo " "
+ echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} list port_binding ============="
+ ovn-sbctl --db=${ovn_sbdb_conn} list port_binding
+}
+
+ovs-server() {
+ # start ovs ovsdb-server and ovs-vswitchd
+ set -euo pipefail
+
+ # if another process is listening on the cni-server socket, wait until it exits
+ trap 'kill $(jobs -p); exit 0' TERM
+ retries=0
+ while true; do
+ if /usr/share/openvswitch/scripts/ovs-ctl status >/dev/null; then
+ echo "warning: Another process is currently managing OVS, waiting 10s ..." 2>&1
+ sleep 10 &
+ wait
+ ((retries += 1))
+ else
+ break
+ fi
+ if [[ "${retries}" -gt 60 ]]; then
+ echo "error: Another process is currently managing OVS, exiting" 2>&1
+ exit 1
+ fi
+ done
+ rm -f ${OVS_RUNDIR}/ovs-vswitchd.pid
+ rm -f ${OVS_RUNDIR}/ovsdb-server.pid
+
+ # launch OVS
+ function quit() {
+ /usr/share/openvswitch/scripts/ovs-ctl stop
+ exit 1
+ }
+ trap quit SIGTERM
+
+ setup_ovs_permissions
+
+ USER_ARGS=""
+ if [ ${ovs_user_id:-XX} != "XX" ]; then
+ USER_ARGS="--ovs-user=${ovs_user_id}"
+ fi
+
+ /usr/share/openvswitch/scripts/ovs-ctl start --no-ovs-vswitchd \
+ --system-id=random ${ovs_options} ${USER_ARGS} "$@"
+
+ # Restrict the number of pthreads ovs-vswitchd creates to reduce the
+ # amount of RSS it uses on hosts with many cores
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1571379
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1572797
+ if [[ $(nproc) -gt 12 ]]; then
+ ovs-vsctl --no-wait set Open_vSwitch . other_config:n-revalidator-threads=4
+ ovs-vsctl --no-wait set Open_vSwitch . other_config:n-handler-threads=10
+ fi
+ /usr/share/openvswitch/scripts/ovs-ctl start --no-ovsdb-server \
+ --system-id=random ${ovs_options} ${USER_ARGS} "$@"
+
+ tail --follow=name ${OVS_LOGDIR}/ovs-vswitchd.log ${OVS_LOGDIR}/ovsdb-server.log &
+ ovs_tail_pid=$!
+ sleep 10
+ while true; do
+ if ! /usr/share/openvswitch/scripts/ovs-ctl status >/dev/null; then
+ echo "OVS seems to have crashed, exiting"
+ kill ${ovs_tail_pid}
+ quit
+ fi
+ sleep 15
+ done
+}
+
+cleanup-ovs-server() {
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server (wait for ovn-node to exit) ======="
+ retries=0
+ while [[ ${retries} -lt 80 ]]; do
+ if [[ ! -e ${OVN_RUNDIR}/ovnkube.pid ]]; then
+ break
+ fi
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server ovn-node still running, wait) ======="
+ sleep 1
+ ((retries += 1))
+ done
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server (ovs-ctl stop) ======="
+ /usr/share/openvswitch/scripts/ovs-ctl stop
+}
+
+function memory_trim_on_compaction_supported {
+ if [[ $1 == "nbdb" ]]; then
+ mem_trim_check=$(ovn-appctl -t ${OVN_RUNDIR}/ovnnb_db.ctl list-commands | grep "memory-trim-on-compaction")
+ elif [[ $1 == "sbdb" ]]; then
+ mem_trim_check=$(ovn-appctl -t ${OVN_RUNDIR}/ovnsb_db.ctl list-commands | grep "memory-trim-on-compaction")
+ fi
+ if [[ ${mem_trim_check} != "" ]]; then
+ return $(/bin/true)
+ else
+ return $(/bin/false)
+ fi
+}
+
+# v3 - run nb_ovsdb in a separate container
+nb-ovsdb() {
+ trap 'ovsdb_cleanup nb' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovnnb_db.pid
+
+ if [[ ${ovn_db_host} == "" ]]; then
+ echo "The IP address of the host $(hostname) could not be determined. Exiting..."
+ exit 1
+ fi
+
+ echo "=============== run nb_ovsdb ========== MASTER ONLY"
+ run_as_ovs_user_if_needed \
+ ${OVNCTL_PATH} run_nb_ovsdb --no-monitor \
+ --ovn-nb-log="${ovn_loglevel_nb}" &
+
+ wait_for_event attempts=3 process_ready ovnnb_db
+ echo "=============== nb-ovsdb ========== RUNNING"
+
+ # setting northd probe interval
+ set_northd_probe_interval
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn-nbctl set-ssl ${ovn_nb_pk} ${ovn_nb_cert} ${ovn_ca_cert}
+ echo "=============== nb-ovsdb ========== reconfigured for SSL"
+ }
+ [[ "true" == "${ENABLE_IPSEC}" ]] && {
+ ovn-nbctl set nb_global . ipsec=true
+ echo "=============== nb-ovsdb ========== reconfigured for ipsec"
+ }
+ ovn-nbctl --inactivity-probe=0 set-connection p${transport}:${ovn_nb_port}:$(bracketify ${ovn_db_host})
+ if memory_trim_on_compaction_supported "nbdb"
+ then
+ # Enable NBDB memory trimming on DB compaction, Every 10mins DBs are compacted
+ # memory on the heap is freed, when enable memory trimmming freed memory will go back to OS.
+ ovn-appctl -t ${OVN_RUNDIR}/ovnnb_db.ctl ovsdb-server/memory-trim-on-compaction on
+ fi
+ tail --follow=name ${OVN_LOGDIR}/ovsdb-server-nb.log &
+ ovn_tail_pid=$!
+ process_healthy ovnnb_db ${ovn_tail_pid}
+ echo "=============== run nb_ovsdb ========== terminated"
+}
+
+# v3 - run sb_ovsdb in a separate container
+sb-ovsdb() {
+ trap 'ovsdb_cleanup sb' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovnsb_db.pid
+
+ if [[ ${ovn_db_host} == "" ]]; then
+ echo "The IP address of the host $(hostname) could not be determined. Exiting..."
+ exit 1
+ fi
+
+ echo "=============== run sb_ovsdb ========== MASTER ONLY"
+ run_as_ovs_user_if_needed \
+ ${OVNCTL_PATH} run_sb_ovsdb --no-monitor \
+ --ovn-sb-log="${ovn_loglevel_sb}" &
+
+ wait_for_event attempts=3 process_ready ovnsb_db
+ echo "=============== sb-ovsdb ========== RUNNING"
+
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn-sbctl set-ssl ${ovn_sb_pk} ${ovn_sb_cert} ${ovn_ca_cert}
+ echo "=============== sb-ovsdb ========== reconfigured for SSL"
+ }
+ ovn-sbctl --inactivity-probe=0 set-connection p${transport}:${ovn_sb_port}:$(bracketify ${ovn_db_host})
+
+ # create the ovnkube-db endpoints
+ if memory_trim_on_compaction_supported "sbdb"
+ then
+ # Enable SBDB memory trimming on DB compaction, Every 10mins DBs are compacted
+ # memory on the heap is freed, when enable memory trimmming freed memory will go back to OS.
+ ovn-appctl -t ${OVN_RUNDIR}/ovnsb_db.ctl ovsdb-server/memory-trim-on-compaction on
+ fi
+ tail --follow=name ${OVN_LOGDIR}/ovsdb-server-sb.log &
+ ovn_tail_pid=$!
+
+ process_healthy ovnsb_db ${ovn_tail_pid}
+ echo "=============== run sb_ovsdb ========== terminated"
+}
+
+# v3 - Runs ovn-dbchecker on ovnkube-db pod.
+ovn-dbchecker() {
+ trap 'kill $(jobs -p); exit 0' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovn-dbchecker.pid
+
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}"
+
+ # wait for nb-ovsdb and sb-ovsdb to start
+ echo "=============== ovn-dbchecker (wait for nb-ovsdb) ========== OVNKUBE_DB"
+ wait_for_event attempts=15 process_ready ovnnb_db
+
+ echo "=============== ovn-dbchecker (wait for sb-ovsdb) ========== OVNKUBE_DB"
+ wait_for_event attempts=15 process_ready ovnsb_db
+
+ local ovn_db_ssl_opts=""
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn_db_ssl_opts="
+ --nb-client-privkey ${ovn_controller_pk}
+ --nb-client-cert ${ovn_controller_cert}
+ --nb-client-cacert ${ovn_ca_cert}
+ --nb-cert-common-name ${ovn_controller_cname}
+ --sb-client-privkey ${ovn_controller_pk}
+ --sb-client-cert ${ovn_controller_cert}
+ --sb-client-cacert ${ovn_ca_cert}
+ --sb-cert-common-name ${ovn_controller_cname}
+ "
+ }
+
+ echo "=============== ovn-dbchecker ========== OVNKUBE_DB"
+ /usr/bin/ovndbchecker \
+ --nb-address=${ovn_nbdb} --sb-address=${ovn_sbdb} \
+ ${ovn_db_ssl_opts} \
+ --loglevel=${ovnkube_loglevel} \
+ --logfile-maxsize=${ovnkube_logfile_maxsize} \
+ --logfile-maxbackups=${ovnkube_logfile_maxbackups} \
+ --logfile-maxage=${ovnkube_logfile_maxage} \
+ --pidfile ${OVN_RUNDIR}/ovn-dbchecker.pid \
+ --logfile /var/log/ovn-kubernetes/ovn-dbchecker.log &
+
+ echo "=============== ovn-dbchecker ========== running"
+ wait_for_event attempts=3 process_ready ovn-dbchecker
+
+ process_healthy ovn-dbchecker
+ exit 11
+}
+
+# v3 - Runs northd on master. Does not run nb_ovsdb, and sb_ovsdb
+run-ovn-northd() {
+ trap 'ovs-appctl -t ovn-northd exit >/dev/null 2>&1; exit 0' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovn-northd.pid
+ rm -f ${OVN_RUNDIR}/ovn-northd.*.ctl
+ mkdir -p ${OVN_RUNDIR}
+
+ echo "=============== run_ovn_northd ========== MASTER ONLY"
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}"
+ echo "ovn_northd_opts=${ovn_northd_opts}"
+ echo "ovn_loglevel_northd=${ovn_loglevel_northd}"
+
+ # no monitor (and no detach), start northd which connects to the
+ # ovnkube-db service
+ local ovn_northd_ssl_opts=""
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn_northd_ssl_opts="
+ --ovn-northd-ssl-key=${ovn_northd_pk}
+ --ovn-northd-ssl-cert=${ovn_northd_cert}
+ --ovn-northd-ssl-ca-cert=${ovn_ca_cert}
+ "
+ }
+
+ run_as_ovs_user_if_needed \
+ ${OVNCTL_PATH} start_northd \
+ --ovn-northd-priority=0 \
+ --no-monitor --ovn-manage-ovsdb=no \
+ --ovn-northd-nb-db=${ovn_nbdb_conn} --ovn-northd-sb-db=${ovn_sbdb_conn} \
+ ${ovn_northd_ssl_opts} \
+ --ovn-northd-log="${ovn_loglevel_northd}" \
+ ${ovn_northd_opts}
+
+ wait_for_event attempts=3 process_ready ovn-northd
+ echo "=============== run_ovn_northd ========== RUNNING"
+
+ tail --follow=name ${OVN_LOGDIR}/ovn-northd.log &
+ ovn_tail_pid=$!
+
+ process_healthy ovn-northd ${ovn_tail_pid}
+ exit 8
+}
+
+# v3 - run ovnkube --master
+ovn-master() {
+ trap 'kill $(jobs -p); exit 0' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovnkube-master.pid
+
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}"
+
+ # wait for northd to start
+ wait_for_event process_ready ovn-northd
+
+ # wait for ovs-servers to start since ovn-master sets some fields in OVS DB
+ echo "=============== ovn-master - (wait for ovs)"
+ wait_for_event ovs_ready
+
+ hybrid_overlay_flags=
+ if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then
+ hybrid_overlay_flags="--enable-hybrid-overlay"
+ if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then
+ hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}"
+ fi
+ fi
+ disable_snat_multiple_gws_flag=
+ if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then
+ disable_snat_multiple_gws_flag="--disable-snat-multiple-gws"
+ fi
+
+ disable_pkt_mtu_check_flag=
+ if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then
+ disable_pkt_mtu_check_flag="--disable-pkt-mtu-check"
+ fi
+
+ empty_lb_events_flag=
+ if [[ ${ovn_empty_lb_events} == "true" ]]; then
+ empty_lb_events_flag="--ovn-empty-lb-events"
+ fi
+
+ ovn_v4_join_subnet_opt=
+ if [[ -n ${ovn_v4_join_subnet} ]]; then
+ ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}"
+ fi
+
+ ovn_v6_join_subnet_opt=
+ if [[ -n ${ovn_v6_join_subnet} ]]; then
+ ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}"
+ fi
+
+ local ovn_master_ssl_opts=""
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn_master_ssl_opts="
+ --nb-client-privkey ${ovn_controller_pk}
+ --nb-client-cert ${ovn_controller_cert}
+ --nb-client-cacert ${ovn_ca_cert}
+ --nb-cert-common-name ${ovn_controller_cname}
+ --sb-client-privkey ${ovn_controller_pk}
+ --sb-client-cert ${ovn_controller_cert}
+ --sb-client-cacert ${ovn_ca_cert}
+ --sb-cert-common-name ${ovn_controller_cname}
+ "
+ }
+
+ ovn_acl_logging_rate_limit_flag=
+ if [[ -n ${ovn_acl_logging_rate_limit} ]]; then
+ ovn_acl_logging_rate_limit_flag="--acl-logging-rate-limit ${ovn_acl_logging_rate_limit}"
+ fi
+
+ multicast_enabled_flag=
+ if [[ ${ovn_multicast_enable} == "true" ]]; then
+ multicast_enabled_flag="--enable-multicast"
+ fi
+
+ egressip_enabled_flag=
+ if [[ ${ovn_egressip_enable} == "true" ]]; then
+ egressip_enabled_flag="--enable-egress-ip"
+ fi
+
+ egressip_healthcheck_port_flag=
+ if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then
+ egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}"
+ fi
+
+ egressfirewall_enabled_flag=
+ if [[ ${ovn_egressfirewall_enable} == "true" ]]; then
+ egressfirewall_enabled_flag="--enable-egress-firewall"
+ fi
+ echo "egressfirewall_enabled_flag=${egressfirewall_enabled_flag}"
+ egressqos_enabled_flag=
+ if [[ ${ovn_egressqos_enable} == "true" ]]; then
+ egressqos_enabled_flag="--enable-egress-qos"
+ fi
+
+ ovnkube_master_metrics_bind_address="${metrics_endpoint_ip}:9409"
+ local ovnkube_metrics_tls_opts=""
+ if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then
+ ovnkube_metrics_tls_opts="
+ --node-server-privkey ${OVNKUBE_METRICS_PK}
+ --node-server-cert ${OVNKUBE_METRICS_CERT}
+ "
+ fi
+
+ ovnkube_config_duration_enable_flag=
+ if [[ ${ovnkube_config_duration_enable} == "true" ]]; then
+ ovnkube_config_duration_enable_flag="--metrics-enable-config-duration"
+ fi
+ echo "ovnkube_config_duration_enable_flag: ${ovnkube_config_duration_enable_flag}"
+
+ echo "=============== ovn-master ========== MASTER ONLY"
+ /usr/bin/ovnkube \
+ --init-master ${K8S_NODE} \
+ --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \
+ --nb-address=${ovn_nbdb} --sb-address=${ovn_sbdb} \
+ --gateway-mode=${ovn_gateway_mode} \
+ --loglevel=${ovnkube_loglevel} \
+ --logfile-maxsize=${ovnkube_logfile_maxsize} \
+ --logfile-maxbackups=${ovnkube_logfile_maxbackups} \
+ --logfile-maxage=${ovnkube_logfile_maxage} \
+ ${hybrid_overlay_flags} \
+ ${disable_snat_multiple_gws_flag} \
+ ${empty_lb_events_flag} \
+ ${ovn_v4_join_subnet_opt} \
+ ${ovn_v6_join_subnet_opt} \
+ --pidfile ${OVN_RUNDIR}/ovnkube-master.pid \
+ --logfile /var/log/ovn-kubernetes/ovnkube-master.log \
+ ${ovn_master_ssl_opts} \
+ ${ovnkube_metrics_tls_opts} \
+ ${multicast_enabled_flag} \
+ ${ovn_acl_logging_rate_limit_flag} \
+ ${egressip_enabled_flag} \
+ ${egressip_healthcheck_port_flag} \
+ ${egressfirewall_enabled_flag} \
+ ${egressqos_enabled_flag} \
+ ${ovnkube_config_duration_enable_flag} \
+ --metrics-bind-address ${ovnkube_master_metrics_bind_address} \
+ --host-network-namespace ${ovn_host_network_namespace} &
+
+ echo "=============== ovn-master ========== running"
+ wait_for_event attempts=3 process_ready ovnkube-master
+
+ process_healthy ovnkube-master
+ exit 9
+}
+
+add-external-id-configs() {
+ ovs-vsctl get open . external-ids:system-id
+ if [ $? -eq 1 ]; then
+ ovs-vsctl set open . external-ids:system-id="$(uuidgen)"
+ fi
+
+ ovs-vsctl set open . external-ids:rundir="/var/run/openvswitch"
+ ovs-vsctl set open . external_ids:ovn-encap-ip="$ovn_encap_ip"
+ ovs-vsctl set open . external-ids:ovn-remote="{{ .Values.conf.ovn_remote }}"
+ ovs-vsctl set open . external-ids:ovn-encap-type="{{ .Values.conf.ovn_encap_type }}"
+ ovs-vsctl set open . external-ids:ovn-bridge="{{ .Values.conf.ovn_bridge }}"
+ ovs-vsctl set open . external-ids:ovn-bridge-mappings="{{ .Values.conf.ovn_bridge_mappings }}"
+ ovs-vsctl set open . external-ids:ovn-cms-options="{{ .Values.conf.ovn_cms_options }}"
+
+ {{- if .Values.conf.use_fqdn.compute }}
+ ovs-vsctl set open . external-ids:hostname="$ovn_pod_host.compute"
+ {{- else }}
+ ovs-vsctl set open . external-ids:hostname="$ovn_pod_host"
+ {{- end }}
+}
+
+# ovn-controller - all nodes
+ovn-controller() {
+ add-external-id-configs
+
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovn-controller.pid
+
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}"
+ echo "ovn_nbdb_conn ${ovn_nbdb_conn}"
+
+ echo "=============== ovn-controller start_controller"
+ rm -f /var/run/ovn-kubernetes/cni/*
+ rm -f ${OVN_RUNDIR}/ovn-controller.*.ctl
+
+ local ovn_controller_ssl_opts=""
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn_controller_ssl_opts="
+ --ovn-controller-ssl-key=${ovn_controller_pk}
+ --ovn-controller-ssl-cert=${ovn_controller_cert}
+ --ovn-controller-ssl-ca-cert=${ovn_ca_cert}
+ "
+ }
+ run_as_ovs_user_if_needed \
+ ${OVNCTL_PATH} --no-monitor start_controller \
+ --ovn-controller-priority=0 \
+ ${ovn_controller_ssl_opts} \
+ --ovn-controller-log="${ovn_loglevel_controller}" \
+ ${ovn_controller_opts}
+
+ tail --follow=name ${OVN_LOGDIR}/ovn-controller.log &
+ controller_tail_pid=$!
+
+ wait_for_event attempts=3 process_ready ovn-controller
+ echo "=============== ovn-controller ========== running"
+
+ process_healthy ovn-controller ${controller_tail_pid}
+ exit 10
+}
+
+# ovn-node - all nodes
+ovn-node() {
+ trap 'kill $(jobs -p) ; rm -f /etc/cni/net.d/10-ovn-kubernetes.conf ; exit 0' TERM
+ check_ovn_daemonset_version "3"
+ rm -f ${OVN_RUNDIR}/ovnkube.pid
+
+ if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
+ echo "=============== ovn-node - (wait for ovs)"
+ wait_for_event ovs_ready
+ fi
+
+ echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb} ovn_nbdb_conn ${ovn_nbdb_conn}"
+
+ if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
+ echo "=============== ovn-node - (ovn-node wait for ovn-controller.pid)"
+ wait_for_event process_ready ovn-controller
+ fi
+
+ ovn_routable_mtu_flag=
+ if [[ -n "${routable_mtu}" ]]; then
+ routable_mtu_flag="--routable-mtu ${routable_mtu}"
+ fi
+
+ hybrid_overlay_flags=
+ if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then
+ hybrid_overlay_flags="--enable-hybrid-overlay"
+ if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then
+ hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}"
+ fi
+ fi
+
+ disable_snat_multiple_gws_flag=
+ if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then
+ disable_snat_multiple_gws_flag="--disable-snat-multiple-gws"
+ fi
+
+ disable_pkt_mtu_check_flag=
+ if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then
+ disable_pkt_mtu_check_flag="--disable-pkt-mtu-check"
+ fi
+
+ multicast_enabled_flag=
+ if [[ ${ovn_multicast_enable} == "true" ]]; then
+ multicast_enabled_flag="--enable-multicast"
+ fi
+
+ egressip_enabled_flag=
+ if [[ ${ovn_egressip_enable} == "true" ]]; then
+ egressip_enabled_flag="--enable-egress-ip"
+ fi
+
+ egressip_healthcheck_port_flag=
+ if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then
+ egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}"
+ fi
+
+ disable_ovn_iface_id_ver_flag=
+ if [[ ${ovn_disable_ovn_iface_id_ver} == "true" ]]; then
+ disable_ovn_iface_id_ver_flag="--disable-ovn-iface-id-ver"
+ fi
+
+ netflow_targets=
+ if [[ -n ${ovn_netflow_targets} ]]; then
+ netflow_targets="--netflow-targets ${ovn_netflow_targets}"
+ fi
+
+ sflow_targets=
+ if [[ -n ${ovn_sflow_targets} ]]; then
+ sflow_targets="--sflow-targets ${ovn_sflow_targets}"
+ fi
+
+ ipfix_targets=
+ if [[ -n ${ovn_ipfix_targets} ]]; then
+ ipfix_targets="--ipfix-targets ${ovn_ipfix_targets}"
+ fi
+
+ ipfix_config=
+ if [[ -n ${ovn_ipfix_sampling} ]]; then
+ ipfix_config="--ipfix-sampling ${ovn_ipfix_sampling}"
+ fi
+ if [[ -n ${ovn_ipfix_cache_max_flows} ]]; then
+ ipfix_config="${ipfix_config} --ipfix-cache-max-flows ${ovn_ipfix_cache_max_flows}"
+ fi
+ if [[ -n ${ovn_ipfix_cache_active_timeout} ]]; then
+ ipfix_config="${ipfix_config} --ipfix-cache-active-timeout ${ovn_ipfix_cache_active_timeout}"
+ fi
+
+ monitor_all=
+ if [[ -n ${ovn_monitor_all} ]]; then
+ monitor_all="--monitor-all=${ovn_monitor_all}"
+ fi
+
+ ofctrl_wait_before_clear=
+ if [[ -n ${ovn_ofctrl_wait_before_clear} ]]; then
+ ofctrl_wait_before_clear="--ofctrl-wait-before-clear=${ovn_ofctrl_wait_before_clear}"
+ fi
+
+ enable_lflow_cache=
+ if [[ -n ${ovn_enable_lflow_cache} ]]; then
+ enable_lflow_cache="--enable-lflow-cache=${ovn_enable_lflow_cache}"
+ fi
+
+ lflow_cache_limit=
+ if [[ -n ${ovn_lflow_cache_limit} ]]; then
+ lflow_cache_limit="--lflow-cache-limit=${ovn_lflow_cache_limit}"
+ fi
+
+ lflow_cache_limit_kb=
+ if [[ -n ${ovn_lflow_cache_limit_kb} ]]; then
+ lflow_cache_limit_kb="--lflow-cache-limit-kb=${ovn_lflow_cache_limit_kb}"
+ fi
+
+ egress_interface=
+ if [[ -n ${ovn_ex_gw_network_interface} ]]; then
+ egress_interface="--exgw-interface ${ovn_ex_gw_network_interface}"
+ fi
+
+ ovn_encap_ip_flag=
+ if [[ ${ovn_encap_ip} != "" ]]; then
+ ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}"
+ else
+ ovn_encap_ip=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-encap-ip)
+ if [[ $? == 0 ]]; then
+ ovn_encap_ip=$(echo ${ovn_encap_ip} | tr -d '\"')
+ if [[ "${ovn_encap_ip}" != "" ]]; then
+ ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}"
+ fi
+ fi
+ fi
+
+ ovnkube_node_mode_flag=
+ if [[ ${ovnkube_node_mode} != "" ]]; then
+ ovnkube_node_mode_flag="--ovnkube-node-mode=${ovnkube_node_mode}"
+ if [[ ${ovnkube_node_mode} == "dpu" ]]; then
+ # encap IP is required for dpu, this is either provided via OVN_ENCAP_IP env variable or taken from ovs
+ if [[ ${ovn_encap_ip} == "" ]]; then
+ echo "ovn encap IP must be provided if \"ovnkube-node-mode\" set to \"dpu\". Exiting..."
+ exit 1
+ fi
+ fi
+ fi
+
+ ovnkube_node_mgmt_port_netdev_flag=
+ if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then
+ ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}"
+ fi
+
+ local ovn_node_ssl_opts=""
+ if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then
+ [[ "yes" == ${OVN_SSL_ENABLE} ]] && {
+ ovn_node_ssl_opts="
+ --nb-client-privkey ${ovn_controller_pk}
+ --nb-client-cert ${ovn_controller_cert}
+ --nb-client-cacert ${ovn_ca_cert}
+ --nb-cert-common-name ${ovn_controller_cname}
+ --sb-client-privkey ${ovn_controller_pk}
+ --sb-client-cert ${ovn_controller_cert}
+ --sb-client-cacert ${ovn_ca_cert}
+ --sb-cert-common-name ${ovn_controller_cname}
+ "
+ }
+ fi
+
+ ovn_unprivileged_flag="--unprivileged-mode"
+ if test -z "${OVN_UNPRIVILEGED_MODE+x}" -o "x${OVN_UNPRIVILEGED_MODE}" = xno; then
+ ovn_unprivileged_flag=""
+ fi
+
+ ovn_metrics_bind_address="${metrics_endpoint_ip}:9476"
+ ovnkube_node_metrics_bind_address="${metrics_endpoint_ip}:9410"
+
+ local ovnkube_metrics_tls_opts=""
+ if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then
+ ovnkube_metrics_tls_opts="
+ --node-server-privkey ${OVNKUBE_METRICS_PK}
+ --node-server-cert ${OVNKUBE_METRICS_CERT}
+ "
+ fi
+
+ echo "=============== ovn-node --init-node"
+ /usr/bin/ovnkube --init-node ${K8S_NODE} \
+ --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \
+ --nb-address=${ovn_nbdb} --sb-address=${ovn_sbdb} \
+ ${ovn_unprivileged_flag} \
+ --nodeport \
+ --mtu=${mtu} \
+ ${routable_mtu_flag} \
+ ${ovn_encap_ip_flag} \
+ --loglevel=${ovnkube_loglevel} \
+ --logfile-maxsize=${ovnkube_logfile_maxsize} \
+ --logfile-maxbackups=${ovnkube_logfile_maxbackups} \
+ --logfile-maxage=${ovnkube_logfile_maxage} \
+ ${hybrid_overlay_flags} \
+ ${disable_snat_multiple_gws_flag} \
+ ${disable_pkt_mtu_check_flag} \
+ --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \
+ --gateway-router-subnet=${ovn_gateway_router_subnet} \
+ --pidfile ${OVN_RUNDIR}/ovnkube.pid \
+ --logfile /var/log/ovn-kubernetes/ovnkube.log \
+ ${ovn_node_ssl_opts} \
+ ${ovnkube_metrics_tls_opts} \
+ --inactivity-probe=${ovn_remote_probe_interval} \
+ ${monitor_all} \
+ ${ofctrl_wait_before_clear} \
+ ${enable_lflow_cache} \
+ ${lflow_cache_limit} \
+ ${lflow_cache_limit_kb} \
+ ${multicast_enabled_flag} \
+ ${egressip_enabled_flag} \
+ ${egressip_healthcheck_port_flag} \
+ ${disable_ovn_iface_id_ver_flag} \
+ ${netflow_targets} \
+ ${sflow_targets} \
+ ${ipfix_targets} \
+ ${ipfix_config} \
+ --ovn-metrics-bind-address ${ovn_metrics_bind_address} \
+ --metrics-bind-address ${ovnkube_node_metrics_bind_address} \
+ ${ovnkube_node_mode_flag} \
+ ${egress_interface} \
+ --host-network-namespace ${ovn_host_network_namespace} \
+ ${ovnkube_node_mgmt_port_netdev_flag} &
+
+ wait_for_event attempts=3 process_ready ovnkube
+ if [[ ${ovnkube_node_mode} != "dpu" ]]; then
+ setup_cni
+ fi
+ echo "=============== ovn-node ========== running"
+
+ process_healthy ovnkube
+ exit 7
+}
+
+# cleanup-ovn-node - all nodes
+cleanup-ovn-node() {
+ check_ovn_daemonset_version "3"
+
+ rm -f /etc/cni/net.d/10-ovn-kubernetes.conf
+
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node - (wait for ovn-controller to exit)"
+ retries=0
+ while [[ ${retries} -lt 80 ]]; do
+ process_ready ovn-controller
+ if [[ $? != 0 ]]; then
+ break
+ fi
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node - (ovn-controller still running, wait)"
+ sleep 1
+ ((retries += 1))
+ done
+
+ echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node --cleanup-node"
+ /usr/bin/ovnkube --cleanup-node ${K8S_NODE} --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \
+ --k8s-token=${k8s_token} --k8s-apiserver=${K8S_APISERVER} --k8s-cacert=${K8S_CACERT} \
+ --loglevel=${ovnkube_loglevel} \
+ --logfile /var/log/ovn-kubernetes/ovnkube.log
+
+}
+
+# v3 - Runs ovn-kube-util in daemon mode to export prometheus metrics related to OVS.
+ovs-metrics() {
+ check_ovn_daemonset_version "3"
+
+ echo "=============== ovs-metrics - (wait for ovs_ready)"
+ wait_for_event ovs_ready
+
+ ovs_exporter_bind_address="${metrics_endpoint_ip}:9310"
+ /usr/bin/ovn-kube-util \
+ --loglevel=${ovnkube_loglevel} \
+ ovs-exporter \
+ --metrics-bind-address ${ovs_exporter_bind_address}
+
+ echo "=============== ovs-metrics with pid ${?} terminated ========== "
+ exit 1
+}
+
+echo "================== ovnkube.sh --- version: ${ovnkube_version} ================"
+
+echo " ==================== command: ${cmd}"
+display_version
+
+# display_env
+
+# Start the requested daemons
+# daemons come up in order
+# ovs-db-server - all nodes -- not done by this script (v3)
+# ovs-vswitchd - all nodes -- not done by this script (v3)
+# run-ovn-northd Runs ovn-northd as a process does not run nb_ovsdb or sb_ovsdb (v3)
+# nb-ovsdb Runs nb_ovsdb as a process (no detach or monitor) (v3)
+# sb-ovsdb Runs sb_ovsdb as a process (no detach or monitor) (v3)
+# ovn-dbchecker Runs ovndb checker alongside nb-ovsdb and sb-ovsdb containers (v3)
+# ovn-master - master only (v3)
+# ovn-controller - all nodes (v3)
+# ovn-node - all nodes (v3)
+# cleanup-ovn-node - all nodes (v3)
+
+get_ovn_db_vars
+
+case ${cmd} in
+"nb-ovsdb") # pod ovnkube-db container nb-ovsdb
+ nb-ovsdb
+ ;;
+"sb-ovsdb") # pod ovnkube-db container sb-ovsdb
+ sb-ovsdb
+ ;;
+"ovn-dbchecker") # pod ovnkube-db container ovn-dbchecker
+ ovn-dbchecker
+ ;;
+"run-ovn-northd") # pod ovnkube-master container run-ovn-northd
+ run-ovn-northd
+ ;;
+"ovn-master") # pod ovnkube-master container ovnkube-master
+ ovn-master
+ ;;
+"ovs-server") # pod ovnkube-node container ovs-daemons
+ ovs-server
+ ;;
+"ovn-controller") # pod ovnkube-node container ovn-controller
+ ovn-controller
+ ;;
+"ovn-node") # pod ovnkube-node container ovn-node
+ ovn-node
+ ;;
+"ovn-northd")
+ ovn-northd
+ ;;
+"display_env")
+ display_env
+ exit 0
+ ;;
+"display")
+ display
+ exit 0
+ ;;
+"ovn_debug")
+ ovn_debug
+ exit 0
+ ;;
+"cleanup-ovs-server")
+ cleanup-ovs-server
+ ;;
+"cleanup-ovn-node")
+ cleanup-ovn-node
+ ;;
+"nb-ovsdb-raft")
+ ovsdb-raft nb ${ovn_nb_port} ${ovn_nb_raft_port} ${ovn_nb_raft_election_timer}
+ ;;
+"sb-ovsdb-raft")
+ ovsdb-raft sb ${ovn_sb_port} ${ovn_sb_raft_port} ${ovn_sb_raft_election_timer}
+ ;;
+"ovs-metrics")
+ ovs-metrics
+ ;;
+*)
+ echo "invalid command ${cmd}"
+ echo "valid v3 commands: ovs-server nb-ovsdb sb-ovsdb run-ovn-northd ovn-master " \
+ "ovn-controller ovn-node display_env display ovn_debug cleanup-ovs-server " \
+ "cleanup-ovn-node nb-ovsdb-raft sb-ovsdb-raft"
+ exit 0
+ ;;
+esac
+
+exit 0
diff --git a/charts/ovn/templates/bin/_ovsdb-server.sh.tpl b/charts/ovn/templates/bin/_ovsdb-server.sh.tpl
new file mode 100644
index 0000000..e023505
--- /dev/null
+++ b/charts/ovn/templates/bin/_ovsdb-server.sh.tpl
@@ -0,0 +1,72 @@
+#!/bin/bash -xe
+
+# Copyright 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+COMMAND="${@:-start}"
+
+OVSDB_HOST=$(hostname -f)
+ARGS=(
+ --db-${OVS_DATABASE}-create-insecure-remote=yes
+ --db-${OVS_DATABASE}-cluster-local-proto=tcp
+ --db-${OVS_DATABASE}-cluster-local-addr=$(hostname -f)
+)
+
+if [[ ! $HOSTNAME == *-0 && $OVSDB_HOST =~ (.+)-([0-9]+)\. ]]; then
+ OVSDB_BOOTSTRAP_HOST="${BASH_REMATCH[1]}-0.${OVSDB_HOST#*.}"
+
+ ARGS+=(
+ --db-${OVS_DATABASE}-cluster-remote-proto=tcp
+ --db-${OVS_DATABASE}-cluster-remote-addr=${OVSDB_BOOTSTRAP_HOST}
+ )
+fi
+
+function start () {
+ /usr/share/ovn/scripts/ovn-ctl start_${OVS_DATABASE}_ovsdb ${ARGS[@]}
+
+ tail --follow=name /var/log/ovn/ovsdb-server-${OVS_DATABASE}.log
+}
+
+function stop () {
+ /usr/share/ovn/scripts/ovn-ctl stop_${OVS_DATABASE}_ovsdb
+ pkill tail
+}
+
+function liveness () {
+ if [[ $OVS_DATABASE == "nb" ]]; then
+ OVN_DATABASE="Northbound"
+ elif [[ $OVS_DATABASE == "sb" ]]; then
+ OVN_DATABASE="Southbound"
+ else
+ echo "OVS_DATABASE must be nb or sb"
+ exit 1
+ fi
+
+ ovs-appctl -t /var/run/ovn/ovn${OVS_DATABASE}_db.ctl cluster/status OVN_${OVN_DATABASE}
+}
+
+function readiness () {
+ if [[ $OVS_DATABASE == "nb" ]]; then
+ OVN_DATABASE="Northbound"
+ elif [[ $OVS_DATABASE == "sb" ]]; then
+ OVN_DATABASE="Southbound"
+ else
+ echo "OVS_DATABASE must be nb or sb"
+ exit 1
+ fi
+
+ ovs-appctl -t /var/run/ovn/ovn${OVS_DATABASE}_db.ctl cluster/status OVN_${OVN_DATABASE}
+}
+
+$COMMAND
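Review bot: `--db-${OVS_DATABASE}-create-insecure-remote=yes` in the ARGS array makes ovn-ctl open an unauthenticated plaintext TCP listener for the NB/SB database, and `cluster-local-proto=tcp` does the same for the raft traffic, so anything that can reach the pod network can read and rewrite the logical network that every ovn-controller trusts. The script provides no TLS path and the commit adds no NetworkPolicy, so at minimum a comment above ARGS should state this, e.g. `# NOTE: insecure-remote opens a ptcp listener with no auth; fence it with a NetworkPolicy or switch to ovn-ctl's --ovn-<db>-db-ssl-* options`. Separately, `COMMAND="${@:-start}"` followed by a bare `$COMMAND` executes whatever arguments the pod spec passes, not just the four functions defined here; a closed dispatch keeps the entrypoint from becoming a generic command runner. `liveness` and `readiness` are also byte-identical bodies and presumably only prove the unixctl socket answers, not that the member has quorum — worth a comment so nobody reads them as a raft health check.
```shell
case "${COMMAND}" in
  start|stop|liveness|readiness) "${COMMAND}" ;;
  *) echo "unknown command: ${COMMAND}" >&2; exit 1 ;;
esac
```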
diff --git a/charts/ovn/templates/configmap-bin.yaml b/charts/ovn/templates/configmap-bin.yaml
new file mode 100644
index 0000000..a849dd8
--- /dev/null
+++ b/charts/ovn/templates/configmap-bin.yaml
@@ -0,0 +1,35 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ovn-bin
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+ ovsdb-server.sh: |
+{{ tuple "bin/_ovsdb-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ovn-northd.sh: |
+{{ tuple "bin/_ovn-northd.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ovn-controller-init.sh: |
+{{ tuple "bin/_ovn-controller-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ ovn-controller.sh: |
+{{ tuple "bin/_ovn-controller.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/ovn/templates/configmap-etc.yaml b/charts/ovn/templates/configmap-etc.yaml
new file mode 100644
index 0000000..47b84be
--- /dev/null
+++ b/charts/ovn/templates/configmap-etc.yaml
@@ -0,0 +1,34 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "ovn.configmap.etc" }}
+{{- $configMapName := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- with $envAll }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $configMapName }}
+type: Opaque
+data:
+ auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }}
+
+{{- end }}
+{{- end }}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- list "ovn-etc" . | include "ovn.configmap.etc" }}
+{{- end }}
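Review bot: The object rendered by `ovn.configmap.etc` is a `Secret` (`kind: Secret`, `type: Opaque`), while the define name, `$configMapName` and the `manifests.configmap_etc` flag all say ConfigMap, which misleads anyone auditing which objects in the namespace hold secret material. The only key is `auto_bridge_add`, a bridge list that is not sensitive, so either rename the helper and variable to match the kind (`ovn.secret.etc`, `$secretName`) or add a template comment stating why it is a Secret, e.g. `{{/* Rendered as a Secret to follow the openstack-helm convention for /etc config; the contents are not sensitive. */}}` — I am inferring the convention from the bundled helm-toolkit, so confirm before wording it that way.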
diff --git a/charts/ovn/templates/daemonset-controller.yaml b/charts/ovn/templates/daemonset-controller.yaml
new file mode 100644
index 0000000..32222ee
--- /dev/null
+++ b/charts/ovn/templates/daemonset-controller.yaml
@@ -0,0 +1,98 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.daemonset_controller }}
+{{- $envAll := . }}
+
+{{- $configMapName := "ovn-etc" }}
+{{- $serviceAccountName := "ovn-controller" }}
+{{ tuple $envAll "ovn_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: ovn-controller
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-controller" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.ovn_controller.node_selector_key }}: {{ .Values.labels.ovn_controller.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_controller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ - name: controller-init
+{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
+ command:
+ - /tmp/ovn-controller-init.sh
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/ovn-controller-init.sh
+ subPath: ovn-controller-init.sh
+ readOnly: true
+ - name: run-openvswitch
+ mountPath: /run/openvswitch
+ - name: ovn-etc
+ mountPath: /tmp/auto_bridge_add
+ subPath: auto_bridge_add
+ readOnly: true
+ containers:
+ - name: controller
+{{ tuple $envAll "ovn_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/ovn-controller.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/ovn-controller.sh
+ - stop
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/ovn-controller.sh
+ subPath: ovn-controller.sh
+ readOnly: true
+ - name: run-openvswitch
+ mountPath: /run/openvswitch
+ volumes:
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0777
+ - name: run-openvswitch
+ hostPath:
+ path: /run/openvswitch
+ type: DirectoryOrCreate
+ - name: ovn-etc
+ secret:
+ secretName: {{ $configMapName }}
+ defaultMode: 0444
+{{- end }}
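Review bot: The `ovn-bin` volume in this DaemonSet uses `defaultMode: 0777`, while every other workload in the commit mounts the same ConfigMap with `0555`; the scripts only need execute, and a world-writable mode is what a policy scanner will flag even though the kubelet mounts ConfigMaps read-only — change it to `defaultMode: 0555`. The `controller-init` init container also gets no `kubernetes_container_security_context` include, unlike the `controller` container right after it, yet it is the one writing into the `/run/openvswitch` hostPath; add `{{ dict "envAll" $envAll "application" "ovn_controller" "container" "controller_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` under its image line, with a matching `pod.security_context.ovn_controller.container.controller_init` entry in values (not visible here, so confirm the key layout).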
diff --git a/charts/ovn/templates/deployment-northd.yaml b/charts/ovn/templates/deployment-northd.yaml
new file mode 100644
index 0000000..e3afdd0
--- /dev/null
+++ b/charts/ovn/templates/deployment-northd.yaml
@@ -0,0 +1,87 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "livenessProbeTemplate" }}
+exec:
+ command:
+ - /tmp/ovn-northd.sh
+ - liveness
+{{- end }}
+
+{{- define "readinessProbeTemplate" }}
+exec:
+ command:
+ - /tmp/ovn-northd.sh
+ - readiness
+{{- end }}
+
+{{- if .Values.manifests.deployment_northd }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ovn-northd" }}
+{{ tuple $envAll "ovn_northd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: ovn-northd
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-northd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.ovn_northd }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-northd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-northd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ nodeSelector:
+ {{ .Values.labels.ovn_northd.node_selector_key }}: {{ .Values.labels.ovn_northd.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_northd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: northd
+{{ tuple $envAll "ovn_northd" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ovn_northd" "container" "northd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "liveness" "probeTemplate" (include "livenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+{{ dict "envAll" . "component" "ovn_northd" "container" "northd" "type" "readiness" "probeTemplate" (include "readinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
+ command:
+ - /tmp/ovn-northd.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/ovn-northd.sh
+ - stop
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/ovn-northd.sh
+ subPath: ovn-northd.sh
+ readOnly: true
+ volumes:
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0555
+{{- end }}
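Review bot: `livenessProbeTemplate` and `readinessProbeTemplate` are defined as bare global names; Helm `define` names are chart-global and shared with subcharts, so any other template in this chart or in the bundled helm-toolkit that defines the same names silently wins, and the probe would then exec a different script. Prefix them with the chart and component — `{{- define "ovn.northd.livenessProbeTemplate" }}` and `{{- define "ovn.northd.readinessProbeTemplate" }}` — and update the two `include` calls in the container spec to match.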
diff --git a/charts/ovn/templates/service-nb-db.yaml b/charts/ovn/templates/service-nb-db.yaml
new file mode 100644
index 0000000..7599c30
--- /dev/null
+++ b/charts/ovn/templates/service-nb-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ovn_nb_db }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "ovn-nb-db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: ovn-nb-db
+ port: {{ tuple "ovn-nb-db" "internal" "db" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "ovn" "ovn-nb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/ovn/templates/service-ovsdb-nb.yaml b/charts/ovn/templates/service-ovsdb-nb.yaml
new file mode 100644
index 0000000..39dbaf3
--- /dev/null
+++ b/charts/ovn/templates/service-ovsdb-nb.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ovn_ovsdb_nb }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: ovsdb
+ port: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/ovn/templates/service-ovsdb-sb.yaml b/charts/ovn/templates/service-ovsdb-sb.yaml
new file mode 100644
index 0000000..871540b
--- /dev/null
+++ b/charts/ovn/templates/service-ovsdb-sb.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ovn_ovsdb_sb }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: ovsdb
+ port: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/ovn/templates/service-sb-db.yaml b/charts/ovn/templates/service-sb-db.yaml
new file mode 100644
index 0000000..c3723f9
--- /dev/null
+++ b/charts/ovn/templates/service-sb-db.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_ovn_sb_db }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ tuple "ovn-sb-db" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+ ports:
+ - name: ovn-sb-db
+ port: {{ tuple "ovn-sb-db" "internal" "db" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ selector:
+{{ tuple $envAll "ovn" "ovn-sb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/ovn/templates/statefulset-nb-db.yaml b/charts/ovn/templates/statefulset-nb-db.yaml
new file mode 100644
index 0000000..78d7b56
--- /dev/null
+++ b/charts/ovn/templates/statefulset-nb-db.yaml
@@ -0,0 +1,85 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_ovn_nb_db }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ovn-nb-db" }}
+{{ tuple $envAll "ovn_nb_db" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: ovn-nb-db
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-nb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ serviceName: {{ tuple "ovn-nb-db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ replicas: 1
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-nb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-nb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{- tuple $envAll "ovn" "ovn-nb-db" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.ovn_nb_db.node_selector_key }}: {{ .Values.labels.ovn_nb_db.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_nb_db" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ovn-nb-db
+{{ tuple $envAll "ovn_nb_db" | include "helm-toolkit.snippets.image" | indent 10 }}
+ ports:
+ - containerPort: {{ tuple "ovn-nb-db" "internal" "db" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ command:
+ - /tmp/start.sh
+ - nb-ovsdb
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/start.sh
+ subPath: ovn.sh
+ readOnly: true
+ - name: ovn-nb-db-data
+ mountPath: /var/lib/ovn
+ volumes:
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0555
+{{- if not .Values.volume.ovn_nb_db.enabled }}
+ - name: ovn-nb-db-data
+ emptyDir: {}
+{{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: ovn-nb-db-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: {{ $envAll.Values.volume.ovn_nb_db.size }}
+ storageClassName: {{ $envAll.Values.volume.ovn_nb_db.class_name }}
+{{- end }}
+
+{{- end }}
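Review bot: The `ovn-bin` mount uses `subPath: ovn.sh`, but the `ovn-bin` ConfigMap rendered in this same commit only has the keys `ovsdb-server.sh`, `ovn-northd.sh`, `ovn-controller-init.sh` and `ovn-controller.sh`, so the kubelet will fail the mount and this pod never starts. The command `/tmp/start.sh nb-ovsdb` points at the ovnkube.sh entrypoint while a second StatefulSet, `ovn-ovsdb-nb`, serves the same database through `ovsdb-server.sh`; one of the two should be dropped, or the missing key added to the ConfigMap. This StatefulSet also carries no `configmap-bin-hash` pod annotation, unlike the others, so script changes would not roll it, and its container has no `kubernetes_container_security_context` include.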
diff --git a/charts/ovn/templates/statefulset-ovsdb-nb.yaml b/charts/ovn/templates/statefulset-ovsdb-nb.yaml
new file mode 100644
index 0000000..8d81e62
--- /dev/null
+++ b/charts/ovn/templates/statefulset-ovsdb-nb.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_ovn_ovsdb_nb }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ovn-ovsdb-nb" }}
+{{ tuple $envAll "ovn_ovsdb_nb" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: ovn-ovsdb-nb
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ serviceName: {{ tuple "ovn-ovsdb-nb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ replicas: {{ .Values.pod.replicas.ovn_ovsdb_nb }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{- tuple $envAll "ovn" "ovn-ovsdb-nb" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.ovn_ovsdb_nb.node_selector_key }}: {{ .Values.labels.ovn_ovsdb_nb.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_ovsdb_nb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ovsdb
+{{ tuple $envAll "ovn_ovsdb_nb" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ ports:
+ - containerPort: {{ tuple "ovn-ovsdb-nb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ env:
+ - name: OVS_DATABASE
+ value: nb
+ command:
+ - /tmp/ovsdb-server.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/ovsdb-server.sh
+ - stop
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/ovsdb-server.sh
+ subPath: ovsdb-server.sh
+ readOnly: true
+ - name: run-openvswitch
+ mountPath: /run/openvswitch
+ - name: data
+ mountPath: /var/lib/ovn
+ volumes:
+ - name: run-openvswitch
+ emptyDir: {}
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0555
+{{- if not .Values.volume.ovn_ovsdb_nb.enabled }}
+ - name: data
+ emptyDir: {}
+{{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: {{ $envAll.Values.volume.ovn_ovsdb_nb.class_name }}
+ resources:
+ requests:
+ storage: {{ $envAll.Values.volume.ovn_ovsdb_nb.size }}
+{{- end }}
+
+{{- end }}
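Review bot: `ovsdb-server.sh` defines `liveness` and `readiness` functions, but this StatefulSet wires neither a livenessProbe nor a readinessProbe, so a member whose ovsdb-server has died stays Ready (the foreground process is `tail --follow=name` on the log, which presumably outlives the server) and the `ovn-ovsdb-nb` Service keeps routing ovn-northd and ovn-controller to it. Mirror the pattern used in deployment-northd with component-prefixed define names and the toolkit probe snippet; this assumes a `pod.probes.ovn_ovsdb_nb.ovsdb` values entry, which is not visible here.
```yaml
{{- define "ovn.ovsdb-nb.livenessProbeTemplate" }}
exec:
  command:
    - /tmp/ovsdb-server.sh
    - liveness
{{- end }}

{{- define "ovn.ovsdb-nb.readinessProbeTemplate" }}
exec:
  command:
    - /tmp/ovsdb-server.sh
    - readiness
{{- end }}
# … unchanged: StatefulSet metadata and pod template up to the resources snippet …
{{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "liveness" "probeTemplate" (include "ovn.ovsdb-nb.livenessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
{{ dict "envAll" . "component" "ovn_ovsdb_nb" "container" "ovsdb" "type" "readiness" "probeTemplate" (include "ovn.ovsdb-nb.readinessProbeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }}
```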
diff --git a/charts/ovn/templates/statefulset-ovsdb-sb.yaml b/charts/ovn/templates/statefulset-ovsdb-sb.yaml
new file mode 100644
index 0000000..826a67b
--- /dev/null
+++ b/charts/ovn/templates/statefulset-ovsdb-sb.yaml
@@ -0,0 +1,99 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_ovn_ovsdb_sb }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ovn-ovsdb-sb" }}
+{{ tuple $envAll "ovn_ovsdb_sb" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: ovn-ovsdb-sb
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ serviceName: {{ tuple "ovn-ovsdb-sb" "direct" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ replicas: {{ .Values.pod.replicas.ovn_ovsdb_sb }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{- tuple $envAll "ovn" "ovn-ovsdb-sb" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.ovn_ovsdb_sb.node_selector_key }}: {{ .Values.labels.ovn_ovsdb_sb.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_ovsdb_sb" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ovsdb
+{{ tuple $envAll "ovn_ovsdb_sb" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ ports:
+ - containerPort: {{ tuple "ovn-ovsdb-sb" "internal" "ovsdb" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ env:
+ - name: OVS_DATABASE
+ value: sb
+ command:
+ - /tmp/ovsdb-server.sh
+ - start
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /tmp/ovsdb-server.sh
+ - stop
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/ovsdb-server.sh
+ subPath: ovsdb-server.sh
+ readOnly: true
+ - name: run-openvswitch
+ mountPath: /run/openvswitch
+ - name: data
+ mountPath: /var/lib/ovn
+ volumes:
+ - name: run-openvswitch
+ emptyDir: {}
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0555
+{{- if not .Values.volume.ovn_ovsdb_sb.enabled }}
+ - name: data
+ emptyDir: {}
+{{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: {{ $envAll.Values.volume.ovn_ovsdb_sb.size }}
+ storageClassName: {{ $envAll.Values.volume.ovn_ovsdb_sb.class_name }}
+{{- end }}
+
+{{- end }}
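Review bot: The `ovsdb` container has no `kubernetes_container_security_context` include, unlike `northd` and `controller` in this same commit, so it runs as whatever user the image defaults to; the Southbound database is the source of truth every ovn-controller programs flows from, so it deserves the same hardening, e.g. `{{ dict "envAll" $envAll "application" "ovn_ovsdb_sb" "container" "ovsdb" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources line, with a matching `pod.security_context.ovn_ovsdb_sb` values entry (not visible here). The `run-openvswitch` volume is an `emptyDir` rather than the node hostPath that ovn-controller uses, which is the right isolation, but `ovsdb-server.sh` never references `/run/openvswitch` — if ovn-ctl does not need it either, drop the mount; otherwise add a one-line comment on the volume saying which process writes there.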
diff --git a/charts/ovn/templates/statefulset-sb-db.yaml b/charts/ovn/templates/statefulset-sb-db.yaml
new file mode 100644
index 0000000..37c2ee0
--- /dev/null
+++ b/charts/ovn/templates/statefulset-sb-db.yaml
@@ -0,0 +1,85 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.statefulset_ovn_sb_db }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := "ovn-sb-db" }}
+{{ tuple $envAll "ovn_sb_db" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: ovn-sb-db
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "ovn" "ovn-sb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ serviceName: {{ tuple "ovn-sb-db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ replicas: 1
+ selector:
+ matchLabels:
+{{ tuple $envAll "ovn" "ovn-sb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ labels:
+{{ tuple $envAll "ovn" "ovn-sb-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{- tuple $envAll "ovn" "ovn-sb-db" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.ovn_sb_db.node_selector_key }}: {{ .Values.labels.ovn_sb_db.node_selector_value }}
+ initContainers:
+{{- tuple $envAll "ovn_sb_db" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - name: ovn-sb-db
+{{ tuple $envAll "ovn_sb_db" | include "helm-toolkit.snippets.image" | indent 10 }}
+ ports:
+ - containerPort: {{ tuple "ovn-sb-db" "internal" "db" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ command:
+ - /tmp/start.sh
+ - sb-ovsdb
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ volumeMounts:
+ - name: ovn-bin
+ mountPath: /tmp/start.sh
+ subPath: ovn.sh
+ readOnly: true
+ - name: ovn-sb-db-data
+ mountPath: /var/lib/ovn
+ volumes:
+ - name: ovn-bin
+ configMap:
+ name: ovn-bin
+ defaultMode: 0555
+{{- if not .Values.volume.ovn_sb_db.enabled }}
+ - name: ovn-sb-db-data
+ emptyDir: {}
+{{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: ovn-sb-db-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: {{ $envAll.Values.volume.ovn_sb_db.size }}
+ storageClassName: {{ $envAll.Values.volume.ovn_sb_db.class_name }}
+{{- end }}
+
+{{- end }}
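Review bot: This template cannot render as shipped: it is gated on `.Values.manifests.statefulset_ovn_sb_db` (L12450), which values.yaml in this same commit does not define (it has `statefulset_ovn_ovsdb_sb` instead), and it also reads `.Values.labels.ovn_sb_db`, `.Values.volume.ovn_sb_db`, an `ovn_sb_db` image tag and an `ovn-sb-db` endpoint that values.yaml lacks — so today it is dead, and flipping the flag on would fail on nil lookups. It duplicates the `ovn-ovsdb-sb` StatefulSet whose tail is visible above, with a different entrypoint (`/tmp/start.sh sb-ovsdb` from `ovn.sh` rather than `ovsdb-server.sh`), no `preStop` hook, and `replicas: 1` hard-coded instead of `pod.replicas`. Unless this is the definition meant to survive, delete it rather than carry two southbound-DB StatefulSets whose values keys drift. Either way, neither StatefulSet sets a pod or container `securityContext` (no `runAsNonRoot`, `allowPrivilegeEscalation: false`, or `readOnlyRootFilesystem`), so the ovsdb container runs with whatever user and capabilities the image defaults to; the helm-toolkit `kubernetes_container_security_context` snippet used elsewhere in OpenStack-Helm would let `pod.security_context` in values.yaml drive this.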
diff --git a/charts/ovn/values.yaml b/charts/ovn/values.yaml
new file mode 100644
index 0000000..6774dcf
--- /dev/null
+++ b/charts/ovn/values.yaml
@@ -0,0 +1,317 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for openvswitch.
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+release_group: null
+
+images:
+ tags:
+ ovn_ovsdb_nb: docker.io/openstackhelm/ovn:latest-ubuntu_focal
+ ovn_ovsdb_sb: docker.io/openstackhelm/ovn:latest-ubuntu_focal
+ ovn_northd: docker.io/openstackhelm/ovn:latest-ubuntu_focal
+ ovn_controller: docker.io/openstackhelm/ovn:latest-ubuntu_focal
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/library/docker:17.07.0
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ ovn_ovsdb_nb:
+ node_selector_key: openstack-network-node
+ node_selector_value: enabled
+ ovn_ovsdb_sb:
+ node_selector_key: openstack-network-node
+ node_selector_value: enabled
+ ovn_northd:
+ node_selector_key: openstack-network-node
+ node_selector_value: enabled
+ ovn_controller:
+ node_selector_key: openvswitch
+ node_selector_value: enabled
+
+volume:
+ ovn_ovsdb_nb:
+ enabled: true
+ class_name: general
+ size: 5Gi
+ ovn_ovsdb_sb:
+ enabled: true
+ class_name: general
+ size: 5Gi
+
+network:
+ interface:
+ # Tunnel interface will be used for VXLAN tunneling.
+ tunnel: null
+ # If tunnel is null there is a fallback mechanism to search
+ # for interface with routing using tunnel network cidr.
+ tunnel_network_cidr: "0/0"
+
+conf:
+ ovn_cms_options: "enable-chassis-as-gw,availability-zones=nova"
+ ovn_encap_type: geneve
+ ovn_bridge: br-int
+ ovn_bridge_mappings: external:br-ex
+
+ # auto_bridge_add:
+ # br-private: eth0
+ # br-public: eth1
+ auto_bridge_add: {}
+
+ # NOTE: should be same as nova.conf.use_fqdn.compute
+ use_fqdn:
+ compute: true
+
+pod:
+ security_context:
+ ovn_northd:
+ container:
+ northd:
+ capabilities:
+ add:
+ - SYS_NICE
+ ovn_controller:
+ container:
+ controller:
+ capabilities:
+ add:
+ - SYS_NICE
+ tolerations:
+ ovn_ovsdb_nb:
+ enabled: false
+ ovn_ovsdb_sb:
+ enabled: false
+ ovn_northd:
+ enabled: false
+ ovn_controller:
+ enabled: false
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ weight:
+ default: 10
+
+ probes:
+ ovn_northd:
+ northd:
+ readiness:
+ enabled: true
+ params:
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ liveness:
+ enabled: true
+ params:
+ initialDelaySeconds: 5
+ timeoutSeconds: 10
+ dns_policy: "ClusterFirstWithHostNet"
+ replicas:
+ ovn_ovsdb_nb: 1
+ ovn_ovsdb_sb: 1
+ ovn_northd: 1
+ lifecycle:
+ upgrades:
+ daemonsets:
+ pod_replacement_strategy: RollingUpdate
+ ovn_ovsdb_nb:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ ovn_ovsdb_sb:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ ovn_northd:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ ovn_controller:
+ enabled: true
+ min_ready_seconds: 0
+ max_unavailable: 1
+ resources:
+ enabled: false
+ ovs:
+ ovn_ovsdb_nb:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ovn_ovsdb_sb:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ovn_northd:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ ovn_controller:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+secrets:
+ oci_image_registry:
+ ovn_ovsdb_nb: ovn-ovsdb-nb-oci-image-registry-key
+ ovn_ovsdb_sb: ovn-ovsdb-sb-oci-image-registry-key
+ ovn_northd: ovn-northd-oci-image-registry-key
+ ovn_controller: ovn-controller-oci-image-registry-key
+
+# TODO: Check these endpoints?!
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ openvswitch:
+ username: openvswitch
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
+ ovn_ovsdb_nb:
+ name: ovn-ovsdb-nb
+ namespace: null
+ hosts:
+ default: ovn-ovsdb-nb
+ host_fqdn_override:
+ default: null
+ port:
+ ovsdb:
+ default: 6643
+ ovn_ovsdb_sb:
+ name: ovn-ovsdb-sb
+ namespace: null
+ hosts:
+ default: ovn-ovsdb-sb
+ host_fqdn_override:
+ default: null
+ port:
+ ovsdb:
+ default: 6644
+
+network_policy:
+ ovn_ovsdb_nb:
+ ingress:
+ - {}
+ egress:
+ - {}
+ ovn_ovsdb_sb:
+ ingress:
+ - {}
+ egress:
+ - {}
+ ovn_northd:
+ ingress:
+ - {}
+ egress:
+ - {}
+ ovn_controller:
+ ingress:
+ - {}
+ egress:
+ - {}
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - openvswitch-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ ovn_ovsdb_nb: null
+ ovn_ovsdb_sb: null
+ ovn_northd:
+ services:
+ - endpoint: internal
+ service: ovn-ovsdb-nb
+ - endpoint: internal
+ service: ovn-ovsdb-sb
+ ovn_controller:
+ services:
+ - endpoint: internal
+ service: ovn-ovsdb-sb
+ pod:
+ - requireSameNode: true
+ labels:
+ application: openvswitch
+ component: server
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+
+manifests:
+ configmap_bin: true
+ configmap_etc: true
+ deployment_northd: true
+ daemonset_controller: true
+ service_ovn_ovsdb_nb: true
+ service_ovn_ovsdb_sb: true
+ statefulset_ovn_ovsdb_nb: true
+ statefulset_ovn_ovsdb_sb: true
+ deployment_ovn_northd: true
+ daemonset_ovn_controller: true
+ job_image_repo_sync: true
+...
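Review bot: `pod.resources` at L12679-L12709 puts the per-component requests and limits under `pod.resources.ovs`, but the chart templates look up `$envAll.Values.pod.resources.server` (L12383, L12492), a key this file never defines; with `resources.enabled: false` nothing is rendered either way, but the moment an operator enables limits the values written here will not be applied (whether the snippet renders `null` or errors on a nil component is not visible from here) — rename the key to `server` or point the templates at `ovs.<component>`. Two hygiene points in the same file: `images.tags` all use the mutable `latest-ubuntu_focal` tag (Atmosphere overrides them via `_ovn_helm_values`, but anyone consuming the chart directly gets an unpinned image), and `endpoints.oci_image_registry.auth.openvswitch` (`username: openvswitch`, `password: password`) together with `dependencies.dynamic.common.local_image_registry.jobs: - openvswitch-image-repo-sync` look copied from the openvswitch chart — the job this chart's `job_image_repo_sync` manifest would create is presumably `ovn-image-repo-sync`, so the dependency name should match. Finally, `network_policy` defaults to `ingress: [{}]`/`egress: [{}]`, i.e. allow-all, for the NB/SB ovsdb ports (6643/6644) that carry no authentication of their own; a comment such as `# NOTE: ovsdb endpoints are unauthenticated TCP - restrict ingress to neutron/northd/controller pods in production overrides` would make that trade-off explicit.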
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index c866e0d..fcf2d89 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -132,6 +132,16 @@
curl -sL https://github.com/rancher/local-path-provisioner/archive/refs/tags/v${LOCAL_PATH_PROVISIONER_VERSION}.tar.gz \
| tar -xz -C ${ATMOSPHERE}/charts --strip-components=3 local-path-provisioner-${LOCAL_PATH_PROVISIONER_VERSION}/deploy/chart/
+OVN_VERSION=0.1.2
+curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/ovn-${OVN_VERSION}.tgz \
+ | tar -xz -C ${ATMOSPHERE}/charts
+curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm-infra~889187/revisions/4/patch?download' \
+ | base64 --decode \
+ | filterdiff -p1 -x 'releasenotes/*' \
+ | filterdiff -p2 -x 'Chart.yaml' \
+ | filterdiff -p1 -i 'ovn/*' \
+ | patch -p2 -d ${ATMOSPHERE}/charts/ovn
+
NEUTRON_VERSION=0.3.15
curl -sL https://tarballs.opendev.org/openstack/openstack-helm/neutron-${NEUTRON_VERSION}.tgz \
| tar -xz -C ${ATMOSPHERE}/charts
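Review bot: The Gerrit patch at L12854 is fetched with a bare `curl` (no `-f`/`--fail`, and not even the `-sL` the surrounding lines use) and piped straight into `base64 --decode | filterdiff | patch`, so an HTTP error page or truncated download would be handed to `patch` instead of aborting the sync. Unlike the release tarballs around it, this pulls an unmerged review revision and nothing checks its content; the revision number pins what you asked for, not what you received. Suggest `curl -sfL 'https://review.opendev.org/changes/openstack%2Fopenstack-helm-infra~889187/revisions/4/patch?download' | base64 --decode > /tmp/ovn-889187.patch` followed by a `sha256sum -c` against a checksum committed next to this script, or simply vendoring the patch file into the repo and applying it from disk. Whether `set -o pipefail` is in effect for this script is outside the hunk.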
diff --git a/molecule/ceph/group_vars/all/molecule.yml b/molecule/ceph/group_vars/all/molecule.yml
index 8bed0fc..23d82d0 100644
--- a/molecule/ceph/group_vars/all/molecule.yml
+++ b/molecule/ceph/group_vars/all/molecule.yml
@@ -76,6 +76,17 @@
coredns_helm_values:
replicaCount: 1
+ovn_enabled: "{{ lookup('env', 'OVN_ENABLED') | default('false') | bool }}"
+ovn_helm_values:
+ conf:
+ auto_bridge_add:
+ br-ex: eth1
+ pod:
+ replicas:
+ ovn_ovsdb_nb: 1
+ ovn_ovsdb_sb: 1
+ ovn_northd: 1
+
nova_helm_values:
conf:
nova:
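Review bot: `default('false')` at L12871 never takes effect when the variable is unset, because `lookup('env', 'OVN_ENABLED')` returns an empty string rather than an undefined value; the expression works today only because `'' | bool` happens to evaluate false. Make the fallback explicit with `lookup('env', 'OVN_ENABLED') | default('false', true) | bool` (the second argument applies the default to empty values too), or pass it to the lookup itself: `lookup('env', 'OVN_ENABLED', default='false') | bool`.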
diff --git a/playbooks/openstack.yml b/playbooks/openstack.yml
index 97bff43..dbfd943 100644
--- a/playbooks/openstack.yml
+++ b/playbooks/openstack.yml
@@ -147,6 +147,11 @@
tags:
- nova
+ - role: ovn
+ when: ovn_enabled | default(false)
+ tags:
+ - ovn
+
- role: neutron
tags:
- neutron
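Review bot: `when: ovn_enabled | default(false)` at L12893 omits the `| bool` that `neutron_ovn_enabled` applies to the same variable in roles/neutron/defaults/main.yml, so the two guards can disagree if `ovn_enabled` is ever supplied as a string such as `"false"` from an inventory file or `-e` (a non-empty string is truthy in a `when` expression). Use `when: ovn_enabled | default(false) | bool` so both sides normalise the value the same way.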
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index cadca4b..6b85485 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -18,11 +18,11 @@
barbican_db_sync: quay.io/vexxhost/barbican@sha256:fde302ee731cca6019feaf87400f5a377c3e38f459bc88d4c7677f2967e0939b # image-source: quay.io/vexxhost/barbican:zed
bootstrap: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
ceph_config_helper: quay.io/vexxhost/libvirtd@sha256:d400204e0332dc815827e5902038a1c672446c58633ba97ede9e20f8ae9a2349 # image-source: quay.io/vexxhost/libvirtd:yoga-focal
+ ceph: quay.io/ceph/ceph:v16.2.11
cert_manager_cainjector: quay.io/jetstack/cert-manager-cainjector:v1.7.1
cert_manager_cli: quay.io/jetstack/cert-manager-ctl:v1.7.1
cert_manager_controller: quay.io/jetstack/cert-manager-controller:v1.7.1
cert_manager_webhook: quay.io/jetstack/cert-manager-webhook:v1.7.1
- ceph: quay.io/ceph/ceph:v16.2.11
cilium_node: quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
cilium_operator: quay.io/cilium/operator-generic:v1.13.3@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
cinder_api: quay.io/vexxhost/cinder@sha256:875bc983a9c2a2d1fb6a952d147f2474a169dc77eb9dff4741f3a185c28753fb # image-source: quay.io/vexxhost/cinder:zed
@@ -85,7 +85,6 @@
ks_endpoints: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
ks_service: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
ks_user: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
- kubectl: docker.io/bitnami/kubectl@sha256:bd420268ae3424b3ab3174e26b895fd8dc464589a8cd62654b9aa739d00ff280 # image-source: docker.io/bitnami/kubectl:latest
kube_apiserver: registry.k8s.io/kube-apiserver:v1.22.17
kube_controller_manager: registry.k8s.io/kube-controller-manager:v1.22.17
kube_coredns: registry.k8s.io/coredns/coredns:v1.8.4
@@ -93,11 +92,12 @@
kube_proxy: registry.k8s.io/kube-proxy:v1.22.17
kube_scheduler: registry.k8s.io/kube-scheduler:v1.22.17
kube_state_metrics: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.6.0
+ kubectl: docker.io/bitnami/kubectl@sha256:bd420268ae3424b3ab3174e26b895fd8dc464589a8cd62654b9aa739d00ff280 # image-source: docker.io/bitnami/kubectl:latest
libvirt: quay.io/vexxhost/libvirtd@sha256:d400204e0332dc815827e5902038a1c672446c58633ba97ede9e20f8ae9a2349 # image-source: quay.io/vexxhost/libvirtd:yoga-focal
local_path_provisioner_helper: docker.io/library/busybox:1.36.0
local_path_provisioner: docker.io/rancher/local-path-provisioner:v0.0.24
- loki: docker.io/grafana/loki:2.7.3
loki_gateway: docker.io/nginxinc/nginx-unprivileged:1.19-alpine
+ loki: docker.io/grafana/loki:2.7.3
magnum_api: quay.io/vexxhost/magnum-cluster-api@sha256:ac6c27b0bc758175649114be6a5b5003fc9803eba9ad2c90e58fa1b56f0aadfb # image-source: quay.io/vexxhost/magnum-cluster-api:zed
magnum_cluster_api_proxy: quay.io/vexxhost/magnum-cluster-api@sha256:ac6c27b0bc758175649114be6a5b5003fc9803eba9ad2c90e58fa1b56f0aadfb # image-source: quay.io/vexxhost/magnum-cluster-api:zed
magnum_conductor: quay.io/vexxhost/magnum-cluster-api@sha256:ac6c27b0bc758175649114be6a5b5003fc9803eba9ad2c90e58fa1b56f0aadfb # image-source: quay.io/vexxhost/magnum-cluster-api:zed
@@ -151,6 +151,10 @@
octavia_worker: quay.io/vexxhost/octavia@sha256:9065365ed1d731e5130dcf7d600bc8dc8ffa158093c53dd151eddfe49a29a5ee # image-source: quay.io/vexxhost/octavia:zed
openvswitch_db_server: quay.io/vexxhost/openvswitch:2.17.3
openvswitch_vswitchd: quay.io/vexxhost/openvswitch:2.17.3
+ ovn_controller: quay.io/vexxhost/ovn-host:23.03.0
+ ovn_northd: quay.io/vexxhost/ovn-central:23.03.0
+ ovn_ovsdb_nb: quay.io/vexxhost/ovn-central:23.03.0
+ ovn_ovsdb_sb: quay.io/vexxhost/ovn-central:23.03.0
pause: registry.k8s.io/pause:3.8
percona_xtradb_cluster_haproxy: docker.io/percona/percona-xtradb-cluster-operator:1.12.0-haproxy
percona_xtradb_cluster_operator: docker.io/percona/percona-xtradb-cluster-operator:1.12.0
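Review bot: The four `ovn_*` images added at L12943-L12946 are pinned by tag only (`23.03.0`), while most other OpenStack images in this file are pinned by `@sha256:` digest with an `# image-source:` comment; a tag can be re-pushed at any time, so the digest is what makes the deployment reproducible and tamper-evident. Suggest the same form here, e.g. `ovn_controller: quay.io/vexxhost/ovn-host@sha256:<digest> # image-source: quay.io/vexxhost/ovn-host:23.03.0`. The `ceph`, `kubectl` and `loki` moves in the two earlier hunks are pure reordering.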
diff --git a/roles/neutron/defaults/main.yml b/roles/neutron/defaults/main.yml
index c7d21b3..b82e0b6 100644
--- a/roles/neutron/defaults/main.yml
+++ b/roles/neutron/defaults/main.yml
@@ -19,6 +19,9 @@
neutron_helm_release_namespace: openstack
neutron_helm_values: {}
+# OVN support
+neutron_ovn_enabled: "{{ ovn_enabled | default(false) | bool }}"
+
# List of networks to provision inside OpenStack
neutron_networks: []
diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index 18266f6..b1741a4 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -36,6 +36,15 @@
name: "{{ neutron_helm_release_name }}"
namespace: "{{ neutron_helm_release_namespace }}"
+- name: Generate Helm values
+ ansible.builtin.set_fact:
+ _neutron_helm_values: "{{ __neutron_helm_values }}"
+
+- name: Add OVN configuration
+ when: neutron_ovn_enabled | bool
+ ansible.builtin.set_fact:
+ _neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_ovn_helm_values, recursive=True) }}"
+
- name: Deploy Helm chart
run_once: true
kubernetes.core.helm:
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index a4cd93f..5ce4997 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -12,7 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-_neutron_helm_values:
+__neutron_helm_values:
endpoints: "{{ openstack_helm_endpoints }}"
images:
tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('neutron') }}"
@@ -65,3 +65,56 @@
manifests:
ingress_server: false
service_ingress_server: false
+
+__neutron_ovn_helm_values:
+ network:
+ backend:
+ # - openvswitch
+ - ovn
+ conf:
+ neutron:
+ DEFAULT:
+ service_plugins: qos,ovn-router,segments,trunk
+ ovn:
+ dns_servers: "{{ neutron_coredns_cluster_ip | default('10.96.0.20') }}"
+ enable_distributed_floating_ip: true
+ ovn_metadata_enabled: true
+ ovn_nb_connection: "{% for n in range(ovn_helm_values.get('pod', {}).get('replicas', {}).get('ovn_ovsdb_nb', 3)) %}tcp:ovn-ovsdb-nb-{{ n }}.{{ neutron_helm_release_namespace }}.svc.cluster.local:6643{% if not loop.last %},{% endif %}{% endfor %}"
+ ovn_sb_connection: "{% for n in range(ovn_helm_values.get('pod', {}).get('replicas', {}).get('ovn_ovsdb_sb', 3)) %}tcp:ovn-ovsdb-sb-{{ n }}.{{ neutron_helm_release_namespace }}.svc.cluster.local:6642{% if not loop.last %},{% endif %}{% endfor %}"
+ plugins:
+ ml2_conf:
+ ml2:
+ type_drivers: flat,vlan,vxlan,geneve
+ tenant_network_types: geneve
+ ml2_type_geneve:
+ vni_ranges: 1:65536
+ max_header_size: 38
+ manifests:
+ daemonset_dhcp_agent: false
+ daemonset_l3_agent: false
+ daemonset_metadata_agent: false
+ daemonset_ovn_metadata_agent: true
+ daemonset_ovs_agent: false
+
+ # conf:
+ # plugins:
+ # ml2_conf:
+ # ml2:
+ # extension_drivers: port_security
+ # mechanism_drivers: ovn
+ # ovn_metadata_agent:
+ # DEFAULT:
+ # nova_metadata_port: 8775
+ # metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
+ # metadata_workers: 8
+ # nova_metadata_host: __NOVA_METADATA_SERVICE_HOST__
+ # cache:
+ # enabled: true
+ # backend: dogpile.cache.memcached
+ # ovs:
+ # ovsdb_connection: tcp:127.0.0.1:6640
+ # ovsdb_timeout: 180
+ # ovn:
+ # ovn_metadata_enabled: true
+ # ovn_nb_connection: tcp:__OVN_NB_DB_SERVICE_HOST__:__OVN_NB_DB_SERVICE_PORT__
+ # ovn_sb_connection: tcp:__OVN_SB_DB_SERVICE_HOST__:__OVN_SB_DB_SERVICE_PORT__
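Review bot: The `ovn_nb_connection`/`ovn_sb_connection` strings at L13011-L13012 address the DB pods as `ovn-ovsdb-nb-N.<namespace>.svc.cluster.local`, which omits the StatefulSet's headless-service segment; pod DNS for a StatefulSet is `<pod>.<serviceName>.<namespace>.svc`, so unless something outside this diff publishes these names they will not resolve, and the expected form is `ovn-ovsdb-nb-{{ n }}.ovn-ovsdb-nb.{{ neutron_helm_release_namespace }}.svc.cluster.local` (presuming the chart's serviceName resolves to `ovn-ovsdb-nb`, as the `hostname_short_endpoint_lookup` pattern in the templates suggests). The southbound port `6642` also disagrees with the chart's `endpoints.ovn_ovsdb_sb.port.ovsdb: 6644` (the NB string's `6643` does match), so one of the two must change. Both strings use `neutron_helm_release_namespace` for pods that the ovn role deploys into `ovn_helm_release_namespace`; the defaults coincide, but they are separate knobs. Finally these are `tcp:` connections with no SSL, so any pod that can reach the SB DB can rewrite logical flows — worth a line such as `# NOTE: plaintext OVSDB; access is bounded only by NetworkPolicy until ssl: connections are wired up` so the limitation is visible to whoever hardens this later.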
diff --git a/roles/ovn/README.md b/roles/ovn/README.md
new file mode 100644
index 0000000..b38bf8d
--- /dev/null
+++ b/roles/ovn/README.md
@@ -0,0 +1 @@
+# `ovn`
diff --git a/roles/ovn/defaults/main.yml b/roles/ovn/defaults/main.yml
new file mode 100644
index 0000000..b904598
--- /dev/null
+++ b/roles/ovn/defaults/main.yml
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+ovn_helm_release_name: ovn
+ovn_helm_chart_path: "../../charts/ovn/"
+ovn_helm_chart_ref: /usr/local/src/ovn
+
+ovn_helm_release_namespace: openstack
+ovn_helm_values: {}
diff --git a/roles/ovn/meta/main.yml b/roles/ovn/meta/main.yml
new file mode 100644
index 0000000..7141b0f
--- /dev/null
+++ b/roles/ovn/meta/main.yml
@@ -0,0 +1,32 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+galaxy_info:
+ author: VEXXHOST, Inc.
+ description: Ansible role for OVN
+ license: Apache-2.0
+ min_ansible_version: 5.5.0
+ standalone: false
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+ - jammy
+
+dependencies:
+ - role: defaults
+ - role: vexxhost.kubernetes.upload_helm_chart
+ vars:
+ upload_helm_chart_src: "{{ ovn_helm_chart_path }}"
+ upload_helm_chart_dest: "{{ ovn_helm_chart_ref }}"
diff --git a/roles/ovn/tasks/main.yml b/roles/ovn/tasks/main.yml
new file mode 100644
index 0000000..307c50e
--- /dev/null
+++ b/roles/ovn/tasks/main.yml
@@ -0,0 +1,23 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Deploy Helm chart
+ run_once: true
+ kubernetes.core.helm:
+ name: "{{ ovn_helm_release_name }}"
+ chart_ref: "{{ ovn_helm_chart_ref }}"
+ release_namespace: "{{ ovn_helm_release_namespace }}"
+ create_namespace: true
+ kubeconfig: /etc/kubernetes/admin.conf
+ values: "{{ _ovn_helm_values | combine(ovn_helm_values, recursive=True) }}"
diff --git a/roles/ovn/vars/main.yml b/roles/ovn/vars/main.yml
new file mode 100644
index 0000000..59d9c20
--- /dev/null
+++ b/roles/ovn/vars/main.yml
@@ -0,0 +1,37 @@
+# Copyright (c) 2023 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+_ovn_helm_values:
+ images:
+ tags: "{{ atmosphere_images | vexxhost.atmosphere.openstack_helm_image_tags('ovn') }}"
+ labels:
+ ovn_ovsdb_nb:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ ovn_ovsdb_sb:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ ovn_northd:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+ volume:
+ ovn_ovsdb_nb:
+ size: 20Gi
+ ovn_ovsdb_sb:
+ size: 20Gi
+ pod:
+ replicas:
+ ovn_ovsdb_nb: 3
+ ovn_ovsdb_sb: 3
+ ovn_northd: 3
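Review bot: The replica counts at L13189-L13191 are duplicated as the hard-coded fallback `3` inside the Neutron connection strings (`ovn_helm_values.get('pod', {}).get('replicas', {}).get('ovn_ovsdb_nb', 3)` in roles/neutron/vars/main.yml), which reads only the user override and never this file, so changing the number here without the other silently leaves Neutron listing pods that do not exist. Factor it into one variable, e.g. `ovn_ovsdb_replicas: 3` in roles/ovn/defaults/main.yml, and reference it from both `_ovn_helm_values` and the Neutron vars. Whether the chart's ovsdb StatefulSets honour `pod.replicas` and form a RAFT cluster at three members is outside this diff.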