chore: bump charts
diff --git a/charts/cinder/Chart.yaml b/charts/cinder/Chart.yaml
index c769da8..06d521e 100644
--- a/charts/cinder/Chart.yaml
+++ b/charts/cinder/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/cinder
- https://opendev.org/openstack/openstack-helm
-version: 0.2.25
+version: 0.3.2
diff --git a/charts/cinder/charts/helm-toolkit/Chart.yaml b/charts/cinder/charts/helm-toolkit/Chart.yaml
index 4f9e6e5..12e2dd2 100644
--- a/charts/cinder/charts/helm-toolkit/Chart.yaml
+++ b/charts/cinder/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/openstack-helm-infra
- https://opendev.org/openstack/openstack-helm
-version: 0.2.46
+version: 0.2.50
diff --git a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
index 70e64cc..4c476b2 100644
--- a/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,7 @@
{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- $ingressConf := $envAll.Values.network.kibana.ingress -}}
+{{- $ingressConf := $envAll.Values.network -}}
{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
{{- range $key2, $ingressController := $ingressClasses }}
{{- $vHosts := list $hostNameFull }}
@@ -706,7 +706,6 @@
{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
{{- $vHosts = append $vHosts $v }}
{{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
tls:
@@ -718,7 +717,6 @@
{{- end }}
{{- end }}
{{- end }}
-{{- end }}
rules:
{{- range $vHost := $vHosts }}
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
password="${RABBITMQ_PASSWORD}" \
tags="user"
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
if [ "${RABBITMQ_VHOST}" != "/" ]
then
echo "Managing: vHost: ${RABBITMQ_VHOST}"
diff --git a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index 516d79e..687851e 100644
--- a/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/cinder/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
# framework will automatically tar/zip the files in that directory and
# name the tarball appropriately according to the proper conventions.
#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
# The functions in this file will take care of:
# 1) Calling "dump_databases_to_directory" and then compressing the files,
# naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
exit $ERRCODE
}
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
log() {
#Log message to a file or stdout
#TODO: This can be convert into mail alert of alert send to a monitoring system
@@ -201,12 +219,36 @@
log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
return 2
fi
+
openstack object show $CONTAINER_NAME $FILE
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
return 2
fi
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
return 0
}
@@ -382,8 +424,8 @@
# Cleanup now that we're done.
for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
- if [[ -f fd ]]; then
- rm -f fd
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
else
log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
fi
@@ -444,10 +486,6 @@
cd $ARCHIVE_DIR
- # Remove the temporary directory and files as they are no longer needed.
- rm -rf $TMP_DIR
- rm -f $ERR_LOG_FILE
-
#Only delete the old archive after a successful archive
export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -459,6 +497,25 @@
done
fi
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
if $REMOTE_BACKUP; then
# Remove Quotes from the constants which were added due to reading
@@ -490,7 +547,7 @@
get_backup_prefix $(cat $DB_BACKUP_FILES)
for ((i=0; i<${#PREFIXES[@]}; i++)); do
echo "Working with prefix: ${PREFIXES[i]}"
- create_hash_table $(cat $DB_BACKUP_FILES | grep ${PREFIXES[i]})
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
remove_old_remote_archives
done
fi
@@ -511,4 +568,4 @@
echo "=================================================================="
fi
}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cinder/requirements.lock b/charts/cinder/requirements.lock
index a35c5a5..57e368f 100644
--- a/charts/cinder/requirements.lock
+++ b/charts/cinder/requirements.lock
@@ -1,6 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../../openstack-helm-infra/helm-toolkit
- version: 0.2.46
-digest: sha256:4baae4035ac4ec09ff414ac48d8f1e3f030d1ce1629727cb1ff24d44ffa000f1
-generated: "2022-08-17T17:14:30.083437397Z"
+ version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:15.656648671Z"
diff --git a/charts/cinder/templates/configmap-etc.yaml b/charts/cinder/templates/configmap-etc.yaml
index a2ad5f2..fe73a88 100644
--- a/charts/cinder/templates/configmap-etc.yaml
+++ b/charts/cinder/templates/configmap-etc.yaml
@@ -94,7 +94,7 @@
{{- end -}}
{{- if empty .Values.conf.cinder.DEFAULT.osapi_volume_listen_port -}}
-{{- $_ := tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
+{{- $_ := tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.cinder.DEFAULT "osapi_volume_listen_port" -}}
{{- end -}}
{{- if .Values.conf.cinder.service_user.send_service_user_token -}}
@@ -158,10 +158,10 @@
{{- $filePrefix := replace "_" "-" $key }}
{{ printf "%s.filters" $filePrefix }}: {{ $value.content | b64enc }}
{{- end }}
-{{- if .Values.backup.external_ceph_rbd.enabled }}
+{{- if and .Values.backup.external_ceph_rbd.enabled (not .Values.backup.external_ceph_rbd.configmap) }}
external-backup-ceph.conf: {{ include "helm-toolkit.utils.to_ini" .Values.backup.external_ceph_rbd.conf | b64enc }}
{{- end }}
-{{- if .Values.ceph_client.enable_external_ceph_backend }}
+{{- if and .Values.ceph_client.enable_external_ceph_backend (not .Values.ceph_client.external_ceph.configmap) }}
external-ceph.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.ceph_client.external_ceph.conf | b64enc }}
{{- end }}
{{- end }}
diff --git a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
index c1c317c..1d935f1 100644
--- a/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
+++ b/charts/cinder/templates/cron-job-cinder-volume-usage-audit.yaml
@@ -64,6 +64,11 @@
{{ tuple $envAll "cinder_volume_usage_audit" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.volume_usage_audit | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "volume_usage_audit" "container" "cinder_volume_usage_audit" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/cinder/certs/ca.crt"
+{{- end }}
command:
- /tmp/volume-usage-audit.sh
volumeMounts:
@@ -85,6 +90,7 @@
mountPath: /tmp/volume-usage-audit.sh
subPath: volume-usage-audit.sh
readOnly: true
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
{{ if $mounts_cinder_volume_usage_audit.volumeMounts }}{{ toYaml $mounts_cinder_volume_usage_audit.volumeMounts | indent 16 }}{{ end }}
@@ -101,6 +107,7 @@
configMap:
name: cinder-bin
defaultMode: 0555
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{ if $mounts_cinder_volume_usage_audit.volumes }}{{ toYaml $mounts_cinder_volume_usage_audit.volumes | indent 12 }}{{ end }}
diff --git a/charts/cinder/templates/deployment-api.yaml b/charts/cinder/templates/deployment-api.yaml
index 7925c60..b3e6be1 100644
--- a/charts/cinder/templates/deployment-api.yaml
+++ b/charts/cinder/templates/deployment-api.yaml
@@ -80,6 +80,11 @@
command:
- /tmp/cinder-api.sh
- start
+ env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/cinder/certs/ca.crt"
+{{- end }}
lifecycle:
preStop:
exec:
@@ -88,13 +93,17 @@
- stop
ports:
- name: c-api
- containerPort: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
- tcpSocket:
- port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe:
- tcpSocket:
- port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
failureThreshold: 3
periodSeconds: 10
@@ -156,7 +165,7 @@
readOnly: true
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_api.volumeMounts }}{{ toYaml $mounts_cinder_api.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -179,7 +188,7 @@
emptyDir: {}
{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_api.volumes }}{{ toYaml $mounts_cinder_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/charts/cinder/templates/deployment-backup.yaml b/charts/cinder/templates/deployment-backup.yaml
index b4a429b..6107775 100644
--- a/charts/cinder/templates/deployment-backup.yaml
+++ b/charts/cinder/templates/deployment-backup.yaml
@@ -189,6 +189,11 @@
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
+ {{- else if .Values.backup.external_ceph_rbd.configmap }}
+ - name: external-backup-ceph-etc
+ mountPath: /etc/ceph/ceph.conf
+ subPath: ceph.conf
+ readOnly: true
{{- else }}
- name: cinder-etc
mountPath: /etc/ceph/ceph.conf
@@ -207,10 +212,17 @@
readOnly: true
{{- end }}
{{- if .Values.ceph_client.enable_external_ceph_backend }}
+ {{- if .Values.ceph_client.external_ceph.configmap }}
+ - name: external-ceph-etc
+ mountPath: /etc/ceph/external-ceph.conf
+ subPath: external-ceph.conf
+ readOnly: true
+ {{- else }}
- name: cinder-etc
mountPath: /etc/ceph/external-ceph.conf
subPath: external-ceph.conf
readOnly: true
+ {{- end }}
{{- if .Values.ceph_client.external_ceph.rbd_user }}
- name: external-ceph-keyring
mountPath: /tmp/external-ceph-client-keyring
@@ -289,10 +301,22 @@
{{ if or (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) (eq "true" (include "cinder.utils.has_ceph_backend" $envAll)) }}
- name: etcceph
emptyDir: {}
+ {{- if and .Values.backup.external_ceph_rbd.enabled .Values.backup.external_ceph_rbd.configmap }}
+ - name: external-backup-ceph-etc
+ configMap:
+ name: {{ .Values.backup.external_ceph_rbd.configmap }}
+ defaultMode: 0444
+ {{- end }}
- name: ceph-etc
configMap:
name: {{ .Values.ceph_client.configmap }}
defaultMode: 0444
+ {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.configmap }}
+ - name: external-ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.external_ceph.configmap }}
+ defaultMode: 0444
+ {{- end }}
{{ end }}
{{- if (contains "cinder.backup.drivers.ceph" .Values.conf.cinder.DEFAULT.backup_driver) }}
- name: ceph-backup-keyring
diff --git a/charts/cinder/templates/deployment-volume.yaml b/charts/cinder/templates/deployment-volume.yaml
index 135672a..0fccd46 100644
--- a/charts/cinder/templates/deployment-volume.yaml
+++ b/charts/cinder/templates/deployment-volume.yaml
@@ -131,9 +131,9 @@
readOnly: true
- name: pod-shared
mountPath: /tmp/pod-shared
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: INTERNAL_PROJECT_NAME
@@ -150,6 +150,11 @@
{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/cinder-volume.sh
+ env:
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/cinder/certs/ca.crt"
+{{- end }}
terminationMessagePath: /var/log/termination-log
volumeMounts:
- name: pod-tmp
@@ -188,10 +193,17 @@
subPath: key
readOnly: true
{{- if .Values.ceph_client.enable_external_ceph_backend }}
+ {{- if .Values.ceph_client.external_ceph.configmap }}
+ - name: external-ceph-etc
+ mountPath: /etc/ceph/external-ceph.conf
+ subPath: external-ceph.conf
+ readOnly: true
+ {{- else }}
- name: cinder-etc
mountPath: /etc/ceph/external-ceph.conf
subPath: external-ceph.conf
readOnly: true
+ {{- end }}
{{- if .Values.ceph_client.external_ceph.rbd_user }}
- name: external-ceph-keyring
mountPath: /tmp/external-ceph-client-keyring
@@ -269,7 +281,7 @@
mountPropagation: HostToContainer
{{- end }}
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
@@ -295,6 +307,12 @@
configMap:
name: {{ .Values.ceph_client.configmap }}
defaultMode: 0444
+ {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.configmap }}
+ - name: external-ceph-etc
+ configMap:
+ name: {{ .Values.ceph_client.external_ceph.configmap }}
+ defaultMode: 0444
+ {{- end }}
- name: ceph-keyring
secret:
secretName: {{ .Values.secrets.rbd.volume | quote }}
@@ -333,7 +351,7 @@
path: /sys
{{- end }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/charts/cinder/templates/job-bootstrap.yaml b/charts/cinder/templates/job-bootstrap.yaml
index 0db5409..a7b590e 100644
--- a/charts/cinder/templates/job-bootstrap.yaml
+++ b/charts/cinder/templates/job-bootstrap.yaml
@@ -19,7 +19,7 @@
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "cinder" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.cinder.DEFAULT.log_config_append "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
{{- end -}}
{{- if .Values.pod.tolerations.cinder.enabled -}}
diff --git a/charts/cinder/templates/job-create-internal-tenant.yaml b/charts/cinder/templates/job-create-internal-tenant.yaml
index b298e36..78de218 100644
--- a/charts/cinder/templates/job-create-internal-tenant.yaml
+++ b/charts/cinder/templates/job-create-internal-tenant.yaml
@@ -68,9 +68,9 @@
mountPath: /tmp/create-internal-tenant.sh
subPath: create-internal-tenant.sh
readOnly: true
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@@ -97,5 +97,5 @@
configMap:
name: {{ $configMapBin | quote }}
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volumev3.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end -}}
diff --git a/charts/cinder/templates/job-ks-endpoints.yaml b/charts/cinder/templates/job-ks-endpoints.yaml
index 6b0493d..99d5360 100644
--- a/charts/cinder/templates/job-ks-endpoints.yaml
+++ b/charts/cinder/templates/job-ks-endpoints.yaml
@@ -19,7 +19,7 @@
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" ( tuple "volumev3" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/job-ks-service.yaml b/charts/cinder/templates/job-ks-service.yaml
index 3299506..159f66a 100644
--- a/charts/cinder/templates/job-ks-service.yaml
+++ b/charts/cinder/templates/job-ks-service.yaml
@@ -25,7 +25,7 @@
{{- end }}
{{- end }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "cinder" "serviceTypes" $serviceTypes -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/job-ks-user.yaml b/charts/cinder/templates/job-ks-user.yaml
index 4cd671d..78f48cf 100644
--- a/charts/cinder/templates/job-ks-user.yaml
+++ b/charts/cinder/templates/job-ks-user.yaml
@@ -19,7 +19,7 @@
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "cinder" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.volumev3.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
diff --git a/charts/cinder/templates/service-api.yaml b/charts/cinder/templates/service-api.yaml
index 86d6b6f..d053063 100644
--- a/charts/cinder/templates/service-api.yaml
+++ b/charts/cinder/templates/service-api.yaml
@@ -22,7 +22,7 @@
spec:
ports:
- name: c-api
- port: {{ tuple "volumev3" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "volumev3" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.api.node_port.enabled }}
nodePort: {{ .Values.network.api.node_port.port }}
{{ end }}
diff --git a/charts/cinder/values.yaml b/charts/cinder/values.yaml
index 647a049..7633d97 100644
--- a/charts/cinder/values.yaml
+++ b/charts/cinder/values.yaml
@@ -43,20 +43,20 @@
images:
tags:
test: docker.io/xrally/xrally-openstack:2.0.0
- db_init: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
- cinder_db_sync: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
- db_drop: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
+ db_init: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ cinder_db_sync: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+ db_drop: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
rabbit_init: docker.io/rabbitmq:3.7-management
- ks_user: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
- ks_service: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
- ks_endpoints: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
- cinder_api: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
- bootstrap: docker.io/openstackhelm/heat:ussuri-ubuntu_bionic
- cinder_scheduler: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
- cinder_volume: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
- cinder_volume_usage_audit: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ ks_user: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_service: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ ks_endpoints: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ cinder_api: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+ bootstrap: docker.io/openstackhelm/heat:wallaby-ubuntu_focal
+ cinder_scheduler: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+ cinder_volume: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
+ cinder_volume_usage_audit: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
cinder_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
- cinder_backup: docker.io/openstackhelm/cinder:ussuri-ubuntu_bionic
+ cinder_backup: docker.io/openstackhelm/cinder:wallaby-ubuntu_focal
cinder_backup_storage_init: docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_bionic
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
@@ -140,6 +140,9 @@
runAsUser: 0
readOnlyRootFilesystem: true
cinder_volume:
+ capabilities:
+ add:
+ - SYS_ADMIN
readOnlyRootFilesystem: true
storage_init:
pod:
@@ -422,6 +425,7 @@
# secret for external ceph keyring will be created.
rbd_user: null
rbd_user_keyring: null
+ configmap: null
conf:
global: null
osd: null
@@ -464,122 +468,7 @@
filter:audit:
paste.filter_factory: keystonemiddleware.audit:filter_factory
audit_map_file: /etc/cinder/api_audit_map.conf
- policy:
- context_is_admin: role:admin
- admin_or_owner: is_admin:True or project_id:%(project_id)s
- default: rule:admin_or_owner
- admin_api: is_admin:True
- volume:create: ''
- volume:delete: rule:admin_or_owner
- volume:get: rule:admin_or_owner
- volume:get_all: rule:admin_or_owner
- volume:get_volume_metadata: rule:admin_or_owner
- volume:create_volume_metadata: rule:admin_or_owner
- volume:delete_volume_metadata: rule:admin_or_owner
- volume:update_volume_metadata: rule:admin_or_owner
- volume:get_volume_admin_metadata: rule:admin_api
- volume:update_volume_admin_metadata: rule:admin_api
- volume:get_snapshot: rule:admin_or_owner
- volume:get_all_snapshots: rule:admin_or_owner
- volume:create_snapshot: rule:admin_or_owner
- volume:delete_snapshot: rule:admin_or_owner
- volume:update_snapshot: rule:admin_or_owner
- volume:get_snapshot_metadata: rule:admin_or_owner
- volume:delete_snapshot_metadata: rule:admin_or_owner
- volume:update_snapshot_metadata: rule:admin_or_owner
- volume:extend: rule:admin_or_owner
- volume:update_readonly_flag: rule:admin_or_owner
- volume:retype: rule:admin_or_owner
- volume:update: rule:admin_or_owner
- volume_extension:types_manage: rule:admin_api
- volume_extension:types_extra_specs: rule:admin_api
- volume_extension:access_types_qos_specs_id: rule:admin_api
- volume_extension:access_types_extra_specs: rule:admin_api
- volume_extension:volume_type_access: rule:admin_or_owner
- volume_extension:volume_type_access:addProjectAccess: rule:admin_api
- volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
- volume_extension:volume_type_encryption: rule:admin_api
- volume_extension:volume_encryption_metadata: rule:admin_or_owner
- volume_extension:extended_snapshot_attributes: rule:admin_or_owner
- volume_extension:volume_image_metadata: rule:admin_or_owner
- volume_extension:quotas:show: ''
- volume_extension:quotas:update: rule:admin_api
- volume_extension:quotas:delete: rule:admin_api
- volume_extension:quota_classes: rule:admin_api
- volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
- volume_extension:volume_admin_actions:reset_status: rule:admin_api
- volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
- volume_extension:backup_admin_actions:reset_status: rule:admin_api
- volume_extension:volume_admin_actions:force_delete: rule:admin_api
- volume_extension:volume_admin_actions:force_detach: rule:admin_api
- volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
- volume_extension:backup_admin_actions:force_delete: rule:admin_api
- volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
- volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
- volume_extension:volume_actions:upload_public: rule:admin_api
- volume_extension:volume_actions:upload_image: rule:admin_or_owner
- volume_extension:volume_host_attribute: rule:admin_api
- volume_extension:volume_tenant_attribute: rule:admin_or_owner
- volume_extension:volume_mig_status_attribute: rule:admin_api
- volume_extension:hosts: rule:admin_api
- volume_extension:services:index: rule:admin_api
- volume_extension:services:update: rule:admin_api
- volume_extension:volume_manage: rule:admin_api
- volume_extension:volume_unmanage: rule:admin_api
- volume_extension:list_manageable: rule:admin_api
- volume_extension:capabilities: rule:admin_api
- volume:create_transfer: rule:admin_or_owner
- volume:accept_transfer: ''
- volume:delete_transfer: rule:admin_or_owner
- volume:get_transfer: rule:admin_or_owner
- volume:get_all_transfers: rule:admin_or_owner
- volume_extension:replication:promote: rule:admin_api
- volume_extension:replication:reenable: rule:admin_api
- volume:failover_host: rule:admin_api
- volume:freeze_host: rule:admin_api
- volume:thaw_host: rule:admin_api
- backup:create: ''
- backup:delete: rule:admin_or_owner
- backup:get: rule:admin_or_owner
- backup:get_all: rule:admin_or_owner
- backup:restore: rule:admin_or_owner
- backup:backup-import: rule:admin_api
- backup:backup-export: rule:admin_api
- backup:update: rule:admin_or_owner
- snapshot_extension:snapshot_actions:update_snapshot_status: ''
- snapshot_extension:snapshot_manage: rule:admin_api
- snapshot_extension:snapshot_unmanage: rule:admin_api
- snapshot_extension:list_manageable: rule:admin_api
- consistencygroup:create: group:nobody
- consistencygroup:delete: group:nobody
- consistencygroup:update: group:nobody
- consistencygroup:get: group:nobody
- consistencygroup:get_all: group:nobody
- consistencygroup:create_cgsnapshot: group:nobody
- consistencygroup:delete_cgsnapshot: group:nobody
- consistencygroup:get_cgsnapshot: group:nobody
- consistencygroup:get_all_cgsnapshots: group:nobody
- group:group_types_manage: rule:admin_api
- group:group_types_specs: rule:admin_api
- group:access_group_types_specs: rule:admin_api
- group:group_type_access: rule:admin_or_owner
- group:create: ''
- group:delete: rule:admin_or_owner
- group:update: rule:admin_or_owner
- group:get: rule:admin_or_owner
- group:get_all: rule:admin_or_owner
- group:create_group_snapshot: ''
- group:delete_group_snapshot: rule:admin_or_owner
- group:update_group_snapshot: rule:admin_or_owner
- group:get_group_snapshot: rule:admin_or_owner
- group:get_all_group_snapshots: rule:admin_or_owner
- scheduler_extension:scheduler_stats:get_pools: rule:admin_api
- message:delete: rule:admin_or_owner
- message:get: rule:admin_or_owner
- message:get_all: rule:admin_or_owner
- clusters:get: rule:admin_api
- clusters:get_all: rule:admin_api
- clusters:update: rule:admin_api
+ policy: {}
api_audit_map:
DEFAULT:
target_endpoint_type: None
@@ -1097,6 +986,7 @@
external_ceph_rbd:
enabled: false
admin_keyring: null
+ configmap: null
conf:
global: null
osd: null
@@ -1481,6 +1371,11 @@
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
manifests:
certificates: false
configmap_bin: true