chore: bump charts
diff --git a/charts/heat/Chart.yaml b/charts/heat/Chart.yaml
index 4d3af00..bb2b5af 100644
--- a/charts/heat/Chart.yaml
+++ b/charts/heat/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/heat
- https://opendev.org/openstack/openstack-helm
-version: 0.2.8
+version: 0.3.1
diff --git a/charts/heat/charts/helm-toolkit/Chart.yaml b/charts/heat/charts/helm-toolkit/Chart.yaml
index ffa1cdc..12e2dd2 100644
--- a/charts/heat/charts/helm-toolkit/Chart.yaml
+++ b/charts/heat/charts/helm-toolkit/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/openstack-helm-infra
- https://opendev.org/openstack/openstack-helm
-version: 0.2.36
+version: 0.2.50
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
index c1693aa..4c476b2 100644
--- a/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_ingress.tpl
@@ -685,7 +685,9 @@
{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
{{- end }}
{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
-{{- range $key2, $ingressController := tuple "namespace" "cluster" }}
+{{- $ingressConf := $envAll.Values.network -}}
+{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
+{{- range $key2, $ingressController := $ingressClasses }}
{{- $vHosts := list $hostNameFull }}
---
apiVersion: networking.k8s.io/v1
@@ -704,7 +706,6 @@
{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
{{- $vHosts = append $vHosts $v }}
{{- end }}
-{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
tls:
@@ -716,7 +717,6 @@
{{- end }}
{{- end }}
{{- end }}
-{{- end }}
rules:
{{- range $vHost := $vHosts }}
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
diff --git a/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
new file mode 100644
index 0000000..4854bb1
--- /dev/null
+++ b/charts/heat/charts/helm-toolkit/templates/manifests/_secret-registry.yaml.tpl
@@ -0,0 +1,93 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+ Creates a manifest for a authenticating a registry with a secret
+examples:
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+
+ - values: |
+ secrets:
+ oci_image_registry:
+ {{ $serviceName }}: {{ $keyName }}
+ endpoints:
+ oci_image_registry:
+ name: oci-image-registry
+ auth:
+ enabled: true
+ {{ $serviceName }}:
+ name: {{ $userName }}
+ password: {{ $password }}
+ usage: |
+ {{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
+ return: |
+ ---
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ $secretName }}
+ type: kubernetes.io/dockerconfigjson
+ data:
+ dockerconfigjson: {{ $dockerAuth }}
+*/}}
+
+{{- define "helm-toolkit.manifests.secret_registry" }}
+{{- $envAll := index . "envAll" }}
+{{- $registryUser := index . "registryUser" }}
+{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
+{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
+{{/*
+We only use "host:port" when port is non-null, else just use "host"
+*/}}
+{{- $registryPort := "" }}
+{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
+{{- if $port }}
+{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- $registryPort = printf ":%s" $port }}
+{{- end }}
+{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
+{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
+{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $secretName }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ $dockerAuth }}
+{{- end -}}
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 87872d6..3739f95 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -77,6 +77,11 @@
password="${RABBITMQ_PASSWORD}" \
tags="user"
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+ delete user \
+ name="guest" || true
+
if [ "${RABBITMQ_VHOST}" != "/" ]
then
echo "Managing: vHost: ${RABBITMQ_VHOST}"
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
index db12915..687851e 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -66,6 +66,14 @@
# framework will automatically tar/zip the files in that directory and
# name the tarball appropriately according to the proper conventions.
#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
# The functions in this file will take care of:
# 1) Calling "dump_databases_to_directory" and then compressing the files,
# naming the tarball properly, and then storing it locally at the specified
@@ -90,6 +98,16 @@
exit $ERRCODE
}
+log_verify_backup_exit() {
+ MSG=$1
+ ERRCODE=${2:-0}
+ log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+ rm -f $ERR_LOG_FILE
+ # rm -rf $TMP_DIR
+ exit $ERRCODE
+}
+
+
log() {
#Log message to a file or stdout
#TODO: This can be convert into mail alert of alert send to a monitoring system
@@ -201,12 +219,36 @@
log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
return 2
fi
+
openstack object show $CONTAINER_NAME $FILE
if [[ $? -ne 0 ]]; then
log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
return 2
fi
+ # Calculation remote file SHA256 hash
+ REMOTE_FILE=$(mktemp -p /tmp)
+ openstack object save --file ${REMOTE_FILE} $CONTAINER_NAME $FILE
+ if [[ $? -ne 0 ]]; then
+ log WARN "${DB_NAME}_backup" "Unable to save container object $FILE for SHA256 hash verification."
+ rm -rf ${REMOTE_FILE}
+ return 1
+ fi
+
+ # Remote backup verification
+ SHA256_REMOTE=$(cat ${REMOTE_FILE} | sha256sum | awk '{print $1}')
+ SHA256_LOCAL=$(cat ${FILEPATH}/${FILE} | sha256sum | awk '{print $1}')
+ log INFO "${DB_NAME}_backup" "Calculated SHA256 hashes for the file $FILE in container $CONTAINER_NAME."
+ log INFO "${DB_NAME}_backup" "Local SHA256 hash is ${SHA256_LOCAL}."
+ log INFO "${DB_NAME}_backup" "Remote SHA256 hash is ${SHA256_REMOTE}."
+ if [[ "${SHA256_LOCAL}" == "${SHA256_REMOTE}" ]]; then
+ log INFO "${DB_NAME}_backup" "The local backup & remote backup SHA256 hash values are matching for file $FILE in container $CONTAINER_NAME."
+ else
+ log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup sha256 hash values"
+ return 1
+ fi
+ rm -rf ${REMOTE_FILE}
+
log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
return 0
}
@@ -253,6 +295,16 @@
return 1
}
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+ local A_FILE="$1"
+ awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
# This function takes a list of archives' names as an input
# and creates a hash table where keys are number of seconds
# between current date and archive date (see seconds_difference),
@@ -271,21 +323,6 @@
# possible case, when we have several backups of the same date. E.g.
# one manual, and one automatic.
-function get_archive_date(){
-# get_archive_date function returns correct archive date
-# for different formats of archives' names
-# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
-# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
-local A_FILE="$1"
-local A_DATE=""
-if [[ -z ${BACK_UP_MODE} ]]; then
- A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 4 | tr -d "Z")
-else
- A_DATE=$( awk -F/ '{print $NF}' <<< ${ARCHIVE_FILE} | cut -d'.' -f 5 | tr -d "Z")
-fi
-echo ${A_DATE}
-}
-
declare -A fileTable
create_hash_table() {
unset fileTable
@@ -329,33 +366,6 @@
}
remove_old_local_archives() {
- if [[ -d $ARCHIVE_DIR ]]; then
- count=0
- SECONDS_TO_KEEP=$((${LOCAL_DAYS_TO_KEEP}*86400))
- log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days"
- # We iterate over the hash table, checking the delta in seconds (hash keys),
- # and minimum number of backups we must have in place. List of keys has to be sorted.
- for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
- ARCHIVE_FILE=${FILETABLE[${INDEX}]}
- if [[ ${INDEX} -le ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
- ((count++))
- log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
- else
- log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
- rm -rf $ARCHIVE_FILE
- if [[ $? -ne 0 ]]; then
- # Log error but don't exit so we can finish the script
- # because at this point we haven't sent backup to RGW yet
- log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
- fi
- fi
- done
- else
- log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
- fi
-}
-
-remove_old_local_archives() {
SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
if [[ -d $ARCHIVE_DIR ]]; then
@@ -400,8 +410,8 @@
count=0
SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
- for INDEX in $(tr " " "\n" <<< ${!FILETABLE[@]} | sort -n -); do
- ARCHIVE_FILE=${FILETABLE[${INDEX}]}
+ for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ ARCHIVE_FILE=${fileTable[${INDEX}]}
if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
((count++))
log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
@@ -414,10 +424,12 @@
# Cleanup now that we're done.
for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
- if [[ -f fd ]]; then
- rm -f fd
- else
- log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ if [[ -f ${fd} ]]; then
+ rm -f ${fd}
+ else
+ log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+ fi
+ done
}
# Main function to backup the databases. Calling functions need to supply:
@@ -474,10 +486,6 @@
cd $ARCHIVE_DIR
- # Remove the temporary directory and files as they are no longer needed.
- rm -rf $TMP_DIR
- rm -f $ERR_LOG_FILE
-
#Only delete the old archive after a successful archive
export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
@@ -489,6 +497,25 @@
done
fi
+ # Local backup verification process
+
+ # It is expected that this function will verify the database backup files
+ if verify_databases_backup_archives ${SCOPE}; then
+ log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+ else
+ # If successful, there should be at least one file in the TMP_DIR
+ if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+ cat $ERR_LOG_FILE
+ fi
+ log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+ exit 1
+ fi
+
+ # Remove the temporary directory and files as they are no longer needed.
+ rm -rf $TMP_DIR
+ rm -f $ERR_LOG_FILE
+
+ # Remote backup
REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
if $REMOTE_BACKUP; then
# Remove Quotes from the constants which were added due to reading
@@ -517,8 +544,12 @@
#Only delete the old archive after a successful archive
if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
prepare_list_of_remote_backups
- create_hash_table $(cat $DB_BACKUP_FILES)
- remove_old_remote_archives
+ get_backup_prefix $(cat $DB_BACKUP_FILES)
+ for ((i=0; i<${#PREFIXES[@]}; i++)); do
+ echo "Working with prefix: ${PREFIXES[i]}"
+ create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+ remove_old_remote_archives
+ done
fi
echo "=================================================================="
@@ -537,4 +568,4 @@
echo "=================================================================="
fi
}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
index c2de3aa..093dd2c 100644
--- a/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/scripts/db-backup-restore/_restore_main.sh.tpl
@@ -269,7 +269,7 @@
echo "=============================================="
for archive in $archives
do
- echo $archive | cut -d '/' -f 8
+ echo $archive | cut -d '/' -f8-
done
clean_and_exit 0 ""
else
diff --git a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
index 4cc898d..bc2045e 100644
--- a/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/charts/heat/charts/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -42,6 +42,12 @@
metadata:
name: {{ $saName }}
namespace: {{ $saNamespace }}
+{{- if $envAll.Values.manifests.secret_registry }}
+{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
+imagePullSecrets:
+ - name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
+{{- end -}}
+{{- end -}}
{{- range $k, $v := $deps -}}
{{- if eq $k "services" }}
{{- range $serv := $v }}
diff --git a/charts/heat/requirements.lock b/charts/heat/requirements.lock
index 1a130f6..84999b0 100644
--- a/charts/heat/requirements.lock
+++ b/charts/heat/requirements.lock
@@ -1,6 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../../openstack-helm-infra/helm-toolkit
- version: 0.2.36
-digest: sha256:7815f273587bf686278d58f0c6e9c86c37f220ef3f3c1e83edc478613082fef4
-generated: "2022-03-24T05:04:10.242253189Z"
+ version: 0.2.50
+digest: sha256:67fc0fd70898d60cddd5c634b632205a7716bfeb21e57adaeda464efbcfa2ce3
+generated: "2023-01-13T22:23:19.559147167Z"
diff --git a/charts/heat/templates/configmap-etc.yaml b/charts/heat/templates/configmap-etc.yaml
index d5716e1..b49edcd 100644
--- a/charts/heat/templates/configmap-etc.yaml
+++ b/charts/heat/templates/configmap-etc.yaml
@@ -12,6 +12,12 @@
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
@@ -106,21 +112,21 @@
{{- end -}}
{{- if empty .Values.conf.heat.heat_api.bind_port -}}
-{{- $_ := tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
+{{- $_ := tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api "bind_port" -}}
{{- end -}}
{{- if empty .Values.conf.heat.heat_api_cloudwatch.bind_port -}}
-{{- $_ := tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
+{{- $_ := tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cloudwatch "bind_port" -}}
{{- end -}}
{{- if empty .Values.conf.heat.heat_api_cfn.bind_port -}}
-{{- $_ := tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
+{{- $_ := tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | set .Values.conf.heat.heat_api_cfn "bind_port" -}}
{{- end -}}
{{- if and (empty .Values.conf.logging.handler_fluent) (has "fluent" .Values.conf.logging.handlers.keys) -}}
{{- $fluentd_host := tuple "fluentd" "internal" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
{{- $fluentd_port := tuple "fluentd" "internal" "service" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .Release.Name $fluentd_host $fluentd_port }}
+{{- $fluent_args := printf "('%s.%s', '%s', %s)" .Release.Namespace .deployment_name $fluentd_host $fluentd_port }}
{{- $handler_fluent := dict "class" "fluent.handler.FluentHandler" "formatter" "fluent" "args" $fluent_args -}}
{{- $_ := set .Values.conf.logging "handler_fluent" $handler_fluent -}}
{{- end -}}
diff --git a/charts/heat/templates/cron-job-engine-cleaner.yaml b/charts/heat/templates/cron-job-engine-cleaner.yaml
index 1e7e6f3..a7eded4 100644
--- a/charts/heat/templates/cron-job-engine-cleaner.yaml
+++ b/charts/heat/templates/cron-job-engine-cleaner.yaml
@@ -21,7 +21,7 @@
{{- $serviceAccountName := "heat-engine-cleaner" }}
{{ tuple $envAll "engine_cleaner" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
kind: CronJob
metadata:
name: heat-engine-cleaner
@@ -55,6 +55,9 @@
serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "engine_cleaner" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 10 }}
restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
initContainers:
@@ -64,6 +67,11 @@
{{ tuple $envAll "heat_engine_cleaner" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.engine_cleaner | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
{{ dict "envAll" $envAll "application" "engine_cleaner" "container" "heat_engine_cleaner" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/heat/certs/ca.crt"
+{{- end }}
command:
- /tmp/heat-engine-cleaner.sh
volumeMounts:
@@ -85,6 +93,7 @@
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
readOnly: true
{{ end }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
{{ if $mounts_heat_engine_cleaner.volumeMounts }}{{ toYaml $mounts_heat_engine_cleaner.volumeMounts | indent 14 }}{{ end }}
volumes:
@@ -96,6 +105,7 @@
secret:
secretName: heat-etc
defaultMode: 0444
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
- name: heat-bin
configMap:
diff --git a/charts/heat/templates/cron-job-purge-deleted.yaml b/charts/heat/templates/cron-job-purge-deleted.yaml
index dd275d7..4d83c29 100644
--- a/charts/heat/templates/cron-job-purge-deleted.yaml
+++ b/charts/heat/templates/cron-job-purge-deleted.yaml
@@ -21,7 +21,7 @@
{{- $serviceAccountName := "heat-purge-deleted" }}
{{ tuple $envAll "purge_deleted" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
kind: CronJob
metadata:
name: heat-purge-deleted
@@ -49,6 +49,9 @@
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 10 }}
+{{ end }}
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
initContainers:
@@ -57,6 +60,11 @@
- name: heat-purge-deleted
{{ tuple $envAll "heat_purge_deleted" | include "helm-toolkit.snippets.image" | indent 14 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.purge_deleted | include "helm-toolkit.snippets.kubernetes_resources" | indent 14 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/heat/certs/ca.crt"
+{{- end }}
command:
- /tmp/heat-purge-deleted-active.sh
- {{ quote .Values.jobs.purge_deleted.purge_age }}
@@ -79,6 +87,7 @@
subPath: {{ base .Values.conf.heat.DEFAULT.log_config_append }}
readOnly: true
{{ end }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 14 }}
{{ if $mounts_heat_purge_deleted.volumeMounts }}{{ toYaml $mounts_heat_purge_deleted.volumeMounts | indent 14 }}{{ end }}
volumes:
@@ -90,6 +99,7 @@
secret:
secretName: heat-etc
defaultMode: 0444
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
- name: heat-bin
configMap:
diff --git a/charts/heat/templates/deployment-api.yaml b/charts/heat/templates/deployment-api.yaml
index a17ddae..0bed310 100644
--- a/charts/heat/templates/deployment-api.yaml
+++ b/charts/heat/templates/deployment-api.yaml
@@ -49,6 +49,9 @@
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
nodeSelector:
{{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
@@ -59,6 +62,11 @@
{{ tuple $envAll "heat_api" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "heat" "container" "heat_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/heat/certs/ca.crt"
+{{- end }}
command:
- /tmp/heat-api.sh
- start
@@ -70,13 +78,17 @@
- stop
ports:
- name: h-api
- containerPort: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
- tcpSocket:
- port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe:
- tcpSocket:
- port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
volumeMounts:
- name: pod-tmp
@@ -121,7 +133,7 @@
subPath: mpm_event.conf
readOnly: true
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_api.volumeMounts }}{{ toYaml $mounts_heat_api.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -139,7 +151,7 @@
secret:
secretName: heat-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_api.volumes }}{{ toYaml $mounts_heat_api.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/charts/heat/templates/deployment-cfn.yaml b/charts/heat/templates/deployment-cfn.yaml
index 9fab9e6..94ddd06 100644
--- a/charts/heat/templates/deployment-cfn.yaml
+++ b/charts/heat/templates/deployment-cfn.yaml
@@ -49,6 +49,9 @@
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
nodeSelector:
{{ .Values.labels.cfn.node_selector_key }}: {{ .Values.labels.cfn.node_selector_value }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cfn.timeout | default "30" }}
@@ -59,6 +62,11 @@
{{ tuple $envAll "heat_cfn" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.cfn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "heat" "container" "heat_cfn" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/heat/certs/ca.crt"
+{{- end }}
command:
- /tmp/heat-cfn.sh
- start
@@ -70,13 +78,17 @@
- stop
ports:
- name: h-cfn
- containerPort: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
- tcpSocket:
- port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe:
- tcpSocket:
- port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
initialDelaySeconds: 30
volumeMounts:
- name: pod-tmp
@@ -121,7 +133,7 @@
subPath: mpm_event.conf
readOnly: true
{{- end }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_cfn.volumeMounts }}{{ toYaml $mounts_heat_cfn.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: pod-tmp
@@ -138,6 +150,6 @@
secret:
secretName: heat-etc
defaultMode: 0444
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.cloudformation.cfn.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_cfn.volumes }}{{ toYaml $mounts_heat_cfn.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/charts/heat/templates/deployment-cloudwatch.yaml b/charts/heat/templates/deployment-cloudwatch.yaml
index 092feac..f1f7353 100644
--- a/charts/heat/templates/deployment-cloudwatch.yaml
+++ b/charts/heat/templates/deployment-cloudwatch.yaml
@@ -48,6 +48,9 @@
{{ dict "envAll" $envAll "application" "heat" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
affinity:
{{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
nodeSelector:
{{ .Values.labels.cloudwatch.node_selector_key }}: {{ .Values.labels.cloudwatch.node_selector_value }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.cloudwatch.timeout | default "30" }}
@@ -69,10 +72,12 @@
- stop
ports:
- name: h-cwh
- containerPort: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
readinessProbe:
- tcpSocket:
- port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ httpGet:
+ scheme: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ path: /
+ port: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
volumeMounts:
- name: pod-tmp
mountPath: /tmp
diff --git a/charts/heat/templates/deployment-engine.yaml b/charts/heat/templates/deployment-engine.yaml
index 4ae0197..7b7b8ad 100644
--- a/charts/heat/templates/deployment-engine.yaml
+++ b/charts/heat/templates/deployment-engine.yaml
@@ -59,6 +59,9 @@
{{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.engine.node_selector_key }}: {{ .Values.labels.engine.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.engine.timeout | default "30" }}
initContainers:
{{ tuple $envAll "engine" $mounts_heat_engine_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
@@ -67,6 +70,11 @@
{{ tuple $envAll "heat_engine" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.engine | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "heat" "container" "heat_engine" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+{{- if or .Values.manifests.certificates .Values.tls.identity }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/etc/heat/certs/ca.crt"
+{{- end }}
command:
- /tmp/heat-engine.sh
- start
@@ -100,7 +108,7 @@
subPath: policy.yaml
readOnly: true
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal "path" "/etc/heat/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_engine.volumeMounts }}{{ toYaml $mounts_heat_engine.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -116,8 +124,8 @@
secret:
secretName: heat-etc
defaultMode: 0444
- {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_engine.volumes }}{{ toYaml $mounts_heat_engine.volumes | indent 8 }}{{ end }}
{{- end }}
diff --git a/charts/heat/templates/job-bootstrap.yaml b/charts/heat/templates/job-bootstrap.yaml
index 5dfe56f..e5157da 100644
--- a/charts/heat/templates/job-bootstrap.yaml
+++ b/charts/heat/templates/job-bootstrap.yaml
@@ -14,16 +14,18 @@
{{- define "metadata.annotations.job.bootstrap" }}
helm.sh/hook: post-install,post-upgrade
-helm.sh/hook-weight: "5"
{{- end }}
{{- if and .Values.manifests.job_bootstrap .Values.bootstrap.enabled }}
{{- $bootstrapJob := dict "envAll" . "serviceName" "heat" "keystoneUser" .Values.bootstrap.ks_user "logConfigFile" .Values.conf.heat.DEFAULT.log_config_append -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $bootstrapJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $bootstrapJob "jobAnnotations" (include "metadata.annotations.job.bootstrap" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $bootstrapJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }}
{{- end }}
diff --git a/charts/heat/templates/job-db-drop.yaml b/charts/heat/templates/job-db-drop.yaml
index d74fa7b..7caa961 100644
--- a/charts/heat/templates/job-db-drop.yaml
+++ b/charts/heat/templates/job-db-drop.yaml
@@ -17,5 +17,8 @@
{{- if .Values.manifests.certificates -}}
{{- $_ := set $dbDropJob "dbAdminTlsSecret" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal -}}
{{- end -}}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbDropJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $dbDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }}
{{- end }}
diff --git a/charts/heat/templates/job-db-init.yaml b/charts/heat/templates/job-db-init.yaml
index b3b44fe..442a2fa 100644
--- a/charts/heat/templates/job-db-init.yaml
+++ b/charts/heat/templates/job-db-init.yaml
@@ -25,5 +25,8 @@
{{- if .Values.helm3_hook }}
{{- $_ := set $dbInitJob "jobAnnotations" (include "metadata.annotations.job.db_init" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbInitJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $dbInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }}
{{- end }}
diff --git a/charts/heat/templates/job-db-sync.yaml b/charts/heat/templates/job-db-sync.yaml
index 5670792..a25faf8 100644
--- a/charts/heat/templates/job-db-sync.yaml
+++ b/charts/heat/templates/job-db-sync.yaml
@@ -25,5 +25,8 @@
{{- if .Values.helm3_hook }}
{{- $_ := set $dbSyncJob "jobAnnotations" (include "metadata.annotations.job.db_sync" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $dbSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }}
{{- end }}
diff --git a/charts/heat/templates/job-image-repo-sync.yaml b/charts/heat/templates/job-image-repo-sync.yaml
index a9da325..83a84bb 100644
--- a/charts/heat/templates/job-image-repo-sync.yaml
+++ b/charts/heat/templates/job-image-repo-sync.yaml
@@ -21,5 +21,8 @@
{{- if .Values.helm3_hook }}
{{- $_ := $imageRepoSyncJob "jobAnnotations" (include "metadata.annotations.job.repo_sync" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $imageRepoSyncJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
{{- end }}
diff --git a/charts/heat/templates/job-ks-endpoints.yaml b/charts/heat/templates/job-ks-endpoints.yaml
index 9388806..21b0bd1 100644
--- a/charts/heat/templates/job-ks-endpoints.yaml
+++ b/charts/heat/templates/job-ks-endpoints.yaml
@@ -19,11 +19,14 @@
{{- if .Values.manifests.job_ks_endpoints }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_endpoints" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }}
{{- end }}
diff --git a/charts/heat/templates/job-ks-service.yaml b/charts/heat/templates/job-ks-service.yaml
index 5947c0e..930707a 100644
--- a/charts/heat/templates/job-ks-service.yaml
+++ b/charts/heat/templates/job-ks-service.yaml
@@ -19,11 +19,14 @@
{{- if .Values.manifests.job_ks_service }}
{{- $ksServiceJob := dict "envAll" . "serviceName" "heat" "serviceTypes" ( tuple "orchestration" "cloudformation" ) -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksServiceJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksServiceJob "jobAnnotations" (include "metadata.annotations.job.ks_service" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksServiceJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }}
{{- end }}
diff --git a/charts/heat/templates/job-ks-user-domain.yaml b/charts/heat/templates/job-ks-user-domain.yaml
index a709608..6e76df8 100644
--- a/charts/heat/templates/job-ks-user-domain.yaml
+++ b/charts/heat/templates/job-ks-user-domain.yaml
@@ -46,6 +46,9 @@
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
initContainers:
{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
@@ -61,9 +64,9 @@
mountPath: /tmp/ks-domain-user.sh
subPath: ks-domain-user.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_SERVICE_NAME
@@ -97,5 +100,5 @@
configMap:
name: heat-bin
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
diff --git a/charts/heat/templates/job-ks-user-trustee.yaml b/charts/heat/templates/job-ks-user-trustee.yaml
index 21f1b57..665be81 100644
--- a/charts/heat/templates/job-ks-user-trustee.yaml
+++ b/charts/heat/templates/job-ks-user-trustee.yaml
@@ -18,11 +18,14 @@
{{- if .Values.manifests.job_ks_user_trustee }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" "serviceUser" "heat_trustee" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.heat_trust" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}
diff --git a/charts/heat/templates/job-ks-user.yaml b/charts/heat/templates/job-ks-user.yaml
index bf23eeb..c5be1fe 100644
--- a/charts/heat/templates/job-ks-user.yaml
+++ b/charts/heat/templates/job-ks-user.yaml
@@ -19,11 +19,14 @@
{{- if .Values.manifests.job_ks_user }}
{{- $ksUserJob := dict "envAll" . "serviceName" "heat" -}}
-{{- if .Values.manifests.certificates -}}
+{{- if or .Values.manifests.certificates .Values.tls.identity -}}
{{- $_ := set $ksUserJob "tlsSecret" .Values.secrets.tls.orchestration.api.internal -}}
{{- end -}}
{{- if .Values.helm3_hook }}
{{- $_ := set $ksUserJob "jobAnnotations" (include "metadata.annotations.job.ks_user" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $ksUserJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
{{- end }}
diff --git a/charts/heat/templates/job-rabbit-init.yaml b/charts/heat/templates/job-rabbit-init.yaml
index 8da178b..bd6b228 100644
--- a/charts/heat/templates/job-rabbit-init.yaml
+++ b/charts/heat/templates/job-rabbit-init.yaml
@@ -25,5 +25,8 @@
{{- if .Values.helm3_hook }}
{{- $_ := set $rmqUserJob "jobAnnotations" (include "metadata.annotations.job.rabbit_init" . | fromYaml) }}
{{- end }}
+{{- if .Values.pod.tolerations.heat.enabled -}}
+{{- $_ := set $rmqUserJob "tolerationsEnabled" true -}}
+{{- end -}}
{{ $rmqUserJob | include "helm-toolkit.manifests.job_rabbit_init" }}
{{- end }}
diff --git a/charts/heat/templates/job-trusts.yaml b/charts/heat/templates/job-trusts.yaml
index afa6bde..ae5bc64 100644
--- a/charts/heat/templates/job-trusts.yaml
+++ b/charts/heat/templates/job-trusts.yaml
@@ -48,6 +48,9 @@
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{ end }}
initContainers:
{{ tuple $envAll "trusts" $mounts_heat_trusts_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
@@ -65,10 +68,10 @@
mountPath: /tmp/trusts.sh
subPath: trusts.sh
readOnly: true
-{{ dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{ dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_heat_trusts.volumeMounts }}{{ toYaml $mounts_heat_trusts.volumeMounts | indent 12 }}{{ end }}
env:
-{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" $envAll.Values.manifests.certificates }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
{{- end }}
- name: SERVICE_OS_ROLES
@@ -84,5 +87,5 @@
configMap:
name: heat-bin
defaultMode: 0555
-{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.orchestration.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_heat_trusts.volumes }}{{ toYaml $mounts_heat_trusts.volumes | indent 8 }}{{ end }}
diff --git a/charts/heat/templates/pdb-api.yaml b/charts/heat/templates/pdb-api.yaml
index 284e079..847873c 100644
--- a/charts/heat/templates/pdb-api.yaml
+++ b/charts/heat/templates/pdb-api.yaml
@@ -15,7 +15,7 @@
{{- if .Values.manifests.pdb_api }}
{{- $envAll := . }}
---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: heat-api
diff --git a/charts/heat/templates/pdb-cfn.yaml b/charts/heat/templates/pdb-cfn.yaml
index 52a72fb..e78c4f2 100644
--- a/charts/heat/templates/pdb-cfn.yaml
+++ b/charts/heat/templates/pdb-cfn.yaml
@@ -15,7 +15,7 @@
{{- if .Values.manifests.pdb_cfn }}
{{- $envAll := . }}
---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: heat-cfn
diff --git a/charts/heat/templates/pdb-cloudwatch.yaml b/charts/heat/templates/pdb-cloudwatch.yaml
index a0b057b..5687967 100644
--- a/charts/heat/templates/pdb-cloudwatch.yaml
+++ b/charts/heat/templates/pdb-cloudwatch.yaml
@@ -15,7 +15,7 @@
{{- if .Values.manifests.pdb_cloudwatch }}
{{- $envAll := . }}
---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: heat-cloudwatch
diff --git a/charts/heat/templates/pod-rally-test.yaml b/charts/heat/templates/pod-rally-test.yaml
index 9aa6373..ac6c636 100644
--- a/charts/heat/templates/pod-rally-test.yaml
+++ b/charts/heat/templates/pod-rally-test.yaml
@@ -12,19 +12,25 @@
limitations under the License.
*/}}
+{{- if (.Values.global).subchart_release_name }}
+{{- $_ := set . "deployment_name" .Chart.Name }}
+{{- else }}
+{{- $_ := set . "deployment_name" .Release.Name }}
+{{- end }}
+
{{- if .Values.manifests.pod_rally_test }}
{{- $envAll := . }}
{{- $mounts_tests := .Values.pod.mounts.heat_tests.heat_tests }}
{{- $mounts_tests_init := .Values.pod.mounts.heat_tests.init_container }}
-{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{- $serviceAccountName := print $envAll.deployment_name "-test" }}
{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
metadata:
- name: {{ print $envAll.Release.Name "-test" }}
+ name: {{ print $envAll.deployment_name "-test" }}
labels:
{{ tuple $envAll "heat" "test" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
@@ -33,11 +39,14 @@
spec:
nodeSelector:
{{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
+{{ if $envAll.Values.pod.tolerations.heat.enabled }}
+{{ tuple $envAll "heat" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 2 }}
+{{ end }}
restartPolicy: Never
serviceAccountName: {{ $serviceAccountName }}
initContainers:
{{ tuple $envAll "tests" $mounts_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- - name: {{ .Release.Name }}-test-ks-user
+ - name: {{ .deployment_name }}-test-ks-user
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
command:
@@ -62,7 +71,7 @@
- name: SERVICE_OS_ROLE
value: {{ .Values.endpoints.identity.auth.test.role | quote }}
containers:
- - name: {{ .Release.Name }}-test
+ - name: {{ .deployment_name }}-test
{{ tuple $envAll "test" | include "helm-toolkit.snippets.image" | indent 6 }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
@@ -73,7 +82,7 @@
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 8 }}
{{- end }}
- name: RALLY_ENV_NAME
- value: {{.Release.Name}}
+ value: {{.deployment_name}}
command:
- /tmp/rally-test.sh
volumeMounts:
diff --git a/charts/heat/templates/secret-registry.yaml b/charts/heat/templates/secret-registry.yaml
new file mode 100644
index 0000000..da979b3
--- /dev/null
+++ b/charts/heat/templates/secret-registry.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.secret_registry .Values.endpoints.oci_image_registry.auth.enabled }}
+{{ include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) }}
+{{- end }}
diff --git a/charts/heat/templates/service-api.yaml b/charts/heat/templates/service-api.yaml
index fd0aadf..39de598 100644
--- a/charts/heat/templates/service-api.yaml
+++ b/charts/heat/templates/service-api.yaml
@@ -22,7 +22,7 @@
spec:
ports:
- name: h-api
- port: {{ tuple "orchestration" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "orchestration" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.api.node_port.enabled }}
nodePort: {{ .Values.network.api.node_port.port }}
{{ end }}
diff --git a/charts/heat/templates/service-cfn.yaml b/charts/heat/templates/service-cfn.yaml
index 568c1db..4114962 100644
--- a/charts/heat/templates/service-cfn.yaml
+++ b/charts/heat/templates/service-cfn.yaml
@@ -22,7 +22,7 @@
spec:
ports:
- name: h-cfn
- port: {{ tuple "cloudformation" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "cloudformation" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.cfn.node_port.enabled }}
nodePort: {{ .Values.network.cfn.node_port.port }}
{{ end }}
diff --git a/charts/heat/templates/service-cloudwatch.yaml b/charts/heat/templates/service-cloudwatch.yaml
index 4978371..0afec9d 100644
--- a/charts/heat/templates/service-cloudwatch.yaml
+++ b/charts/heat/templates/service-cloudwatch.yaml
@@ -22,7 +22,7 @@
spec:
ports:
- name: h-cwh
- port: {{ tuple "cloudwatch" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "cloudwatch" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.cloudwatch.node_port.enabled }}
nodePort: {{ .Values.network.cloudwatch.node_port.port }}
{{ end }}
diff --git a/charts/heat/values.yaml b/charts/heat/values.yaml
index 58f786b..555af53 100644
--- a/charts/heat/values.yaml
+++ b/charts/heat/values.yaml
@@ -340,95 +340,7 @@
paste.filter_factory: oslo_middleware.request_id:RequestId.factory
filter:osprofiler:
paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
- policy:
- context_is_admin: role:admin and is_admin_project:True
- project_admin: role:admin
- deny_stack_user: not role:heat_stack_user
- deny_everybody: "!"
- cloudformation:ListStacks: rule:deny_stack_user
- cloudformation:CreateStack: rule:deny_stack_user
- cloudformation:DescribeStacks: rule:deny_stack_user
- cloudformation:DeleteStack: rule:deny_stack_user
- cloudformation:UpdateStack: rule:deny_stack_user
- cloudformation:CancelUpdateStack: rule:deny_stack_user
- cloudformation:DescribeStackEvents: rule:deny_stack_user
- cloudformation:ValidateTemplate: rule:deny_stack_user
- cloudformation:GetTemplate: rule:deny_stack_user
- cloudformation:EstimateTemplateCost: rule:deny_stack_user
- cloudformation:DescribeStackResource: ''
- cloudformation:DescribeStackResources: rule:deny_stack_user
- cloudformation:ListStackResources: rule:deny_stack_user
- cloudwatch:DeleteAlarms: rule:deny_stack_user
- cloudwatch:DescribeAlarmHistory: rule:deny_stack_user
- cloudwatch:DescribeAlarms: rule:deny_stack_user
- cloudwatch:DescribeAlarmsForMetric: rule:deny_stack_user
- cloudwatch:DisableAlarmActions: rule:deny_stack_user
- cloudwatch:EnableAlarmActions: rule:deny_stack_user
- cloudwatch:GetMetricStatistics: rule:deny_stack_user
- cloudwatch:ListMetrics: rule:deny_stack_user
- cloudwatch:PutMetricAlarm: rule:deny_stack_user
- cloudwatch:PutMetricData: ''
- cloudwatch:SetAlarmState: rule:deny_stack_user
- actions:action: rule:deny_stack_user
- build_info:build_info: rule:deny_stack_user
- events:index: rule:deny_stack_user
- events:show: rule:deny_stack_user
- resource:index: rule:deny_stack_user
- resource:metadata: ''
- resource:signal: ''
- resource:mark_unhealthy: rule:deny_stack_user
- resource:show: rule:deny_stack_user
- stacks:abandon: rule:deny_stack_user
- stacks:create: rule:deny_stack_user
- stacks:delete: rule:deny_stack_user
- stacks:detail: rule:deny_stack_user
- stacks:export: rule:deny_stack_user
- stacks:generate_template: rule:deny_stack_user
- stacks:global_index: rule:deny_everybody
- stacks:index: rule:deny_stack_user
- stacks:list_resource_types: rule:deny_stack_user
- stacks:list_template_versions: rule:deny_stack_user
- stacks:list_template_functions: rule:deny_stack_user
- stacks:lookup: ''
- stacks:preview: rule:deny_stack_user
- stacks:resource_schema: rule:deny_stack_user
- stacks:show: rule:deny_stack_user
- stacks:template: rule:deny_stack_user
- stacks:environment: rule:deny_stack_user
- stacks:files: rule:deny_stack_user
- stacks:update: rule:deny_stack_user
- stacks:update_patch: rule:deny_stack_user
- stacks:preview_update: rule:deny_stack_user
- stacks:preview_update_patch: rule:deny_stack_user
- stacks:validate_template: rule:deny_stack_user
- stacks:snapshot: rule:deny_stack_user
- stacks:show_snapshot: rule:deny_stack_user
- stacks:delete_snapshot: rule:deny_stack_user
- stacks:list_snapshots: rule:deny_stack_user
- stacks:restore_snapshot: rule:deny_stack_user
- stacks:list_outputs: rule:deny_stack_user
- stacks:show_output: rule:deny_stack_user
- software_configs:global_index: rule:deny_everybody
- software_configs:index: rule:deny_stack_user
- software_configs:create: rule:deny_stack_user
- software_configs:show: rule:deny_stack_user
- software_configs:delete: rule:deny_stack_user
- software_deployments:index: rule:deny_stack_user
- software_deployments:create: rule:deny_stack_user
- software_deployments:show: rule:deny_stack_user
- software_deployments:update: rule:deny_stack_user
- software_deployments:delete: rule:deny_stack_user
- software_deployments:metadata: ''
- service:index: rule:context_is_admin
- resource_types:OS::Nova::Flavor: rule:project_admin
- resource_types:OS::Cinder::EncryptedVolumeType: rule:project_admin
- resource_types:OS::Cinder::VolumeType: rule:project_admin
- resource_types:OS::Cinder::Quota: rule:project_admin
- resource_types:OS::Manila::ShareType: rule:project_admin
- resource_types:OS::Neutron::QoSPolicy: rule:project_admin
- resource_types:OS::Neutron::QoSBandwidthLimitRule: rule:project_admin
- resource_types:OS::Nova::HostAggregate: rule:project_admin
- resource_types:OS::Cinder::QoSSpecs: rule:project_admin
+ policy: {}
heat:
DEFAULT:
log_config_append: /etc/heat/logging.conf
@@ -804,6 +716,9 @@
cfn:
public: cloudformation-tls-public
internal: heat-tls-cfn
+ oci_image_registry:
+ heat: heat-oci-image-registry
+
# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
@@ -821,6 +736,21 @@
port:
registry:
node: 5000
+ oci_image_registry:
+ name: oci-image-registry
+ namespace: oci-image-registry
+ auth:
+ enabled: false
+ heat:
+ username: heat
+ password: password
+ hosts:
+ default: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ default: null
identity:
name: keystone
auth:
@@ -892,10 +822,12 @@
default: '/v1/%(project_id)s'
scheme:
default: 'http'
+ service: 'http'
port:
api:
default: 8004
public: 80
+ service: 8004
cloudformation:
name: heat-cfn
hosts:
@@ -914,10 +846,12 @@
default: /v1
scheme:
default: 'http'
+ service: 'http'
port:
api:
default: 8000
public: 80
+ service: 8000
# Cloudwatch does not get an entry in the keystone service catalog
cloudwatch:
name: heat-cloudwatch
@@ -931,10 +865,12 @@
type: null
scheme:
default: 'http'
+ service: 'http'
port:
api:
default: 8003
public: 80
+ service: 8003
oslo_db:
auth:
admin:
@@ -1082,6 +1018,13 @@
default: kubernetes.io/hostname
weight:
default: 10
+ tolerations:
+ heat:
+ enabled: false
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
mounts:
heat_api:
init_container: null
@@ -1295,6 +1238,11 @@
# set helm3_hook: false when using the helm2 binary.
helm3_hook: true
+tls:
+ identity: false
+ oslo_messaging: false
+ oslo_db: false
+
manifests:
certificates: false
configmap_bin: true
@@ -1328,6 +1276,7 @@
secret_ingress_tls: true
secret_keystone: true
secret_rabbitmq: true
+ secret_registry: true
service_api: true
service_cfn: true
service_cloudwatch: false