Fix nova-compute health probe and import upstream merges
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
index 07e3872..eb47ead 100644
--- a/charts/nova/Chart.yaml
+++ b/charts/nova/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/nova
- https://opendev.org/openstack/openstack-helm
-version: 0.3.16
+version: 0.3.19
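Review bot: The chart version moves to 0.3.19 here, but hack/sync-charts.sh in the same commit (L227) pins `NOVA_VERISON=0.3.22`, so the vendored chart and the script that imports it disagree on which upstream release this tree corresponds to. If the sync script was run to produce these changes, Chart.yaml should carry the upstream tarball's version; otherwise one of the two values is stale. Either align them or say in the commit message why they intentionally differ.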
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
index 6db5f70..4cb5c9c 100644
--- a/charts/nova/requirements.lock
+++ b/charts/nova/requirements.lock
@@ -3,4 +3,4 @@
repository: file://../../openstack-helm-infra/helm-toolkit
version: 0.2.54
digest: sha256:337a0f1ffb3eae591150b305c22293d85fb8c18abec78f56672de4f3ada2faae
-generated: "2023-08-19T09:33:02.220997881Z"
+generated: "2023-08-30T00:10:57.22984359Z"
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
index 660d62b..a019187 100644
--- a/charts/nova/templates/bin/_health-probe.py.tpl
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -142,7 +142,7 @@
try:
with open(sys.argv[2]) as conf_file:
for line in conf_file:
- if "connection =" in line:
+ if line.startswith("connection ="):
service = line.split(':', 3)[3].split('/')[1].rstrip('\n')
if service == "nova":
database_ports.add(
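Review bot: The stricter prefix test on L31 is fine, but the value it admits is still parsed by `line.split(':', 3)[3].split('/')[1]` on L32, which requires a port and no query string: a `connection` URL without a port raises IndexError, and one ending in `/nova?charset=utf8` yields `nova?charset=utf8`, so the `service == "nova"` test on L33 is silently false and the port never gets added. Parsing the value with `urllib.parse.urlsplit` (one import to add at the top of the script) and comparing its path avoids both, and splitting on `=` rather than on the fixed string `"connection ="` also accepts the `connection=` and indented spellings that oslo.config reads, while still excluding `connection_*` keys. The enclosing try block starts on L27 and its except clause is outside the hunk, so I can't tell whether an IndexError is currently swallowed or turns into a probe failure.
```python
            for line in conf_file:
                key, sep, value = line.partition('=')
                if sep and key.strip() == "connection":
                    service = urlsplit(value.strip()).path.lstrip('/')
                    # … unchanged: service == "nova" port handling …
```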
diff --git a/charts/nova/templates/bin/_ssh-init.sh.tpl b/charts/nova/templates/bin/_ssh-init.sh.tpl
index 9032933..8e5b187 100644
--- a/charts/nova/templates/bin/_ssh-init.sh.tpl
+++ b/charts/nova/templates/bin/_ssh-init.sh.tpl
@@ -20,7 +20,6 @@
export NOVA_USER_HOME=$(eval echo ~${NOVA_USERNAME})
mkdir -p ${NOVA_USER_HOME}/.ssh
-chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
cat > ${NOVA_USER_HOME}/.ssh/config <<EOF
Host *
@@ -32,3 +31,4 @@
cp /tmp/nova-ssh/* ${NOVA_USER_HOME}/.ssh/
chmod 600 ${NOVA_USER_HOME}/.ssh/id_rsa
+chown -R ${NOVA_USERNAME}:${NOVA_USERNAME} ${NOVA_USER_HOME}/.ssh
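Review bot: The recursive chown on L48 now runs after the copy, but only `id_rsa` gets a restrictive mode on L47; the `.ssh` directory created by `mkdir -p` on L41 keeps the umask default and the other files copied from `/tmp/nova-ssh` keep whatever mode the source mount gives them. ssh refuses a `config` that is group- or other-writable, and a key directory readable by other uids in the container is wider than the compute user needs, so add `chmod 700 ${NOVA_USER_HOME}/.ssh` beside the existing chmod. The `${NOVA_USER_HOME}` expansions are unquoted throughout; harmless for the usual home paths but cheap to quote. The heredoc opened on L43 and the rest of the script fall outside these two hunks.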
diff --git a/charts/nova/templates/certificate-novnc.yaml b/charts/nova/templates/certificate-novnc.yaml
deleted file mode 100644
index e0b613b..0000000
--- a/charts/nova/templates/certificate-novnc.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Copyright (c) 2023 VEXXHOST, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: nova-novncproxy-vencrypt
- namespace: {{ .Release.Namespace }}
-spec:
- secretName: nova-novncproxy-vencrypt
- commonName: nova-novncproxy
- usages:
- - client auth
- issuerRef:
- kind: Issuer
- name: libvirt-vnc
-{{- end -}}
diff --git a/charts/nova/templates/certificates.yaml b/charts/nova/templates/certificates.yaml
index 3bf6c8d..39c98b0 100644
--- a/charts/nova/templates/certificates.yaml
+++ b/charts/nova/templates/certificates.yaml
@@ -17,6 +17,9 @@
{{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+{{ dict "envAll" . "service" "compute_novnc_vencrypt" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end }}
{{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
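Review bot: The new block on L94-L96 is gated only on `auth_schemes`, while each neighbouring block is gated on its `manifests.deployment_*` flag, so a vencrypt Certificate is requested even when `manifests.deployment_novncproxy` is false and no pod will mount it; `{{- if and .Values.manifests.deployment_novncproxy (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}` keeps the two in step. The trailing `-}}` on L94 also departs from the `}}` the siblings use and trims the newline before the include's output, so matching the sibling form avoids a layout that depends on how the toolkit template begins. Whatever guard wraps this whole file is outside the hunk.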
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
index 230305a..d098cbd 100644
--- a/charts/nova/templates/configmap-etc.yaml
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -85,18 +85,6 @@
{{- $_ := set $envAll.Values.conf.nova.wsgi "api_paste_config" "/var/lib/openstack/etc/nova/api-paste.ini" -}}
{{- end }}
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
-{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
-{{- end }}
-{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
-{{- end }}
-{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
-{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
-{{- end }}
-{{- end }}
-
{{- if empty .Values.conf.nova.database.connection -}}
{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
{{- if .Values.manifests.certificates -}}
@@ -204,6 +192,18 @@
{{- end -}}
{{- end -}}
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
+{{- end }}
+{{- end }}
+
{{- if eq .Values.console.console_kind "spice"}}
{{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
{{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}
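Review bot: The vencrypt default block is moved unchanged from L107-L117 (first hunk) to L125-L135, and nothing records why the later position is needed; I'd guess the block ending at L124 replaces `conf.nova.vnc` (or its `auth_schemes`) so the defaults were previously being set on a mapping that was then overwritten, but that block is outside the hunk and I can't confirm it. A template comment above L125, such as `{{/* must stay after the block above: it may replace conf.nova.vnc, which would drop these defaults */}}`, captures the ordering dependency so a future reorder doesn't quietly undo this fix.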
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
index cd58fd4..e1c79ab 100644
--- a/charts/nova/templates/deployment-novncproxy.yaml
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -28,6 +28,8 @@
{{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
{{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
+{{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
+
{{- $serviceAccountName := "nova-novncproxy" }}
{{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
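Review bot: `$vencrypt_enabled` on L147 calls `contains` directly on `.Values.conf.nova.vnc.auth_schemes`; as far as I can tell from Go's text/template, a null override there is rejected with "invalid value; expected string" at render time instead of being treated as disabled. The same inline expression already existed, so this is inherited rather than introduced, but since this hunk hoists it into the one variable all three vencrypt mounts use, it is the cheap place to harden: `{{- $vencrypt_enabled := contains "vencrypt" (.Values.conf.nova.vnc.auth_schemes | default "" | toString) }}`.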
@@ -133,11 +135,6 @@
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
- - name: vencrypt-certs
- mountPath: /etc/pki/nova-novncproxy
- readOnly: true
-{{- end }}
- name: nova-etc
mountPath: /etc/nova/logging.conf
subPath: logging.conf
@@ -149,6 +146,7 @@
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
@@ -166,14 +164,9 @@
emptyDir: {}
- name: pod-shared
emptyDir: {}
-{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
- - name: vencrypt-certs
- secret:
- secretName: nova-novncproxy-vencrypt
- defaultMode: 0444
-{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }}
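Review bot: The volume removed on L176-L181 pinned `defaultMode: 0444` on the vencrypt secret; the replacement on L184 delegates the mode to `helm-toolkit.snippets.tls_volume`, whose default isn't visible in this diff, so confirm the novncproxy process uid can still read `tls.key` at the L168 mount path after the switch. Separately, the deleted certificate-novnc.yaml issued this secret whenever vencrypt appeared in `auth_schemes`, whereas the new Certificate lives in certificates.yaml, whose outer guard (outside this diff) presumably includes `manifests.certificates`; with that flag off and vencrypt on, L184 references a secret nothing creates and the pod waits in ContainerCreating. If that combination is meant to be served by an operator-supplied secret, a comment on the `vencrypt.internal` key in values.yaml should say so; if not, failing the render with a clear message is kinder than a stuck pod.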
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
index 7f897ee..c5a679d 100644
--- a/charts/nova/values.yaml
+++ b/charts/nova/values.yaml
@@ -1511,6 +1511,8 @@
novncproxy:
public: nova-novncproxy-tls-public
internal: nova-novncproxy-tls-proxy
+ vencrypt:
+ internal: nova-novncproxy-vencrypt
compute_metadata:
metadata:
public: metadata-tls-public
@@ -1803,6 +1805,17 @@
novnc_proxy:
default: 6080
public: 80
+ # This endpoint is only to allow configuring the cert used specifically for
+ # vencrypt. Specifically, the same CA/issuer needs to be used to sign both
+ # this cert, and the libvirt/qemu certs.
+ compute_novnc_vencrypt:
+ hosts:
+ default: nova-novncproxy
+ host_fqdn_override:
+ default:
+ commonName: nova-novncproxy
+ usages:
+ - client auth
compute_spice_proxy:
name: nova
hosts:
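Review bot: The removed certificate-novnc.yaml pinned `issuerRef: {kind: Issuer, name: libvirt-vnc}`, but the new `compute_novnc_vencrypt` stanza on L208-L215 carries only `commonName` and `usages`, so which issuer signs this certificate now depends on the helm-toolkit defaults, which aren't in this diff. The comment on L205-L207 states the requirement (same CA as the libvirt/qemu certs) without saying where the issuer is selected; extend it with the override key operators must set, e.g. `# Issuer comes from the helm-toolkit certificate defaults; override it under this endpoint's <issuerRef override key> when libvirt uses a different one`, replacing the placeholder with the key the `helm-toolkit.manifests.certificates` template actually reads. Without that pointer the "same CA" requirement is easy to violate silently, and the failure only shows up as vencrypt handshake errors at runtime.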
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 7b1f887..67e7bed 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -135,7 +135,7 @@
| filterdiff -p1 -i 'neutron/*' \
| patch -p2 -d ${ATMOSPHERE}/charts/neutron
-NOVA_VERISON=0.3.16
+NOVA_VERISON=0.3.22
curl -sL https://tarballs.opendev.org/openstack/openstack-helm/nova-${NOVA_VERISON}.tgz \
| tar -xz -C ${ATMOSPHERE}/charts
curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm~893563/revisions/1/patch?download' \